Scanning and Enumeration

Scanning

nmap -p- -T4 10.10.10.13
  • -p- scans all ports

  • -T4 scans aggressively, a lot faster

nmap -p- -T4 10.10.10.13
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
kali@kali:~$ nmap -sV -sC -p 22,53,80 10.10.10.13 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 19:09 EDT
Nmap scan report for 10.10.10.13
Host is up (0.095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds

Enumerating DNS

vim /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.13     cronos.htb

This gives us the following webpage:

DNS Zone Transfer

dig axfr @10.10.10.13 cronos.htb 

Zone transfers run over DNS on TCP. Because our nmap scan showed 53/tcp open, we will attempt a zone transfer. Doing so gives us the following:

kali@kali:$ dig axfr @10.10.10.13 cronos.htb 

; <<>> DiG 9.16.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 95 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Thu Oct 08 22:15:08 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
  • cronos.htb

  • www.cronos.htb

  • ns1.cronos.htb

  • admin.cronos.htb
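
The hosts-file step and the zone transfer above combined, as an added example that is not part of the original write-up: a shell script that checks whether saved `dig axfr` output holds a complete transfer and turns its A records into /etc/hosts lines. The function names are hypothetical, and the embedded sample is constructed from the transfer output shown above.

```shell
#!/bin/sh
# Added example: parse saved `dig axfr` output offline.

# Sample input, constructed from the zone transfer shown above.
sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.16.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; XFR size: 7 records (messages 1, bytes 203)
EOF
}

# axfr_allowed: exit 0 only if stdin holds a complete transfer, i.e. the
# zone's SOA record appears at both the start and the end of the records.
# A refused transfer (dig prints "; Transfer failed.") has no records at all.
axfr_allowed() {
  awk '!/^;/ && $3 == "IN" && $4 == "SOA" { n++ } END { exit !(n >= 2) }'
}

# axfr_hosts: print one /etc/hosts line per address, listing every name
# whose A record points at it (trailing dots removed, duplicates dropped).
axfr_hosts() {
  awk '
    /^;/ || NF < 5 { next }                   # skip dig comments and blank lines
    $3 == "IN" && $4 == "A" {
      name = $1; sub(/\.$/, "", name)
      if (!seen[$5, name]++) {
        if (!($5 in names)) order[++n] = $5   # keep first-seen order of addresses
        names[$5] = names[$5] " " name
      }
    }
    END { for (i = 1; i <= n; i++) print order[i] names[order[i]] }
  '
}

# Only emit hosts lines when the transfer actually completed.
if sample_axfr | axfr_allowed; then sample_axfr | axfr_hosts; fi
```

On a nameserver you administer, `axfr_allowed` succeeding for a client that is not a secondary means the whole zone, including names such as admin.cronos.htb here, is readable by anyone who can reach 53/tcp.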

Found login page through DNS
