Network Enumeration with Nmap
Introduction
The following is a walkthrough of the questions in the module ‘Network Enumeration with Nmap’ on HTB Academy. I try my best to explain my process and why I am taking each action. This is not only to help myself gain a better understanding, but also to help anyone who is struggling with the enumeration process using Nmap.
Host Discovery
- Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.
# Last result in module
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
We can determine the likely OS by examining the TTL of the host’s reply on this line:
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Operating systems start packets with a small set of default TTLs (commonly 64, 128 and 255), and every router hop decrements the value by one, so the received TTL is read as the nearest default at or above it. This is a heuristic, not proof: an administrator can change the default, and a proxy or load balancer in front of the host answers with its own stack’s TTL.
TTL of 128 suggests [redacted]
Host and Port Scanning
- Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
A default scan already shows them. Without -p, Nmap probes only its top 1,000 TCP ports; the full -p- scan in the Different Formats section below finds no additional open ports on this host, so the count here is complete.
sudo nmap 10.129.228.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 09:01 EDT
Nmap scan report for 10.129.228.63
Host is up (0.026s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
The number of PORT lines in state open is the number of open TCP ports on the host (1,000 probed, 993 closed, the rest open).
- Enumerate the hostname of your target and submit it as the answer. (case-sensitive)
We can obtain the hostname by running a default script scan on the target:
sudo nmap -sC 10.129.228.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 08:59 EDT
Nmap scan report for 10.129.228.63
Host is up (0.022s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
| 256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_ 256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3
|_pop3-capabilities: RESP-CODES PIPELINING CAPA AUTH-RESP-CODE SASL UIDL TOP
139/tcp open netbios-ssn
143/tcp open imap
|_imap-capabilities: IMAP4rev1 ID IDLE more capabilities LITERAL+ SASL-IR listed LOGINDISABLEDA0001 LOGIN-REFERRALS have ENABLE Pre-login post-login OK
445/tcp open microsoft-ds
31337/tcp open Elite
Host script results:
|_clock-skew: mean: -39m50s, deviation: 1h09m16s, median: 9s
|_nbstat: NetBIOS name: [redacted], NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: [redacted]
| NetBIOS computer name: [redacted]\x00
| Domain name: \x00
| FQDN: [redacted]
|_ System time: 2024-05-17T15:00:00+02:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-17T13:00:00
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Nmap done: 1 IP address (1 host up) scanned in 36.34 seconds
Based on the script results, the nbstat and smb-os-discovery host scripts both report the name of the host. Note that the OS string Windows 6.1 is just what Samba advertises over SMB; the Samba build string and the Apache default page show the machine is actually running Ubuntu.
Different Formats
- Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.
sudo nmap -oX nmap.xml -p- 10.129.228.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 09:05 EDT
Nmap scan report for 10.129.228.63
Host is up (0.024s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
We can answer the question from the terminal output alone (the highest open port is the last PORT line); the HTML report is produced by converting the XML. -oX writes exactly the filename given (no .xml suffix is appended), and xsltproc relies on the stylesheet reference embedded in the XML, which by default points to nmap.xsl in Nmap’s data directory (pass --webxml when scanning to reference the copy hosted on nmap.org instead):
xsltproc nmap.xml -o nmap.html
Service Enumeration
- Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
We begin by enumerating the individual open ports. Nmap’s -sV probes each service for its version, and for a quick look at what a service says on connect we can banner grab with netcat:
nc 10.129.228.63 31337
220 [redacted flag]
Nmap Scripting Engine
- Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
We can run default scripts on the open ports to try and find the flag
sudo nmap -p22,80,110,139,143,445,31337 -sC 10.129.228.63
After looking at the results, we don’t see any flags. Let’s try to enumerate versions as well:
sudo nmap -p22,80,110,139,143,445,31337 -sC -sV 10.129.228.63
We still don’t get any flags, so we need to start specifying script categories or individual scripts. We also enumerate each port on its own to keep the output readable. Note that the vuln category is noisy and some of its scripts are intrusive, so it is not something to run against a production host without agreement:
sudo nmap -p80 --script vuln 10.129.228.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 09:47 EDT
Nmap scan report for 10.129.228.63
Host is up (0.023s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /robots.txt: Robots file
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
Nmap done: 1 IP address (1 host up) scanned in 30.91 seconds
The vuln category includes http-enum, which detected robots.txt. We can check http://HOST_IP/robots.txt in a browser for any interesting information; it contains the flag!
Lab - Easy
Now let’s get practical. A company hired us to test their IT security defenses, including their IDS and IPS systems. Our client wants to increase their IT security and will, therefore, make specific improvements to their IDS/IPS systems after each successful test. We do not know, however, according to which guidelines these changes will be made. Our goal is to find out specific information from the given situations.
We are only ever provided with a machine protected by IDS/IPS systems and can be tested. For learning purposes and to get a feel for how IDS/IPS can behave, we have access to a status web page at: http://TARGET_IP/status.php
Questions
- Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
We know that HTTP is running on port 80 because of the status page. That page keeps a count of IDS detections, so we want to be as quiet as possible during enumeration and touch only the port we already know about:
sudo nmap -sV 10.129.22.245 -Pn -p80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 23:00 EDT
Nmap scan report for 10.129.22.245
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 [Redacted]
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.36 seconds
The above does a service scan on port 80 only, with -Pn skipping host discovery so that no ping probes are sent first. The redacted part of the Apache version banner is what identifies the operating system.
Answer is: [Redacted]
Lab - Medium
After we conducted the first test and submitted our results to our client, the administrators made some changes and improvements to the IDS/IPS and firewall. We could hear that the administrators were not satisfied with their previous configurations during the meeting, and they could see that the network traffic could be filtered more strictly.
Questions
- After the configurations are transferred to the system, our client wants to know if it is possible to find out our target’s DNS server version. Submit the DNS server version of the target as the answer.
We know that DNS listens on port 53 and that ordinary queries use UDP (TCP/53 is used for zone transfers and oversized responses), so we target only that port with a UDP scan to keep IDS alerts to a minimum:
sudo nmap -sV 10.129.22.22 -Pn -p53 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 23:02 EDT
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.129.22.22
Host is up (0.060s latency).
PORT STATE SERVICE VERSION
53/udp open domain (unknown banner: [redacted]})
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
-Pn skips host discovery entirely (no ICMP echo, no TCP ping probes) and treats the target as up; -sU performs a UDP scan; -sV sends Nmap’s DNS service probes, which is what pulled the version string out of the server.
The version is revealed in the banner.
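Nmap’s version probe for UDP/53 works by asking the server a CHAOS-class TXT query for the name version.bind, which BIND-style servers answer with their version string. The following added example (not from the original page and not Nmap’s code) builds that query, parses the TXT answer, and includes a hand-constructed response so the parser can be exercised offline; the version text in that response is made up, not the lab’s answer. query_version() is the live variant that would send the query to a real server on UDP/53 and is not run here.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3   # CHAOS class: where version.bind / hostname.bind live


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=0x1337):
    """Build the CHAOS-class TXT query for version.bind (one question, RD set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name starting at offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(data, expected_txid=None):
    """Extract TXT strings from a DNS response; raise ValueError on a bad id or RCODE."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4     # skip QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_TXT:
            pos = 0                               # TXT rdata: one or more <len><chars> strings
            while pos < len(rdata):
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return texts


def query_version(server, timeout=3.0):
    """Live variant: send the query to server:53 over UDP and return the TXT strings."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data, expected_txid=txid)


def constructed_response(txid=0x1337, text="9.x-constructed-example"):
    """Hand-built reply in the shape a BIND server sends, for offline testing.
    The version string is made up for this example."""
    question = encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    rdata = bytes([len(text)]) + text.encode("ascii")
    # 0xC00C = pointer back to the question name at offset 12; TTL 0; then the TXT rdata
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(parse_txt_answers(constructed_response(), expected_txid=0x1337))
```

The transaction-id check matters even for a one-off probe: a UDP reply from anyone can land on the socket, and a resolver that refuses the CHAOS query answers with a non-zero RCODE (typically REFUSED) rather than a TXT record, which the parser reports instead of returning an empty list silently.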
Lab - Hard
With our second test’s help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems. As our client told us, the training would last one week. Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified.
Questions
- Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
First we must find the open ports, checking whether the firewall accepts packets sent from TCP source port 53 (a common firewall exception meant for DNS traffic):
sudo nmap 10.129.2.47 -sS -Pn -n --disable-arp-ping --source-port 53 -p- -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 23:18 EDT
Initiating SYN Stealth Scan at 23:18
Scanning 10.129.2.47 [65535 ports]
Discovered open port 80/tcp on 10.129.2.47
Discovered open port 22/tcp on 10.129.2.47
SYN Stealth Scan Timing: About 24.73% done; ETC: 23:20 (0:01:34 remaining)
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 27.24% done; ETC: 23:21 (0:01:55 remaining)
Discovered open port 50000/tcp on 10.129.2.47
<SNIP>
We stop the scan as soon as 50000 appears, since it is a non-standard port and the most likely place for the changed service. We then run -sV against it alone to see what is running:
sudo nmap 10.129.2.47 -sS -sV -Pn -n --disable-arp-ping --source-port 53 -p50000 -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 23:27 EDT
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 23:27
Scanning 10.129.2.47 [1 port]
Completed SYN Stealth Scan at 23:27, 0.11s elapsed (1 total ports)
Initiating Service scan at 23:27
NSE: Script scanning 10.129.2.47.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 23:27
Completed NSE at 23:27, 0.00s elapsed
Nmap scan report for 10.129.2.47
Host is up, received user-set (0.093s latency).
Scanned at 2024-05-16 23:27:11 EDT for 0s
PORT STATE SERVICE REASON VERSION
50000/tcp open tcpwrapped syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.55 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
Port 50000 shows as open when targeted, but the service is reported as tcpwrapped and no banner or flag comes back: the TCP handshake completed, yet the connection was closed before Nmap’s version probes got a response. Since the firewall has been accepting our packets from source port 53, we try the full connection from that source port ourselves.
We can try to connect to the port directly using netcat:
netcat -nv -p 53 10.129.2.47 50000
(UNKNOWN) [10.129.2.47] 50000 (?) open
220 [redacted]
421 Login timeout (300 seconds): closing control connection
-p sets the local source port (binding port 53 requires root, just as the Nmap scan did). The 220 greeting line carries the service’s version string, and the later 421 message is the server closing the idle control connection after its timeout.
We have successfully identified the version!
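The netcat banner grabs in this walkthrough (port 31337 in the Service Enumeration section and port 50000 from source port 53 here) can be reproduced in Python. The following added example (not part of the original page) connects from a chosen local source port and reads the first greeting line the server sends. Because there is no lab host to talk to, it also starts a constructed loopback service that sends a made-up FTP-style 220 banner; that banner is invented for the example and is not the lab’s flag. Binding source port 53 requires root, exactly as with netcat’s -p 53, so the demo uses an OS-assigned source port by default.

```python
import socket
import threading


def grab_banner(host, port, source_port=0, timeout=5.0, max_bytes=1024):
    """Connect to host:port from a chosen local source port and return the first
    line the server sends. source_port=0 lets the OS pick; ports below 1024
    (such as 53, used in the lab) require root."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", source_port))            # this is what netcat -p does
        s.settimeout(timeout)
        s.connect((host, port))
        data = b""
        # Read until the end of the first line, a size cap, or the server hangs up.
        while b"\n" not in data and len(data) < max_bytes:
            chunk = s.recv(max_bytes - len(data))
            if not chunk:
                break
            data += chunk
        return data.decode("ascii", "replace").strip()


# Constructed stand-in for the lab service: a one-shot listener that greets the
# first client with an FTP-style 220 line. The text is made up for this example.
FAKE_BANNER = b"220 constructed-ftpd 0.1 ready\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on 127.0.0.1 at an OS-chosen port; return (port, server_thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def demo(source_port=0):
    """Grab the banner from the fake service and return the greeting line."""
    port, t = start_fake_service()
    banner = grab_banner("127.0.0.1", port, source_port=source_port)
    t.join(timeout=2)
    return banner


if __name__ == "__main__":
    print(demo())
```

Against the lab host the call would be grab_banner("10.129.2.47", 50000, source_port=53) run as root. Reading only up to the first newline keeps the grab from blocking on services that greet and then wait for input, which is exactly the behaviour the 421 timeout message above shows.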