| Port | Protocol | What it Means |
|---|---|---|
| 88 | Kerberos | Potential for Kerberos-based enumeration |
| 135 | MS-RPC | Potential for RPC enumeration (null sessions) |
| 139 | SMB/NetBIOS | Legacy SMB access |
| 389 | LDAP | LDAP queries to AD |
| 445 | SMB | Modern SMB access, critical for enumeration |
| 464 | Kerberos (kpasswd) | Password-related Kerberos service |
| 636 | LDAPS | Secure LDAP. Although it is encrypted, it can still expose AD structure if misconfigured |
```bash
fping -agq 10.211.11.0/24   # -a=--alive (show alive targets), -g=--generate (generate the target list from the CIDR), -q=--quiet
```
OR
```bash
nmap -sn 10.211.11.0/24
```
```bash
nmap -p 88,135,139,389,445,464,636 -sV -sC 10.211.11.0/24
nmap -p 88,135,139,389,445,464,636 -sV -sC -iL hosts.txt   # hosts.txt holds the list of hosts known to be up
nmap -sS -p- -T3 -iL hosts.txt -oN full_port_scan.txt
```
```
# nmap -p 88,135,139,389,445,636 -sV -sC 10.211.11.10
[...]
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-15 12:41:17Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: tryhackme.loc0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2019 Datacenter 17763 microsoft-ds (workgroup: TRYHACKME)
636/tcp open  tcpwrapped
[...]
```
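The scan output above is easiest to act on once it is turned into a per-host inventory: which of the seven AD ports each host exposes, what the LDAP probe reported as the domain, and whether the port combination looks like a domain controller (Kerberos, LDAP and SMB together) or an ordinary member. The parser below is an added example, not part of the original notes or of nmap itself; it reads nmap's "normal" (`-oN`) format, such as `full_port_scan.txt` from the command above. The sample text is constructed: the first host mirrors the output shown, the second host (10.211.11.25) is invented to show a non-DC result.

```python
import re
from collections import defaultdict

# Ports the table above associates with Active Directory services.
AD_PORTS = {
    88: "Kerberos", 135: "MS-RPC", 139: "SMB/NetBIOS", 389: "LDAP",
    445: "SMB", 464: "Kerberos (kpasswd)", 636: "LDAPS",
}

# Constructed sample in nmap "normal" (-oN) format. The first host mirrors the
# output shown above; the second is an invented member workstation.
SAMPLE_NMAP = """\
Nmap scan report for 10.211.11.10
Host is up (0.0012s latency).
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-15 12:41:17Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: tryhackme.loc0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2019 Datacenter 17763 microsoft-ds (workgroup: TRYHACKME)
636/tcp open  tcpwrapped

Nmap scan report for 10.211.11.25
Host is up (0.0030s latency).
PORT    STATE  SERVICE      VERSION
88/tcp  closed kerberos-sec
139/tcp open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open   microsoft-ds Windows 10 Pro 19041 microsoft-ds (workgroup: TRYHACKME)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Map each scanned host to a list of (port, state, service, version)."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])   # keep hosts that report no ports
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, _proto, state, service, version = m.groups()
            hosts[current].append((int(port), state, service, version.strip()))
    return dict(hosts)


def open_ad_ports(entries):
    """AD-related ports reported open, in ascending order."""
    return sorted(p for p, state, _svc, _ver in entries
                  if state == "open" and p in AD_PORTS)


def ldap_domain(entries):
    """Domain name nmap's LDAP probe printed, or None if no probe reported one."""
    for _p, _state, _svc, version in entries:
        m = re.search(r"Domain:\s*([^,)]+)", version)
        if m:
            return m.group(1)
    return None


def classify_hosts(parsed):
    """Guess each host's AD role from the combination of exposed ports."""
    report = {}
    for host, entries in parsed.items():
        ports = open_ad_ports(entries)
        if {88, 389, 445} <= set(ports):
            role = "domain-controller"   # Kerberos + LDAP + SMB together
        elif 445 in ports or 139 in ports:
            role = "member"              # SMB only: workstation or member server
        else:
            role = "unknown"
        report[host] = {
            "role": role,
            "open_ad_ports": ports,
            "services": [AD_PORTS[p] for p in ports],
            "domain": ldap_domain(entries),
        }
    return report


if __name__ == "__main__":
    for host, info in classify_hosts(parse_nmap_normal(SAMPLE_NMAP)).items():
        print(host, info["role"], info["open_ad_ports"], info["domain"])
```

The role guess is deliberately coarse: any host that answers on 88, 389 and 445 at once is treated as a DC, which is the set an administrator would compare against the known DC list to spot an unexpected server exposing directory services. The `Domain:` value is taken verbatim, including the `0.` suffix that nmap's LDAP probe prints.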
```bash
smbclient -L //10.211.11.10 -N   # -L=--list, -N=--no-pass
```
OR
```bash
smbmap.py -H 10.211.11.10   # -H = host
```
```
# smbclient -L //10.211.11.10 -N
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	AnonShare       Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SharedFiles     Disk
	SYSVOL          Disk      Logon server share
	UserBackups     Disk
SMB1 disabled -- no workgroup available
```
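Two things in that listing matter to whoever owns the DC: the `Anonymous login successful` line (the server accepted a null session) and the shares that are not part of a DC's default set (`ADMIN$`, `C$`, `IPC$`, `NETLOGON`, `SYSVOL`). The following is an added example, not code from the original notes or from the Samba project: it parses an `smbclient -L` listing and returns the non-default disk shares that an unauthenticated client was able to enumerate. The sample listing is constructed to match the output above.

```python
import re

# Shares every domain controller exposes by default; anything else that shows
# up in an anonymous listing deserves a closer look.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}

# Constructed sample, laid out like the smbclient -L listing above.
SAMPLE_SMBCLIENT = """\
Anonymous login successful

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tAnonShare       Disk
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tNETLOGON        Disk      Logon server share
\tSharedFiles     Disk
\tSYSVOL          Disk      Logon server share
\tUserBackups     Disk
SMB1 disabled -- no workgroup available
"""

# A share row: name, one of smbclient's type words, optional comment.
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*?)\s*$")


def parse_smbclient_list(text):
    """Return (anonymous_login_ok, [{'name', 'type', 'comment'}, ...])."""
    anonymous_ok = False
    shares = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Anonymous login successful"):
            anonymous_ok = True
        elif "Sharename" in line and "Type" in line:
            in_table = True            # header row: share rows follow
        elif in_table:
            m = SHARE_RE.match(line)
            if m:
                name, share_type, comment = m.groups()
                shares.append({"name": name, "type": share_type, "comment": comment})
            elif line.strip() and not line.strip().startswith("---"):
                in_table = False       # first non-share, non-separator line ends the table
    return anonymous_ok, shares


def audit_anonymous_shares(text):
    """Names of non-default disk shares that an unauthenticated client could list."""
    anonymous_ok, shares = parse_smbclient_list(text)
    if not anonymous_ok:
        return []                      # null session refused: nothing to flag here
    return [s["name"] for s in shares
            if s["type"] == "Disk" and s["name"] not in DEFAULT_SHARES]


if __name__ == "__main__":
    print(audit_anonymous_shares(SAMPLE_SMBCLIENT))
```

A hit from `audit_anonymous_shares` means only that the share name is visible without credentials; whether its contents are readable is governed by the share and NTFS permissions and has to be checked separately. The fix belongs on the server side (disallow anonymous share enumeration and tighten the permissions on the custom shares), after which the same parser run against a fresh listing should return an empty list.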