Reconnaissance and Scanning#
Preface#
Recently, I had some time to open my home computer, so I started experimenting with the GOAD target environment. The write-up for the GOAD target will follow the author's process first, and later I can add my own understanding and supplements after learning.
For environment setup, refer to the previous blog: https://lca.xlog.app/game-of-active-directoryGOAD-yu-huan-jing-da-jian
Before starting the experiment, take a snapshot of the VM.
Start all machines.
vargant up
Network settings for the environment.
Ubuntu: The IP range for the VirtualBox VM is: 192.168.31.0/24
VirtualBox: The IP range for the GOAD target environment is 192.168.56.1/0
Thus, the overall access path for the environment is:
Windows (host IP: 192.168.31.151) -> Ubuntu (VM IP: 192.168.31.142) -> GOAD target (VirtualBox VM IP: 192.168.56.1/24)
I initially wanted to use Kali as the attack machine, but as mentioned in previous article comments, it would be inaccessible and would require a proxy for testing. However, running Kali would consume memory, and my host machine only has 32GB of RAM. If I start another Kali, the target machine would throw an error due to insufficient memory.
The CPU of the host machine would also spike.
So I decided to directly conduct attacks on Ubuntu. If the Ubuntu machine does not meet the attack requirements later, we can discuss that!
Network Enumeration#
cme
# Install cme
sudo snap install crackmapexec
# cme smb scan
crackmapexec smb 192.168.56.0/24
The results of the cme scan are shown in the image above, returning some useful information, including the IPs, names, and domain information of all target machines.
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
- north.sevenkingdoms.local (2 IPs)
- CASTELBLACK 192.168.56.22
- WINTERFELL 192.168.56.11
- sevenkingdoms.local (1 IP)
- KINGSLANDING 192.168.56.10
- essos.local (2 IPs)
- MEEREEN 192.168.56.12
- BRAAVOS 192.168.56.23
From the topology, it is clear that the GOAD target has three domains. The cme scan results also show that the DC signatures are all True (signing). In a real environment, to prevent NTLM relay attacks, all signatures must be set to True.
Finding the DC IP#
You can use nslookup to perform DNS queries to list the relevant information of the DC.
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
- nslookup: DNS query tool
- -type=srv: Specifies to query SRV records, which are a type of DNS record used to identify specific services.
_ldap._tcp.dc._msdcs.sevenkingdoms.local
: The hostname to query for information about the domain controller providing LDAP services in the "sevenkingdoms.local" domain.- The IP address of the DNS server being queried.
Querying sevenkingdoms.local
Querying north.sevenkingdoms.local
nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10
Querying essos.local
nslookup -type=srv _ldap._tcp.dc._msdcs.north.essos.local 192.168.56.10
Setting /etc/hosts and Kerberos#
To use Kerberos in a Linux environment, some settings need to be made.
- Configure the /etc/hosts file to set DNS.
# /etc/hosts
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12 essos.local meereen.essos.local meereen
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
192.168.56.23 braavos.essos.local braavos
Install the Kerberos Linux client.
sudo apt install krb5-user
Set admin_server to meereen.essos.local.
If krb5-user is already installed or needs reconfiguration, you can use dpkg-reconfigure or modify the /etc/krb5.conf file for reconfiguration, as follows:
sudo gedit /etc/krb5.conf
[libdefaults]
default_realm = essos.local
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
north.sevenkingdoms.local = {
kdc = winterfell.north.sevenkingdoms.local
admin_server = winterfell.north.sevenkingdoms.local
}
sevenkingdoms.local = {
kdc = kingslanding.sevenkingdoms.local
admin_server = kingslanding.sevenkingdoms.local
}
essos.local = {
kdc = meereen.essos.local
admin_server = meereen.essos.local
}
After completing the Kerberos setup, you can try to see if you can obtain a TGT ticket.
Download:
Impacket is a collection of Python classes for working with network protocols.
sudo pip3 install .
sudo python3 setup.py install
getTGT.py essos.local/khal.drogo:horse
export KRB5CCNAME=/home/lca/tools/impacket/examples/khal.drogo.ccache
python3 smbclient.py -k @braavos.essos.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
all
C$
CertEnroll
IPC$
public
# use C$
# ls
drw-rw-rw- 0 Thu Feb 14 19:42:10 2019 $Recycle.Bin
-rw-rw-rw- 384322 Fri Feb 15 03:38:48 2019 bootmgr
-rw-rw-rw- 1 Fri Feb 15 03:38:48 2019 BOOTNXT
-rw-rw-rw- 1014 Thu Jan 18 00:00:49 2024 dns_log.txt
drw-rw-rw- 0 Wed Jan 17 07:27:46 2024 Documents and Settings
drw-rw-rw- 0 Wed Jan 17 22:04:13 2024 inetpub
-rw-rw-rw- 1476395008 Sun May 5 23:00:57 2024 pagefile.sys
drw-rw-rw- 0 Thu Feb 14 20:19:12 2019 PerfLogs
drw-rw-rw- 0 Wed Jan 17 23:07:58 2024 Program Files
drw-rw-rw- 0 Thu Jan 18 00:28:34 2024 Program Files (x86)
drw-rw-rw- 0 Thu Jan 18 00:17:10 2024 ProgramData
drw-rw-rw- 0 Tue Jan 16 23:28:06 2024 Recovery
drw-rw-rw- 0 Wed Jan 17 22:31:30 2024 setup
drw-rw-rw- 0 Thu Jan 18 00:32:16 2024 shares
drw-rw-rw- 0 Sun May 5 15:01:26 2024 System Volume Information
drw-rw-rw- 0 Wed Jan 17 21:53:12 2024 tmp
drw-rw-rw- 0 Wed Jan 17 23:57:19 2024 Users
drw-rw-rw- 0 Wed Jan 17 22:05:24 2024 Windows
As shown, Kerberos is set up.
Unset the ticket.
unset KRB5CCNAME
Test other domains.
export KRB5CCNAME=/home/lca/tools/impacket/examples/arya.stark.ccache
python3 smbclient.py -k -no-pass @winterfell.north.servenkingdoms.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra
[-] [Errno Connection error (winterfell.north.servenkingdoms.local:445)] [Errno -3] Temporary failure in name resolution
I don't know why Kerberos does not work when using the full FQDN for Winterfell, but it works fine when just setting Winterfell instead of winterfell.north.sevenkingdoms.local.
Nmap Scan#
Install nmap.
sudo apt install nmap
Use nmap to perform a scan with the following parameters.
nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Parameters are as follows:
- -Pn: Do not perform ping scan.
- -p-: Full port scan, 1-65535.
- -sC: Run default detection scripts.
- -sV: Perform service version detection on specified ports.
- -oA: Output results in three formats.
The nmap scan results are as follows:
# Nmap 7.80 scan initiated Sun May 5 16:44:49 2024 as: nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.0011s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:45:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-16T12:49:01
|_Not valid after: 2024-07-17T12:49:01
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T06:56:16
|_Not valid after: 2027-01-14T06:56:16
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374728%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:62:c4:af (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:40
|_ start_date: N/A
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00079s latency).
Not shown: 65506 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:45:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-16T12:59:52
|_Not valid after: 2024-07-17T12:59:52
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:00:27
|_Not valid after: 2027-01-14T07:00:27
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
54275/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=6637472E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:73:1f:da (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:43
|_ start_date: N/A
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.00043s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:46:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: ESSOS)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=meereen.essos.local
| Not valid before: 2024-01-16T12:49:13
|_Not valid after: 2024-07-17T12:49:13
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:08:56
|_Not valid after: 2027-01-14T07:08:56
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374763%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MEEREEN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: MEEREEN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c5:7e:aa (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:42
|_ start_date: 2024-05-05T04:02:06
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.0022s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after: 2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-05T08:48:42+00:00
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2024-01-16T13:08:04
|_Not valid after: 2024-07-17T13:08:04
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:22:58
|_Not valid after: 2027-01-14T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
| tls-alpn:
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49690/tcp open ms-sql-s Microsoft SQL Server
| ms-sql-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after: 2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49865-TCP:V=7.80%I=7%D=5/5%Time=663747D6%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 192.168.56.22:1433:
| Version:
| name: Microsoft SQL Server
| number: 15.00.2000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:96:f0:ff (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-05T08:48:44
|_ start_date: N/A
Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00073s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after: 2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=braavos.essos.local
| Not valid before: 2024-01-16T13:46:38
|_Not valid after: 2024-07-17T13:46:38
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:29:16
|_Not valid after: 2027-01-14T07:29:16
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49724/tcp open msrpc Microsoft Windows RPC
49769/tcp open msrpc Microsoft Windows RPC
49773/tcp open msrpc Microsoft Windows RPC
49896/tcp open ms-sql-s Microsoft SQL Server
| ms-sql-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after: 2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49896-TCP:V=7.80%I=7%D=5/5%Time=66374886%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: BRAAVOS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:36:af:ca (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-05T08:51:30
|_ start_date: 2024-05-05T07:01:07
Post-scan script results:
| clock-skew:
| 0s:
| 192.168.56.10 (sevenkingdoms.local)
| 192.168.56.12 (essos.local)
|_ 192.168.56.23 (braavos.essos.local)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 5 16:51:34 2024 -- 5 IP addresses (5 hosts up) scanned in 404.39 seconds
Beautify the nmap output in XML format.
sudo apt install xsltproc
xsltproc full_scan_goad.xml -o full_scan_goad.html
firefox full_scan_goad.html