Introduction
We used Nmap and Hydra to scan and enumerate services and credentials, and Nmap again to get past an intrusion detection system. This was part of the Net Sec Challenge room on TryHackMe, which describes itself as follows:

Use this challenge to test your mastery of the skills you have acquired in the Network Security module. All the questions in this challenge can be solved using only `nmap`, `telnet`, and `hydra`.
Initial Scans and Recon
The first thing I do is run a full port scan on the target machine to see what’s open. This helps me answer a few initial questions about the network’s layout. The scan reveals six open TCP ports, with the highest one below 10,000 being 8080, and another one way up at 100021.
Digging for Flags in Headers
With the open ports identified, I start looking for hidden flags. I use Nmap’s scripting engine to inspect the HTTP and SSH headers.
- For the HTTP flag, I initially check port 8080, but it turns out to be a proxy. The real web server is on port 80, and a quick script run against that port reveals the flag.
- For the SSH flag, I run a similar script against port 22 to inspect the SSH hostkey, and that’s where I find the next flag.
Cracking into the FTP Server
My initial scan also found an FTP server running on the unusual port 100021. I use an Nmap script to figure out the server’s version.
Then, armed with two usernames I supposedly got from “social engineering” (eddie and quinn), I fire up Hydra to brute-force their passwords using the popular `rockyou.txt` wordlist. Hydra makes quick work of it, and I find the passwords for both accounts. I log in as each user, and in one of the accounts I find a file named `ftp.txt` which contains the next flag.
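On the server side, a Hydra run like this leaves a very recognisable trail. The following is an added example of mine, not code from the original post or from TryHackMe: a small detector over constructed log lines written in the style of vsftpd's `vsftpd.log` (an assumption; adjust `LINE_RE` for whatever your FTP daemon actually writes). It groups `FAIL LOGIN` entries per client address, reports any client with a burst of failures inside a short window, lists the usernames that client tried, and notes whether a successful login from the same address followed, which is the signal that the guessing worked and the account needs a password reset.

```python
"""Added example: spot FTP password guessing in server logs.

The log lines below are constructed in the style of vsftpd's vsftpd.log
(an assumption, not a real capture); LINE_RE is the only part tied to
that format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client hammering two accounts, one client mistyping once.
SAMPLE_LOG = """\
Tue Oct  3 10:00:00 2023 [pid 4101] [eddie] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:00 2023 [pid 4102] [eddie] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:01 2023 [pid 4103] [eddie] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:01 2023 [pid 4104] [eddie] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:02 2023 [pid 4105] [eddie] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:02 2023 [pid 4106] [eddie] OK LOGIN: Client "10.0.0.5"
Tue Oct  3 10:00:03 2023 [pid 4107] [quinn] FAIL LOGIN: Client "10.0.0.5"
Tue Oct  3 10:05:00 2023 [pid 4201] [alice] FAIL LOGIN: Client "10.0.0.9"
Tue Oct  3 10:05:30 2023 [pid 4202] [alice] OK LOGIN: Client "10.0.0.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<client>[^"]+)"'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(log_text):
    """Return (timestamp, client, user, result) for every login line we can read."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT),
                           m["client"], m["user"], m["result"]))
    return events


def brute_force_clients(events, window_s=60, min_failures=5):
    """Clients with at least `min_failures` FAIL LOGINs inside any `window_s`-second
    span, with the usernames they tried and any account they then logged into."""
    fails = defaultdict(list)
    for ts, client, user, result in events:
        if result == "FAIL":
            fails[client].append((ts, user))
    report = {}
    for client, attempts in fails.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in window_s.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < min_failures:
            continue
        first_fail = attempts[0][0]
        report[client] = {
            "peak_failures": peak,
            "users": sorted({u for _, u in attempts}),
            # An OK login from the same address after the failures began means
            # the guessing succeeded; that account should be treated as compromised.
            "later_success_as": sorted({u for ts, c, u, r in events
                                        if c == client and r == "OK" and ts >= first_fail}),
        }
    return report


if __name__ == "__main__":
    for client, info in brute_force_clients(parse(SAMPLE_LOG)).items():
        print(client, info)
```

The window threshold (five failures in sixty seconds here) is deliberately tight: a wordlist run produces many attempts per second, while a human rarely fails five times in a minute, so there is little false-positive cost. The per-client `users` list separates a single-account dictionary attack from spraying across accounts.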
Evading the IDS
The final and most interesting part of the challenge is to scan a machine as covertly as possible to avoid being detected by an IDS. To do this, I use a few different Nmap techniques:
- FIN Scan (`-sF`): This type of scan sends a TCP packet with only the FIN flag set. Many firewalls are configured not to block these, making it a stealthy technique. I also slow down the scan timing (`-T1`) and set a smaller MTU size (`--mtu 8`) to be even less conspicuous.
- Null Scan (`-sN`): This sends a TCP packet with no flags set at all, which can also bypass some firewall rules.
- Decoy Scan (`-D`): This is a really cool technique where I can make it look like the scan is coming from other IP addresses (decoys), hiding my own IP in the noise.
The goal is to keep the detection counter on the IDS below 10%. By using these stealthy techniques, I’m able to complete the scan without setting off any alarms and capture the final flag.
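The three evasion tricks above also say what a defender should key on, so here is the other side of the exercise. The following is an added example of mine, not code from the original writeup or from TryHackMe, and it runs over a small constructed packet list (the field names, addresses and thresholds are all assumptions). It flags FIN-only and flag-less segments on sight, since neither can occur in a legitimate handshake, and then looks for port sweeps grouped per source and, separately, per target, so that a sweep split across decoy addresses still registers against the one host that received all the probes. It also shows why the slow `-T0`/`-T1` timing matters to the attacker: a sixty-second window misses the slow NULL sweep and an hour-long window catches it.

```python
"""Added example: flag stealth TCP probes and port sweeps in a packet capture.

All input below is constructed for the demo; nothing here is real traffic or
the challenge target. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits, as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds
    src: str       # source address as seen on the wire (may be a decoy)
    dst: str       # destination host
    dst_port: int
    flags: int     # TCP flag bitmask


def classify_flags(flags: int) -> str:
    """Name what a lone segment looks like. A bare SYN is ordinary connection
    setup; a FIN without ACK, or a segment with no flags at all, never occurs
    in a legitimate session, so either is worth an alert on its own."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"
    return "other"


def probe_alerts(packets):
    """(src, dst_port, kind) for every segment that cannot be part of a valid handshake."""
    alerts = []
    for p in packets:
        kind = classify_flags(p.flags)
        if kind in ("null", "fin"):
            alerts.append((p.src, p.dst_port, kind))
    return alerts


def by_source(p: Packet) -> str:
    return p.src


def by_target(p: Packet) -> str:
    return p.dst


def sweeps(packets, group_by, window: float, min_ports: int):
    """Groups (scanning sources, or scanned targets, depending on `group_by`)
    that touch at least `min_ports` distinct ports within any `window`-second span.

    Grouping by source catches an ordinary sweep; grouping by target ignores the
    source address, so probes spread over decoy addresses still add up."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        groups[group_by(p)].append(p)
    flagged = set()
    for key, pkts in groups.items():
        start = 0
        for end, p in enumerate(pkts):
            # Slide the window start forward so it spans at most `window` seconds.
            while pkts[start].ts < p.ts - window:
                start += 1
            if len({q.dst_port for q in pkts[start:end + 1]}) >= min_ports:
                flagged.add(key)
                break
    return flagged


def sample_packets():
    """Constructed capture: one fast FIN sweep, one very slow NULL sweep, one
    sweep spread over three apparent sources, and a little normal traffic."""
    pkts = []
    for i in range(20):                      # 20 FIN probes, ten per second
        pkts.append(Packet(0.1 * i, "10.0.0.5", "10.0.0.100", 20 + i, FIN))
    for i in range(12):                      # 12 NULL probes, one every five minutes
        pkts.append(Packet(300.0 * i, "10.0.0.6", "10.0.0.101", 20 + i, 0))
    sources = ["10.10.1.1", "10.10.1.2", "10.0.0.7"]
    for i in range(12):                      # 12 SYN probes, four per apparent source
        pkts.append(Packet(1.0 * i, sources[i % 3], "10.0.0.102", 20 + i, SYN))
    pkts.append(Packet(5.0, "10.0.0.9", "10.0.0.100", 22, SYN))    # an ordinary client
    pkts.append(Packet(6.0, "10.0.0.9", "10.0.0.100", 443, SYN))
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    print("odd-flag probes:", len(probe_alerts(pkts)))
    print("sweeping sources, 60 s window:", sweeps(pkts, by_source, 60, 10))
    print("sweeping sources, 1 h window: ", sweeps(pkts, by_source, 3600, 10))
    print("swept targets, 60 s window:   ", sweeps(pkts, by_target, 60, 10))
```

Two design points carry over to a real sensor: the per-packet flag check needs no state and is immune to timing games, so it is the cheap first line against `-sF` and `-sN`; and the sweep counter should be keyed on the victim as well as the apparent source, because decoys only dilute per-source counts. A long window with a higher port threshold is the usual answer to `-T0`-style pacing.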
Technical Commands
Here are the commands I used in my terminal throughout the challenge:
```bash
# Full TCP port scan (all 65535 ports)
sudo nmap -p- [target_IP]
# Host discovery only, no port scan
sudo nmap -sn [target_IP]
# Inspect HTTP response headers on 8080 (turned out to be a proxy), then on 80
sudo nmap -p 8080 --script=http-headers -sV [target_IP]
sudo nmap -p 80 --script=http-headers -sV [target_IP]
# Dump the SSH host key and banner
sudo nmap -p 22 --script=ssh-hostkey -sV [target_IP]
# Version-detect the FTP server and check for anonymous login
sudo nmap -p 100021 --script=ftp-anon -sV [target_IP]
# Password guessing against the two known usernames with rockyou.txt
hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://[target_IP]:100021
hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://[target_IP]:100021
# Log in, fetch the flag file (get runs inside the ftp session), then read it locally
ftp [target_IP] 100021
get ftp.txt
cat ftp.txt
# IDS evasion: FIN scan with slow timing and small fragments
sudo nmap -sF -T1 --mtu 8 [target_IP]
# Null scan with the slowest (paranoid) timing
sudo nmap -sN -T0 [target_IP]
# Decoy scan: two decoy addresses, with ME marking my own host's position
sudo nmap -D 10.10.1.1,10.10.1.2,ME [target_IP]
```
TryHackMe Net Sec Challenge answers
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
How many TCP ports are open?
What is the flag hidden in the HTTP server header?
What is the flag hidden in the SSH server header?
We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
We learned two usernames using social engineering: `eddie` and `quinn`. What is the flag hidden in one of these two account files and accessible via FTP?
Browsing to `http://MACHINE_IP:8080` displays a small challenge that will give you a flag once you solve it. What is the flag?