
2. Service and Version Detection

Now that the full TCP scan has revealed open ports such as:

88/tcp     open  kerberos-sec       # Kerberos authentication for domain logins
135/tcp    open  msrpc              # Microsoft RPC endpoint mapper
139/tcp    open  netbios-ssn        # NetBIOS session service (legacy file sharing)
389/tcp    open  ldap               # LDAP directory service (domain controller indicator)
445/tcp    open  microsoft-ds       # SMB over TCP for file sharing and remote access
464/tcp    open  kpasswd5           # Kerberos password change service
593/tcp    open  http-rpc-epmap     # RPC over HTTP, used for remote management
636/tcp    open  ldapssl            # LDAP over SSL/TLS (secure LDAP)
3268/tcp   open  globalcatLDAP      # Global Catalog LDAP (non-SSL)
3269/tcp   open  globalcatLDAPssl   # Global Catalog LDAP over SSL

Tool Used: nmap

The next step is to identify the services running on those ports and their versions. This is important because once you know the version, you can check if there are any known vulnerabilities (CVEs).

✅ Use this Nmap command:

nmap -sV -p 88,135,139,389,445,464,593,636,3268,3269 -Pn 192.168.10.4

Explanation:

  • -sV → Detects the service and version

  • -p → Tells Nmap which ports to scan

  • -Pn → Skips ping (treats the host as alive)

Optional (more aggressive scan):

If you want more detail, such as OS detection and default script scanning, add -A:

nmap -sV -A -p 88,135,139,389,445,464,593,636,3268,3269 -Pn 192.168.10.4

⚠️ Warning: -A is far noisier than -sV alone (OS fingerprinting plus NSE scripts), so it is much more likely to trigger alerts on the target or on network monitoring.
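The point of -sV is that the product and version strings it returns are what you later feed into a CVE lookup. A convenient way to keep those strings is to save the scan as XML (-oX) and parse it. The script below is an added example, not part of this lab or of nmap; it parses the XML format nmap writes, distinguishes services nmap actually probed (method="probed") from names that were only guessed from the port table (method="table", no version to look up), and flags a host whose open-port set matches the domain-controller pattern from the list above. The embedded XML is a constructed sample with placeholder product strings and the documentation address 192.0.2.10, not real output from the lab host.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX -` output. Product strings
# and the host address are placeholders, not results from the lab target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -Pn -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="88">
        <state state="open"/>
        <service name="kerberos-sec" product="Microsoft Windows Kerberos" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="389">
        <state state="open"/>
        <service name="ldap" product="Microsoft Windows Active Directory LDAP"
                 extrainfo="Domain: lab.local" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3268">
        <state state="open"/>
        <service name="ldap" product="Microsoft Windows Active Directory LDAP" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Open-port combination that the port list above treats as a DC indicator.
DC_INDICATOR_PORTS = {88, 389, 445, 3268}


def parse_nmap_xml(xml_text):
    """Map each IPv4 host to a list of per-port dicts (port, state, service fields)."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "name": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                "extrainfo": get("extrainfo", ""),
                # "probed" = nmap matched a banner; "table" = guessed from the port number only
                "method": get("method", ""),
                "conf": int(get("conf", "0")),
            })
        results[addr.get("addr")] = entries
    return results


def open_ports(entries):
    return {e["port"] for e in entries if e["state"] == "open"}


def looks_like_domain_controller(entries):
    return DC_INDICATOR_PORTS.issubset(open_ports(entries))


def unconfirmed_services(entries):
    """Open ports whose service name was never probed, so there is no version to check."""
    return sorted(e["port"] for e in entries if e["state"] == "open" and e["method"] != "probed")


def inventory_lines(results):
    """Human-readable summary, one line per open port, plus the DC flag per host."""
    lines = []
    for ip, entries in results.items():
        lines.append(f"{ip} dc_pattern={looks_like_domain_controller(entries)}")
        for e in entries:
            if e["state"] != "open":
                continue
            ver = " ".join(x for x in (e["product"], e["version"], e["extrainfo"]) if x) or "(no version)"
            lines.append(f"  {e['port']}/{e['proto']} {e['name']:<14} {ver}  [{e['method']}, conf {e['conf']}]")
        if unconfirmed_services(entries):
            lines.append(f"  unverified (port-table only): {unconfirmed_services(entries)}")
    return lines


if __name__ == "__main__":
    # Usage: nmap -sV -p ... -Pn -oX scan.xml <host>; python3 this.py scan.xml
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print("\n".join(inventory_lines(parse_nmap_xml(xml_text))))
```

Ports reported as "table" with a low conf value are the ones to re-check (for example with a targeted -sV --version-intensity run) before concluding anything about their version, since a name guessed from the port number alone gives you nothing to match against a CVE database.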


Last updated 25 days ago