nmap - Evasion Lab - Easy - htb

Firewall and IDS/IPS Evasion - Easy Lab


Now let's get practical. A company hired us to test their IT security defenses, including their IDS and IPS systems. Our client wants to increase their IT security and will, therefore, make specific improvements to their IDS/IPS systems after each successful test. We do not know, however, according to which guidelines these changes will be made. Our goal is to find out specific information from the given situations.

We are only ever provided with a machine protected by IDS/IPS systems that can be tested. For learning purposes and to get a feel for how IDS/IPS can behave, we have access to a status web page at:

http://<target IP>/status.php

This page shows us the number of alerts. We know that if we receive a specific amount of alerts, we will be banned. Therefore we have to test the target system as quietly as possible.

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: 10.129.2.80

Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.

Answer:

Let's start by pulling up the status.php endpoint so we can monitor alerts.

Visiting it shows that the ban threshold is 100 alerts, and the counter climbs continuously, so we have to work carefully.

We can start with a simple SYN scan to find open ports:

$ sudo nmap -sS -p- 10.129.2.80 -T 3 | tee Documents/htb/labs/nmap/results/firewalls-easy-init
[sudo] password for cscogin:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 08:46 CST
Nmap scan report for 10.129.2.80
Host is up (0.053s latency).
Not shown: 64562 closed tcp ports (reset), 970 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10001/tcp open  scp-config

Nmap done: 1 IP address (1 host up) scanned in 45.96 seconds

Next we can try running some discovery scripts against the narrowed port list:

$ sudo nmap -sS -p22,80,10001 --script discovery 10.129.2.80 -T 3 | tee Documents/htb/labs/nmap/results/firewalls-easy-discovery
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 08:52 CST
Pre-scan script results:
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
| ipv6-multicast-mld-list:
|   fe80::8b02:1a19:efbe:6d95:
|     device: eth0
|     mac: 00:15:5d:9c:00:45
|     multicast_ips:
|       ff02::1:ffbe:6d95         (NDP Solicited-node)
|       ff02::1:ff26:9b15         (Solicited-Node Address)
|       ff02::fb                  (mDNSv6)
|       ff02::c                   (SSDP)
|_      ff02::1:fffa:4c82         (Solicited-Node Address)
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| broadcast-igmp-discovery:
|   172.30.240.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|_  Use the newtargets script-arg to add the results as targets
| targets-ipv6-multicast-slaac:
|   IP: fe80::edf4:b739:46fa:4c82  MAC: 00:15:5d:9c:00:45  IFACE: eth0
|   IP: fe80::a19a:38e7:f926:9b15  MAC: 00:15:5d:9c:00:45  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld:
|   IP: fe80::8b02:1a19:efbe:6d95  MAC: 00:15:5d:9c:00:45  IFACE: eth0
|
|_  Use --script-args=newtargets to add the results as targets

Let's check in on the status page.

[!] You have been detected and banned for 3 minutes!

Uh-oh, looks like we need to be a little quieter. Let's add some options to trim the extra traffic nmap generates around the scan itself:

Added Flags:

  • --disable-arp-ping (skips the ARP host-discovery probe; this only matters when the target is on the local Ethernet segment)

  • -Pn (skips host discovery entirely, so no ICMP or TCP ping probes go out before the port scan)

  • --packet-trace (changes only what nmap prints, not what it sends, but lets us see every packet on the wire)

$ sudo nmap -sS -p22,80,10001 --script discovery 10.129.2.80 -T 3 --disable-arp-ping -Pn --packet-trace | tee Documents/htb/labs/nmap/results/firewalls-easy-discovery
...
...
...
Output too long to include, and we were busted again. The added flags don't change what `--script discovery` sends: that category runs dozens of scripts, including broadcast and DNS lookups, and that script traffic is what trips the IDS. Back to the drawing board.

Let's try one port at a time, swap the whole discovery category for the single banner script, and drop the timing template to -T2 (polite), slowing down further if needed.

$ sudo nmap -sS -p 22 --script banner 10.129.2.80 -T 2 --disable-arp-ping -Pn --packet-trace | tee Documents/htb/labs/nmap/results/firewalls-easy-banner
[sudo] password for cscogin:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 09:27 CST
NSOCK INFO [0.0770s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.0770s] nsock_connect_udp(): UDP connection requested to 172.30.240.1:53 (IOD #1) EID 8
NSOCK INFO [0.0770s] nsock_read(): Read request from IOD #1 [172.30.240.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0770s] nsock_write(): Write request for 42 bytes to IOD #1 EID 27 [172.30.240.1:53]
NSOCK INFO [0.0770s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [172.30.240.1:53]
NSOCK INFO [0.0770s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [172.30.240.1:53]
NSOCK INFO [1.1950s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [172.30.240.1:53] (42 bytes): .F...........80.2.129.10.in-addr.arpa.....
NSOCK INFO [1.1950s] nsock_read(): Read request from IOD #1 [172.30.240.1:53] (timeout: -1ms) EID 34
NSOCK INFO [1.1950s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [1.1950s] nevent_delete(): nevent_delete on event #34 (type READ)
SENT (1.6220s) TCP 10.10.15.56:49278 > 10.129.2.80:22 S ttl=48 id=4918 iplen=44  seq=2191490538 win=1024 <mss 1460>
RCVD (1.6708s) TCP 10.129.2.80:22 > 10.10.15.56:49278 SA ttl=63 id=0 iplen=44  seq=3298609174 win=29200 <mss 1340>
NSOCK INFO [1.1950s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [1.7640s] nsock_connect_tcp(): TCP connection requested to 10.129.2.80:22 (IOD #1) EID 8
NSOCK INFO [1.8160s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.129.2.80:22]
NSE: TCP 10.10.15.56:32848 > 10.129.2.80:22 | CONNECT
NSOCK INFO [1.8170s] nsock_read(): Read request from IOD #1 [10.129.2.80:22] (timeout: 10000ms) EID 18
NSOCK INFO [1.8700s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.80:22] (42 bytes): SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10..
NSE: TCP 10.10.15.56:32848 < 10.129.2.80:22 | SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10

NSE: TCP 10.10.15.56:32848 > 10.129.2.80:22 | CLOSE
NSOCK INFO [1.8700s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Nmap scan report for 10.129.2.80
Host is up (0.049s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10

Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

Bam! Looks like we were able to use nmap alone, without a secondary tool, to pull the OS name straight out of the SSH banner. On the wire this was one SYN probe plus one full TCP connection to port 22, which is about as quiet as a banner grab gets.

OS Name: Ubuntu

The `Ubuntu-4ubuntu2.10` part of the banner is the distro's OpenSSH package revision, not an OS version, and the lab accepts the parent OS name rather than the string with the version. Very CTF-ish for submitting the answer, but hey, we made it through and now on to the next one.
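The same banner grab done by hand, as an added example that is not part of the lab or the writeup's own tooling. It shows what `--script banner` did on the wire (one TCP connect to one port, read the identification line, close), parses the RFC 4253 identification string so the OS hint is separated from the software version, and spreads further probes out with a delay so an alert counter like status.php sees one event at a time. The function names, the delay value and the sample banners in the comments are my assumptions, and the Debian/Ubuntu suffix handling generalizes the single `Ubuntu-4ubuntu2.10` case seen above to any distro that patches its banner comment the same way.

```python
"""Quiet single-connection SSH banner grab and RFC 4253 banner parsing.

Added example; not part of the HTB lab or the original writeup.
Function names (parse_ssh_banner, grab_banner, probe_quietly) are assumed.
"""
import re
import socket
import time

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(line):
    """Split an SSH identification string into proto, software and comments.

    Returns None for non-SSH input. The optional comments field is where
    Debian/Ubuntu packaging appends "<Distro>-<pkgver>", for example
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10". That suffix is the only OS
    hint in the banner, and only the word before the dash is an OS name;
    the rest is a package revision, not an OS version.
    """
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    comments = m.group("comments") or ""
    distro = re.match(r"^([A-Za-z]+)-", comments)
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": comments,
        "os_hint": distro.group(1) if distro else None,
    }


def grab_banner(host, port=22, timeout=5.0):
    """One TCP connect, read until the SSH-prefixed line, then close.

    On the wire this is what --script banner did above: a single full
    handshake to one port and nothing else. RFC 4253 lets a server send
    other lines before the identification string, so skip until a line
    that starts with "SSH-".
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
            for line in buf.decode("ascii", "replace").splitlines():
                if line.startswith("SSH-"):
                    return line
    return ""


def probe_quietly(host, ports, delay=15.0):
    """Grab banners one port at a time with a pause between connections.

    Spacing the connections out is the manual equivalent of moving from
    -T3 to -T2 and scanning a single port: an IDS counting events per time
    window sees one connection at a time. The 15 second delay is an
    assumption; tune it against what status.php reports.
    """
    results = {}
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        try:
            results[port] = parse_ssh_banner(grab_banner(host, port))
        except OSError as exc:
            results[port] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    # Offline demonstration on the banner captured in the scan above.
    print(parse_ssh_banner("SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10"))
```

Running `probe_quietly("10.129.2.80", [22])` against the lab target reproduces the nmap result with a single connection; `parse_ssh_banner` is what turns the captured banner into the answer the lab actually wants (the `os_hint` field), rather than the package revision that follows it.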
