1 │ # Nmap 7.94SVN scan initiated Wed Apr 2 12:54:53 2025 as: nmap -Pn -n --disable-arp-ping --min-rate 4000
│ -sV -sC -p- --open -oN escanero 10.129.111.96
2 │ Nmap scan report for 10.129.111.96
3 │ Host is up (0.12s latency).
4 │ Not shown: 65528 filtered tcp ports (no-response)
5 │ Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
6 │ PORT STATE SERVICE VERSION
7 │ 21/tcp open ftp
8 │ | fingerprint-strings:
9 │ | GenericLines:
10 │ | 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
11 │ | Command unknown, not supported or not allowed...
12 │ | Command unknown, not supported or not allowed...
13 │ | Help:
14 │ | 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
15 │ | 214-The following commands are implemented
16 │ | USER PASS ACCT QUIT PORT RETR
17 │ | STOR DELE RNFR PWD CWD CDUP
18 │ | NOOP TYPE MODE STRU
19 │ | LIST NLST HELP FEAT UTF8 PASV
20 │ | MDTM REST PBSZ PROT OPTS CCC
21 │ | XCRC SIZE MFMT CLNT ABORT
22 │ | HELP command successful
23 │ | NULL:
24 │ |_ 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
25 │ 25/tcp open smtp hMailServer smtpd
26 │ | smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
27 │ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
28 │ 80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
29 │ | http-title: Welcome to XAMPP
30 │ |_Requested resource was <http://10.129.111.96/dashboard/>
31 │ |_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
32 │ 443/tcp open https?
33 │ | ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
34 │ | Not valid before: 2022-04-21T19:27:17
35 │ |_Not valid after: 2032-04-18T19:27:17
36 │ 587/tcp open smtp hMailServer smtpd
37 │ | smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
38 │ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
39 │ 3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
40 │ | mysql-info:
41 │ | Protocol: 10
42 │ | Version: 5.5.5-10.4.24-MariaDB
43 │ | Thread ID: 13
44 │ | Capabilities flags: 63486
45 │ | Some Capabilities: FoundRows, Support41Auth, ConnectWithDatabase, InteractiveClient, IgnoreSigpipes, D
│ ontAllowDatabaseTableColumn, SupportsTransactions, LongColumnFlag, SupportsCompression, IgnoreSpaceBeforeP
│ arenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, ODBCClient, Speaks41ProtocolOld, SupportsMultipleR
│ esults, SupportsAuthPlugins, SupportsMultipleStatments
46 │ | Status: Autocommit
47 │ | Salt: {8@zfnx/}K?9@uL\\i|Rd
48 │ |_ Auth Plugin Name: mysql_native_password
49 │ 3389/tcp open ms-wbt-server Microsoft Terminal Services
50 │ | ssl-cert: Subject: commonName=WIN-EASY
51 │ | Not valid before: 2025-04-01T17:52:07
52 │ |_Not valid after: 2025-10-01T17:52:07
53 │ |_ssl-date: 2025-04-02T17:56:44+00:00; -3s from scanner time.
54 │ 1 service unrecognized despite returning data. If you know the service/version, please submit the followin
│ g fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
55 │ SF-Port21-TCP:V=7.94SVN%I=7%D=4/2%Time=67ED7A16%P=x86_64-pc-linux-gnu%r(NU
56 │ SF:LL,41,"220\\x20Core\\x20FTP\\x20Server\\x20Version\\x202\\.0,\\x20build\\x20725
57 │ SF:,\\x2064-bit\\x20Unregistered\\r\\n")%r(GenericLines,AD,"220\\x20Core\\x20FTP
58 │ SF:\\x20Server\\x20Version\\x202\\.0,\\x20build\\x20725,\\x2064-bit\\x20Unregister
59 │ SF:ed\\r\\n502\\x20Command\\x20unknown,\\x20not\\x20supported\\x20or\\x20not\\x20al
60 │ SF:lowed\\.\\.\\.\\r\\n502\\x20Command\\x20unknown,\\x20not\\x20supported\\x20or\\x20
61 │ SF:not\\x20allowed\\.\\.\\.\\r\\n")%r(Help,17B,"220\\x20Core\\x20FTP\\x20Server\\x20
62 │ SF:Version\\x202\\.0,\\x20build\\x20725,\\x2064-bit\\x20Unregistered\\r\\n214-The\\
63 │ SF:x20following\\x20commands\\x20are\\x20implemented\\r\\n\\x20\\x20\\x20\\x20\\x20U
64 │ SF:SER\\x20\\x20PASS\\x20\\x20ACCT\\x20\\x20QUIT\\x20\\x20PORT\\x20\\x20RETR\\r\\n\\x20
65 │ SF:\\x20\\x20\\x20\\x20STOR\\x20\\x20DELE\\x20\\x20RNFR\\x20\\x20PWD\\x20\\x20\\x20CWD\\
66 │ SF:x20\\x20\\x20CDUP\\r\\n\\x20\\x20\\x20\\x20\\x20MKD\\x20\\x20\\x20RMD\\x20\\x20\\x20NO
67 │ SF:OP\\x20\\x20TYPE\\x20\\x20MODE\\x20\\x20STRU\\r\\n\\x20\\x20\\x20\\x20\\x20LIST\\x20\\
68 │ SF:x20NLST\\x20\\x20HELP\\x20\\x20FEAT\\x20\\x20UTF8\\x20\\x20PASV\\r\\n\\x20\\x20\\x20
69 │ SF:\\x20\\x20MDTM\\x20\\x20REST\\x20\\x20PBSZ\\x20\\x20PROT\\x20\\x20OPTS\\x20\\x20CCC
70 │ SF:\\r\\n\\x20\\x20\\x20\\x20\\x20XCRC\\x20\\x20SIZE\\x20\\x20MFMT\\x20\\x20CLNT\\x20\\x2
71 │ SF:0ABORT\\r\\n214\\x20\\x20HELP\\x20command\\x20successful\\r\\n");
72 │ Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows
73 │
74 │ Host script results:
75 │ |_clock-skew: -3s
76 │
77 │ Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
78 │ # Nmap done at Wed Apr 2 12:56:55 2025 -- 1 IP address (1 host up) scanned in 121.72 seconds
FUERA BRUTA A SERVICIO SMTP
❯ smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.111.96
Starting smtp-user-enum v1.2 ( <http://pentestmonkey.net/tools/smtp-user-enum> )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.list
Target count ............. 1
Username count ........... 79
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Wed Apr 2 13:05:51 2025 #########
10.129.111.96: [email protected] exists
######## Scan completed at Wed Apr 2 13:06:04 2025 #########
1 results.