Step 8: Network Enumeration with NMAP
Long time no speak people of the internet. To be honest I haven’t been doing academy modules but have been going through some HTB walkthroughs of retired boxes just to get a feel for expert’s thought processes when enumerating etc.
Back to some academy modules now as I’ve done a couple boxes solo. I do want to go back through and complete module paths properly so I suspect this next one will be largely repetitive, but you never know!
I’m currently working on the Bug Bounty Hunter Path in Academy as that’s something I can do freelance, but still builds skills for eventual pentesting.
Anyway, here we go…
Introduction
Fundamentally, I need to move away from the time-sensitive GO GO GO nature of the CTF style environments when doing enumeration. So far it’s been very much a process of:
- Find one attack vector
- Attack
Personally, I am going to slow down and work on the breadth of my enumeration and exhausting all possible attack vectors. Ultimately in pentesting you are trying to find all possible vulnerabilities in a network, not just one.
Simply put, enumeration is the process of finding as many ways as possible to attack a particular machine or network.
As quoted in the learning material, getting access to a machine can be narrowed down into the following two categories:
Functions and/or resources that allow us to interact with the target and/or provide additional information.
Information that provides us with even more important information to access our target.
Nmap (Network Mapper) is a tool written in C, C++, Lua and Python. It not only scans for open ports, but can also detect running services and OS information, and find firewalls and intrusion detection systems (IDS).
For example, the TCP-SYN scan (-sS) is the default scan type unless we specify otherwise and is also one of the most popular scan methods. It makes it possible to scan several thousand ports per second. The TCP-SYN scan sends one packet with the SYN flag and therefore never completes the three-way handshake, so no full TCP connection is established to the scanned port. If the target sends a SYN-ACK flagged packet back from the scanned port, Nmap marks the port as open. If the reply carries an RST flag, that is an indicator that the port is closed. If Nmap receives no packet back at all, it reports the port as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.
Host Enumeration
When conducting an internal pentest for the entire network of a company, the first thing you would do is get an overview of which systems are online to work with. The most effective host discovery method is ICMP echo requests.
During an internal pentest, you could be provided with a list of IPs to test, which nmap can take as input. Such a list looks like this:
AWildRavenclaw@htb[/htb]$ cat hosts.lst
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
Scanning multiple IPs looks like this:
AWildRavenclaw@htb[/htb]$ sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20
The TTL (time to live) value in the replies can give us a hint about the target's OS.
Host and Port Scanning
We need four things:
- Open port(s) and services
- Service versions
- Information services are providing
- Operating System
There are six states a port can be in: open, closed, filtered, unfiltered, open|filtered and closed|filtered.
Discovering Open TCP Ports
By default, nmap scans the top 1000 ports with the SYN (-sS) scan.
Filtered ports
In most cases, when a port is shown to be ‘filtered’ it means that there is some firewall rule to handle specific connections. Sent packets can either be dropped or rejected.
Discovering Open UDP Ports
Sometimes system admins forget to filter UDP ports, because UDP is stateless and does not require the three-way handshake like TCP. UDP scans (-sU) are significantly slower, but can be equally revealing.
Task:
1. Find all TCP ports on the target and submit that number as your answer: 7
2. Enumerate the hostname (case sensitive): NIX-NMAP-DEFAULT
Saving the Results
While we run various scans, we should always save the results. We can use these later to examine the differences between the different scanning methods we have used.
Nmap can save the results in 3 different formats:
- Normal output (-oN) with the .nmap file extension
- Grepable output (-oG) with the .gnmap file extension
- XML output (-oX) with the .xml file extension
We can also specify the option (-oA) to save the results in all formats.
Task:
Find highest port number and submit as result: 31337
This was easy as I did a full -A -p- scan earlier… thinking ahead or what?
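As an added example (not from the original post or from the nmap project), here is a small Python script that reads two -oX results and reports what a later full -p- scan found that the default top-1000 scan did not, which is the "examine the differences between scanning methods" use case the saved files are for. The XML inside is constructed sample data shaped like nmap's output; the IP and hostname are reused from the post's own examples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a default top-1000-port SYN scan (-sS -oX) of one host.
TOP1000_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX top1000 10.129.2.28"><host>
 <status state="up" reason="echo-reply"/><address addr="10.129.2.28" addrtype="ipv4"/>
 <hostnames><hostname name="NIX-NMAP-DEFAULT" type="PTR"/></hostnames><ports>
 <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
 <port protocol="tcp" portid="110"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""
# Constructed sample: the same host, all ports (-p-) plus version detection (-sV).
FULL_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX full 10.129.2.28"><host>
 <status state="up" reason="echo-reply"/><address addr="10.129.2.28" addrtype="ipv4"/>
 <hostnames><hostname name="NIX-NMAP-DEFAULT" type="PTR"/></hostnames><ports>
 <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
 <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
 <port protocol="tcp" portid="110"><state state="closed" reason="reset"/></port>
 <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(text):
    """Return {ip: {"hostname": name or None, "ports": {(proto, port): (state, service)}}}."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name = host.find("hostnames/hostname")
        ports = {}
        for p in host.iter("port"):
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                p.find("state").get("state"), svc.get("name") if svc is not None else None)
        hosts[ip] = {"hostname": name.get("name") if name is not None else None, "ports": ports}
    return hosts

def diff_scans(before, after):
    """Per host, ports the later scan found new or in a different state than the earlier one."""
    changes = {}
    for ip, info in after.items():
        old = before.get(ip, {"ports": {}})["ports"]
        for key, (state, svc) in info["ports"].items():
            if key not in old:
                changes.setdefault(ip, []).append((key, "new", state, svc))
            elif old[key][0] != state:
                changes.setdefault(ip, []).append((key, "changed", old[key][0] + "->" + state, svc))
    return changes

def highest_open_port(scan, ip):
    """Highest open port on one host, or None if nothing is open."""
    return max((port for (_, port), (state, _) in scan[ip]["ports"].items() if state == "open"), default=None)
```

Against real files, feed the contents of the .xml written by -oA to parse_nmap_xml instead of the embedded samples.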
Service Enumeration
The -sV flag can be used to scan for services and their versions.
Task:
1. Enumerate all ports and their services; one has the flag. Run tcpdump and wait 30 seconds after setting up a netcat listener on port 31337 with that target IP.
2. Use NSE on one of the services to find the flag. The HTTP vulns script was key.
Firewall and IDS/IPS Evasion
Nmap gives many ways to bypass firewall rules and IDS/IPS. Two main ways are the fragmentation of packets and the use of decoys.
When a port is shown to be filtered, remember that there are a variety of reasons that could cause this.
This is different for rejected packets, which are returned with an RST flag. These packets contain different types of ICMP error codes or contain nothing at all. Such errors can be:
- Net Unreachable
- Net Prohibited
- Host Unreachable
- Host Prohibited
- Port Unreachable
- Proto Unreachable
The -sA (TCP ACK) scan is harder for firewalls to filter or detect, as only the ACK flag is set in the packets sent.
Detect IDS/IPS
IDS/IPS are much more passive systems and so are more difficult to bypass.
Several virtual private servers (VPS) with different IP addresses are recommended to determine whether such systems are on the target network during a penetration test. If the administrator detects such a potential attack on the target network, the first step is to block the IP address from which the potential attack comes. As a result, we will no longer be able to access the network using that IP address, and our Internet Service Provider (ISP) will be contacted and blocked from all access to the Internet.
IDS systems alone are usually there to help administrators detect potential attacks on their network. They can then decide how to handle such connections. We can trigger certain security measures from an administrator, for example, by aggressively scanning a single port and its service. Based on whether specific security measures are taken, we can detect if the network has some monitoring applications or not.
One method to determine whether such an IPS system is present in the target network is to scan from a single host (VPS). If at any time this host is blocked and has no access to the target network, we know that the administrator has taken some security measures. Accordingly, we can continue our penetration test with another VPS. Consequently, we know that we need to be quieter with our scans and, in the best case, disguise all interactions with the target network and its services.
The decoy flag (-D) can be used, which inserts randomly generated decoy source IPs into the packet headers alongside our own.
DNS Proxying
By default, Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target. These DNS queries are also passed in most cases because the given web server is supposed to be found and visited. The DNS queries are made over UDP port 53. TCP port 53 was previously only used for the so-called "zone transfers" between the DNS servers or data transfer larger than 512 bytes. More and more, this is changing due to IPv6 and DNSSEC expansions. These changes cause many DNS requests to be made via TCP port 53.
However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>). This method could be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.
Firewall and IDS/IPS Evasion — Easy Lab
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer:
Service scan gave it away… Apache Ubuntu.
Firewall and IDS/IPS Evasion — Medium Lab
Submit DNS server version:
Use https://nmap.org/nsedoc/scripts/
Firewall and IDS/IPS Evasion — Hard Lab
This task hinted at large amounts of data and so a full port scan (-p-) reveals port 50000. Above we set up a netcat listener between DNS port 53 and this new mysterious port 50000. Let the netcat listener run for a second or two and the flag presents itself with a successful 220 request.
This module required a lot of outside research, but I feel it’s part of the job. It’s not a memory of everything game, but knowing where to look for the tool you need to do the job you want. Until next time!