More NMAP Stuff
I really need to get the hang of this NMAP first before I get into anything else. I think NMAP is amazing, it can really do about everything. If I can increase my expertise on NMAP I think it will make my journey a lot easier. I feel like the next thing I need to learn is to follow up on CVEs, or Common Vulnerabilities and Exposures. The reason is that then I would know what the NMAP results actually mean, and could change my attack vector based on CVEs.
My neighbor, thankfully, is a lot more knowledgeable about hacking. He recommended the book Red Team Field Manual (I’m guessing that’s RTFM… which means something else in the Linux community lol). I purchased the book on Amazon, it was 14ish dollars I think, version 2. So I’m looking forward to reading it before I go to bed or something like that.
Anyways – continuing on my journey. I just learned about NMAP scripting engine, which is nuts to me – but now I’m looking at avoiding IDS/IPS which is extremely important. I’ll post snippets and continue on what I think about them.
So the -s[ACK/SYN/CONNECT] option is pretty easy to remember now, since the variants relate to the TCP 3-way handshake. If you don’t know, the three-way handshake goes like this (with a consenting user and server):
1. user -> “HI are you there? Give me xyz” -> server (SYN)
2. server -> “Yeah, I’m here. I’ll send you xyz with this sequence number.” -> user (SYN/ACK)
3. user -> “Ok I’m ready to receive” -> server (ACK)
If you have a server that doesn’t want to accept a SYN from untrusted hosts, it will drop or reject the connection. Some people configure their firewall to drop the connection so it looks like the port isn’t open at all. However, we can probe this with:
sudo nmap $TARGET -sA
This gets past firewalls that are only looking for SYN packets, because we’re sending a bare ACK packet instead. A RST reply means the port is unfiltered, no reply means it is filtered. Note that because no handshake ever completes, an ACK scan only maps the firewall rules; it cannot tell an open port from a closed one.
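To make the difference between the SYN scan and the ACK scan concrete, here is an added example (mine, not from the original post or from Nmap itself) that applies Nmap’s state inference to a constructed packet trace and then shows what a stateful defender sees: the scanner address 10.0.0.5, target 10.0.0.9 and the port list are all made up.

```python
"""How -sS and -sA infer port state from TCP flag replies, and how a
stateful firewall/IDS spots the unsolicited ACKs that an ACK scan sends."""
from collections import defaultdict

# Constructed sample trace: (src, dst, dport, flags), in wire order.
# Flags use tcpdump letters: S=SYN, A=ACK, R=RST, SA=SYN/ACK.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"),    # -sS probe
    ("10.0.0.9", "10.0.0.5", 22, "SA"),   # step 2 of the handshake -> open
    ("10.0.0.5", "10.0.0.9", 22, "R"),    # scanner tears the half-open connection down
    ("10.0.0.5", "10.0.0.9", 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, "R"),    # RST -> closed
    ("10.0.0.5", "10.0.0.9", 443, "S"),   # silently dropped -> filtered
    ("10.0.0.5", "10.0.0.9", 8080, "A"),  # -sA probe: bare ACK, no SYN first
    ("10.0.0.9", "10.0.0.5", 8080, "R"),  # RST -> unfiltered (open OR closed)
    ("10.0.0.5", "10.0.0.9", 8081, "A"),  # silently dropped -> filtered
]

def infer_state(probe_flags, reply_flags):
    """Nmap's rule: a SYN probe sees the handshake's second step, so it can
    say open/closed; an ACK probe never completes a handshake, so it can only
    say whether something answered at all."""
    if probe_flags == "S":
        return {"SA": "open", "R": "closed"}.get(reply_flags, "filtered")
    if probe_flags == "A":
        return "unfiltered" if reply_flags == "R" else "filtered"
    raise ValueError(f"not a probe: {probe_flags}")

def scan_results(packets, scanner, target):
    """Pair each scanner probe with the target's reply on that port (None if silent)."""
    replies = {p: f for s, d, p, f in packets if s == target and d == scanner}
    return {p: infer_state(f, replies.get(p))
            for s, d, p, f in packets
            if s == scanner and d == target and f in ("S", "A")}

def unsolicited_acks(packets):
    """Defender's view: a stateful device remembers which SYNs it saw. A bare
    ACK to a port with no earlier SYN from that source belongs to no
    connection; many of them from one source is the signature of an ACK scan.
    A stateless filter that only inspects SYNs never notices."""
    seen_syn, counts = set(), defaultdict(int)
    for src, dst, port, flags in packets:
        if "S" in flags:
            seen_syn.add((src, dst, port))
        elif flags == "A" and (src, dst, port) not in seen_syn:
            counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    print(scan_results(PACKETS, "10.0.0.5", "10.0.0.9"))
    print("unsolicited ACKs per source:", unsolicited_acks(PACKETS))
```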
I could go great lengths about NMAP and maybe I’ll post a couple videos (if I start doing that?)
Anyways, I finished the NMAP HTB Academy course. It was definitely a good course. Then I went into a hydra course – or I guess more specifically into brute-forcing. I had some issues with hashcat and wordlists, I think I’ll visit that sometime later. So soon – I decided to try a box in the main site – https://app.hackthebox.com. Definitely tried the easy box.
My first Hack The Box
Yes – I definitely used a walkthrough. But – I don’t necessarily think it’s cheating from my point of view. While I am trying to “hack the box” I need to learn the steps into what I need to do, in order to hone my focus on specifically what I need to learn. I felt that brute forcing with hydra – isn’t as effective as other methods.
After the first box, I realized that the pattern of hacking, at least in hack the box, kind of goes like this:
[ ] Enumerate, find box services and versions
[ ] Find CVEs of these versions – specifically ones that have a Proof of Concept or POC
[ ] Exploit POC
[ ] Gain user flag
[ ] Privilege Escalation
[ ] Gain root flag
I think that pretty much sums it up. I have enumeration fairly down – and CVEs and POCs are pretty easy to find with a quick google search. Using them in practice is kind of hard for me – then privilege escalation is the hardest for me. So I’ll learn these steps in the future.