Complex Attack Types: Sample Scenarios 17


It is time to get to know the enemy we are facing and discover the doors we can infiltrate, using Nmap. We can speed up this process with two separate nmap commands.

nmap -p- --min-rate 1000 -v -oN nmap_long.txt $target_ip

nmap -sV -sC -oN nmap_short.txt -A -T4 --script=vuln $target_ip

-p-: Scans all 65,535 TCP ports. This tells Nmap to scan every port from 1 to 65,535 instead of the default top 1,000 ports.

--min-rate 1000: Sets a minimum packet rate of 1000 packets per second. Nmap sends packets at least at the specified rate, which speeds up the scan on networks that can handle it.

-v: Increases verbosity. Nmap prints more detailed output during the scan, which is useful for monitoring progress and diagnosing issues.

-oN nmap_long.txt: Saves the scan results to a file named nmap_long.txt in Nmap's human-readable "normal" format.

-sV: Service version detection. Nmap attempts to determine the version of the service running on each open port.

-sC: Default script scanning. Nmap runs the standard set of Nmap Scripting Engine (NSE) scripts to gather additional information about the target.

-A: Comprehensive scan. Enables OS detection, version detection, script scanning, and traceroute, giving detailed information about the target.

-T4: Aggressive timing template. Uses a faster timing profile, which is useful for speeding up scans on reliable networks.

--script=vuln: Runs the NSE scripts in the "vuln" category, which check the detected services for known vulnerabilities.
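The reason for splitting the work into two commands is that the full -p- sweep is fast but shallow, while -sV/-sC/--script=vuln is slow, so the second pass is best limited to the ports the first pass found open. The following added example (not from the original post) parses an -oN file and builds that narrowed second command. The sample scan output, the target address 10.10.10.10 and the hostname used in the file are constructed for the example; the port-table format is the one nmap writes in normal output.

```python
import re

# Constructed sample of an nmap -oN (normal output) file. It is not the scan
# from the walkthrough; the address 10.10.10.10 and the ports are made up.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p- --min-rate 1000 -v -oN nmap_long.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
8080/tcp filtered http-proxy
# Nmap done at Mon Jan  1 12:01:30 2024 -- 1 IP address (1 host up) scanned in 90.12 seconds
"""

# A port-table line looks like "80/tcp   open     http"; header, comment and
# summary lines do not start with "<number>/" and are skipped by the regex.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return (port, protocol, state, service) tuples from -oN output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            results.append((int(port), proto, state, service))
    return results


def open_ports(text):
    """Only ports nmap reports as exactly 'open' (not 'open|filtered')."""
    return [p for p, _, state, _ in parse_nmap_normal(text) if state == "open"]


def second_pass_command(text, target):
    """Build the deep scan from the post, restricted to the open ports.

    Returns None when the first pass found nothing open, so the caller does
    not launch an expensive script scan against a host with no services.
    """
    ports = open_ports(text)
    if not ports:
        return None
    port_arg = ",".join(str(p) for p in ports)
    return f"nmap -sV -sC -A -T4 --script=vuln -p {port_arg} -oN nmap_short.txt {target}"


if __name__ == "__main__":
    print(parse_nmap_normal(SAMPLE_NMAP_OUTPUT))
    print(second_pass_command(SAMPLE_NMAP_OUTPUT, "10.10.10.10"))
```

With the sample above, the parser reports 22 and 80 as open and 8080 as filtered, and the second command it prints scans only those two ports. The same parsing works on a real nmap_long.txt because the normal-output port table has a fixed layout; the filtered port is deliberately left out, since -sV cannot fingerprint a service it cannot reach.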

You must be patient while waiting for the results.

[screenshots of the scan output]

In this first result, we learned that port 80 (HTTP) was open.

[screenshot of the output]

Let’s save this address in the /etc/hosts file.

[screenshot of the output]

Ping it to check.

[screenshot of the output]

We are all good.

Let’s examine the source code of the page.

[screenshot of the page source]

There is more here than meets the eye. It looks like these resource names have been hashed. Let’s find out what type of hash they are.

[screenshot of the output]

It looks like MD5.

Let’s save these in a file.

[screenshot of the output]

Let’s use hashcat (mode 0 is raw MD5): hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt

Another option is a shell loop that hashes every wordlist entry (reading line by line so entries containing spaces are kept intact): while IFS= read -r i; do echo -n "$i" | md5sum | tr -d " -" >> hashes; done < /usr/share/wordlists/rockyou.txt

[screenshot of the output]

Or use https://crackstation.net/.

[screenshot of the output]

We have a numbered page layout. Let’s visit these pages.

[screenshot of the pages]

Now let’s get the MD5 value of the “0” indexed page and visit this page ourselves. Use https://gchq.github.io/CyberChef/

[screenshot of CyberChef]

We have cfcd208495d565ef66e7dff9f98764da. Go there.
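The lesson of this section, from the defender's side, is that an unsalted MD5 of a predictable value such as a page index is an encoding, not a secret: anyone who sees the link can redo the same computation, which is exactly what CyberChef did above. The following added example (not from the original post) shows the whole chain in one place: guessing the algorithm from the digest length, pulling the digests out of page source, and mapping each one back to the integer it was made from. The HTML snippet is constructed; its three digests are simply the MD5 of the strings "0", "1" and "2".

```python
import hashlib
import re

# Hex-digest lengths of the unsalted algorithms most often met in the wild.
# Length alone cannot separate MD5 from MD4 or NTLM, so the guess is labelled.
HEX_LENGTHS = {32: "MD5 (or MD4/NTLM)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def guess_hash_type(digest):
    """Guess the algorithm from the length of a hex digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "not a plain hex digest"
    return HEX_LENGTHS.get(len(digest), f"unknown ({len(digest)} hex digits)")


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample of page source using hashed resource names. The digests
# were produced by hashing "0", "1" and "2"; the /pages/ path is made up.
SAMPLE_HTML = """
<a href="/pages/cfcd208495d565ef66e7dff9f98764da">first</a>
<a href="/pages/c4ca4238a0b923820dcc509a6f75849b">second</a>
<a href="/pages/c81e728d9d4c2f636f067f89cc14862c">third</a>
"""


def hashes_from_html(html):
    """Collect every 32-hex-digit token that appears as a /pages/ resource."""
    return re.findall(r"/pages/([0-9a-f]{32})", html)


def recover_indexes(digests, limit=10000):
    """Map each digest back to the small integer it encodes, if any.

    This is the same computation the server performed to build the link, so
    it needs no wordlist at all: a few thousand MD5 calls cover every index a
    numbered page layout is likely to use.
    """
    wanted = {d.lower() for d in digests}
    found = {}
    for i in range(limit):
        d = md5_hex(str(i))
        if d in wanted:
            found[d] = i
            if len(found) == len(wanted):
                break
    return found


if __name__ == "__main__":
    digests = hashes_from_html(SAMPLE_HTML)
    for d in digests:
        print(d, guess_hash_type(d))
    print(recover_indexes(digests))
```

Run as is, the script classifies all three digests as 32-hex-digit (MD5-length) values and resolves them to 0, 1 and 2 in well under a millisecond. That is the point to take away when reviewing an application of your own: if a resource identifier must not be guessable, it needs to be random (for example a UUID or a value from a cryptographic RNG) or, better, protected by a real authorization check, because hashing a counter hides nothing.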

[screenshot of the page]

We got that!
