Tag: HTB-Academy

  • Firewall and IDS/IPS Evasion (Easy)

    So our goal in this first lab is to figure out the OS running on the target host without tipping off the client’s IDS/IPS solution and getting blocked. You can easily complete this lab with a basic service scan like nmap -sV [Target IP], but that might generate too many alerts and get you banned by the IDS/IPS.

    That’s embarrassing.

    So instead we’ll use a slower timing template for our scan. I used T2 (a.k.a “Polite”) to pull this off.

    The full command I used was: nmap -sV -T2 --top-ports 100 [Target IP]

    This gives us our answer in a timely manner (I threw in --top-ports 100 because I’m impatient), and it avoids setting off too many alerts.

    Success!

    Answer: Ubuntu

    Firewall and IDS/IPS Evasion (Medium)

    Now the client would like us to discover the version of their DNS server (really a flag stored in the version.bind CHAOS-class TXT record, which is where BIND reports its version) after they’ve configured their security system to be a little tougher to deal with.

    For this question you can use the dns-nsid script with Nmap.

    I simply used the same example scan from the documentation for the script on nmap.org: sudo nmap -sSU -p53 --script dns-nsid [Target IP]

    This is a combined TCP SYN and UDP scan of port 53. DNS is served over both transports: UDP for ordinary queries, and TCP for zone transfers and for responses too large to fit in a single UDP datagram (common with DNSSEC), so probing both ensures the script doesn’t miss the listener.
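    What the dns-nsid script actually asks the server, shown as an added example that is not from the original post or from nmap: a hand-built version.bind / CH / TXT query, a parser for the reply (including the REFUSED case a hardened server returns), and a sender that works over UDP or length-prefixed TCP. The transaction id, the local stand-in reply and its version string are constructed for illustration, not captured from the lab.

```python
import socket
import struct

# DNS constants used by the version.bind probe (RFC 1035 values).
CLASS_CH = 3    # CHAOS class: used for server self-identification records
TYPE_TXT = 16

def build_version_bind_query(txid=0x1337, name="version.bind"):
    """Wire-format query: 12-byte header, QNAME labels, QTYPE=TXT, QCLASS=CH."""
    # flags 0x0000: standard query; recursion is irrelevant for a CHAOS self-query
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(data, off):
    """Advance past a domain name, handling 0xC0xx compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer is 2 bytes and terminates the name
            return off + 2
        off += 1 + length

def parse_txt_answers(resp, expected_txid=None):
    """Return the TXT strings in the answer section; [] on a non-zero RCODE (e.g. REFUSED)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if flags & 0x000F != 0:            # RCODE: 5 = REFUSED is typical for a hidden version
        return []
    off = 12
    for _ in range(qd):                # skip echoed question(s): name + QTYPE + QCLASS
        off = _skip_name(resp, off) + 4
    strings = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:          # TXT rdata is a sequence of <len><chars> strings
            i = 0
            while i < len(rdata):
                slen = rdata[i]
                strings.append(rdata[i + 1:i + 1 + slen].decode(errors="replace"))
                i += 1 + slen
    return strings

def query_version_bind(server, port=53, timeout=3.0, tcp=False, txid=0x1337):
    """Send the probe over UDP (default) or TCP, mirroring what nmap -sSU -p53 covers."""
    q = build_version_bind_query(txid)
    if tcp:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is 2-byte length prefixed
            ln = struct.unpack("!H", s.recv(2))[0]
            resp = b""
            while len(resp) < ln:
                chunk = s.recv(ln - len(resp))
                if not chunk:
                    break
                resp += chunk
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, port))
            resp, _ = s.recvfrom(4096)
    return parse_txt_answers(resp, expected_txid=txid)

def build_sample_response(txid, txt="9.16.1-Ubuntu"):
    """Constructed reply (not from the lab): QR/AA set, one TXT answer via a 0xC00C pointer."""
    question = build_version_bind_query(txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    # Offline demonstration; against the lab use query_version_bind("[Target IP]").
    print(parse_txt_answers(build_sample_response(0x1337), expected_txid=0x1337))
```

Against a real target, a server configured with `version "none";` or a CHAOS-class `allow-query` restriction answers REFUSED, which parse_txt_answers reports as an empty list; the lab's flag shows up as the TXT string when the server is willing to talk.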

    Success! And it barely even registered with the security system.

    Answer: HTB{GoTtgUnyze9Psw4vGjcuMpHRp}

    Firewall and IDS/IPS Evasion (Hard)

    Lastly, the client has now sent one of its system administrators to a training course for IDS/IPS systems and wants to see if we can beat the newly educated admin’s configuration strategy for the security system by enumerating the versions of the services they’re running.

    For this task I used two commands:

    First, I just decided to be loud and scan the entire port range with sudo nmap -v -p- -Pn --source-port 53 [Target IP] -D RND:5 which revealed an interesting service on port 50000 named “ibm-db2.” This scan only produced about 11 alerts on the IDS/IPS system but don’t be mistaken, any half-decent SOC analyst would see this and immediately know what was going on, regardless of how many decoys you use.

    Anyway, we continue by using this knowledge of an IBM database management service running on our target host to connect to it with Ncat. The command we use, and pretty much all the information you need for these labs, can be found in the “Firewall and IDS/IPS Evasion” section. Just don’t forget to include “sudo” so you don’t get the libnsock mksock_bind_addr() error like I did the first time (binding a socket to a source port below 1024, such as 53, requires root, duh!)
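    The trick behind both commands in this task, as an added example that is not the post's own Ncat command or any nmap code: bind the client socket to a chosen source port before connecting, which is what `--source-port 53` does so the traffic looks like DNS to a firewall that trusts that port. The local banner service, its banner text and the high source port used for the offline run are constructed stand-ins; against the lab you would run it as root with source_port=53 against port 50000.

```python
import socket
import threading

def serve_banner_once(banner=b"SQL11055 (constructed DB2-style banner)\n"):
    """Constructed stand-in for the lab's port 50000 service: accept one client, send a banner.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def grab_banner_from_source_port(host, port, source_port, timeout=3.0):
    """Connect to host:port with the local end pinned to source_port (ncat/nmap --source-port).
    Returns (source port actually used, bytes received)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    try:
        s.bind(("", source_port))          # must happen before connect()
    except PermissionError as exc:
        # Ports below 1024 (53 included) are privileged: this is the bind failure
        # you get without sudo, surfaced by nmap/ncat as libnsock mksock_bind_addr().
        s.close()
        raise PermissionError(f"binding source port {source_port} requires root") from exc
    with s:
        s.connect((host, port))
        return s.getsockname()[1], s.recv(4096)

if __name__ == "__main__":
    # Offline run with an unprivileged source port; use 53 (as root) against the real target.
    local_port = serve_banner_once()
    print(grab_banner_from_source_port("127.0.0.1", local_port, 40053))
```

Binding the source port only fools a filter that allows inbound traffic "from" port 53; it does nothing to hide the TCP handshake or the service banner from an IDS that inspects the session, which is why the scan above still raised alerts.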

    Answer: HTB{kjnsdf2n982n1827eh76238s98di1w6}

    Overall this section was pretty fair, despite some of the complaints people had in the HTB Academy forums. The modules throughout this section do a great job of spelling things out for you and giving you the tools you need to complete the labs.

    As a general rule of thumb for these HTB Academy materials, always go back and reference the material in the modules whenever you’re stuck. Don’t just refer to the cheat sheet and/or Google things aimlessly.

    Good luck with the next one!