Firewalls and IDS

This post is a walkthrough of the lab. I won't display the flags, but I'll show how we go about obtaining them. I recommend downloading this FREE Nmap Cheat Sheet, which is based on the previous posts; it helped me get through these labs.

Breaking down Firewall and IDS/IPS Evasion: Easy Lab

For this lab, we need to find the operating system running on the server. I'll attempt the following command:

nmap 10.129.63.36 -A -F -Pn -n --disable-arp-ping --packet-trace --source-port=53 -f -D RND:5

Let's break down my reasoning:

  • -A enables aggressive scan mode (OS detection, version detection, script scanning and traceroute)

  • -F scans only the top 100 ports

  • -Pn -n --disable-arp-ping --packet-trace. These flags have been present throughout the module: -Pn skips host discovery (no ICMP echo requests), -n disables DNS resolution, --disable-arp-ping disables ARP ping, and --packet-trace prints every packet sent and received. From the module, we know the trace lets us see the TCP responses, check for RA (RST/ACK) replies, and spot rejected packets.

  • --source-port=53 sets the source port to 53 so the probes look like DNS traffic

  • -f fragments the packets into tiny pieces: a 24-byte packet is sent as three fragments of eight bytes each

  • -D RND:5 adds five randomly generated decoy IP addresses alongside our own

I'll run two scans: one with the flags --source-port=53 -f -D RND:5 and a second one without them. The number of alerts can be seen at <ip>/status.php; we start at 50/100.
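To see what these flags look like from the other side, here is an added example (not the lab's IDS and not from the module) with a toy detector for the three tricks, run over constructed packet records; the field names and the 10.10.14.5, 203.0.113.7 and 198.51.100.9 addresses are assumptions:

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    """One packet as a sensor might log it (assumed field names)."""
    ts: float       # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flags as nmap prints them, e.g. "S", "SA", "RA"
    mf: bool        # IP More-Fragments bit set
    frag_len: int   # bytes of layer-4 data in this IP packet

# Constructed capture: one scanner (10.10.14.5) plus two decoys, all sending
# SYNs from source port 53; the second probe is an 8-byte fragment (-f).
SAMPLE = [
    Pkt(0.00, "10.10.14.5", 53, "10.129.63.36", 22, "tcp", "S", False, 24),
    Pkt(0.01, "10.10.14.5", 53, "10.129.63.36", 80, "tcp", "S", True, 8),
    Pkt(0.02, "203.0.113.7", 53, "10.129.63.36", 22, "tcp", "S", False, 24),
    Pkt(0.03, "198.51.100.9", 53, "10.129.63.36", 22, "tcp", "S", False, 24),
    # A genuine DNS reply: UDP from port 53 to the client's ephemeral port.
    Pkt(0.50, "10.129.63.36", 53, "10.10.14.5", 40123, "udp", "", False, 90),
]

def detect(pkts, window=2.0, min_sources=3):
    """Return (rule, subject, detail) tuples for every rule that fires."""
    alerts, syns_by_dst = [], defaultdict(list)
    for p in pkts:
        # Rule 1: a bare SYN from port 53 to a non-DNS port is not DNS traffic.
        if p.proto == "tcp" and p.flags == "S" and p.sport == 53 and p.dport != 53:
            alerts.append(("SRC_PORT_53_SYN", p.src, p.dport))
        # Rule 2: a fragment too short to carry a whole TCP header (20 bytes).
        if p.mf and p.frag_len < 20:
            alerts.append(("TINY_FRAGMENT", p.src, p.dport))
        if p.proto == "tcp" and p.flags == "S":
            syns_by_dst[p.dst].append(p)
    # Rule 3: many distinct sources SYN-scanning one host inside a short
    # window is the signature of -D decoys (only one of them is real).
    for dst, probes in syns_by_dst.items():
        probes.sort(key=lambda q: q.ts)
        for i, first in enumerate(probes):
            srcs = {q.src for q in probes[i:] if q.ts - first.ts <= window}
            if len(srcs) >= min_sources:
                alerts.append(("POSSIBLE_DECOY_SCAN", dst, len(srcs)))
                break
    return alerts
```

Rule 1 is why --source-port=53 alone still raised so many alerts below: a SYN from port 53 is easy to tell apart from a real DNS answer.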

Running the command returns a large output that can be hard to read, and a rather interesting result:

Nmap quitting

But if we scroll through it, we can see the NSOCK trace and learn the operating system from the SSH banner:

NSOCK INFO [2.0230s] nsock_read(): Read request from IOD #1 [10.129.63.36:22] (timeout: 6000ms) EID 26
NSOCK INFO [2.0230s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [10.129.63.36:80]
Service scan sending probe NULL to 10.129.63.36:80 (tcp)
NSOCK INFO [2.0230s] nsock_read(): Read request from IOD #2 [10.129.63.36:80] (timeout: 6000ms) EID 34
NSOCK INFO [2.0700s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [10.129.63.36:22] (41 bytes): SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7..
Service scan hard match (Probe NULL matched with NULL line 3524): 10.129.63.36:22 is ssh.  Version: |OpenSSH|7.6p1 Ubuntu 4ubuntu0.7|Ubuntu Linux; protocol 2.0|
NSOCK INFO [2.0700s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [8.0270s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [10.129.63.36:80]
Service scan sending probe GetRequest to 10.129.63.36:80 (tcp)

We got the flag, and the IDS/IPS raised 5 alerts:

Alerts raised

But do --source-port=53 -f -D RND:5 really help? How many alerts do we trigger if we run the command without them?

nmap 10.129.63.36 -A -F -Pn -n --disable-arp-ping --packet-trace

We got detected (running it a second time raised approximately 50 alerts):

Nmap detected

Interestingly enough, we still got the open ports, and the -A flag worked:

Nmap scan report for 10.129.63.36
Host is up (0.029s latency).
Not shown: 60 closed tcp ports (reset), 38 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/17%OT=22%CT=7%CU=36034%PV=Y%DS=2%DC=T%G=Y%TM=671
OS:14E18%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=107%TI=Z%CI=Z%TS=1)SEQ(
OS:SP=103%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11N
OS:W7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88
OS:%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53C
OS:NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R
OS:=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   28.62 ms 10.10.14.1
2   28.87 ms 10.129.63.36

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.51 seconds

This makes me wonder: which flag stops -A from working?

Alerts | Response          | Command
67     | received response | nmap 10.129.63.36 -F -Pn -n --disable-arp-ping --packet-trace --source-port=53
62     | received response | nmap 10.129.63.36 -F -Pn -n --disable-arp-ping --packet-trace --source-port=53 -f
5      | no response       | nmap 10.129.63.36 -F -Pn -n --disable-arp-ping --packet-trace --source-port=53 -D RND:5

So the culprit is -D RND:5: even though the command returned this lab's flag, the scan itself got no response.

Technically, we also don't get the lab's flag from the scan response but from the SSH banner in the trace. I'll fix that by making the following changes:

  • Changing -A to -sV -O

  • Removing -D RND:5

And we get a proper response with only 17 alerts:

Nmap scan report for 10.129.63.36
Host is up (0.029s latency).
Not shown: 60 closed tcp ports (reset), 38 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/17%OT=22%CT=7%CU=31167%PV=Y%DS=2%DC=I%G=Y%TM=671
OS:1585D%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53
OS:CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.44 seconds

Breaking down Firewall and IDS/IPS Evasion: Medium Lab

For this lab, we want the DNS server version. If we google "DNS server version nmap", we learn that there is a script that can help us achieve our goal. Keeping in mind that there is an IDS/IPS, the command we'll use is the following:

nmap 10.129.192.108 -sS -sU -p53 --source-port=53 --script dns-nsid -Pn -n --disable-arp-ping -f

Let's break down the new flags:

  • -sS -sU runs a TCP SYN scan and a UDP scan

  • -p53 limits the scan to port 53, since that is where the DNS server listens

  • --script dns-nsid runs the NSE script that retrieves the DNS server's version

Once we run this command, we get a clean response with only 2 alerts:

Nmap scan report for 10.129.192.108
Host is up (0.031s latency).

PORT   STATE    SERVICE
53/tcp filtered domain
53/udp open     domain
| dns-nsid: 
|_  bind.version: HTB{flag}

Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds

There is another flag we could try: instead of -sS we can use -sA, and it returns the same response with 2 alerts.

If you're curious like me and specify both -sS and -sA, Nmap prints an error saying you specified more than one TCP scan type and quits.
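To see what dns-nsid actually asks the server, and what a defender's own check for this leak looks like, here is an added example (not the NSE script and not the lab's server) that builds the version.bind CH TXT query and parses a constructed reply; the script additionally requests an EDNS NSID option, which this example leaves out, and the "9.18.0-test" banner is made up:

```python
import struct

TXT, CHAOS = 16, 3   # DNS TYPE and CLASS values used for version.bind

def build_version_query(txid=0x1234):
    """The query dns-nsid (or `dig CH TXT version.bind`) sends, as raw bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"\x07version\x04bind\x00"                          # labels: version.bind
    return header + qname + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:         # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def parse_version_answer(msg):
    """Return the TXT strings of the first answer, or None if the server
    refused, errored, or answered with something other than a TXT record."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0 or an == 0:   # RCODE != NOERROR, or no answers
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    off = _skip_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TXT:
        return None
    rdata, texts, i = msg[off:off + rdlen], [], 0
    while i < len(rdata):              # TXT RDATA is a series of <len><chars>
        ln = rdata[i]
        texts.append(rdata[i + 1:i + 1 + ln].decode("ascii", "replace"))
        i += 1 + ln
    return texts

# Constructed reply from a server that still discloses its version (made-up
# banner); the answer name is a pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)
    + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, 12) + b"\x0b9.18.0-test"
)
```

A server that returns REFUSED or a non-TXT answer yields None, which is what you want to see from your own BIND once the version option in its options block is set to something other than the real version.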

Breaking down Firewall and IDS/IPS Evasion: Hard Lab

Finally, we are told that the admin took precautions and there is now more security. By now I've realized that --source-port=53 -f raises few alerts, so I won't focus as much on the alert count.

Since we're looking for a version of a service, I'll run the following command:

nmap 10.129.22.234 -sV -O --source-port=53 -f --script version -Pn -n --disable-arp-ping

which returns the following:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 15:35 CDT
Nmap scan report for 10.129.108.102
Host is up (0.029s latency).
Not shown: 869 closed tcp ports (reset), 128 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
50000/tcp open  tcpwrapped
|_drda-info: TIMEOUT
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/).

Port 50000 caught my eye, especially the drda-info: TIMEOUT. What is DRDA? According to nmap.org, DRDA (Distributed Relational Database Architecture) is a database protocol, used by IBM DB2.

Once a port catches your eye, see whether it is vulnerable. After locating the drda scripts (with locate *.nse | grep drda), we run the following:

nmap 10.129.22.234 -p50000 --source-port=53 -f --script drda-info,drda-brute --packet-trace

The result depends on the scan type:

  • -sS: port open, shows ibm-db2

  • -sA: port unfiltered, shows ibm-db2

  • -sU: port closed

Both TCP scans show that there are too many fingerprints. But if the port is open/unfiltered, we might be able to connect with ncat.

So we run ncat -nv --source-port=53 10.129.22.234 50000 and we successfully connect to the server:

$ sudo ncat -nv --source-port=53 10.129.22.234 50000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connected to 10.129.22.234:50000.
220 HTB{flag}

If you run the command and receive something like libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Permission denied (13), you might want to add sudo at the beginning of the ncat command, since binding to a port below 1024 requires root. I know this got me stuck for a while.

Now, we have successfully completed the Network Enumeration with Nmap Module!


Thank you for reading! In the next post I'll start with the Login Bruteforcing Module. There will be some C and some Python involved, so stay tuned for that. If you have any comments or would like to connect, I am always eager to chat on my LinkedIn.
