NETWORK ENUMERATION W/ NMAP

FIREWALL & IDS/IPS EVASION: EASY

A company hired us to test their IT security defenses, including their IDS and IPS systems. Our client wants to increase their IT security and will, therefore, make specific improvements to their IDS/IPS systems after each successful test. We do not know, however, according to which guidelines these changes will be made. Our goal is to find out specific information from the given situations.

We are only ever provided with a machine that is protected by IDS/IPS systems and can be tested. For learning purposes and to get a feel for how IDS/IPS can behave, we have access to a status web page at: http:///status.php This page shows us the number of alerts. We know that if we receive a specific amount of alerts, we will be banned. Therefore, we have to test the target system as quietly as possible.

Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
root@htb:~$ sudo nmap -sA -T1 10.129.62.106 --top-ports=10
 PORT     STATE    SERVICE
 21/tcp   closed   ftp
 22/tcp   open     ssh
 23/tcp   closed   telnet
 25/tcp   filtered smtp
 80/tcp   open     http
 110/tcp  filtered pop3
 139/tcp  filtered netbios-ssn
 443/tcp  filtered https
 445/tcp  filtered microsoft-ds
 3389/tcp closed   ms-wbt-server
 
root@htb:~$ sudo nmap -sA -Pn -n -T1 10.129.62.106 -p25,80,139,443,445,3389 -O --disable-arp-ping --packet-trace
 PORT     STATE      SERVICE
 25/tcp   filtered   smtp
 80/tcp   unfiltered http
 139/tcp  filtered   netbios-ssn
 443/tcp  filtered   https
 445/tcp  filtered   microsoft-ds
 3389/tcp unfiltered ms-wbt-server
 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
 Aggressive OS guesses: Linux 2.6.18 (95%), Linux 2.6.38 (95%), Star Track SRT2014HD satellite receiver (Linux 2.6.23) (95%), Linux 3.2 - 3.5 (95%), Linux 3.3 (95%), Linux 2.4.20-grsec (94%), AVM FRITZ!Box (FritzOS 6.03) (94%), Cisco RV110W Wireless-N VPN Firewall (94%), Android 4.1 (94%), Android 4.1.2 (94%)
 No exact OS matches for host (test conditions non-ideal).
 Network Distance: 2 hops

root@htb:~$ ncat -nv --source-port 53 10.129.62.106 22
 Ncat: Version 7.94SVN ( https://nmap.org/ncat )
 libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Permission denied (13)
 Ncat: Connected to 10.129.62.106:22.
 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7

FIREWALL & IDS/IPS EVASION: MEDIUM

After we conducted the first test and submitted our results to our client, the administrators made some changes and improvements to the IDS/IPS and firewall. We could hear that the administrators were not satisfied with their previous configurations during the meeting, and they could see that the network traffic could be filtered more strictly.

Note: To successfully solve the exercise, we must use the UDP protocol on the VPN.

After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
root@htb:~$ sudo nmap -sA -T4 10.129.184.5 -p-
 ...

root@htb:~$ sudo nmap -sU -sV -T1 10.129.113.204 -p 53
 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-04 20:46 CDT
 Nmap scan report for 10.129.113.204
 Host is up (0.0088s latency).

 PORT   STATE SERVICE VERSION
 53/udp open  domain  (unknown banner: HTB{GoTtgUnyze9Psw4vGjcuMpHRp})
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
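What nmap's version scan did above was send a CHAOS-class TXT query for "version.bind" to UDP/53 and read the TXT answer. The following is an added example, not code from the original page or from nmap: it builds that same probe, parses the reply (including a REFUSED reply from a server whose version is hidden), and ships with a constructed sample response so it can be checked offline. Server name, sample bytes and the version string "9.16.1-Ubuntu" are assumptions.

```python
import socket
import struct

# Added example (not from the original page): the CHAOS-class TXT query for
# "version.bind" that nmap -sV sends as its DNSVersionBindReq probe.
# Type 16 = TXT, class 3 = CH.
def build_version_bind_query(txid=0x0006):
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # 1 question, flags clear
    return header + b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_version_bind_response(msg):
    """Return (rcode, [TXT strings]); the list is empty when hidden or refused."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    strings = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 16 and rclass == 3:
            i = 0
            while i < len(rdata):       # TXT rdata is a sequence of <len><bytes>
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return flags & 0x000F, strings

def query_version_bind(server, timeout=3.0):
    """Send the probe to UDP/53 on `server` and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_version_bind_response(data)

# Constructed reply, laid out like the one nmap received above: txid 6, flags
# 0x8500 (response, authoritative), one question, one TXT answer, one NS authority.
SAMPLE_RESPONSE = (
    b"\x00\x06\x85\x00\x00\x01\x00\x01\x00\x01\x00\x00"
    b"\x07version\x04bind\x00\x00\x10\x00\x03"
    b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x0e\x0d9.16.1-Ubuntu"
    b"\xc0\x0c\x00\x02\x00\x03\x00\x00\x00\x00\x00\x02\xc0\x0c"
)
```

Running `query_version_bind` against your own resolver is a quick way to confirm that a `version none;` or `version "hidden";` setting in BIND's options block actually took effect: the parser then returns an empty list (often with rcode 5, REFUSED) instead of the real version string.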

FIREWALL & IDS/IPS EVASION: HARD

With our second test's help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems. As our client told us, the training would last one week. Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified.

Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
