Cont'd Nmap

Today, I'll continue the Nmap Enumeration module. I invite you to read day 1 first.

This post will break down each command in HTB Academy and provide a different perspective on some concepts rather than a detailed explanation of what Nmap can do. If you are going to try this module for yourself, go to the Nmap module in Hack The Box. If you want to sign up, use my referral link to register and win cubes with me!

Breaking down Service Version Detection

The first command we have is nmap 10.129.2.47 -p- -sV

From the previous commands we already know that -p- scans all 65535 TCP ports instead of the default top 1000, but -sV has not been explored yet: it sends service probes to every open port and tries to identify the service and its version (the VERSION column in the output), instead of just guessing the service from the port number.

I ran the command with only -sV and the output is almost the same.

Nmap using -sV

Without -p-, -sV only probes the default 1000 most common ports, which is why it is faster; adding -p- makes the scan far more extensive (all 65535 ports), and a service listening on a non-standard port is missed without it.

And -p- without -sV displays a scan we've seen before: open ports only, with the service name guessed from Nmap's port table rather than detected from the service itself:

Nmap using -p-

Then we get --stats-every=_s, where the value is the interval in seconds between progress reports. Scans can be very slow, so this flag is going in my notebook, since I often find myself spamming the space bar to know the progress of my scan (pressing any key while a scan runs prints the same progress estimate once). Along with this one: -v, which raises verbosity and shows open ports as soon as they are found instead of only in the final summary!

Nmap using -v

In Banner Grabbing, we are introduced to banners: the text a service sends on its own as soon as a connection is opened (an SSH version string, an SMTP greeting, and so on). Nmap's -sV builds much of its version guess from such responses, and with --packet-trace it shows detailed internal logging of the probes it sends and the bytes it gets back, so you can see exactly where the version information came from. Not every service speaks first: HTTP, for instance, waits for a request, so there is no banner to grab on a bare connection.
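As an added example (not code from the HTB module or the original post), here is the banner-grabbing idea done by hand in Python against a constructed local service. The SSH banner string, the throwaway listener and the port numbers are all made up for the example; the point is that a banner is just what the server writes first, and that a service which waits for the client (the speak_first=False case) yields nothing this way:

```python
import socket
import threading

# Constructed sample banner served by a throwaway local listener; no real host.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


def start_fake_service(banner=SAMPLE_BANNER, speak_first=True):
    """Start a one-shot TCP listener on 127.0.0.1 that either sends `banner`
    as soon as a client connects (like SSH, SMTP, FTP) or stays silent and
    waits for the client to talk first (like HTTP). Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if speak_first:
                conn.sendall(banner)
            else:
                conn.settimeout(3.0)
                try:
                    conn.recv(1024)  # wait for a request that never comes
                except socket.timeout:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=1.0):
    """Connect and return whatever the service sends unprompted, which is what
    `nc -nv host port` shows and what Nmap's first (NULL) version probe reads.
    Returns None if nothing arrives within `timeout`: the service expects the
    client to speak first, so there is no banner to grab this way."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    text = data.decode("utf-8", errors="replace").strip()
    return text or None


def parse_ssh_banner(banner):
    """Split an SSH identification string (RFC 4253 section 4.2):
    'SSH-<protoversion>-<softwareversion> [comments]'."""
    if not banner or not banner.startswith("SSH-"):
        return None
    ident, _, comments = banner.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        return None
    return {"protocol": parts[1], "software": parts[2], "comments": comments}


if __name__ == "__main__":
    port = start_fake_service()
    banner = grab_banner("127.0.0.1", port)
    print("banner:", banner)
    print("parsed:", parse_ssh_banner(banner))
    quiet = start_fake_service(speak_first=False)
    print("silent service:", grab_banner("127.0.0.1", quiet))
```

Against a real host you would call grab_banner with the target's IP and port; the timeout is what turns "the service is waiting for me" into a clean None rather than a hang.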

Breaking down Nmap Scripting Engine: Walkthrough

This section introduces -sC and --script. -sC runs the scripts in the default category (the same as --script default), while --script lets us name specific scripts, categories, or comma-separated combinations of both.

Now, what scripts are there? Typing locate *.nse lists the script files installed with Nmap (on Linux usually under /usr/share/nmap/scripts/, which also holds the script.db index that --script consults). If we're looking for a specific protocol, we can grep the output, since scripts are named after the protocol they target (smb-*, http-*, ssh-* and so on).
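As an added example (not part of the HTB module or this post), the snippet below parses a constructed excerpt in the format of Nmap's script.db and answers the two questions above: which scripts target a protocol (the grep) and which scripts a given --script selector or -sC would pick. The script names are real, but the category lists are typed in as sample data; check your own script.db for the authoritative ones. The selector handling is a simplification: Nmap also accepts boolean expressions such as "default and not intrusive", which this does not parse.

```python
import re

# Constructed excerpt in the format of Nmap's script.db (the index that
# --script and -sC consult). Script names are real; treat the category
# lists as sample data, not as a copy of the installed file.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "safe", "default", "discovery", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Map script filename -> set of categories."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        db[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def scripts_in_category(db, category):
    """All scripts tagged with one category, e.g. "vuln" or "default"."""
    return sorted(name for name, cats in db.items() if category in cats)


def scripts_for_protocol(db, protocol):
    """Same idea as `locate *.nse | grep smb`: scripts are named <protocol>-<what>.nse."""
    return sorted(name for name in db if name.startswith(protocol + "-"))


def select_scripts(db, selector):
    """Resolve a comma-separated --script argument where each item is a
    category or a script name (with or without .nse). -sC is equivalent to
    select_scripts(db, "default"). Unknown items select nothing here, where
    real Nmap would abort with an error."""
    chosen = set()
    for item in selector.split(","):
        item = item.strip()
        if not item:
            continue
        if item in db:
            chosen.add(item)
        elif item + ".nse" in db:
            chosen.add(item + ".nse")
        else:
            chosen.update(scripts_in_category(db, item))
    return sorted(chosen)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("smb scripts:", scripts_for_protocol(db, "smb"))
    print("-sC would run:", select_scripts(db, "default"))
    print("--script vuln,smb-enum-shares:", select_scripts(db, "vuln,smb-enum-shares"))
```

Note from the sample that smb-enum-shares is tagged intrusive and not default, so -sC would never run it; that is the kind of thing worth checking before assuming a default scan "covered" a protocol.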

This will be a walkthrough for this section's flag. I'll use -sC, --script and other options to achieve this.

We'll start analyzing the IP with the flag -A, which stands for aggressive and combines -sV (version detection), -O (OS detection), --traceroute and -sC (default scripts), which is a lot at once.

Running that produces a very large output that is kind of hard to read. The open ports are 22, 80, 110, 139, 143, 445 and 31337.

nmap -A flag

From the scripts, we get the following:

Nmap -A scripts part

We have SMB reachable on both 139 and 445. According to this website, port 139 carries SMB over the NetBIOS session service (NetBIOS over TCP/IP), an older transport layer, while port 445 carries SMB directly over TCP without NetBIOS. Basically, SMB over NetBIOS on port 139 did not work well across the internet and was limited to local networks, while SMB on port 445 is used both locally and over the internet. I'll focus on 445.

I ran nmap <ip> -p445 -sV --script exploit

Nmap script exploit

Then my first thought was to use smbclient, and I realized, since this is the second module on the Basic Toolset path, they are definitely not expecting us to use smbclient. So I went for a walk and a coffee and then ran a command again, this time using -sC --script vuln, and got the following output:

Nmap script vuln

And there it is: a /robots.txt file. Entering <ip>/robots.txt into a browser gives us the flag.

This section explains the Nmap Scripting Engine and how useful it is for getting an overview of service versions and potential vulnerabilities. HTB Academy enumerates the different categories of scripts, and I would suggest going through all of them!

Getting into Firewalls and IDS/IPS Evasion

Something to remember:

  • dropped packets receive no response; Nmap then reports the port as filtered, since it cannot tell a firewall drop from a lost packet

  • rejected packets receive an RST (or an ICMP unreachable message) back. An RST normally means the port is closed, so if we know the port is actually up, we can assume a firewall is rejecting our packets rather than the host answering

  • -sA uses TCP ACK scans while -sS uses TCP SYN scans.

A little about TCP: the TCP 3-way handshake has 3 steps. The client sends a SYN packet to initiate communication, the server confirms the SYN with a SYN-ACK, and finally the client sends an ACK packet. HTB Academy says that "the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network." This is because ACK packets look like they belong to an already-established connection. This works against stateless firewalls, which do not keep track of the connections that have been made; a stateful firewall knows there is no established connection the ACK belongs to and drops it. Note also that an ACK scan does not tell us whether a port is open: an RST back means unfiltered (the packet reached the host, which answers a stray ACK with RST whether the port is open or closed), no response means filtered, and that is all it reports.

  • Against an IDS we use the -D flag with RND:_ to generate random decoy source addresses (or a list of specific IPs), so that our real address is just one among many in the logs. Decoys should be hosts that are actually up; otherwise the target may end up SYN-flooded by retransmissions. It is recommended to have several VPSs: use one to find out whether an IDS is present and switch to the others once the first one is blocked.

  • If we want to specify a different source IP address ourselves, we use -S. Since replies then go to that address, this only helps when we can observe that traffic.
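To make the dropped/rejected and SYN/ACK bullets above concrete, here is an added example (my own model, not code from the HTB module or this post) that runs a SYN probe and an ACK probe through three simplified firewalls and reports the state Nmap would print. The firewall kinds, the "drop"/"reject" actions and the reply names are assumptions of the model: "stateless" blocks new SYNs but passes ACKs, "stateful" blocks anything not in a tracked connection. The interpretation table itself is the documented one for -sS and -sA.

```python
def host_reply(flag, port_open):
    """What the target host itself answers, without any firewall in the way.
    flag is the TCP flag we sent: "syn" (-sS) or "ack" (-sA)."""
    if flag == "syn":
        return "syn-ack" if port_open else "rst"
    # A bare ACK that belongs to no connection gets an RST from open and
    # closed ports alike, which is why an ACK scan cannot tell the two apart.
    return "rst"


def firewall_reply(kind, action, flag):
    """Return the firewall's own answer, or None if it passes the packet on.
    kind (assumed model):
      "none"      - no firewall
      "stateless" - blocks inbound SYN to the port but passes ACKs, since
                    without connection tracking it cannot tell an
                    unsolicited ACK from one belonging to a session
      "stateful"  - blocks anything not part of a tracked connection,
                    so both our SYN and our bare ACK
    action: "drop" (silent discard) or "reject" (answers with an RST)"""
    blocked = (kind == "stateless" and flag == "syn") or kind == "stateful"
    if not blocked:
        return None
    return "none" if action == "drop" else "rst"


def interpret(scan, reply):
    """Port state Nmap reports for one probe result. reply is "syn-ack",
    "rst", "none" (nothing came back) or "icmp-unreach" (ICMP type 3,
    code 1, 2, 3, 9, 10 or 13)."""
    table = {
        "syn": {"syn-ack": "open", "rst": "closed",
                "none": "filtered", "icmp-unreach": "filtered"},
        "ack": {"rst": "unfiltered", "none": "filtered",
                "icmp-unreach": "filtered"},
    }
    return table[scan][reply]


def probe(scan, port_open, fw_kind, fw_action="drop"):
    """Run one -sS ("syn") or -sA ("ack") probe through the modelled
    firewall and, if it gets through, the host."""
    flag = "syn" if scan == "syn" else "ack"
    reply = firewall_reply(fw_kind, fw_action, flag)
    if reply is None:
        reply = host_reply(flag, port_open)
    return interpret(scan, reply)


def compare_scans(port_open, fw_kind, fw_action="drop"):
    """States reported by a SYN scan and an ACK scan of the same port."""
    return {"syn": probe("syn", port_open, fw_kind, fw_action),
            "ack": probe("ack", port_open, fw_kind, fw_action)}


if __name__ == "__main__":
    for kind in ("none", "stateless", "stateful"):
        for action in ("drop", "reject"):
            print(f"open port, {kind:9} firewall, {action:6}:",
                  compare_scans(True, kind, action))
```

Two rows are worth staring at: a stateless firewall that drops SYNs gives "filtered" for -sS but "unfiltered" for -sA (the ACK got through, which is the evasion the module describes), and a rejecting firewall turns an open port into "closed" for -sS, which is the trap the second bullet warns about.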

If you're like me, DNS Proxying is a kind of difficult part to understand. I studied Computer Science for 4 years, and DNS was always some unknown but recognizable part of the computer science multiverse. So I'll attempt to explain this section for both of our sakes (you the reader and myself):

DNS is the protocol that translates domain names to IP addresses, like the Yellow Pages but for the internet. Queries go to port 53, over UDP or TCP. Since DNS translates domain names to IPs, a reverse DNS lookup goes the other way, from IP to domain name. Because these queries are small, they are usually sent over UDP, which is fast; TCP adds handshake overhead that is not worth it for a single small exchange. DNS does use TCP for zone transfers, the process of replicating the DNS records of a zone from one DNS server to another to keep secondary servers up to date. TCP is also used when a response is too large for a plain UDP reply (the classic limit is 512 bytes) and the truncated answer makes the client retry over TCP. As the internet has grown and expanded, DNS has come to use TCP more and more.

So, what Nmap lets us do is make our scan packets look like DNS traffic by sending them from TCP source port 53, because a firewall with a loose rule that lets port 53 traffic through (so that DNS answers can come back in) may accept them without checking whether they belong to a real DNS exchange. We do this by specifying --source-port 53. A stateful firewall that only allows replies to queries it has seen going out is not fooled by this. HTB Academy goes further and says that if traffic from port 53 is accepted, we might be able to connect to the filtered service with Netcat from that same source port: ncat -nv --source-port 53 10.129.2.28 50000
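What --source-port actually does at the socket level is bind the local end of the connection to a chosen port before connecting, instead of letting the OS pick an ephemeral one. As an added example (not code from Netcat, Nmap, HTB or this post), the snippet below does exactly that in Python against a constructed local listener that reports the source port it saw, which is the field a firewall rule on "sport" matches on. The listener and port number 40053 are assumptions for the example; binding to 53 itself is what the trick needs in practice, and that requires root or CAP_NET_BIND_SERVICE because it is below 1024.

```python
import socket
import threading


def start_port_reporter():
    """Constructed local listener that records the source port of the first
    client that connects, then exits. Returns (listening port, shared dict)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {"ready": threading.Event()}

    def serve():
        conn, peer = srv.accept()
        seen["sport"] = peer[1]  # the client's source port, as a firewall would see it
        conn.close()
        srv.close()
        seen["ready"].set()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen


def connect_from_source_port(host, port, source_port, timeout=2.0):
    """Equivalent of `ncat --source-port N host port` (and nmap's
    --source-port): bind the client socket to `source_port` before
    connecting. Returns the local port actually used. Ports below 1024,
    including 53, need root or CAP_NET_BIND_SERVICE."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", source_port))
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return s.getsockname()[1]
    finally:
        s.close()


def demo_source_port(source_port):
    """Start the reporter, connect to it from `source_port`, and return
    (port the client bound, port the listener saw); the two should match."""
    port, seen = start_port_reporter()
    used = connect_from_source_port("127.0.0.1", port, source_port)
    seen["ready"].wait(2.0)
    return used, seen.get("sport")


if __name__ == "__main__":
    print("client bound / server saw:", demo_source_port(40053))
```

Run it as root with 53 instead of 40053 to reproduce the ncat command from the module; the listener will report 53, and any rule that allows traffic purely because sport == 53 would let that connection through.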

  • -nv means: -n, do not do DNS resolution, and -v, produce verbose output


This is it for today. I'll continue tomorrow with a walkthrough of the Firewall and IDS/IPS Evasion labs. Thank you for reading; if you have any comments or would like to connect, I am always eager to chat on my LinkedIn.
