Machine IP: 10.10.11.90
Difficulty: Medium
Target OS: Windows

Reconnaissance Phase

Initial Port Scanning — Deep Dive

The reconnaissance phase is the foundation of any penetration test. We used Nmap with aggressive scanning options to perform comprehensive service enumeration:

nmap -p 1-65535 -T4 -A -v 10.10.11.90

Command Breakdown:

  • -p 1-65535: Scans all 65,535 TCP ports

  • -T4: Sets timing template to "aggressive" (fast scan)

  • -A: Enables OS detection, version detection, script scanning, and traceroute

  • -v: Verbose output for real-time results

What We Discovered:

  • Only one open port — 1433/TCP running Microsoft SQL Server 2022 RTM (16.00.1000.00)

  • NTLM leakage in SSL handshake revealed the hostname: DC01.SIGNED.HTB (domain controller)

  • The service presents a self-signed TLS certificate (common name SSL_Self_Signed_Fallback), so clients cannot verify the server's identity

Attack Surface Summary

  • Single Point of Entry via MSSQL

  • Domain Controller Context: SQL Server on a DC

  • Test/Prod Crossover: Self-signed SSL in a domain context
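As an added example (not part of the original writeup), the Python below parses nmap's XML output (-oX) and raises the three points of the summary above as defender-side flags. The XML sample is constructed to mirror the reported result, and the "DC" hostname prefix check is an assumed naming heuristic, not something nmap reports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format, mirroring the scan result described
# above; key names follow the ms-sql-ntlm-info and ssl-cert scripts, but this
# XML is hand-written, not real scanner output.
SAMPLE_XML = """<nmaprun><host><address addr="10.10.11.90" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1433"><state state="open"/>
 <service name="ms-sql-s" product="Microsoft SQL Server 2022" version="16.00.1000.00"/>
 <script id="ms-sql-ntlm-info" output="">
  <elem key="NetBIOS_Computer_Name">DC01</elem>
  <elem key="DNS_Computer_Name">DC01.SIGNED.HTB</elem></script>
 <script id="ssl-cert" output="">
  <table key="subject"><elem key="commonName">SSL_Self_Signed_Fallback</elem></table>
  <table key="issuer"><elem key="commonName">SSL_Self_Signed_Fallback</elem></table></script>
</port></ports></host></nmaprun>"""

def parse_ports(xml_text):
    """One dict per open port: service, NTLM host details and certificate CNs."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            entry = {"addr": addr, "port": int(port.get("portid")),
                     "service": svc.get("name") if svc is not None else None}
            for script in port.iter("script"):
                if script.get("id") == "ms-sql-ntlm-info":
                    entry["ntlm"] = {e.get("key"): e.text for e in script.iter("elem")}
                elif script.get("id") == "ssl-cert":
                    entry["cert"] = {t.get("key"): t.find("elem[@key='commonName']").text
                                     for t in script.iter("table")}
            results.append(entry)
    return results

def triage(entries):
    """Flag the exposure patterns listed in the summary above (defender-side checks)."""
    flags = []
    for e in entries:
        ntlm, cert = e.get("ntlm", {}), e.get("cert", {})
        host = ntlm.get("DNS_Computer_Name", "")
        if e["service"] == "ms-sql-s":
            flags.append(f"{e['addr']}:{e['port']} MSSQL reachable from the network")
        if host:
            flags.append(f"hostname disclosed before authentication via NTLM: {host}")
        if host.upper().startswith("DC"):  # assumed naming heuristic; confirm against AD
            flags.append(f"SQL Server appears to sit on a domain controller: {host}")
        if cert and cert.get("subject") == cert.get("issuer"):
            flags.append(f"self-signed TLS certificate ({cert['subject']}); identity unverifiable")
    return flags
```

Feed it a real `nmap -oX scan.xml` file with `parse_ports(open("scan.xml").read())` to get the same flags for your own hosts.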
