Skip to content

10.10.10.175

Recon

Port Scan

PORT      STATE SERVICE       REASON          VERSION                                                                                                                        

53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                                

80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0                                                                                                       |_http-server-header: Microsoft-IIS/10.0                                                                                                                                     | http-methods:                                                                                                                                                              |   Supported Methods: OPTIONS TRACE GET HEAD POST                                                                                                                           |_  Potentially risky methods: TRACE                                                                                                                                         |_http-title: Egotistical Bank :: Home                                                                                                                                       

88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-02-04 01:08:30Z)                                                                 

135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                 139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                                          389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)              445/tcp   open  microsoft-ds? syn-ack ttl 127                                                                                                                       464/tcp   open  kpasswd5?     syn-ack ttl 127                                                                                                                        593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                    636/tcp   open  tcpwrapped    syn-ack ttl 127                                                                                                                        

5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                        |_http-title: Not Found                                                                                                                                                      |_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                  

9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing                                                                                                           49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                            49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          49689/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                 49696/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port                                                                        

OS fingerprint not ideal because: Missing a closed TCP port so results incomplete                                                                                            

No OS matches for host

Enumerate attack surface

This box also appears to be AD based domain controller.

DNS - 53: Simple DNS Plus

Active Directory - 88: Kerberos - 389: LDAP - 636: LDAPs - 464: kpasswd5

SMB - 139: netbios-ssn - 445: microsoft-ds - various RPC ports

Webserver - 80: Microsoft IIS 10.0 - Bootstrap 4.0.0

200      640l     1767w    30954c http://10.10.10.175/About.html                                                                                                             200      470l     1279w    24695c http://10.10.10.175/Blog.html                                                                                                              200      325l      770w    15634c http://10.10.10.175/Contact.html                                                                                                           301        2l       10w      150c http://10.10.10.175/Images                                                                                                                 200      683l     1813w    32797c http://10.10.10.175/Index.html                                                                                                             200      640l     1767w    30954c http://10.10.10.175/about.html                                                                                                             200      470l     1279w    24695c http://10.10.10.175/blog.html                                                                                                              200      325l      770w    15634c http://10.10.10.175/contact.html                                                                                                           301        2l       10w      147c http://10.10.10.175/css                                                                                                                    301        2l       10w      149c http://10.10.10.175/fonts                                                                                                                  301        2l       10w      150c http://10.10.10.175/images                                                                                                                 200      683l     1813w    32797c http://10.10.10.175/index.html                                                                                                             200      684l     1814w    38059c http://10.10.10.175/single.html

Others - 593: Microsoft RPC over HTTP 1.0 - 9389: .Net Message Framing - 5985: Microsoft HTTPAPI httpd 2.0 - WinRM? Check _manual_commands.txt - 49673: Microsoft RCP over HTTP 1.0

Public Exploits