Step 1. Reconnaissance & Enumeration
Step 2. Initial Foothold
Step 3. Privilege Escalation
Manual Addition instead of aclpwn
Using ACLPWN

Step 1. Reconnaissance & Enumeration

nmap was taking a long time, so masscan was used to scan all ports of the Forest machine.

    masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000

    nmap -Pn -n -sC -sV -p<port numbers> 10.10.10.161 -oA version_scan

    Host script results:
    |_clock-skew: mean: 2h29m01s, deviation: 4h02m30s, median: 9m01s
    | smb-os-discovery:
    |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.