[*] domain on tcp/53

    [-] Use dnsrecon to bruteforce subdomains of a DNS domain.

        dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt

    [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.

        dnsrecon -n escape.htb -d 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_default_manual.txt

[*] msrpc on tcp/135

    [-] RPC Client:

        rpcclient -p 135 -U "" escape.htb

[*] netbios-ssn on tcp/139

    [-] Bruteforce SMB

        crackmapexec smb escape.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

    [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

        nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" escape.htb

[*] ldap on tcp/389

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"

[*] microsoft-ds on tcp/445

    [-] Bruteforce SMB

        crackmapexec smb escape.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

    [-] Lookup SIDs

        impacket-lookupsid '[username]:[password]@escape.htb'

    [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

        nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" escape.htb

[*] ldap on tcp/636

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:636 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp636/tcp_636_ldap_all-entries.txt"

[*] ms-sql-s on tcp/1433

    [-] (sqsh) interactive database shell:

        sqsh -U -P -S escape.htb:1433

[*] ldap on tcp/3268

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"

[*] ldap on tcp/3269

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:3269 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp3269/tcp_3269_ldap_all-entries.txt"

[*] wsman on tcp/5985

    [-] Bruteforce logins:

        crackmapexec winrm escape.htb -d 'escape.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'

    [-] Check login (requires credentials):

        crackmapexec winrm escape.htb -d 'escape.htb' -u '' -p ''

    [-] Evil WinRM (gem install evil-winrm):

        evil-winrm -u '' -p '' -i escape.htb
        evil-winrm -u '' -H '' -i escape.htb

[*] msrpc on tcp/49667

    [-] RPC Client:

        rpcclient -p 49667 -U "" escape.htb

[*] msrpc on tcp/49678

    [-] RPC Client:

        rpcclient -p 49678 -U "" escape.htb

[*] msrpc on tcp/49698

    [-] RPC Client:

        rpcclient -p 49698 -U "" escape.htb

[*] msrpc on tcp/49702

    [-] RPC Client:

        rpcclient -p 49702 -U "" escape.htb

[*] msrpc on tcp/60738

    [-] RPC Client:

        rpcclient -p 60738 -U "" escape.htb

[*] domain on tcp/53

    [-] Use dnsrecon to bruteforce subdomains of a DNS domain.

        dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt

    [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.

        dnsrecon -n escape.htb -d 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/tcp53/tcp_53_dnsrecon_default_manual.txt

[*] msrpc on tcp/135

    [-] RPC Client:

        rpcclient -p 135 -U "" escape.htb

[*] netbios-ssn on tcp/139

    [-] Bruteforce SMB

        crackmapexec smb escape.htb --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

    [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

        nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" escape.htb

[*] ldap on tcp/389

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp389/tcp_389_ldap_all-entries.txt"

[*] microsoft-ds on tcp/445

    [-] Bruteforce SMB

        crackmapexec smb escape.htb --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"

    [-] Lookup SIDs

        impacket-lookupsid '[username]:[password]@escape.htb'

    [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:

        nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/htb/escape/results/escape.htb/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/htb/escape/results/escape.htb/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" escape.htb

[*] ldap on tcp/636

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:636 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp636/tcp_636_ldap_all-entries.txt"

[*] ms-sql-s on tcp/1433

    [-] (sqsh) interactive database shell:

        sqsh -U -P -S escape.htb:1433

[*] ldap on tcp/3268

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp3268/tcp_3268_ldap_all-entries.txt"

[*] ldap on tcp/3269

    [-] ldapsearch command (modify before running):

        ldapsearch -x -D "" -w "" -H ldap://escape.htb:3269 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "/home/simon/htb/escape/results/escape.htb/scans/tcp3269/tcp_3269_ldap_all-entries.txt"

[*] wsman on tcp/5985

    [-] Bruteforce logins:

        crackmapexec winrm escape.htb -d 'escape.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'

    [-] Check login (requires credentials):

        crackmapexec winrm escape.htb -d 'escape.htb' -u '' -p ''

    [-] Evil WinRM (gem install evil-winrm):

        evil-winrm -u '' -p '' -i escape.htb
        evil-winrm -u '' -H '' -i escape.htb

[*] msrpc on tcp/49667

    [-] RPC Client:

        rpcclient -p 49667 -U "" escape.htb

[*] msrpc on tcp/49674

    [-] RPC Client:

        rpcclient -p 49674 -U "" escape.htb

[*] msrpc on tcp/49696

    [-] RPC Client:

        rpcclient -p 49696 -U "" escape.htb

[*] msrpc on tcp/49703

    [-] RPC Client:

        rpcclient -p 49703 -U "" escape.htb

[*] msrpc on tcp/53254

    [-] RPC Client:

        rpcclient -p 53254 -U "" escape.htb

[*] domain on udp/53

    [-] Use dnsrecon to bruteforce subdomains of a DNS domain.

        dnsrecon -n escape.htb -d escape.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt

    [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.

        dnsrecon -n escape.htb -d 2>&1 | tee /home/simon/htb/escape/results/escape.htb/scans/udp53/udp_53_dnsrecon_default_manual.txt