Basic Enumeration

We can perform a quick nmap scan to discover open ports and services.

Nmap Scans

> sudo nmap -sS -Pn -sV -sC 10.10.10.228
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 13:58 +08
Nmap scan report for 10.10.10.228
Host is up (0.046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds?
3306/tcp open  mysql?
| fingerprint-strings:
|   LPDString, SIPOptions:
|_    Host '10.10.14.25' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=7/17%Time=60F27178%P=x86_64-unknown-linux-gnu
SF:%r(LPDString,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.25'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SI
SF:POptions,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.25'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1h00m01s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-17T04:58:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.84 seconds
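
The script results in this scan already point at several hardening gaps: a session cookie without HttpOnly, a TLS certificate that expired in 2019, and SMB signing that is not required. The following is an added example, not part of the original write-up, that extracts those findings from nmap's normal output; the `audit` function and the embedded excerpt are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: excerpt of the nmap output shown above.
SAMPLE = """\
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp  open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s")
SCAN_DATE = datetime(2021, 7, 17)  # date taken from the scan banner


def audit(text, scan_date=SCAN_DATE):
    """Return (scope, finding) pairs for hardening gaps in nmap normal output."""
    findings, scope, label = [], "host", ""
    for line in text.splitlines():
        port = PORT_RE.match(line)
        if port or line.startswith("Host script results"):
            scope = f"{port.group(1)}/{port.group(2)}" if port else "host"
            continue
        body = re.sub(r"^\|_?\s*", "", line).rstrip()  # drop the script-output prefix
        if body.endswith(":"):
            label = body[:-1]  # remember the nearest key, e.g. the cookie name
        elif body == "httponly flag not set":
            findings.append((scope, f"cookie {label} lacks HttpOnly"))
        elif body.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(body.split(":", 1)[1].strip())
            if expiry < scan_date:
                findings.append((scope, f"TLS certificate expired {expiry:%Y-%m-%d}"))
        elif body == "Message signing enabled but not required":
            findings.append((scope, "SMB signing not required"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope:8} {finding}")
```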

Enumerate SMB

Since this is a Windows machine, I am tempted to do basic enumeration on SMB to see if there are any shares exposed to default credentials.

Unfortunately, enum4linux does not return any important information with basic credentials, either for a null login or for the guest account.

We can move on to the next most obvious target: the web service on port 80.