Nmap
I have just completed a lab on ine.com which required me to use Nmap to identify live hosts on a network and then find out more about their operating systems if possible and the daemons running on the open ports.
I started by identifying the network I was connected to by using ifconfig to find my local IP address and net mask.
This let me know that I was connected to the network 10.142.111.0/24.
I then turned my attention to how I would identify the live hosts. Since lots of firewalls are configured to drop ICMP traffic, I decided to use Nmap's SYN, SCTP and UDP scans.
I started with a fast scan of fewer than default ports. I elected to save the results as greppable files so I would be able to grep them together into one neat list of targets later.
This first scan uses -T4 to increase the speed slightly but still keep accuracy. The -Pn flag ensures that all hosts are treated as being up, to avoid missing some due to ICMP traffic being dropped. The -sS flag selects the half-open SYN scan to avoid being logged by the host. The -F flag makes Nmap scan fewer than the default 1000 ports; I wanted this part of the process to be a fast way to identify live hosts. The -oG flag specifies that I want to save the output as a greppable file with the name given after it, in this case tcp.gnmap. The IP address and CIDR notation specify that I wanted to scan the entire network.
I repeated this process using the -sY (SCTP) scan method and the -sU (UDP) scan method. The only real difference in the rest of the syntax was that I cut down the number of ports on the UDP scan by targeting well-known UDP ports.
Next, I collated the live hosts into one file called targets.txt.
The piped commands I used opened all the files in the directory with the extension .gnmap, then used awk to print the second field of each line (the second field in an Nmap greppable file contains the IP address of the host). Next, I sorted the IP addresses numerically and removed any duplicates with the uniq command. I had to sort the IP addresses before using uniq because uniq only removes duplicates that are right next to each other. The remaining IP addresses were then saved to targets.txt, whose contents I have shown using cat. As we can see, there are eight live hosts, but one of those (10.142.111.240) is my own machine.
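The collation step above, as an added example that is not the lab's or the author's own command line. It goes slightly further than a plain awk/sort/uniq pipeline: because -Pn marks every address as up, the "Status: Up" lines in a .gnmap file say nothing about liveness, so this version keeps only hosts whose "Ports:" line reports at least one open (or open|filtered) port and drops the scanner's own address. The sample .gnmap text is constructed; real output is tab-separated, which awk handles the same way.

```shell
#!/bin/sh
# Added example: collate live hosts from greppable Nmap output (.gnmap).

# Constructed sample of what the three .gnmap files might contain after
# being concatenated. Not real lab output.
SAMPLE_GNMAP='# Nmap scan initiated as: nmap -T4 -Pn -sS -F -oG tcp.gnmap 10.142.111.0/24
Host: 10.142.111.1 ()  Status: Up
Host: 10.142.111.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (98)
Host: 10.142.111.5 ()  Status: Up
Host: 10.142.111.5 ()  Ports: 53/open|filtered/udp//domain///  Ignored State: open|filtered (9)
Host: 10.142.111.12 ()  Ports: 22/filtered/tcp//ssh///  Ignored State: filtered (99)
Host: 10.142.111.240 ()  Ports: 22/open/tcp//ssh///  Ignored State: closed (99)
Host: 10.142.111.1 ()  Ports: 443/open/tcp//https///  Ignored State: closed (99)
# Nmap done -- 256 IP addresses (256 hosts up) scanned in 1.00 seconds'

# collate_targets OWN_IP
#   Reads .gnmap text on stdin and prints one unique IP per line, sorted
#   octet by octet, for every host that reported at least one port in
#   state "open" or "open|filtered". OWN_IP (the scanning machine) is
#   dropped so it does not end up in the target list.
collate_targets() {
    own="$1"
    awk -v own="$own" '
        # Only "Host:" lines carry addresses; comment lines start with "#".
        # "/open" matches both "22/open/tcp" and "53/open|filtered/udp",
        # but not "filtered", "closed" or "unfiltered".
        /^Host:/ && $0 ~ "/open" { seen[$2] = 1 }
        END { for (ip in seen) if (ip != own) print ip }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Stand-alone run on the constructed sample; in the lab this would be
#   cat *.gnmap | collate_targets 10.142.111.240 > targets.txt
printf '%s\n' "$SAMPLE_GNMAP" | collate_targets 10.142.111.240
```

With the sample above this prints 10.142.111.1 and 10.142.111.5 only: 10.142.111.12 had nothing but filtered ports and 10.142.111.240 is the scanner itself.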
Now that I had a .txt file containing the hosts of interest, I moved on to performing full port scans to enumerate the open ports, the services running on them and, if possible, the operating systems of the hosts. I did this for TCP, SCTP and UDP, though I have only included one picture of the command as the others were very similar - again, the UDP scan only used the most common UDP ports, which I had scanned earlier.
Here, the -A flag runs a half-open SYN scan. It also probes the operating system and versions of services running. In addition, it runs Nmap's default scripts. The -p- flag lets Nmap know that I now want to scan all ports. The -oA flag specifies that I want to save the output in all the available formats - an easily readable .nmap format, a greppable format and an .xml format just in case I later wanted to use a language such as Python to parse the results. The -iL flag specifies the input file, which in this case is the targets.txt file I created earlier.
The results came through from the SYN, SCTP and UDP scans. I was now able to look at the various services running along with their versions and possible operating systems. These data could be recorded in notes for later exploration of vulnerabilities and exploits. I could also of course now use Nessus to look for vulnerabilities, but since I was learning about Nmap, I did some light vulnerability scanning using the vulners script.
Lots of possible vulnerabilities were discovered, but I stopped here as I had already achieved the aim of the lab. When I looked at the solution for the lab, I saw that I had successfully found the required information and then some. Of course, I could have used Nmap in a simpler way to solve this particular lab, but I wanted to practice using Nmap in different ways :-)