RustScan
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ rustscan -a $IP
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where scanning meets swagging. 😎
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 192.168.224.187:53
Open 192.168.224.187:80
Open 192.168.224.187:88
Open 192.168.224.187:135
Open 192.168.224.187:139
Open 192.168.224.187:389
Open 192.168.224.187:443
Open 192.168.224.187:445
Open 192.168.224.187:464
Open 192.168.224.187:593
Open 192.168.224.187:636
Open 192.168.224.187:3268
Open 192.168.224.187:3269
Open 192.168.224.187:5985
Open 192.168.224.187:9389
Open 192.168.224.187:47001
Open 192.168.224.187:49665
Open 192.168.224.187:49664
Open 192.168.224.187:49666
Open 192.168.224.187:49669
Open 192.168.224.187:49670
Open 192.168.224.187:49668
Open 192.168.224.187:49679
Open 192.168.224.187:49674
Open 192.168.224.187:49671
Open 192.168.224.187:49701
Open 192.168.224.187:49786Nmap
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nmap -p- -sC -sV -T5 --min-parallelism 100 --max-parallelism 256 $IP --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 13:23 CEST
Nmap scan report for 192.168.224.187
Host is up (0.028s latency).
Not shown: 65458 closed tcp ports (reset), 50 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Access The Event
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-21 11:23:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
443/tcp open ssl/http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-title: Access The Event
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49786/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=4/21%Time=68062AC3%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-21T11:24:11
|_ start_date: N/A
|_clock-skew: -14s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.13 secondsThe target system appears to be a Domain Controller in an Active Directory environment.
The domain is ACCESS.OFFSEC, and the FQDN of the target system has not been identified at this time.
UDP
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ sudo nmap -sU --top-ports 1000 $IP --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 13:23 CEST
Nmap scan report for 192.168.224.187
Host is up (0.026s latency).
Not shown: 973 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Nmap done: 1 IP address (1 host up) scanned in 1235.64 seconds