Notes taken while studying for CPTS.
Network Enumeration with Nmap
Host Discovery
Evo9@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

| Scanning Options | Description |
|---|---|
| 10.129.2.0/24 | Target network range. |
| -sn | Disables port scanning (host discovery only). |
| -oA tnet | Stores the results in all formats with the base name 'tnet' (tnet.nmap, tnet.gnmap, tnet.xml). |
| grep for | Keeps only the "Nmap scan report for <host>" lines, one per host found up. |
| cut -d" " -f5 | Prints the fifth space-separated field of those lines, the host address. |

Two caveats with this pipeline. Nmap reverse-resolves every host it finds; when a name resolves, the line becomes "Nmap scan report for name (10.129.2.x)" and field 5 is the name, so add -n when only addresses are wanted. Run as root on a directly attached network, -sn discovers hosts with ARP requests, which a host cannot suppress; across a router it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that drops all four is reported down even though it is up (scan it with -Pn to skip discovery).
Service Enumeration
Evo9@htb[/htb]$ sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -p- | Scans all 65535 TCP ports (1-65535). |
| -sV | Performs service version detection on the ports found open. |
| --stats-every=5s | Shows the progress of the scan every 5 seconds. |
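The grep/cut pipeline above works on the human-readable output, which changes shape as soon as a name resolves. The -oA runs also write a grepable .gnmap file that keeps one host per line and is meant for exactly this kind of post-processing. The following is an added example (my own code, not from these notes or from HTB) that serves both the host discovery and the service enumeration steps: it pulls the live hosts out of an -sn gnmap file and the open ports, services and versions out of a -sV gnmap file. Both sample files are constructed here to imitate the gnmap layout and are not real scan results; the Nmap version string and timings in them are made up.

```shell
#!/bin/bash
# Added example: parse nmap grepable output (-oG, or the .gnmap file written by -oA).
# The two sample files below are constructed for this example. They imitate the gnmap
# layout (nmap separates the fields of a "Host:" line with tabs; the parsers accept
# tabs or spaces) and are not real scan results.

write_sample_sn() {
    # $1: path. Imitates "nmap -v -sn -oA tnet 10.129.2.0/24"; -v makes nmap list Down hosts too.
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -v -sn -oA tnet 10.129.2.0/24
Host: 10.129.2.1 ()	Status: Down
Host: 10.129.2.4 ()	Status: Up
Host: 10.129.2.10 ()	Status: Up
Host: 10.129.2.28 ()	Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 4.91 seconds
EOF
}

write_sample_sv() {
    # $1: path. Imitates "nmap -p- -sV -oA tnet_sv 10.129.2.28". Each record in the Ports:
    # field is port/state/proto/owner/service/rpcinfo/version/ and records are joined by ", ".
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -sV -oA tnet_sv 10.129.2.28
Host: 10.129.2.28 ()	Status: Up
Host: 10.129.2.28 ()	Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//nginx 1.14.0 (Ubuntu)/, 139/filtered/tcp//netbios-ssn///	Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 92.40 seconds
EOF
}

# One address per line for every host reported Up. The output can be fed straight
# into the port scan with "nmap -iL hosts.txt ...".
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# "host port/proto service version" for every open port in a -sV gnmap file.
# Filtered and closed ports are skipped. The sample versions contain no "/" or ", ",
# so splitting on those is safe here; for anything more elaborate parse -oX output.
open_services() {
    awk '/^Host:/ && /Ports: / {
        host = $2
        ports = $0
        sub(/.*Ports: /, "", ports)                     # keep the Ports: field only
        sub(/[[:space:]]+Ignored State:.*/, "", ports)  # drop the trailing summary
        n = split(ports, rec, /, /)                     # one record per port
        for (i = 1; i <= n; i++) {
            split(rec[i], f, "/")                       # 1=port 2=state 3=proto 5=service 7=version
            if (f[2] == "open")
                printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
    }' "$1"
}

# Stand-alone demo on the constructed samples.
demo() {
    sn=$(mktemp); sv=$(mktemp)
    write_sample_sn "$sn"; write_sample_sv "$sv"
    echo "live hosts:";    live_hosts "$sn"
    echo "open services:"; open_services "$sv"
    rm -f "$sn" "$sv"
}
demo
```

In a real engagement replace the write_sample_* calls with the tnet.gnmap and tnet_sv.gnmap files that -oA produced; the two parsers do not care about the file name.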
Banner Grabbing
tcpdump
Evo9@htb[/htb]$ sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

nc
Evo9@htb[/htb]$ nc -nv 10.129.2.28 25
Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)

tcpdump - intercepted traffic
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0

The first three packets ([S], [S.], [.]) are the TCP three-way handshake. The fourth, sent by the server with [P.] and a 35-byte payload (the 33-character banner plus CRLF), is the greeting: Postfix announces itself as soon as the connection is up, before the client has sent anything. Not every service does this. HTTP, for example, waits for a request, so an idle nc connection to port 80 shows nothing; that is why -sV sends protocol-specific probes rather than only listening for a banner.

Nmap Scripting Engine
Evo9@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sV --script vuln
--script vuln runs every NSE script in the vuln category against the ports found open. Some of those scripts are intrusive; --script-help vuln lists what the category contains before it is run against a target.

Firewall and IDS/IPS Evasion
When a port is shown as filtered, there can be several reasons. In most cases a firewall has rules for specific connections, and a matching packet is either dropped or rejected. A dropped packet is silently discarded: no response comes back, Nmap's probe times out, and the port is reported as filtered. A rejected packet is answered, usually with an ICMP error (destination unreachable, type 3), which Nmap also reports as filtered; a firewall that rejects with a TCP RST instead makes the port look closed to a SYN scan, which is indistinguishable from a host with no firewall at all.
Nmap's TCP ACK scan (-sA) is much harder for firewalls and IDS/IPS to filter, because it sends packets with only the ACK flag set. Those look like part of an already established connection, so a stateless filter that only blocks incoming SYNs lets them through (a stateful firewall that tracks connections drops unsolicited ACKs as well). Any host answers an unexpected ACK with an RST whether the port is open or closed, so -sA cannot tell open from closed; it reports a port as unfiltered (RST received) or filtered (no reply, or an ICMP error), which maps the firewall rules rather than the services. Compare the -sA result with a -sS scan of the same ports to see which ones the firewall is filtering, and add --packet-trace to watch the individual probes and replies.