HTB Network Enumeration with Nmap Walkthrough

Ahmet Talha Şen, published in InfoSec Write-ups, Jul 6, 2023


In this module, we covered Nmap, a versatile network scanning tool. We learned its usage, analyzed scan results, utilized the Nmap Scripting Engine (NSE), and practiced evasion techniques. Through practical challenges and assessments, we gained valuable experience with Nmap’s capabilities.

Host and Port Scanning

  1. Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
nmap 10.129.2.49
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-24 19:53 +03
Nmap scan report for 10.129.2.49
Host is up (0.10s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds

nmap: This is the actual command used to launch the Nmap software.
10.129.2.49: This is the IP address of the target we wish to check. By giving Nmap this address we instruct it to scan that specific device, since IP addresses uniquely identify devices on a network.

2. Enumerate the hostname of your target and submit it as the answer. (case-sensitive)

nmap --script smb-os-discovery 10.129.2.49
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-24 20:02 +03
Nmap scan report for 10.129.2.49
Host is up (0.11s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nix-nmap-default
| NetBIOS computer name: NIX-NMAP-DEFAULT\\x00
| Domain name: \\x00
| FQDN: nix-nmap-default
|_ System time: 2023-06-24T19:04:10+02:00
Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds

--script smb-os-discovery: In this instance, the smb-os-discovery script is being used. SMB (Server Message Block) is a network protocol used for file sharing, printer sharing, and other types of communication between devices.

Saving the Results

  1. Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.
nmap 10.129.2.49 -oA target
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-24 20:15 +03
Nmap scan report for 10.129.2.49
Host is up (0.11s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds

ls
target.gnmap target.nmap target.xml tnet.gnmap tnet.nmap tnet.xml

-oA target: These are command-line options passed to Nmap. -oA writes the results in all three output formats at once (normal .nmap, grepable .gnmap and XML .xml), and target is the file name prefix used for the files Nmap generates.

  • -oA: Writes the scan results in normal, grepable and XML formats in one run.
  • target: The file name prefix for the output files.
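As an added example (not code from the write-up or from Nmap itself), the Python below parses the grepable target.gnmap file that -oA produces and answers both the "total number of TCP ports" question from the Host and Port Scanning section and the "highest port" question here; the file content is constructed from the scan table above, not a real capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the grepable target.gnmap file that `-oA target` writes;
# the port list mirrors the walkthrough's scan table, it is not a real capture.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Sat Jun 24 20:15:00 2023 as: nmap -oA target 10.129.2.49\n"
    "Host: 10.129.2.49 ()\tStatus: Up\n"
    "Host: 10.129.2.49 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, "
    "445/open/tcp//microsoft-ds///, 31337/open/tcp//Elite///\tIgnored State: closed (993)\n"
    "# Nmap done at Sat Jun 24 20:15:02 2023 -- 1 IP address (1 host up) scanned in 1.94 seconds\n"
)

# Each entry in the Ports: field is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/[^/]*/[^/]*/")
PortEntry = Tuple[int, str, str, str]  # (port, state, proto, service)

def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    # Map each host IP to the port entries found on its Ports: line
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no port data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entries = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    entries.append((int(port), state, proto, service))
    return hosts

def open_tcp_ports(text: str, ip: str) -> List[int]:
    # Sorted open TCP ports for one host: its length is the first task's answer
    return sorted(port for port, state, proto, _ in parse_gnmap(text).get(ip, [])
                  if proto == "tcp" and state == "open")

def highest_open_tcp_port(text: str, ip: str) -> int:
    # The 'highest port' answer asked for in this section
    ports = open_tcp_ports(text, ip)
    if not ports:
        raise ValueError(f"no open TCP ports recorded for {ip}")
    return ports[-1]

if __name__ == "__main__":
    found = open_tcp_ports(SAMPLE_GNMAP, "10.129.2.49")
    print(len(found), "open TCP ports, highest:", highest_open_tcp_port(SAMPLE_GNMAP, "10.129.2.49"))
```

The HTML report the task asks for is produced from the XML sibling, not the grepable file: `xsltproc target.xml -o target.html`.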

Service Enumeration

  1. Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
nc -nv 10.129.2.49 31337
(UNKNOWN) [10.129.2.49] 31337 (?) open
220 HTB{pr0F7pDv3r510nb4nn3r}

nc stands for “netcat,” which is a versatile networking utility used for reading from and writing to network connections. It allows you to establish connections, listen on ports, transfer data, and more.

-nv: These are command-line options or flags that modify the behavior of the nc command:

  • -n: This flag tells nc not to perform DNS resolution on the provided IP address. It ensures that the IP address is used as-is, without any attempt to resolve it to a hostname.
  • -v: This flag enables verbose mode, which provides more detailed output. It allows you to see additional information about the connection, such as debugging messages or connection status.

31337: This is the port number on the target host that nc will attempt to connect to. Ports are like virtual communication channels on a computer that allow different services or applications to send and receive data. In this case, nc will try to establish a connection on port number 31337.

Nmap Scripting Engine

  1. Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
nmap 10.129.210.124 -p 80 --script vuln
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-25 13:49 +03
Nmap scan report for 10.129.210.124
Host is up (0.22s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750>
|_ <http://ha.ckers.org/slowloris/>
| http-enum:
|_ /robots.txt: Robots file
Nmap done: 1 IP address (1 host up) scanned in 322.48 seconds

curl <http://10.129.210.124/robots.txt>
User-agent: *
Allow: /
HTB{873nniuc71bu6usbs1i96as6dsv26}

-p 80: The -p option is used to specify the port number(s) that Nmap should scan on the target machine. In this command, we are scanning for port 80. Port 80 is commonly used for HTTP traffic, so this command specifically focuses on scanning for vulnerabilities related to web servers.

--script vuln: The --script option allows you to specify a script or a category of scripts to run during the scanning process. In this case, the vuln category is specified, which contains Nmap scripts specifically designed to identify vulnerabilities on target systems.

The acronym “curl” stands for “Client URL.” It is a command-line utility used to send and receive data from web addresses known as URLs.

http://10.129.210.124/robots.txt: This is the website’s URL or address from which we are seeking data. The server with the IP address “10.129.210.124” is where we are retrieving the file “robots.txt” in this instance. A typical text file called “robots.txt” offers instructions for web crawlers or robots on which areas of a website to crawl and which to avoid.

Firewall and IDS/IPS Evasion — Easy Lab

  1. Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
nmap --script smb-os-discovery 10.129.2.80
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-25 14:14 +03
Nmap scan report for 10.129.2.80
Host is up (0.31s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
10001/tcp open scp-config
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nix-nmap-easy
| NetBIOS computer name: NIX-NMAP-EASY\\x00
| Domain name: \\x00
| FQDN: nix-nmap-easy
|_ System time: 2023-06-25T13:16:13+02:00
Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

--script parameter: with this option you tell Nmap to run a specific script or set of scripts during the scan. To perform OS (Operating System) identification against SMB (Server Message Block) services, we use the script smb-os-discovery. SMB is a protocol used for network communication between computers, file sharing, printer sharing, and other purposes.

Firewall and IDS/IPS Evasion — Medium Lab

  1. After the configurations are transferred to the system, our client wants to know if it is possible to find out our target’s DNS server version. Submit the DNS server version of the target as the answer.
nmap -sSU -p 53 --script dns-nsid 10.129.45.239
Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-06-27 12:04 +03
Nmap scan report for 10.129.45.239
Host is up (0.058s latency).
PORT STATE SERVICE
53/tcp filtered domain
53/udp open domain
| dns-nsid:
|_ bind.version: HTB{GoTtgUnyze9Psw4vGj*****}
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

-sSU: These are the scan-type options passed to the nmap command.

  • -sS selects a TCP SYN scan.
  • -sU selects a UDP scan; writing the two together as -sSU scans both TCP and UDP ports in a single run.

-p 53: This option specifies the port number to scan. In this case, it is port 53. Port 53 is typically used for DNS (Domain Name System) services.

--script dns-nsid: This option specifies a particular Nmap script to run during the scan. The dns-nsid script is designed to perform DNS Name Server Identifier (NSID) queries and gather information from the DNS server.
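To show what the dns-nsid script actually asks the server (a TXT query for version.bind in the CHAOS class) and how the answer comes back, here is an added Python example that is not part of the write-up or of Nmap: it builds the query bytes and parses a constructed reply entirely offline, so nothing is sent anywhere.

```python
import struct

TYPE_TXT, CLASS_CHAOS = 16, 3  # TXT record, CHAOS class (where version.bind lives)

def encode_name(name: str) -> bytes:
    # Wire-format name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"

def build_version_bind_query(txid: int = 0x1337) -> bytes:
    # Header: id, flags (RD only), 1 question, 0 answer/authority/additional RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)

def skip_name(buf: bytes, off: int) -> int:
    # Return the offset just past a name; a 0xC0 compression pointer is two bytes long
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:
            return off + 2
        off += 1 + n

def parse_txt_answer(resp: bytes) -> str:
    # Concatenate the character-strings of the first TXT answer RR, or "" if none
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4  # skip qtype + qclass
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            parts, i = [], 0
            while i < len(rdata):  # TXT rdata is a series of <len><chars>
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            return "".join(parts)
    return ""

def build_sample_response(query: bytes, version: str) -> bytes:
    # Constructed reply: same id, QR+RD+RA flags, the question echoed, one TXT answer
    txt = version.encode("ascii")
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer
```

On the defending side this CHAOS-class query is exactly what to look for in DNS query logs, and a BIND server answers it only with whatever string the `version` option in named.conf is set to, so the real version need never leave the server.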

Firewall and IDS/IPS Evasion — Hard Lab

  1. Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
nc -nv -p 53 10.129.2.47 50000
(UNKNOWN) [10.129.2.47] 50000 (?) open
220 HTB{kjnsdf2n982n1827eh76238s98d****}

nc: This is the command itself and stands for “netcat.” Netcat is a versatile networking utility used for reading from and writing to network connections.

-nv: These are command-line options passed to the nc command.

  • -n: Disables DNS name resolution, so the IP address given on the command line is used as-is rather than being resolved to a hostname.
  • -v: Enables verbose output, providing more detailed information about the connection.

-p 53: This option sets the source port for the connection.

  • -p: Indicates that we want to set the source port.
  • 53: The source port is set to 53, the port typically associated with DNS (Domain Name System) services.

50000: This is the destination port number to which the connection is being made. Port number 50000 is the target port for the connection.

And there you have it! This guide has explored the process of network enumeration with Nmap for HTB challenges. By leveraging Nmap’s powerful scanning capabilities and using various techniques, you can gather valuable information about the network and its hosts.

Remember, network enumeration is a critical step in any penetration testing or CTF challenge, as it helps you identify potential vulnerabilities and avenues for exploitation. Stay curious, keep practicing, and continue expanding your knowledge in the fascinating field of cybersecurity.

Thank you for taking the time to read this article. I hope it has provided you with valuable insights and practical techniques for network enumeration with Nmap. If you have any questions or suggestions, feel free to leave a comment below. Happy hacking!
