nmap - Evasion Lab - Medium - htb

Firewall and IDS/IPS Evasion - Medium Lab

---

After we conducted the first test and submitted our results to our client, the administrators made some changes and improvements to the IDS/IPS and firewall. We could hear that the administrators were not satisfied with their previous configurations during the meeting, and they could see that the network traffic could be filtered more strictly.

Questions

Target: 10.129.2.48

After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.

Answer: HTB{GoTtgUnyze9Psw4vGjcuMpHRp}

Lets start with looking at the possible DNS scripts available in Nmap scripts

$ sudo nmap --script-help discovery | grep dns
  <code>dns</code> script argument).
dns-brute
https://nmap.org/nsedoc/scripts/dns-brute.html
  subdomains. With the <code>dns-brute.srv</code> argument, dns-brute will also
dns-cache-snoop
https://nmap.org/nsedoc/scripts/dns-cache-snoop.html
  <code>dns-cache-snoop.mode</code> script argument. In
  Use the <code>dns-cache-snoop.domains</code> script argument to use a
dns-check-zone
https://nmap.org/nsedoc/scripts/dns-check-zone.html
dns-client-subnet-scan
https://nmap.org/nsedoc/scripts/dns-client-subnet-scan.html
  Performs a domain lookup using the edns-client-subnet option which
dns-ip6-arpa-scan
https://nmap.org/nsedoc/scripts/dns-ip6-arpa-scan.html
dns-nsec-enum
https://nmap.org/nsedoc/scripts/dns-nsec-enum.html
  <code>dns-nsec3-enum</code>.
dns-nsec3-enum
https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html
  <code>unhash</code> from https://dnscurve.org/nsec3walker.html, to
  Use the <code>dns-nsec-enum</code> script to handle servers that use NSEC
  * https://dnscurve.org/nsec3walker.html
dns-nsid
https://nmap.org/nsedoc/scripts/dns-nsid.html
dns-service-discovery
https://nmap.org/nsedoc/scripts/dns-service-discovery.html
  The script first sends a query for _services._dns-sd._udp.local to get a
dns-srv-enum
https://nmap.org/nsedoc/scripts/dns-srv-enum.html
dns-zeustracker
https://nmap.org/nsedoc/scripts/dns-zeustracker.html
  * https://zeustracker.abuse.ch/ztdns.php
dns-zone-transfer
https://nmap.org/nsedoc/scripts/dns-zone-transfer.html
  <code>dns-zone-transfer.domain</code> script argument. If the query is
  arguments in this phase are: <code>dns-zone-transfer.server</code> the
  specified. The <code>dns-zone-transfer.port</code> argument is optional
  * DNS for rocket scientists: http://www.zytrax.com/books/dns/
  * How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html

One item that stands out is the dns-srv-enum as this could potentially enumerate the dns server information for us!

Lets give it a try shall we.

$ sudo nmap -sU -sV -p 53 --script dns-srv-enum 10.129.2.48 -T 2 | tee Documents/htb/labs/nmap/results/medium-init-dns-srv-enum
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 13:28 CST
Nmap scan report for 10.129.2.48
Host is up (0.050s latency).

PORT   STATE SERVICE VERSION
53/udp open  domain  (unknown banner: HTB{GoTtgUnyze9Psw4vGjcuMpHRp})
| fingerprint-strings:
|   DNSVersionBindReq:
|     version
|     bind
|     HTB{GoTtgUnyze9Psw4vGjcuMpHRp}
|   NBTStat:
|     CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|_    ROOT-SERVERS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.94SVN%I=7%D=11/24%Time=6560F953%P=x86_64-pc-linux-gnu%r(
SF:DNSVersionBindReq,57,"\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x04
SF:bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x1f\x1eHTB{GoTtgUnyze9
SF:Psw4vGjcuMpHRp}\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c")%r(DNSStatus
SF:Request,C,"\0\0\x90\x04\0\0\0\0\0\0\0\0")%r(NBTStat,105,"\x80\xf0\x80\x
SF:90\0\x01\0\0\0\r\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0
SF:\x02\0\x01\x006\xee\x80\0\x14\x01K\x0cROOT-SERVERS\x03NET\0\0\0\x02\0\x
SF:01\x006\xee\x80\0\x04\x01I\xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01F\
SF:xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01M\xc0\?\0\0\x02\0\x01\x006\xe
SF:e\x80\0\x04\x01G\xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01D\xc0\?\0\0\
SF:x02\0\x01\x006\xee\x80\0\x04\x01E\xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x0
SF:4\x01B\xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01J\xc0\?\0\0\x02\0\x01\
SF:x006\xee\x80\0\x04\x01A\xc0\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01H\xc0
SF:\?\0\0\x02\0\x01\x006\xee\x80\0\x04\x01L\xc0\?\0\0\x02\0\x01\x006\xee\x
SF:80\0\x04\x01C\xc0\?");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.41 seconds

And just like that we can take the flag found under DNSVersionBindReq => version => bind

After we submit the flag we see a success message.