[HTB Academy] Network Enumeration with NMAP Notes
1. GPO (Group Policy Object): Powerful tool for managing security policies.
2. RST flag in TCP: Reset flag, used to immediately terminate a TCP connection.
3. Host Discovery:
1) Scan Network Range: Get an overview of which systems are online
yeon0815@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
- 10.129.2.0/24: Target network range
- -sn: Disables port scanning (host discovery only)
4. Default TTL values of Different OS: https://subinsb.com/default-device-ttl-values/
5. -sS: The SYN scan is only the default when we run Nmap as root, because of the socket permissions required to create raw TCP packets. Otherwise, the TCP connect scan (-sT) is performed by default.
6. xsltproc: Transforms XML files to HTML files.
7. SMTP (Simple Mail Transfer Protocol)
8. TCP Flag overview
1) SYN: Synchronize. Initiates a new connection
2) ACK: Acknowledgement. Acknowledges received data
3) FIN: Finish. Terminates a connection
4) RST: Reset. Resets a connection due to an error.
5) PSH: Push. Pushes data to the application layer immediately.
6) URG: Urgent. Marks the data as urgent.
9. Firewall and IDS/IPS Evasion
1) -sA: TCP ACK scan. It is much harder for firewalls to filter than regular -sS or -sT scans because it sends a TCP packet with only the ACK flag set. Whether the port is open or closed, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, packets with the ACK flag are often passed by the firewall because it cannot determine whether the connection was first established from the external or the internal network.
2) -D: Decoy scan. With this method, Nmap generates various random IP addresses and inserts them into the IP header to disguise the origin of the packets sent.
3) -S: Scans the target using a different source IP address.
10. Identifying the OS of a target machine quietly, without triggering too many alerts.
1) Passive Reconnaissance First
e.g., ping -c 1 {target_ip}
- TTL ~64: Linux/Unix-based
- TTL ~128: Windows
- TTL ~255: Networking Devices
2) Use Service Banner Grabbing
- Focus on common ports: 22(SSH), 80(http), 443(https), 445(SMB)
e.g., nc {target_ip} 22
e.g., curl -I http://{target_ip}
e.g., whatweb {target_ip}
3) Use SMB
- SMB is one of the best ways to identify Windows systems.
e.g., smbclient -L //{target_ip} -N
4) Avoid Full Port Scans
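As an added example (not part of the HTB Academy module or these notes), a small Python helper that reads the tnet.gnmap file written by the -oA option in step 3, which is the same information the grep | cut pipeline pulls from stdout, and applies the TTL rule of thumb from step 10 1) to a ping reply. The grepable output and the ping line below are constructed samples.

```python
import re

# Constructed sample of Nmap grepable output, as "-sn -oA tnet" writes to tnet.gnmap.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap 10.129.2.0/24 -sn -oA tnet
Host: 10.129.2.4 ()\tStatus: Up
Host: 10.129.2.10 (dc01.example.internal)\tStatus: Up
Host: 10.129.2.11 ()\tStatus: Up
Host: 10.129.2.12 ()\tStatus: Down
# Nmap done at ...: 256 IP addresses (3 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def live_hosts(gnmap_text):
    """Return the IP addresses reported 'Up' in Nmap grepable (.gnmap) output."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.append(m.group(1))
    return hosts


# Initial TTLs listed in the notes; every router on the path decrements the TTL by one,
# which is why an observed value such as 127 still points at a 128-based stack.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device"}


def guess_os_from_ttl(observed_ttl):
    """Map an observed reply TTL to (initial TTL, OS family, estimated hop count).

    Chooses the smallest initial TTL that is >= the observed value. This is only a
    heuristic: TTLs can be changed by the host or rewritten by middleboxes.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, INITIAL_TTLS[initial], initial - observed_ttl


def ttl_from_ping(reply_line):
    """Extract the ttl= field from a ping reply line, or None if there is no reply."""
    m = re.search(r"\bttl=(\d+)", reply_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(live_hosts(SAMPLE_GNMAP))
    # Constructed ping reply line from a Windows host one hop away.
    ttl = ttl_from_ping("64 bytes from 10.129.2.10: icmp_seq=1 ttl=127 time=0.4 ms")
    print(guess_os_from_ttl(ttl))
```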
11. Finding the DNS server version of a target machine, without triggering too many alerts.
1) Check if Port 53 (DNS) is open
e.g., nmap -p 53 --open {target_ip}
if port 53 is open, the target is running a DNS service.
2) Use a Non-Intrusive DNS Query to get the version.
e.g., dig @{target_ip} version.bind CH TXT
- dig: A tool for querying DNS servers
- version.bind: A special DNS query to get the version
- CH: The Chaosnet class, used for non-standard DNS queries
- TXT: Query for a text record containing the version
3) Use Nmap's DNS version script
If dig doesn't work, we can use an Nmap script specifically designed to query the DNS server version.
e.g., nmap -p 53 --script=dns-version {target_ip}
4) If blocked, try brute-forcing version info
If the target DNS server has restricted direct queries, you can use dnsrecon or dnsenum to attempt to brute-force the version info.
e.g., dnsrecon -r {target_ip}