https://tryhackme.com/room/nmap04

Task 1 Introduction

No questions in this task.

Task 2 Service Detection

Question 1:
Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light 10.10.201.22 via the AttackBox. What is the detected version for port 143?

└─$ sudo nmap -sV --version-light 10.10.201.22   
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 18:09 CEST
Nmap scan report for 10.10.201.22
Host is up (0.070s latency).
Not shown: 994 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
80/tcp  open  http    nginx 1.6.2
110/tcp open  pop3    Dovecot pop3d
111/tcp open  rpcbind
143/tcp open  imap    Dovecot imapd
Service Info: Host:  debra2.thm.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

Answer 1:
Dovecot imapd

Question 2:
Which service did not have a version detected with --version-light

As we can see from the output in Question 1, rpcbind is the only open port without a version string. --version-light is shorthand for --version-intensity 2 (the default is 7, --version-all is 9), so only the most common probes are sent and rpcbind goes unidentified; a plain -sV run sends more probes against that port.

Answer 2:
rpcbind

Task 3 OS Detection and Traceroute

Question 1:
Run nmap with -O option against 10.10.201.22. What OS did Nmap detect?

Don't forget sudo: -O needs raw packets, so root privileges are required. The output is a jumble and we have to search through it a bit. Nmap finds no exact match for this host, but the fingerprint still supports the answer: every T=40 field is an inferred initial TTL of 0x40 = 64, the Linux default (Windows uses 128), and the -sV scan in Task 2 already reported "OS: Linux" in its Service Info line:

└─$ sudo nmap -O 10.10.201.22
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 18:16 CEST
Nmap scan report for 10.10.201.22
Host is up (0.063s latency).
Not shown: 994 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=10/12%OT=22%CT=1%CU=35098%PV=Y%DS=2%DC=I%G=Y%TM=6346E8
OS:80%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds                                                  

Answer 1:
Linux
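The fingerprint block is only a jumble because Nmap wraps one long line at 71 columns and prefixes every piece with "OS:". The following is an added example (not part of the room and not Nmap code) that joins the lines back together, splits the fingerprint into its tests (SCAN, SEQ, OPS, WIN, ECN, T1-T7, U1, IE) and pulls out the values worth reading, including the TTL used for the Linux reasoning above. The FINGERPRINT text is copied from the scan output; the field interpretation in the comments is this example's own.

```python
"""Parse the TCP/IP fingerprint that Nmap prints when -O finds no exact match.

Added example, not part of the TryHackMe room and not Nmap code. FINGERPRINT is
copied from the scan output above; the parsing and the comments interpreting
the fields are this example's own.
"""
import re

FINGERPRINT = """\
OS:SCAN(V=7.93%E=4%D=10/12%OT=22%CT=1%CU=35098%PV=Y%DS=2%DC=I%G=Y%TM=6346E8
OS:80%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
"""


def parse_fingerprint(text):
    """Return {test_name: {field: value}} for SCAN, SEQ, OPS, WIN, ECN, T1-T7, U1, IE."""
    # Nmap wraps the fingerprint at 71 columns and prefixes each line with "OS:";
    # stripping the prefix and joining restores the single-line form.
    joined = "".join(line[3:] for line in text.splitlines() if line.startswith("OS:"))
    tests = {}
    for name, body in re.findall(r"([A-Z0-9]+)\(([^)]*)\)", joined):
        fields = {}
        for kv in filter(None, body.split("%")):
            key, _, value = kv.partition("=")
            fields[key] = value            # an empty value such as "Q=" is kept as ""
        tests[name] = fields
    return tests


def initial_ttl(tests):
    """Initial IP TTL Nmap inferred (hex field T), as a decimal int, or None."""
    for name in ("T1", "ECN", "U1", "IE"):
        value = tests.get(name, {}).get("T")
        if value:
            return int(value, 16)
    return None


def summarize(text):
    """The handful of values worth reading before submitting the fingerprint."""
    tests = parse_fingerprint(text)
    scan = tests["SCAN"]
    return {
        "nmap_version": scan.get("V"),
        "open_port_probed": scan.get("OT"),      # TCP port used for the open-port tests
        "closed_port_probed": scan.get("CT"),    # TCP port used for the closed-port tests
        "distance_hops": scan.get("DS"),
        "initial_ttl": initial_ttl(tests),       # 64 is the Linux default, 128 the Windows default
        "ip_id_all_zero": tests.get("SEQ", {}).get("TI") == "Z",
    }


if __name__ == "__main__":
    for key, value in summarize(FINGERPRINT).items():
        print(f"{key}: {value}")
```

Running the block prints nmap_version 7.93, distance 2 hops and an initial TTL of 64 for this host; the same parser works on any -O fingerprint you paste into FINGERPRINT.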

Task 4 Nmap Scripting Engine (NSE)

Question 1:
Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?

So we open the file and look at its description block (nmap --script-help http-robots.txt prints the same description without leaving the shell):

description = [[
Checks for disallowed entries in <code>/robots.txt</code> on a web server.

Answer 1:
disallowed entries

Question 2:
Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE2015-2015-1635)?

A quick Google search tells us that this is an HTTP vulnerability (MS15-034 is the HTTP.sys remote code execution bug in IIS). NSE scripts for HTTP vulnerabilities are named "http-vuln-" followed by the CVE identifier (careful: the CVE number in the task text is garbled; the correct one is CVE-2015-1635). You can also just list the directory: ls /usr/share/nmap/scripts | grep 1635.

Answer 2:
http-vuln-cve2015-1635

Question 3:
Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against 10.10.126.17. You will notice that there is a service listening on port 53. What is its full version value?

└─$ nmap -sC 10.10.126.17             
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 18:35 CEST
Nmap scan report for 10.10.126.17
Host is up (0.067s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   1024 d58097a3a83b57782f0a78aead3424f4 (DSA)
|   2048 aa667a45ebd18c00e31231d8768eed3a (RSA)
|   256 3d8272a307492ecbd987db08c6905665 (ECDSA)
|_  256 dcf00c89708765ba52b1e959f75dd26a (ED25519)
25/tcp  open  smtp
|_smtp-commands: debra2.thm.local, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=debra2.thm.local
| Not valid before: 2021-08-10T12:10:58
|_Not valid after:  2031-08-08T12:10:58
|_ssl-date: TLS randomness does not represent time
53/tcp  open  domain
| dns-nsid: 
|_  bind.version: 9.9.5-9+deb8u19-Debian
80/tcp  open  http
|_http-title: Welcome to nginx on Debian!
110/tcp open  pop3
|_pop3-capabilities: RESP-CODES CAPA TOP UIDL SASL AUTH-RESP-CODE PIPELINING
111/tcp open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38906/udp   status
|   100024  1          50824/udp6  status
|   100024  1          57556/tcp   status
|_  100024  1          59414/tcp6  status
143/tcp open  imap
|_imap-capabilities: IDLE listed LOGINDISABLEDA0001 ID LOGIN-REFERRALS more OK post-login SASL-IR have IMAP4rev1 Pre-login ENABLE capabilities LITERAL+

Nmap done: 1 IP address (1 host up) scanned in 19.93 seconds

Answer 3:
9.9.5-9+deb8u19-Debian

Question 4:
Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by 10.10.126.17?

└─$ nmap -sC --script ssh2-enum-algos 10.10.126.17
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 18:39 CEST
Nmap scan report for 10.10.126.17
Host is up (0.073s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap

Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds

Answer 4:
diffie-hellman-group14-sha1
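Reading the SHA-1 key exchange off the list by eye works for one host, but not for a whole subnet. The following is an added example (not part of the room and not an Nmap script) that parses the ssh2-enum-algos output into its five sections, checks the "(n)" counts against what was actually parsed so a truncated paste is noticed, and flags legacy algorithms. SAMPLE is the script output from the scan above; the LEGACY patterns (SHA-1 based key exchange and MACs, DSA and SHA-1 RSA host-key signatures, CBC/RC4/3DES ciphers) are this example's own policy, not something Nmap reports.

```python
"""Audit the algorithm lists reported by Nmap's ssh2-enum-algos script.

Added example, not part of the room and not an Nmap script. SAMPLE is the
script output from the scan above; the LEGACY patterns are this example's own
policy, not anything Nmap flags itself.
"""
import re

SAMPLE = """\
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

SECTION_RE = re.compile(r"^\|_?\s+(\w+):\s+\((\d+)\)\s*$")   # "|   kex_algorithms: (6)"
ALGO_RE = re.compile(r"^\|_?\s+(\S+)\s*$")                   # "|       ssh-dss" / "|_      zlib@..."

# This example's policy. "ssh-rsa" in server_host_key_algorithms is the RSA
# signature scheme with SHA-1 (rsa-sha2-256/512 are the SHA-2 variants).
LEGACY = {
    "kex_algorithms": [r"-sha1$", r"^diffie-hellman-group1-"],
    "server_host_key_algorithms": [r"^ssh-dss$", r"^ssh-rsa$"],
    "encryption_algorithms": [r"-cbc$", r"^arcfour", r"^3des-"],
    "mac_algorithms": [r"^hmac-sha1", r"^hmac-md5"],
}


def parse_enum_algos(text):
    """Return {section: [algorithm, ...]} in the order the server advertised them.

    The count in parentheses is checked against the number of lines parsed so a
    truncated paste raises instead of silently passing the audit.
    """
    sections, counts, current = {}, {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            counts[current] = int(m.group(2))
            continue
        m = ALGO_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    for name, expected in counts.items():
        if len(sections[name]) != expected:
            raise ValueError(f"{name}: expected {expected} entries, parsed {len(sections[name])}")
    return sections


def legacy_algorithms(sections):
    """Return {section: [algorithms matching a LEGACY pattern]}, sections with hits only."""
    hits = {}
    for section, patterns in LEGACY.items():
        found = [a for a in sections.get(section, [])
                 if any(re.search(p, a) for p in patterns)]
        if found:
            hits[section] = found
    return hits


def sha1_kex(sections):
    """The question above: key-exchange methods that rely on SHA-1."""
    return [a for a in sections.get("kex_algorithms", []) if "sha1" in a]


if __name__ == "__main__":
    parsed = parse_enum_algos(SAMPLE)
    print("SHA-1 kex:", sha1_kex(parsed))
    for section, algos in legacy_algorithms(parsed).items():
        print(f"{section}: {', '.join(algos)}")
```

On this host the audit reports diffie-hellman-group14-sha1, the ssh-rsa and ssh-dss host-key signatures, and the two hmac-sha1 MACs; the ciphers are all CTR/GCM/ChaCha20 and pass.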

Task 5 Saving the Output

Question 1:
Check the attached Nmap logs. How many systems are listening on the HTTPS port?

We download the attached files and grep the greppable (.gnmap) one for "https". We get three results. Note that grep https would also match a host whose 443 is closed or filtered (the port entry still carries the service name), so check that each hit reads 443/open, as all three do here:

└─$ cat scan_172_17_network.gnmap | grep https
Host: 172.17.0.215 ()   Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///      Ignored State: filtered (997)
Host: 172.17.19.249 ()  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///        Ignored State: closed (996)
Host: 172.17.23.240 ()  Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///      Ignored State: filtered (997)

Answer 1:
3

Question 2:
What is the IP address of the system listening on port 8089?

This time we grep for "8089":

└─$ cat scan_172_17_network.gnmap | grep 8089 
Host: 172.17.20.147 ()  Ports: 22/open/tcp//ssh///, 8000/open/tcp//http-alt///, 8089/open/tcp//unknown///       Ignored State: closed (997)

Answer 2:
172.17.20.147
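Both questions in this task are the same query against the grepable format: which hosts have a given port in a given state. The following is an added example (not part of the room) that parses the .gnmap port fields properly, so "open" is checked instead of merely matching a substring as grep does. The four Host: lines in SAMPLE are the ones the two grep commands above returned; the comment line and the "Status: Up" line are constructed stand-ins for the header and the per-host status line a real -oG file contains.

```python
"""Answer port questions from Nmap's grepable output (-oG / .gnmap) by parsing
it instead of eyeballing grep hits.

Added example, not part of the room. The four "Ports:" lines are the grep
results above; the '#' line and the "Status: Up" line are constructed to stand
in for what a real .gnmap file contains around them.
"""
import re
from collections import namedtuple

Port = namedtuple("Port", "number state proto service")

SAMPLE = """\
# Nmap 7.93 scan initiated (constructed header line; the parser skips comments)
Host: 172.17.0.215 ()\tStatus: Up
Host: 172.17.0.215 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 172.17.19.249 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (996)
Host: 172.17.20.147 ()\tPorts: 22/open/tcp//ssh///, 8000/open/tcp//http-alt///, 8089/open/tcp//unknown///\tIgnored State: closed (997)
Host: 172.17.23.240 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
"""


def parse_gnmap(text):
    """Return {ip: [Port, ...]}.

    Each port entry is port/state/protocol/owner/service/rpcinfo/version/
    (seven slash-separated fields). A host can appear twice ("Status: Up"
    first, then "Ports:"), so entries are accumulated rather than overwritten.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # '#' header/trailer comments
        ip = line.split()[1]
        hosts.setdefault(ip, [])
        m = re.search(r"Ports:\s*(.*?)\s*(?:Ignored State:|$)", line)
        if not m:
            continue                       # a "Status:" line carries no ports
        for entry in m.group(1).split(","):
            f = entry.strip().split("/")
            if len(f) >= 5 and f[0].isdigit():
                hosts[ip].append(Port(int(f[0]), f[1], f[2], f[4]))
    return hosts


def hosts_with_open_port(hosts, number, proto="tcp"):
    """IPs where the port is actually open, not merely mentioned as closed/filtered."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p.number == number and p.proto == proto and p.state == "open"
                         for p in ports))


def hosts_mentioning_service(hosts, service):
    """What `grep <service>` effectively matches: any entry with that name, whatever its state."""
    return sorted(ip for ip, ports in hosts.items() if any(p.service == service for p in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE)
    print("HTTPS listeners:", hosts_with_open_port(scan, 443))
    print("Port 8089:", hosts_with_open_port(scan, 8089))
```

The difference between the two lookups is visible on port 22: every host in the sample "mentions" ssh, but only two have it open, which is exactly the distinction a bare grep loses.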

Task 6 Summary

No questions in this task.