Step 8: Network Enumeration with NMAP

Josh Gates
8 min read · Jun 22, 2022


Long time no speak, people of the internet. To be honest, I haven’t been doing Academy modules but have been going through some HTB walkthroughs of retired boxes just to get a feel for experts’ thought processes when enumerating, etc.

Back to some Academy modules now, as I’ve done a couple of boxes solo. I do want to go back through and complete the module paths properly, so I suspect this next one will be largely repetitive, but you never know!

I’m currently working on the Bug Bounty Hunter path in Academy, as that’s something I can do freelance, but it still builds skills for eventual pentesting.

Anyway, here we go…

Introduction

Fundamentally, I need to move away from the time-sensitive GO GO GO nature of CTF-style environments when doing enumeration. So far it’s been very much a process of:

  1. Find one attack vector
  2. Attack

Personally, I am going to slow down and work on the breadth of my enumeration, exhausting all possible attack vectors. Ultimately, in a pentest you are trying to find all the vulnerabilities in a network, not just one.

Enumeration, simply put, is the process of finding as many ways as possible to attack a particular machine or network.

As quoted in the learning material, what gets us access to a machine can be narrowed down to two categories:

  1. Functions and/or resources that allow us to interact with the target and/or provide additional information.
  2. Information that provides us with even more important information to access our target.

Nmap (Network Mapper) is a tool written in C, C++, Lua and Python. It not only scans for open ports, but can also detect the services running and their versions, fingerprint the operating system, and reveal firewalls and intrusion detection systems (IDS) sitting between us and the target.

For example, the TCP SYN scan (-sS) is the default when Nmap runs with raw-socket privileges (i.e. as root) and no other scan type is given; unprivileged, Nmap falls back to the full connect scan (-sT). It is also one of the most popular scan methods, because it can scan several thousand ports per second. The SYN scan sends a single packet with the SYN flag set and never completes the three-way handshake, so no full TCP connection is ever established to the scanned port.

If the target answers with a SYN-ACK, Nmap marks the port as open (and tears the half-open connection down with an RST instead of sending the final ACK).

If the target answers with an RST, the port is closed.

If nothing comes back at all (or an ICMP unreachable error arrives instead of a TCP reply), Nmap reports the port as filtered. Depending on the firewall configuration, the probe was either dropped silently or rejected on the way.

Host Enumeration

When conducting an internal pentest for the entire network of a company, the first thing to do is get an overview of which systems are online. The learning material calls ICMP echo requests the most effective host discovery method. Note that nmap -sn run as root actually sends four probes per host (an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request), and on the local Ethernet segment it uses ARP requests instead, so a host that only blocks ICMP still shows up. A host that blocks all of these is missed unless we skip discovery with -Pn.

During an internal pentest you could be provided with a list of IPs to test. Nmap reads such a list directly with -iL hosts.lst:

AWildRavenclaw@htb[/htb]$ cat hosts.lst

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Scanning a handful of individual IPs looks like this (ranges such as 10.129.2.18-20 and CIDR notation such as 10.129.2.0/24 work the same way); the grep/cut pipeline keeps only the address from each "Nmap scan report for ..." line:

AWildRavenclaw@htb[/htb]$ sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

The TTL (time to live) of the reply, visible with --packet-trace or in the reason_ttl attribute of the XML output, gives us a hint about the OS: Linux and most Unix-like systems start at 64, Windows at 128 and many network devices at 255, and every router hop subtracts one.

Host and Port Scanning

We need four things:

  1. Open port(s) and services
  2. Service versions
  3. Information services are providing
  4. Operating System

There are six states Nmap can report for a port:

  1. open: a service accepts connections (SYN-ACK, or a UDP reply)
  2. closed: the host is reachable but nothing listens (RST, or ICMP port unreachable)
  3. filtered: no reply, or an ICMP error; a firewall is in the way
  4. unfiltered: only from an ACK scan; the port is reachable but open/closed is unknown
  5. open|filtered: no reply where that is ambiguous, e.g. UDP and FIN/NULL/Xmas scans
  6. closed|filtered: only from the IP ID idle scan (-sI)

Discovering Open TCP Ports

By default (as root), Nmap scans the top 1000 TCP ports with the SYN scan (-sS). -p- covers all 65535 ports, -F only the top 100, and --top-ports N lets us choose the count.

Filtered ports

In most cases, a port shown as ‘filtered’ means there is a firewall rule handling that connection. The probe can either be dropped (nothing comes back, so Nmap waits for its retransmissions to time out, which is why filtered ports slow a scan down) or rejected (an ICMP unreachable error comes back). A firewall that rejects with a TCP RST instead is indistinguishable from a closed port.

Discovering Open UDP Ports

Sometimes system admins forget to filter UDP ports, since UDP is stateless and has no three-way handshake like TCP. UDP scans (-sU) are significantly slower: an open UDP service usually does not answer an empty probe, so Nmap can only report open|filtered, while a closed port answers with an ICMP port unreachable that Linux rate-limits to roughly one per second. They can be equally revealing, though, and combining -sU with -sV makes Nmap send protocol-specific payloads that coax real answers out of common UDP services.
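To make the SYN-scan logic from the introduction and the TCP/UDP port states above concrete, here is an added example (my own code, not from the post, the Academy module or Nmap) that classifies ports with ordinary sockets the way Nmap’s connect (-sT) and UDP (-sU) scans do, against listeners it creates on loopback. The listeners and port numbers are constructed for the demonstration; the filtered branches need a real firewall in the path to trigger and are included so the mapping from reply to state is complete.

```python
"""Port-state classifier following the nmap logic described above.

Added example, not part of the original post and not nmap code. nmap's SYN
scan (-sS) needs raw sockets; this uses ordinary sockets, like nmap's connect
scan (-sT) and UDP scan (-sU), so it runs unprivileged and derives the same
states from how the operating system reports the reply:
  TCP: handshake completes -> open; RST -> closed; ICMP error or silence -> filtered
  UDP: datagram back -> open; ICMP port unreachable -> closed; silence -> open|filtered
The listeners probed by demo() are created on loopback for the demonstration.
"""
import errno
import socket
import threading

# errno values the kernel reports when an ICMP unreachable (a REJECT rule) or a
# drop (a DROP rule, surfacing as a timeout) answers our probe
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way nmap reports it after a connect() probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN-ACK came back and the handshake completed
        except ConnectionRefusedError:
            return "closed"          # the target answered our SYN with RST
        except socket.timeout:
            return "filtered"        # nothing came back: a DROP rule ate the SYN
        except OSError as e:
            if e.errno in FILTERED_ERRNOS:
                return "filtered"    # ICMP net/host unreachable or prohibited: a REJECT rule
            raise


def udp_probe(host: str, port: int, payload: bytes = b"", timeout: float = 1.0) -> str:
    """Classify one UDP port. A connected UDP socket is used so that an ICMP
    port-unreachable triggered by our datagram surfaces as ECONNREFUSED on recv()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # no packet is sent by connect() on UDP
        try:
            s.send(payload)
            s.recv(1024)
            return "open"            # the service answered our payload
        except ConnectionRefusedError:
            return "closed"          # ICMP type 3 code 3 (port unreachable)
        except socket.timeout:
            return "open|filtered"   # silence: an open service ignoring us, or a firewall drop
        except OSError as e:
            if e.errno in FILTERED_ERRNOS:
                return "filtered"    # other ICMP unreachable codes
            raise


def _tcp_listener(host: str = "127.0.0.1") -> tuple:
    """Listening TCP socket on an ephemeral port (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)                    # the kernel completes handshakes into the backlog
    return srv, srv.getsockname()[1]


def _udp_responder(host: str = "127.0.0.1") -> tuple:
    """UDP socket that answers the first datagram it receives (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve() -> None:
        try:
            _, peer = srv.recvfrom(1024)
            srv.sendto(b"pong", peer)
        except OSError:
            pass                     # socket closed before a probe arrived

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _unused_port(kind: int, host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on: bind to 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo(host: str = "127.0.0.1") -> dict:
    """Probe an open and a closed port for each protocol and return the states."""
    tcp_srv, tcp_open = _tcp_listener(host)
    udp_srv, udp_open = _udp_responder(host)
    try:
        return {
            "tcp_open": tcp_probe(host, tcp_open),
            "tcp_closed": tcp_probe(host, _unused_port(socket.SOCK_STREAM, host)),
            "udp_open": udp_probe(host, udp_open, b"ping"),
            "udp_closed": udp_probe(host, _unused_port(socket.SOCK_DGRAM, host), b"ping"),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:<11} {state}")
```

On Linux the closed UDP port comes back as closed because the loopback ICMP port unreachable is delivered to the connected socket; on systems that swallow it you get open|filtered, which is exactly the ambiguity the paragraph above describes and the reason nmap needs -sV payloads (or a lot of patience) for UDP.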

Task:

  1. Find all TCP ports on the target and submit that number as your answer: 7
  2. Enumerate the hostname (case sensitive): NIX-NMAP-DEFAULT

Saving the Results

While we run various scans, we should always save the results. We can use them later to examine the differences between the scanning methods we have used, and to diff a later scan against an earlier one. Nmap can save the results in three different formats:

Normal output (-oN) with the .nmap file extension

Grepable output (-oG) with the .gnmap file extension

XML output (-oX) with the .xml file extension

We can also specify the option (-oA) to save the results in all formats.
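Saving the results is only useful if we read them back. As an added example (my own code, not from the post or Nmap), the following parses the XML format (-oX) with the standard library, lists the open ports, picks the highest one, turns the reason_ttl value into the OS hint mentioned under Host Enumeration, and diffs two saved scans. Both XML documents are constructed by hand to mirror the shape of Nmap’s output; the address 10.129.2.28 is the last entry of the hosts.lst above, and the hostname, services and versions are made up.

```python
"""Reading nmap's saved output (-oX) back in and comparing two scans.

Added example, not part of the original post and not nmap code. The two XML
documents are constructed by hand to mirror the shape of nmap's -oX files; the
hostname, ports and versions in them are made up for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default SYN scan (-sS) of one host, top 1000 ports.
SYN_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX syn.xml 10.129.2.28">
<host><address addr="10.129.2.28" addrtype="ipv4"/>
<hostnames><hostname name="nix-example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="Elite"/></port>
</ports></host></nmaprun>"""

# Constructed sample: the same host rescanned later with -sV -p- (versions filled
# in, a port outside the top 1000 found, and 445 now answering with RST).
VERSION_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- -oX sv.xml 10.129.2.28">
<host><address addr="10.129.2.28" addrtype="ipv4"/>
<hostnames><hostname name="nix-example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="8.2p1" extrainfo="Ubuntu"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="445"><state state="closed" reason="reset" reason_ttl="64"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http-proxy"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="unknown"/></port>
</ports></host></nmaprun>"""


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {addr: {"hostname": ..., "ports": {(proto, port): {...}}}} from -oX text."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")       # absent when reverse DNS found nothing
        ports = {}
        for p in host.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),
                "ttl": int(state.get("reason_ttl", "0")),   # 0 when no packet came back
                "service": None if svc is None else svc.get("name"),
                "product": None if svc is None else svc.get("product"),
                "version": None if svc is None else svc.get("version"),
            }
        hosts[addr] = {"hostname": None if hn is None else hn.get("name"), "ports": ports}
    return hosts


def open_ports(host: dict, proto: str = "tcp") -> list:
    """Sorted open port numbers for one protocol."""
    return sorted(port for (pr, port), info in host["ports"].items()
                  if pr == proto and info["state"] == "open")


def highest_open_port(host: dict, proto: str = "tcp") -> int:
    return max(open_ports(host, proto))


def ttl_os_hint(ttl: int) -> str:
    """Guess the OS family from the TTL in a reply: Linux/Unix start at 64,
    Windows at 128, many network devices at 255; each router hop subtracts one."""
    if ttl <= 0:
        return "unknown"
    for initial, family in ((64, "Linux/Unix-like"), (128, "Windows"), (255, "network device")):
        if ttl <= initial:
            return f"{family} ({initial - ttl} hops away)"
    return "unknown"


def diff_states(before: dict, after: dict) -> dict:
    """Ports whose state differs between two saved scans: {addr: {(proto, port): (old, new)}}.
    A port present in only one scan (e.g. outside the top 1000) shows the other side as None."""
    changes = {}
    for addr in sorted(set(before) | set(after)):
        b = before.get(addr, {"ports": {}})["ports"]
        a = after.get(addr, {"ports": {}})["ports"]
        for key in sorted(set(b) | set(a)):
            old = b[key]["state"] if key in b else None
            new = a[key]["state"] if key in a else None
            if old != new:
                changes.setdefault(addr, {})[key] = (old, new)
    return changes


if __name__ == "__main__":
    syn, ver = parse_nmap_xml(SYN_SCAN), parse_nmap_xml(VERSION_SCAN)
    host = ver["10.129.2.28"]
    print("hostname:", host["hostname"], "| highest open port:", highest_open_port(host))
    for (proto, port), info in sorted(host["ports"].items()):
        print(f"{port}/{proto} {info['state']} {info['service']} "
              f"{info['product'] or ''} {info['version'] or ''} [{ttl_os_hint(info['ttl'])}]")
    print("changed between scans:", diff_states(syn, ver))
```

The grepable format (-oG) is handy for one-liners, but the XML keeps the reason and reason_ttl per port, which is what the diff and the TTL hint rely on; once scans are stored this way, comparing a -sS run with a later -sV or --source-port run is a dictionary comparison rather than a squint at two terminals.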

Task:

  1. Find the highest port number and submit it as the result: 31337

This was easy as I did a full -A -p- scan earlier… thinking ahead or what?

Service Enumeration

The -sV option performs service version detection: Nmap talks to each open port and matches the banners and responses against its probe database. -sC runs the default NSE scripts, and -A combines -sV, OS detection (-O), -sC and --traceroute.

Task:

  1. Enumerate all ports and their services; one has the flag.

Run tcpdump and wait 30 seconds after setting up a netcat listener on port 31337 with the target IP.

  2. Use NSE on one of the services to find the flag. The HTTP vulns script was key.

Firewall and IDS/IPS Evasion

Nmap gives us many ways to get past firewall rules and IDS/IPS. Two main ones are fragmentation of packets (-f splits the TCP header across 8-byte IP fragments, --mtu sets a custom fragment size) and the use of decoys (-D).

When a port is shown as filtered, remember that a variety of reasons can cause this. Dropped packets are simply ignored and nothing comes back from the host.

Rejected packets are different: the firewall answers, either with a TCP RST (which Nmap cannot tell apart from a closed port) or with an ICMP error message.

Such errors can be:

Net Unreachable

Net Prohibited

Host Unreachable

Host Prohibited

Port Unreachable

Proto Unreachable

The TCP ACK scan (-sA) is harder for firewalls to filter because it only sends packets with the ACK flag set, which look like part of an existing connection to a stateless packet filter. It cannot tell open from closed: an RST coming back means the port is unfiltered (the packet got through), while no reply or an ICMP error means filtered. That makes it a good way to map which ports a firewall protects before spending time on them.

Detect IDS/IPS

IDS/IPS are more passive than a firewall: an IDS only watches traffic and alerts, an IPS can also block it, and neither announces itself in scan results, so they are harder to detect and bypass.

Several virtual private servers (VPS) with different IP addresses are recommended for determining whether such systems are on the target network during a penetration test. If the administrator detects such a potential attack, the first step is to block the IP address it comes from. As a result, we can no longer reach the network from that IP address, and in the worst case our Internet Service Provider (ISP) is contacted and the address blocked entirely.

IDS systems alone are usually there to help administrators detect potential attacks on their network; the administrators then decide how to handle such connections. We can provoke a reaction, for example, by aggressively scanning a single port and its service. Based on whether specific security measures follow, we can tell whether the network has monitoring in place.

One method to determine whether an IPS is present in the target network is to scan from a single host (VPS). If at any point this host is blocked and loses access to the target network, we know the administrator has taken security measures, and we can continue the penetration test from another VPS.

Consequently, we know we need to be quieter with our scans and, ideally, disguise all interactions with the target network and its services.

The decoy option (-D) hides our real source address among others: -D RND:5 adds five random IPs, and -D 10.129.2.200,ME,10.129.2.201 uses chosen ones, with ME marking where our own address goes in the order. The probes still have to leave our real IP as well, so decoys dilute the logs rather than remove us from them; -S spoofs the source address outright, but then the replies never reach us and it only makes sense for noise or for the idle scan.

DNS Proxying

By default, Nmap performs reverse DNS resolution, unless told otherwise, to find more information about our target. These DNS queries are passed through in most cases, because the web server in question is supposed to be found and visited. DNS queries are made over UDP port 53. TCP port 53 was previously only used for so-called zone transfers between DNS servers, or for responses larger than 512 bytes. This is changing more and more because of IPv6 and DNSSEC, which cause many DNS requests to go over TCP port 53.

However, Nmap still gives us a way to specify DNS servers ourselves (--dns-servers <ns>,<ns>). This can be fundamental if we are in a demilitarized zone (DMZ): the company's DNS servers are usually more trusted than those from the Internet, so we could use them to interact with hosts on the internal network. As another example, we can use TCP port 53 as the source port for our scans (--source-port 53, or -g 53). If the administrator's firewall lets traffic from this port through and the IDS/IPS does not filter it properly, our TCP packets will be trusted and passed. One caveat: Nmap can only set the source port on the raw packets it crafts itself (SYN and UDP scans); connect scans, -sV probes and NSE scripts use normal operating-system sockets, so for those we have to make the connection with something like sudo nc -p 53 <target> <port> instead.

Firewall and IDS/IPS Evasion — Easy Lab

Our client wants to know if we can identify which operating system their machine is running. Submit the OS name as the answer:

The service scan gave it away… Apache Ubuntu.

Firewall and IDS/IPS Evasion — Medium Lab

Submit the DNS server version:

Use https://nmap.org/nsedoc/scripts/

Firewall and IDS/IPS Evasion — Hard Lab

This task hinted at large amounts of data, and so a full port scan (-p-) reveals port 50000. As above, we set up a netcat listener between DNS port 53 and this new mysterious port 50000. Let the netcat listener run for a second or two and the flag presents itself with a 220 response.

This module required a lot of outside research, but I feel that’s part of the job. It’s not a game of memorising everything, but of knowing where to look for the tool you need to do the job you want. Until next time!
