Reconnaissance and Scanning#
Preface#
Recently, I had some time to open my home computer, so I started conducting experiments on the GOAD target environment. The write-up for the GOAD target will first follow the author's process, and later I can add my own understanding and supplements after learning.
For environment setup, refer to the previous blog: https://lca.xlog.app/game-of-active-directoryGOAD-yu-huan-jing-da-jian
Before conducting experiments, take a snapshot of the VM.
Start all machines.
vargant up
Network settings for the environment.
Ubuntu: The IP range for the VirtualBox VM is: 192.168.31.0/24
VirtualBox: The IP range for the GOAD target is 192.168.56.1/0
Thus, the overall access path for the environment is:
Windows (host machine - IP: 192.168.31.151) -> Ubuntu (VM IP: 192.168.31.142) -> GOAD target (VirtualBox VM IP: 192.168.56.1/24)
I initially wanted to use Kali as the attack machine, but as mentioned in previous article comments, it would be inaccessible and would require a proxy for testing. However, running Kali consumes memory, and my host machine only has 32GB of RAM. If I start another Kali instance, the target machine will report an error due to insufficient memory.
The CPU of the host machine will also spike.
So I will directly conduct attacks using Ubuntu. If later the Ubuntu machine does not meet the attack requirements, we will discuss that then!
Network Enumeration#
cme
# Install cme
sudo snap install crackmapexec
# cme smb scan
crackmapexec smb 192.168.56.0/24
The results of the cme scan are shown in the image above, returning some useful information, including all target machine IPs, names, and domain information.
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
- north.sevenkingdoms.local (2 IPs)
- CASTELBLACK 192.168.56.22
- WINTERFELL 192.168.56.11
- sevenkingdoms.local (1 IP)
- KINGSLANDING 192.168.56.10
- essos.local (2 IPs)
- MEEREEN 192.168.56.12
- BRAAVOS 192.168.56.23
From the topology, it is clear that the GOAD target has three domains. The cme scan results also indicate that the DC signatures are all True (signing). In a real environment, to prevent NTLM relay attacks, all signatures must be set to True.
Finding the DC's IP#
You can use nslookup to perform DNS queries to list relevant information about the DC.
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
- nslookup: DNS query tool
- -type=srv: Specifies to query SRV records, which are a type of DNS record used to identify specific services.
_ldap._tcp.dc._msdcs.sevenkingdoms.local: The hostname to query for information about domain controllers providing LDAP services in the "sevenkingdoms.local" domain.- The IP address of the queried DNS server.
Querying sevenkingdoms.local
Querying north.sevenkingdoms.local
nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10
Querying essos.local
nslookup -type=srv _ldap._tcp.dc._msdcs.north.essos.local 192.168.56.10
Setting /etc/hosts and Kerberos#
To use Kerberos in a Linux environment, some settings need to be made.
- Configure the /etc/hosts file to set DNS.
# /etc/hosts
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12 essos.local meereen.essos.local meereen
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
192.168.56.23 braavos.essos.local braavos
Install the Kerberos Linux client.
sudo apt install krb5-user
Set admin_server to meereen.essos.local.
If krb5-user is already installed or needs to be reconfigured, you can use dpkg-reconfigure or modify the /etc/krb5.conf file for reconfiguration. The content is as follows:
sudo gedit /etc/krb5.conf
[libdefaults]
default_realm = essos.local
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
north.sevenkingdoms.local = {
kdc = winterfell.north.sevenkingdoms.local
admin_server = winterfell.north.sevenkingdoms.local
}
sevenkingdoms.local = {
kdc = kingslanding.sevenkingdoms.local
admin_server = kingslanding.sevenkingdoms.local
}
essos.local = {
kdc = meereen.essos.local
admin_server = meereen.essos.local
}
After completing the Kerberos setup, you can try to see if you can obtain a TGT ticket.
Download:
Impacket is a collection of Python classes for working with network protocols.
sudo pip3 install .
sudo python3 setup.py install
getTGT.py essos.local/khal.drogo:horse
export KRB5CCNAME=/home/lca/tools/impacket/examples/khal.drogo.ccache
python3 smbclient.py -k @braavos.essos.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
all
C$
CertEnroll
IPC$
public
# use C$
# ls
drw-rw-rw- 0 Thu Feb 14 19:42:10 2019 $Recycle.Bin
-rw-rw-rw- 384322 Fri Feb 15 03:38:48 2019 bootmgr
-rw-rw-rw- 1 Fri Feb 15 03:38:48 2019 BOOTNXT
-rw-rw-rw- 1014 Thu Jan 18 00:00:49 2024 dns_log.txt
drw-rw-rw- 0 Wed Jan 17 07:27:46 2024 Documents and Settings
drw-rw-rw- 0 Wed Jan 17 22:04:13 2024 inetpub
-rw-rw-rw- 1476395008 Sun May 5 23:00:57 2024 pagefile.sys
drw-rw-rw- 0 Thu Feb 14 20:19:12 2019 PerfLogs
drw-rw-rw- 0 Wed Jan 17 23:07:58 2024 Program Files
drw-rw-rw- 0 Thu Jan 18 00:28:34 2024 Program Files (x86)
drw-rw-rw- 0 Thu Jan 18 00:17:10 2024 ProgramData
drw-rw-rw- 0 Tue Jan 16 23:28:06 2024 Recovery
drw-rw-rw- 0 Wed Jan 17 22:31:30 2024 setup
drw-rw-rw- 0 Thu Jan 18 00:32:16 2024 shares
drw-rw-rw- 0 Sun May 5 15:01:26 2024 System Volume Information
drw-rw-rw- 0 Wed Jan 17 21:53:12 2024 tmp
drw-rw-rw- 0 Wed Jan 17 23:57:19 2024 Users
drw-rw-rw- 0 Wed Jan 17 22:05:24 2024 Windows
As shown above, Kerberos is set up.
Unset the ticket.
unset KRB5CCNAME
Test other domains.
export KRB5CCNAME=/home/lca/tools/impacket/examples/arya.stark.ccache
python3 smbclient.py -k -no-pass @winterfell.north.servenkingdoms.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra
[-] [Errno Connection error (winterfell.north.servenkingdoms.local:445)] [Errno -3] Temporary failure in name resolution
I don't know why Kerberos does not work when using the full FQDN for Winterfell, but it works fine when just setting Winterfell instead of winterfell.north.sevenkingdoms.local.
Nmap Scan#
Install nmap.
sudo apt install nmap
Use nmap to perform a scan with the following parameters.
nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Parameters are as follows:
- -Pn: Do not perform ping scan.
- -p-: Full port scan, 1-65535.
- -sC: Run default detection scripts.
- -sV: Perform service version detection on specified ports.
- -oA: Output results in three formats.
The nmap scan results are as follows:
# Nmap 7.80 scan initiated Sun May 5 16:44:49 2024 as: nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.0011s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:45:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after: 2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-16T12:49:01
|_Not valid after: 2024-07-17T12:49:01
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T06:56:16
|_Not valid after: 2027-01-14T06:56:16
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374728%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:62:c4:af (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:40
|_ start_date: N/A
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00079s latency).
Not shown: 65506 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:45:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after: 2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-16T12:59:52
|_Not valid after: 2024-07-17T12:59:52
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:00:27
|_Not valid after: 2027-01-14T07:00:27
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
54275/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=6637472E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:73:1f:da (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:43
|_ start_date: N/A
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.00043s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-05 08:46:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: ESSOS)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after: 2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=meereen.essos.local
| Not valid before: 2024-01-16T12:49:13
|_Not valid after: 2024-07-17T12:49:13
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:08:56
|_Not valid after: 2027-01-14T07:08:56
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374763%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MEEREEN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: MEEREEN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c5:7e:aa (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-05T08:48:42
|_ start_date: 2024-05-05T04:02:06
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.0022s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after: 2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-05T08:48:42+00:00
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2024-01-16T13:08:04
|_Not valid after: 2024-07-17T13:08:04
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:18:49
|_Not valid after: 2027-01-14T07:18:49
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49690/tcp open ms-sql-s Microsoft SQL Server
| ms-sql-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after: 2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49865-TCP:V=7.80%I=7%D=5/5%Time=663747D6%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 192.168.56.22:1433:
| Version:
| name: Microsoft SQL Server
| number: 15.00.2000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:96:f0:ff (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-05T08:48:44
|_ start_date: N/A
Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00073s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after: 2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=braavos.essos.local
| Not valid before: 2024-01-16T13:46:38
|_Not valid after: 2024-07-17T13:46:38
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:01:25
|_Not valid after: 2027-01-14T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49724/tcp open msrpc Microsoft Windows RPC
49769/tcp open msrpc Microsoft Windows RPC
49773/tcp open msrpc Microsoft Windows RPC
49896/tcp open ms-sql-s Microsoft SQL Server
| ms-sql-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after: 2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49896-TCP:V=7.80%I=7%D=5/5%Time=66374886%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: BRAAVOS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:36:af:ca (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-05T08:51:30
|_ start_date: 2024-05-05T07:01:07
Post-scan script results:
| clock-skew:
| 0s:
| 192.168.56.10 (sevenkingdoms.local)
| 192.168.56.12 (essos.local)
|_ 192.168.56.23 (braavos.essos.local)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 5 16:51:34 2024 -- 5 IP addresses (5 hosts up) scanned in 404.39 seconds
Beautify the nmap output in XML format.
sudo apt install xsltproc
xsltproc full_scan_goad.xml -o full_scan_goad.html
firefox full_scan_goad.html
