Introduction

Enumeration


Enumeration is the most critical part of all.

This sentence sums up pretty well the importance HTB's writers give to enumeration. They even made an “ELI5” explanation of enumeration's goal:

ELI5 by HTB

Our partner is not at home and has misplaced our car keys. We call our partner and ask where the keys are. If we get an answer like “in the living room,” it is entirely unclear and can take much time to find them there. However, what if our partner tells us something like “in the living room on the white shelf, next to the TV, in the third drawer”? As a result, it will be much easier to find them.

Manual enumeration is emphasised as well, since timeouts can directly affect the results of automated enumeration. The content is quite verbose and is better read than re-written.

Introduction to Nmap


The article should be self-sufficient

Host Enumeration

Host Discovery


This applies to scanning multiple IPs in a network. Saving output to a file is a must; -oA stores your scan output in three different formats.

Scan Network Range

nmap $ipscope/{mask} -sn -oA nmap_range_scan

# Only retrieve the IPs:
sudo nmap 10.129.2.0/24 -sn -oN scan_output | grep for | cut -d" " -f5

# Specify an input file with -iL (one IP per line). The output only lists active hosts.
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5


Use - to specify range

As with -p- for ports, you can use a dash to specify a range of IP addresses.

sudo nmap -sn -oA tnet 10.129.2.18-20

Scan IP List

We can use the previous commands to obtain an output with the correct format.

Use an input file of IPs

cat hosts.lst
# expected format: one IP per line
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Scan Multiple IP

Basically you can list several IP addresses / IP ranges one after another in the command, and use something like 10.10.10.27-64 if you want a precise range rather than relying on a mask.

Scan Single IP

Nothing crazy: the same host check, for a single target.

sudo nmap 10.129.2.18 -sn -oA host 
 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.18
Host is up (0.087s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

HTB's choice of words confused me. They state that Nmap sends ICMP echo requests when port scanning is disabled with -sn. However, since Nmap sends an ARP ping first, if it gets an ARP reply no ICMP request will be sent. As such, if you scan your own (local) network you can see the ARP ping using --packet-trace. Adding -PE as they mention does not send ICMP requests if ARP got a successful reply beforehand. If you want to use ICMP, you need to add --disable-arp-ping.

Questions

Host and Port Scanning


A brief recap of the open/closed/filtered/unfiltered states. HTB made the following table:

State: Description

open: This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed: When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
filtered: Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered: This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered: If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
closed|filtered: This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

Discovering Open TCP Ports

By default Nmap scans the 1000 most common TCP ports, but you can choose how many to scan with --top-ports={number}.

A quick mention that -sT (TCP connect scan) is accurate but not stealthy.

Filtered Ports

A filtered state means the packets were dropped or rejected. “To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again.” (HTB)

The resulting error code returned in the received packet (RCVD) can indicate the nature of the error.

Error code 3 (ICMP type 3, code 3: port unreachable) means the host is reachable but the port is closed or not listening.

sudo nmap 10.129.2.28 -p 445 --packet-trace -n --disable-arp-ping -Pn
 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:55 CEST
SENT (0.0388s) TCP 10.129.2.28:52472 > 10.129.2.28:445 S ttl=49 id=21763 iplen=44  seq=1418633433 win=1024 <mss 1460>
RCVD (0.0487s) ICMP [10.129.2.28 > 10.129.2.28 Port 445 unreachable (type=3/code=3) ] IP [ttl=64 id=20998 iplen=72 ]
Nmap scan report for 10.129.2.28
Host is up (0.0099s latency).
 
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
 
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Discovering Open UDP Ports

Always run a UDP scan in the background

Nmap defaults to TCP scans, but you should run a UDP scan anyway; otherwise you might miss important enumeration information. A UDP scan takes a lot longer, so keep it running in the background and save its output while doing the other tests.

The exact same reasoning explained for TCP applies to UDP. Check the top ports, and disable ARP, ICMP and DNS resolution if you get filtered output to better identify the underlying behaviour. Use -sU for a UDP scan.

Questions

Saving the Results


Output

  • Normal output (-oN) with the .nmap file extension
  • Grepable output (-oG) with the .gnmap file extension
  • XML output (-oX) with the .xml file extension
  • -oA writes all three formats at once.

# For grepable output use -oG
nmap $ipscope -{options} -oG {outputfile}
# For saving results and importing them into PCF or other tools, go for XML
nmap $ipscope -{options} -oX {outputfile}

XML output is particularly suited to other parsing software that uses templates to insert scan information into a report document. Note that you can create an HTML report with xsltproc {nmap_xml_output} -o {outputfile}
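As an added example (my code, not HTB's or Nmap's), here is a minimal parser for -oX output that pulls live hosts and their port states into a Python structure a report template can consume; the XML sample is constructed and only mimics Nmap's schema, the addresses and services in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for illustration (not a real scan); the tags
# and attribute names follow Nmap's XML schema, the values are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.129.2.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.129.2.28" addrtype="ipv4"/>
    <address addr="DE:AD:00:00:BE:EF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
        <service name="smtp" product="Postfix smtpd"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="port-unreach"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.129.2.29" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its MAC and a list of
    (protocol, port, state, service) tuples; hosts that are down are skipped."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ports = []
        for port in host.findall("ports/port"):
            service = port.find("service")
            name = "" if service is None else service.get("name", "")
            product = "" if service is None else service.get("product", "")
            ports.append((port.get("protocol"), int(port.get("portid")),
                          port.find("state").get("state"), f"{name} {product}".strip()))
        results[addrs["ipv4"]] = {"mac": addrs.get("mac"), "ports": ports}
    return results


def open_ports(results, ip):
    """Sorted open port numbers for one host, the view a report template usually needs."""
    return sorted(p for _, p, state, _ in results[ip]["ports"] if state == "open")
```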

Questions

Service Enumeration


Service Version Detection

Use -sV.

Same thing, but adding the holy -Pn -n --disable-arp-ping --packet-trace combination reveals additional information we would otherwise have missed, like the Ubuntu reference in the SMTP banner in the example given.

sudo nmap 10.129.2.28 -p- -sV -Pn -n --disable-arp-ping --packet-trace
 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 20:10 CEST
<SNIP>
NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu)..
Service scan match (Probe NULL matched with NULL line 3104): 10.129.2.28:25 is smtp.  Version: |Postfix smtpd|||
NSOCK INFO [0.4200s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Nmap scan report for 10.129.2.28
Host is up (0.076s latency).
 
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host:  inlane
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

tcpdump and nc are valid alternatives for banner grabbing.

Questions

Nmap Scripting Engine


This is already a bit more interesting to work with. NSE lets you run scripts as part of Nmap scans. You can run a whole group of scripts by specifying the associated category, as noted in the cheatsheet.

Nmap Script Engine

Category: Description

auth: Determination of authentication credentials.
broadcast: Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.
brute: Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default: Default scripts executed by using the -sC option.
discovery: Evaluation of accessible services.
dos: These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.
exploit: This category of scripts tries to exploit known vulnerabilities for the scanned port.
external: Scripts that use external services for further processing.
fuzzer: This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
intrusive: Intrusive scripts that could negatively affect the target system.
malware: Checks if some malware infects the target system.
safe: Defensive scripts that do not perform intrusive and destructive access.
version: Extension for service detection.
vuln: Identification of specific vulnerabilities.

Table from HTB.

nmap $ipscope --script {category}

Locate nmap scripts

Specific scripts can be searched for using:

locate -r 'nse$' | grep {keyword}

An aggressive scan (-A) runs the default scripts along with version and OS detection. Otherwise, individual scripts can be selected, separated by commas: --script script1,script2,...

Questions

Performance


Timing

Nmap offers many features to tune scanning. One of the best known is -T {0-5}, with 0 being extremely slow to try to avoid any detection, while 5 bombards the target without a care and may lose accuracy. The default is 3; going up to 4 can be useful to get a quick first scan while starting more thorough ones in the background.

  • -T 0 / -T paranoid
  • -T 1 / -T sneaky
  • -T 2 / -T polite
  • -T 3 / -T normal
  • -T 4 / -T aggressive
  • -T 5 / -T insane

The Nmap performance documentation is very verbose but explains the reasoning behind each parameter well.

Timeouts

This should be talked about more, especially in saturated labs. --min-rtt-timeout and --max-rtt-timeout bound how long Nmap waits for a probe response before considering a retry or dropping the probe. Though, you'd rather use --initial-rtt-timeout: it sets the starting value, which Nmap can increase up to --max-rtt-timeout depending on the outcome of previous probes. The default minimum RTT timeout is 100ms. The syntax of these parameters is as follows:

sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

Max Retries

After a probe gets no response, Nmap retransmits it up to the number of times specified by --max-retries. The default is 10 and can be adjusted to the context.

Rates

We can specify the number of packets per second using --min-rate and --max-rate if we know the load capacity of the target. This can save a lot of time, which is the most important resource during an engagement: we have limited time for a specified scope, so we might as well give ourselves the best conditions to produce results.

Bypass Security Measures

Firewall and IDS/IPS Evasion


Firewalls

Firewalls are an interesting topic, but they are best studied from dedicated documentation. Look up stateful and stateless firewalls. Differentiate passed, ignored and blocked packets to understand as well as possible how your packets are handled and the conclusions you can draw.

IDS/IPS

These are software solutions that try to detect malicious actions and incoming attacks. An unusual or absent User-Agent header, repeated packets sent without a proper connection… are all signals used to decide which actions to take.

Using an ACK scan (-sA) is “much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (-sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag” (from HTB text).

Detect IDS/IPS

An IDS has rules and searches for matching elements to raise alerts. An IPS triggers the actions tied to the alerts raised by the IDS. Determining the presence of these security measures will likely get you blocked. As such, you should use a VPS to test and scan the network, even if you burn that IP.

A cloud VPS might seem a good idea at first for fast IP rotation, but you would definitely be breaching their policies.

Decoys

We can add decoy IP addresses so that our own IP is hidden among them. Only active IPs should be used, to avoid triggering SYN-flooding protections. Use -D with a list of IPs, or -D RND:{number} to insert random IP addresses.

We can also change the source IP address with -S to something else, though its use is limited by the fact that responses will be sent to the address specified.

The interface from which packets are sent and received can also be specified with -e.

DNS Proxying

Be aware that DNS servers can be specified with --dns-servers, which is useful in a DMZ for DNS resolution. The source port can be set with --source-port, notably to 53. These can help bypass simple ACL rules that accept DNS responses based on port alone.

The same trick applies to connections with netcat, for example.

sudo ncat -nv --source-port 53 10.129.2.28 50000
 
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd

Make sure the source port is available

You might hit an “address already in use” error when using --source-port with ncat. To fix it, identify which service is using the selected port and stop it:

sudo lsof -i :{port}
sudo systemctl stop {service}
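As an added defender-side example covering the IDS/IPS and DNS proxying notes above (my code, not HTB's or Nmap's), a toy stateful detector over a constructed connection log: it flags the SYN sweeps an IDS counts, bare ACK probes (-sA) that never opened a connection, and inbound SYNs using source port 53, which is exactly what a port-only DNS ACL would wrongly let through. The log format, addresses and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed connection log for illustration (not a real capture). Format per line:
# "<seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>" (S=SYN, A=ACK, SA=SYN/ACK).
SAMPLE_LOG = """\
0.01 10.10.14.5:52472 -> 10.129.2.28:22 S
0.02 10.10.14.5:52473 -> 10.129.2.28:25 S
0.02 10.129.2.28:25 -> 10.10.14.5:52473 SA
0.03 10.10.14.5:52474 -> 10.129.2.28:80 S
0.03 10.10.14.5:52475 -> 10.129.2.28:445 S
0.04 10.10.14.5:52476 -> 10.129.2.28:3389 S
1.50 10.10.14.5:40000 -> 10.129.2.28:8080 A
2.00 10.10.14.5:53 -> 10.129.2.28:50000 S
3.00 10.10.14.9:41000 -> 10.129.2.28:443 S
3.10 10.129.2.28:443 -> 10.10.14.9:41000 SA
3.10 10.10.14.9:41000 -> 10.129.2.28:443 A
"""


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def detect(log, port_threshold=5, window=1.0):
    """Return (rule, src_ip, detail) findings. Stateful tracking of which
    4-tuples opened with a SYN is what lets a firewall/IDS tell an Nmap
    ACK probe or a spoofed 'DNS reply' apart from real return traffic."""
    findings, seen_syn, syns = [], set(), defaultdict(list)
    for raw in log.strip().splitlines():
        ts, sip, sport, dip, dport, flags = parse_line(raw)
        if flags == "S":
            seen_syn.add((sip, sport, dip, dport))
            syns[(sip, dip)].append((ts, dport))
            if sport == 53 and dport != 53:  # --source-port 53 trick: a DNS server never initiates here
                findings.append(("syn-from-port-53", sip, f"SYN to {dip}:{dport} from source port 53"))
        elif flags == "A" and (sip, sport, dip, dport) not in seen_syn:  # -sA probe
            findings.append(("unsolicited-ack", sip, f"ACK to {dip}:{dport} without a prior SYN"))
    for (sip, dip), events in syns.items():  # SYN sweep: many distinct ports in a short window
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                findings.append(("syn-sweep", sip, f"{len(ports)} ports on {dip} within {window}s"))
                break
    return findings
```

The legitimate client 10.10.14.9 completes a handshake and produces no finding, while every probe pattern from 10.10.14.5 does; a port-only ACL would have accepted the source-port-53 SYN.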

Firewall and IDS/IPS Evasion - Easy Lab


Context

Always read the context

HTB courses always (well, most of the time) give contextual information that you could miss if you jump straight to the questions.

“We are only ever provided with a machine protected by IDS/IPS systems and can be tested. For learning purposes and to get a feel for how IDS/IPS can behave, we have access to a status web page at: (http://{target}/status.php)” This page shows us the number of alerts. We know that if we receive a specific amount of alerts, we will be banned. Therefore we have to test the target system as quietly as possible.

Questions

Firewall and IDS/IPS Evasion - Medium Lab


We could hear that the administrators were not satisfied with their previous configurations during the meeting, and they could see that the network traffic could be filtered more strictly.

Note

To successfully solve the exercise, we must use the UDP protocol on the VPN.

Questions

Firewall and IDS/IPS Evasion - Hard Lab


Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified.

No tunnel requirements

This time, it's not necessary to use a UDP tunnel to the HTB environment.