4. Reconnaissance

4.1 - Full Port Nmap Scan
nmap -sC -sV -T4 -p- 10.129.202.43 --open -oN nmap_full.txt
Key results:
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
443/tcp  open  https
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap
3268/tcp open  ldap          (Global Catalog)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp open  mc-nmf

Host script results:
|_clock-skew: mean: 7h03m29s, deviation: 0s, median: 7h03m29s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
4.2 - SMB Time Check
nmap -sV --script smb2-time -p 445 10.129.202.43
PORT    STATE SERVICE
445/tcp open  microsoft-ds?

Host script results:
| smb2-time:
|   date: 2026-03-01T22:11:44
|_  start_date: N/A
Critical observation: The DC's clock reads 2026-03-01T22:11:44 UTC, while the attacker machine was at 2026-03-01 15:08:00 IST (~09:38 UTC). That is a +7h03m skew. Kerberos tolerates a clock difference of at most ±5 minutes by default, so every ticket request would be rejected until the attacker's clock is synchronised with the DC. Must sync before proceeding.
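To make the skew check repeatable, here is an added helper script (not part of the original writeup) that pulls the `date:` field out of `smb2-time` output, converts both timestamps to Unix epoch seconds with pure shell arithmetic (no dependency on GNU `date -d`), and reports whether the difference is within the 5-minute Kerberos tolerance. The DC timestamp is the one from the scan above; the attacker-side timestamp `2026-03-01T15:08:15` is a constructed value chosen so the result matches the 7h03m29s skew nmap reported. Both timestamps are assumed to be UTC.

```shell
#!/usr/bin/env bash
# Added example: compute DC-vs-local clock skew from nmap smb2-time output
# and decide whether Kerberos (default tolerance: 300 s) will accept it.

KRB_MAX_SKEW=300   # Kerberos default maximum clock skew, in seconds

# Constructed sample of the nmap smb2-time script output (same values as the scan).
SAMPLE_SMB2_TIME='| smb2-time:
|   date: 2026-03-01T22:11:44
|_  start_date: N/A'

# Extract the "date:" value (YYYY-MM-DDTHH:MM:SS) from smb2-time output on stdin.
parse_smb2_time() {
    sed -n 's/.*date: \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}T[0-9:]\{8\}\).*/\1/p' | head -n 1
}

# Convert an ISO-8601 UTC timestamp (YYYY-MM-DDTHH:MM:SS) to Unix epoch seconds.
# Uses the days-from-civil algorithm so it works in any POSIX shell with arithmetic.
to_epoch() {
    local ts=$1 rest y m d H M S era yoe mp doy doe days
    y=${ts%%-*};  rest=${ts#*-}
    m=${rest%%-*}; rest=${rest#*-}
    d=${rest%%T*}; rest=${rest#*T}
    H=${rest%%:*}; rest=${rest#*:}
    M=${rest%%:*}; S=${rest#*:}
    # 10# prefix prevents "08"/"09" from being read as invalid octal
    y=$((10#$y)); m=$((10#$m)); d=$((10#$d)); H=$((10#$H)); M=$((10#$M)); S=$((10#$S))
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$(( (y >= 0 ? y : y - 399) / 400 ))
    yoe=$(( y - era * 400 ))
    mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + H * 3600 + M * 60 + S ))
}

# Print signed skew in seconds: DC time minus local time.
kerberos_skew_seconds() {
    local dc_ts=$1 local_ts=$2
    echo $(( $(to_epoch "$dc_ts") - $(to_epoch "$local_ts") ))
}

# Return 0 if |skew| is within KRB_MAX_SKEW, 1 otherwise.
kerberos_skew_ok() {
    local skew abs
    skew=$(kerberos_skew_seconds "$1" "$2")
    abs=$(( skew < 0 ? -skew : skew ))
    [ "$abs" -le "$KRB_MAX_SKEW" ]
}

# Format seconds as HhMMmSSs for a quick read.
fmt_hms() {
    local s=$1 sign=""
    [ "$s" -lt 0 ] && sign="-" && s=$(( -s ))
    printf '%s%dh%02dm%02ds\n' "$sign" $((s / 3600)) $(((s % 3600) / 60)) $((s % 60))
}

# Demonstration on the constructed sample (attacker clock assumed to be 15:08:15 UTC).
DC_TIME=$(printf '%s\n' "$SAMPLE_SMB2_TIME" | parse_smb2_time)
LOCAL_TIME="2026-03-01T15:08:15"
SKEW=$(kerberos_skew_seconds "$DC_TIME" "$LOCAL_TIME")
echo "DC time:    $DC_TIME"
echo "Local time: $LOCAL_TIME"
echo "Skew:       $(fmt_hms "$SKEW") ($SKEW s)"
if kerberos_skew_ok "$DC_TIME" "$LOCAL_TIME"; then
    echo "Within Kerberos tolerance"
else
    echo "Outside Kerberos tolerance: sync clock to the DC before any Kerberos auth"
fi
```

To run against a live host, pipe the real scan output in instead of the sample: `nmap -sV --script smb2-time -p 445 <target> | parse_smb2_time`, and pass `$(date -u +%Y-%m-%dT%H:%M:%S)` as the local timestamp. The check is deliberately sign-aware so a DC that is behind the attacker's clock is flagged just like one that is ahead.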