# Enumeration

## Nmap

```bash
nmap -p- -T5 -v 10.200.101.200
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 06:33 CDT
Initiating Ping Scan at 06:33
Scanning 10.200.101.200 [2 ports]
Completed Ping Scan at 06:33, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:33
Completed Parallel DNS resolution of 1 host. at 06:33, 0.02s elapsed
Initiating Connect Scan at 06:33
Scanning 10.200.101.200 [65535 ports]
Discovered open port 80/tcp on 10.200.101.200
Discovered open port 22/tcp on 10.200.101.200
Discovered open port 443/tcp on 10.200.101.200
Discovered open port 10000/tcp on 10.200.101.200
Connect Scan Timing: About 12.39% done; ETC: 06:38 (0:03:39 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 27.92% done; ETC: 06:37 (0:02:30 remaining)
Connect Scan Timing: About 46.32% done; ETC: 06:37 (0:01:42 remaining)
Connect Scan Timing: About 67.03% done; ETC: 06:36 (0:00:58 remaining)
Connect Scan Timing: About 78.85% done; ETC: 06:37 (0:00:42 remaining)
Completed Connect Scan at 06:37, 203.75s elapsed (65535 total ports)
Nmap scan report for 10.200.101.200
Host is up (0.13s latency).
Not shown: 65341 filtered tcp ports (no-response), 188 filtered tcp ports (host-unreach)
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
443/tcp   open   https
1337/tcp  closed waste
9090/tcp  closed zeus-admin
10000/tcp open   snet-sensor-mgmt

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 203.95 seconds

```

<pre class="language-bash"><code class="lang-bash">nmap -p 80,22,443,1337,9090,10000 -sC -sV -T5 10.200.101.200 -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 06:38 CDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating Ping Scan at 06:38
Scanning 10.200.101.200 [2 ports]
Completed Ping Scan at 06:38, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:38
Completed Parallel DNS resolution of 1 host. at 06:38, 0.02s elapsed
Initiating Connect Scan at 06:38
Scanning 10.200.101.200 [6 ports]
Discovered open port 443/tcp on 10.200.101.200
Discovered open port 80/tcp on 10.200.101.200
Discovered open port 22/tcp on 10.200.101.200
Discovered open port 10000/tcp on 10.200.101.200
Completed Connect Scan at 06:38, 0.13s elapsed (6 total ports)
Initiating Service scan at 06:38
Scanning 4 services on 10.200.101.200
Completed Service scan at 06:39, 12.71s elapsed (4 services on 1 host)
NSE: Script scanning 10.200.101.200.
Initiating NSE at 06:39
Completed NSE at 06:39, 30.21s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 1.98s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Nmap scan report for 10.200.101.200
Host is up (0.14s latency).

PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 9c:1b:d4:b4:05:4d:88:99:ce:09:1f:c1:15:6a:d4:7e (RSA)
|   256 93:55:b4:d9:8b:70:ae:8e:95:0d:c2:b6:d2:03:89:a4 (ECDSA)
|_  256 f0:61:5a:55:34:9b:b7:b8:3a:46:ca:7d:9f:dc:fa:12 (ED25519)
80/tcp    open   http       Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_http-title: Did not follow redirect to https://thomaswreath.thm
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp   open   ssl/http   Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_ssl-date: TLS randomness does not represent time
|_http-title: Thomas Wreath | Developer
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=thomaswreath.thm/organizationName=Thomas Wreath Development/stateOrProvinceName=East Riding Yorkshire/countryName=GB
| Issuer: commonName=thomaswreath.thm/organizationName=Thomas Wreath Development/stateOrProvinceName=East Riding Yorkshire/countryName=GB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-19T11:23:08
| Not valid after:  2025-03-19T11:23:08
| MD5:   854b:decd:2f80:b6c8:d722:bf7b:d7f2:3a85
|_SHA-1: da64:6ac2:b1e8:1aaf:ee99:c299:6c0b:fecc:e466:e851
1337/tcp  closed waste
9090/tcp  closed zeus-admin
<strong>10000/tcp open   http       MiniServ 1.890 (Webmin httpd)
</strong>|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: FEECEDA60440F51CE9A184164C935677

NSE: Script Post-scanning.
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.53 seconds

</code></pre>

```bash
echo "10.200.101.200 thomaswreath.thm" | sudo tee -a /etc/hosts
```

