RustScan
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ rustscan --no-banner --scripts none -a $IP
Open 192.168.198.165:53
Open 192.168.198.165:88
Open 192.168.198.165:135
Open 192.168.198.165:139
Open 192.168.198.165:389
Open 192.168.198.165:445
Open 192.168.198.165:464
Open 192.168.198.165:593
Open 192.168.198.165:3268
Open 192.168.198.165:3389
Open 192.168.198.165:5985
Open 192.168.198.165:8080
Open 192.168.198.165:9389
Open 192.168.198.165:49667
Open 192.168.198.165:49666
Open 192.168.198.165:49673
Open 192.168.198.165:49674
Open 192.168.198.165:49677
Open 192.168.198.165:49703
Open 192.168.198.165:49758
192.168.198.165 -> [53,88,135,139,389,445,464,593,3268,3389,5985,8080,9389,49667,49666,49673,49674,49677,49703,49758]Nmap
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nmap -Pn -p- -T5 --min-parallelism 100 --max-parallelism 100 $IP --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 15:44 CEST
Nmap scan report for 192.168.198.165
Host is up (0.021s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
8080/tcp open http-proxy
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49703/tcp open unknown
49758/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 75.84 seconds
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nmap -Pn -p- -T4 --min-rate 1000 --max-retries 2 --max-rtt-timeout 200ms --open $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 15:42 CEST
Nmap scan report for 192.168.198.165
Host is up (0.022s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
8080/tcp open http-proxy
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49703/tcp open unknown
49758/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 141.84 seconds
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nmap -Pn -sC -sV -p53,88,135,139,389,445,464,593,3389,5985,8080,9389,49666,49667,49674,49673,49677,49703,49758 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 15:45 CEST
Nmap scan report for 192.168.198.165
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-07 13:45:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HEIST
| NetBIOS_Domain_Name: HEIST
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: heist.offsec
| DNS_Computer_Name: DC01.heist.offsec
| DNS_Tree_Name: heist.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2025-07-07T13:46:44+00:00
|_ssl-date: 2025-07-07T13:47:23+00:00; -4s from scanner time.
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2025-07-06T13:38:54
|_Not valid after: 2026-01-05T13:38:54
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-title: Super Secure Web Browser
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49758/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-07T13:46:45
|_ start_date: N/A
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.21 secondsThe target system appears to be a Domain Controller in an Active Directory environment.
The domain is HEIST.OFFSEC.
The FQDN of the target system is dc01.heist.offsec.
/Practice/Heist_OffSec/1-Recon/attachments/{D1E6DAD4-64C3-4A16-92A6-61CFC5F35047}.png)
The domain information has been appended to the /etc/hosts file on Kali for DNS resolution.
UDP
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ sudo nmap -Pn -sU -top-ports 1000 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 15:42 CEST
Nmap scan report for 192.168.198.165
Host is up (0.021s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Nmap done: 1 IP address (1 host up) scanned in 23.34 seconds