nmap lab - host:port scanning - htb
Short lab walkthrough of the nmap training on HTB Academy
Questions
Answer the question(s) below to complete this Section and earn cubes!
Target: 10.129.2.49
Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
Answer: 7
Enumerate the hostname of your target and submit it as the answer. (case-sensitive)
Answer: nix-nmap-default
Starting with a SYN scan of every TCP port to get a quick list of open ports (-sS: SYN scan, -Pn: skip host discovery, -p-: all TCP ports):
┌──(cscogin㉿SCOGIN-L7-WRKST)-[~]
└─$ sudo nmap -sS -Pn -p- 10.129.2.49
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 01:24 CST
Results
┌──(cscogin㉿SCOGIN-L7-WRKST)-[~]
└─$ sudo nmap -sS -Pn -p- 10.129.2.49
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 01:24 CST
Nmap scan report for 10.129.2.49
Host is up (0.050s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 24.17 seconds
Let's submit the answer 7 (the answer was correct; I'm just not showing screenshots for labs unless necessary).
Now to answer the second question...
Enumerating the hostname:
┌──(cscogin㉿SCOGIN-L7-WRKST)-[~]
└─$ sudo nmap -sC -A 10.129.2.49
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 01:29 CST
Results - (Take a small potty break, warm up some food, check email, etc.)
┌──(cscogin㉿SCOGIN-L7-WRKST)-[~]
└─$ sudo nmap -sC -A 10.129.2.49
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 01:29 CST
Nmap scan report for 10.129.2.49
Host is up (0.050s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
| 256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_ 256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL TOP UIDL PIPELINING RESP-CODES CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: post-login have capabilities IMAP4rev1 listed IDLE ENABLE more LOGINDISABLEDA0001 Pre-login SASL-IR LOGIN-REFERRALS ID OK LITERAL+
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
31337/tcp open Elite?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/24%OT=22%CT=1%CU=34334%PV=Y%DS=2%DC=T%G=Y%TM=656
OS:05187%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8
OS:)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53
OS:CST11NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)
Network Distance: 2 hops
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nix-nmap-default
| NetBIOS computer name: NIX-NMAP-DEFAULT\x00
| Domain name: \x00
| FQDN: nix-nmap-default
|_ System time: 2023-11-25T00:58:52+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-11-24T23:58:52
|_ start_date: N/A
|_clock-skew: mean: 16h06m43s, deviation: 34m38s, median: 16h26m43s
|_nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 51.67 ms 10.10.14.1
2 51.81 ms 10.129.2.49
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.42 seconds
Answer (also seen above, in the smb-os-discovery "Computer name" and "FQDN" fields): nix-nmap-default
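As an added example (not part of the original walkthrough or of HTB's material), this Python sketch pulls both answers out of saved nmap normal-format output and shows why the case-sensitive hostname has to come from smb-os-discovery: in the output above, the Service Info line reports the name in upper case and nbstat cuts it to 15 characters. It also flags the two SMB signing lines the scripts reported. The function names, source labels and the abridged SAMPLE text are constructed for illustration.

```python
import re

# Constructed sample: lines abridged from the -sC -A output in this walkthrough.
SAMPLE = r"""Nmap scan report for 10.129.2.49
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
31337/tcp open Elite?
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|_ Message signing enabled but not required
| Computer name: nix-nmap-default
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>
"""

# Hostname sources in order of preference (labels are hypothetical, fields are nmap's).
HOST_SOURCES = [
    ("smb-os-discovery", r"^\|\s+Computer name:\s*(\S+)"),    # exact case
    ("service-info", r"^Service Info:.*?Host:\s*([^;\s]+)"),  # upper case on this host
    ("nbstat", r"nbstat: NetBIOS name:\s*([^,\s]+)"),         # cut to 15 characters
]

def open_ports(text):
    """Unique (port, proto) pairs in state 'open'; skips 'open|filtered'."""
    hits = re.findall(r"^(\d+)/(tcp|udp)\s+open\s", text, re.M)
    return sorted({(int(port), proto) for port, proto in hits})

def hostname_candidates(text):
    """Every hostname the scan reported, most reliable source first."""
    found = []
    for source, pattern in HOST_SOURCES:
        match = re.search(pattern, text, re.M)
        if match:
            found.append((source, match.group(1)))
    return found

def smb_signing_findings(text):
    """Flag the SMB signing weaknesses reported by the two security-mode scripts."""
    checks = [
        ("smb-security-mode: message signing disabled", r"message_signing:\s*disabled"),
        ("smb2-security-mode: signing not required", r"Message signing enabled but not required"),
    ]
    return [label for label, pattern in checks if re.search(pattern, text)]

if __name__ == "__main__":
    print("open TCP ports:", len(open_ports(SAMPLE)))
    print("hostnames:", hostname_candidates(SAMPLE))
    print("findings:", smb_signing_findings(SAMPLE))
```

To run it on a real scan, save the output with nmap's -oN option and pass the file's contents to the same functions.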