Skip to content

CPTS labs - 02 Network Enumeration with nmap

Network Enumeration with Nmap

Host Enumeration

Host Discovery

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.

1
sudo nmap $ip -sn -oA host -PE --packet-trace --disable-arp-ping

Result: Windows

Host and Port Scanning

Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.

1
nmap $ip

Results: 7

Enumerate the hostname of your target and submit it as the answer. (case-sensitive):

1
sudo nmap $ip -Pn -sC -sV -p22,80,110,139,143,445,31337

Results: nix-nmap-default

Saving the Results

Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.

1
nmap $ip

Results: 31337

Service Enumeration

Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

1
sudo nmap $ip -Pn -sC -sV -p22,80,110,139,143,445,31337

Results: HTB{pr0F7pDv3r510nb4nn3r}

Nmap Scripting Engine

Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

1
sudo nmap $ip -p80 --script vuln

Result:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.129.68.164
Host is up (0.047s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|_  /robots.txt: Robots file

Go to robots.txt and get the flag.

Results: HTB{873nniuc71bu6usbs1i96as6dsv26}

Bypass Security Measures

Firewall and IDS/IPS Evasion - Easy Lab

Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.

1
sudo nmap -sC -sV $ip -p80  -Pn --max-retries 3 --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

Results: Ubuntu

Firewall and IDS/IPS Evasion - Medium Lab

After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.

1
sudo nmap -sU -p53 --script dns-nsid $ip

Results: HTB{GoTtgUnyze9Psw4vGjcuMpHRp}

Firewall and IDS/IPS Evasion - Hard Lab

Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.

1
sudo nc -nv -p 53 $ip  50000

Results: HTB{kjnsdf2n982n1827eh76238s98di1w6}

Last update: 2025-01-26
Created: January 26, 2025 19:15:53