
Analysis

Description

Automated Scanning

NMap Scan

# Nmap 7.94SVN scan initiated Fri Mar  1 14:27:22 2024 as: nmap -sC -sV -vvv -T4 -oN Data/Machines/analysis/nmap.txt 10.10.11.250
Increasing send delay for 10.10.11.250 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for analysis.htb (10.10.11.250)
Host is up, received syn-ack (0.086s latency).
Scanned at 2024-03-01 14:27:23 EST for 56s
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
80/tcp   open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title (text/html).
| http-server-header: 
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: 357C439FB7A4491072C7EB34E33F3990
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-03-01 19:27:50Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
3306/tcp open  mysql         syn-ack MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-03-01T19:27:58
|_  start_date: N/A
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 7365/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 24886/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 9653/udp): CLEAN (Timeout)
|   Check 4 (port 41050/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar  1 14:28:19 2024 -- 1 IP address (1 host up) scanned in 57.44 seconds

Gobuster (DNS) Scan


DirBuster Scan

No Results

Nuclei Scan

[caa-fingerprint] [dns] [info] analysis.htb
[options-method] [http] [info] http://analysis.htb ["OPTIONS, TRACE, GET, HEAD, POST"]
[email-extractor] [http] [info] http://analysis.htb ["mail@demolink.org","privacy@demolink.org"]
[microsoft-iis-version] [http] [info] http://analysis.htb ["Microsoft-IIS/10.0"]
[tech-detect:google-font-api] [http] [info] http://analysis.htb
[tech-detect:ms-iis] [http] [info] http://analysis.htb
[old-copyright] [http] [info] http://analysis.htb ["\u00a9 2023"]
[http-missing-security-headers:content-security-policy] [http] [info] http://analysis.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://analysis.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://analysis.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://analysis.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://analysis.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://analysis.htb
[http-missing-security-headers:strict-transport-security] [http] [info] http://analysis.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://analysis.htb
[http-missing-security-headers:x-frame-options] [http] [info] http://analysis.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://analysis.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://analysis.htb
[mixed-passive-content:img] [http] [info] http://analysis.htb ["http://storage.ie6countdown.com/assets/100/images/banners/warning_bar_0000_us.jpg"]
[iis-shortname] [http] [info] http://analysis.htb/*~1*/a.aspx'
[smb-enum] [javascript] [info] analysis.htb:445 ["OSVersion: 10.0.17763","NetBIOSComputerName: DC-ANALYSIS","NetBIOSDomainName: ANALYSIS","DNSComputerNamen: DC-ANALYSIS.analysis.htb","DNSComputerName: DC-ANALYSIS.analysis.htb","ForestName: analysis.htb"]
[smb2-capabilities] [javascript] [info] analysis.htb:445 ["[\"DFSSupport\",\"LargeMTU\",\"Leasing\"]"]

Automation Summary

NMap Scan Summary:

  • Host is running a variety of services on TCP ports including DNS, HTTP, Kerberos, Microsoft RPC, NetBIOS, LDAP, MySQL, and others.
  • Microsoft HTTPAPI httpd 2.0 and Microsoft-IIS/10.0 are identified as HTTP services.
  • Active Directory LDAP services are running, indicating a Windows domain environment.
  • Kerberos authentication is active.
  • MySQL is listening on 3306/tcp; Nmap labels it "unauthorized", meaning the scanner's probe was not allowed to connect.
  • SMB message signing is enabled and required.

Nuclei Scan Summary:

  • Several HTTP security headers are missing (for example Content-Security-Policy, Strict-Transport-Security and X-Frame-Options), indicating potential security misconfigurations.
  • Identified Microsoft IIS version 10.0.
  • Found outdated copyright information.
  • Detected mixed passive content for images.
  • Discovered SMB enumeration details including OS version, NetBIOS details, and capabilities.

Insights:

  • The machine appears to be a Windows-based server running Active Directory services.
  • Several potential security misconfigurations are present on the web server, which could be exploited for further enumeration or attacks.
  • SMB enumeration details provide insights into the server's network and domain configuration, useful for further enumeration and exploitation.

These scans provide valuable information for further penetration testing and exploitation of the target machine.

AI Generated


User Own


Root Own


Summary

AI Generated
