Academy Network Enumeration with NMAP hard lab

I understand that there is another topic about this, but the comments got well off-topic with seemingly no resolution.

Question: Now our client wants to know if it is possible to find out the version of the running services. Submit the version of the service our client was talking about as the answer.

Steps I have taken are this command:

```
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
```

This gave me the new port that the question references. I then attempted ncat, but I keep getting this error: `libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1)`

I googled this and found that the issue is supposedly that PwnBox is running the DNS service systemd-resolved, which I did find by using the find command, at `/usr/lib/systemd/system/systemd-resolved.service` on the PwnBox.

I then used the command: `sudo systemctl stop systemd-resolved`
This did not change my ncat error. I also tried starting the service and then stopping it again.

Any help would be greatly appreciated since many users were finding the answer with the same steps as me.

I am literally stuck at the same place. I have been for like 3 weeks. I also found the other discussions on this topic unhelpful.

Hey, I tried all of these things, but once I ran ncat with sudo, it worked. I will try to look into this more when I get back to work and post an edit to let you know why it worked. I know they said that sudo nmap changes the way that nmap works, and I guess that is the same thing with netcat. Anyway, I hope this helps.

Edit: I couldn’t walk away. From this link: "By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Otherwise, the TCP scan (-sT) is performed by default. This means that if we do not define ports and scanning methods, these parameters are set automatically. We can define the ports one by one (-p 22,25,80,139,445), by range (-p 22-445), by top ports (--top-ports=10) from the Nmap database that have been signed as most frequent, by scanning all ports (-p-) but also by defining a fast port scan, which contains top 100 ports (-F)."

So this article says: “For beginners, Netcat recommends non-root access, thus created as a regular user. Netcat does not require root privileges unless we need it to listen on a port number less than 1024, which Linux protects.”

So basically, unless you run netcat as root, it apparently can’t listen on ports less than 1024, and so you would not be able to establish a TCP connection without being able to listen. I am learning, so if I drew an incorrect conclusion here, I would really appreciate your help.

Lastly, I can’t edit my original post, so apparently what I read about needing to disable port 53 is incorrect. Therefore, you do not need to run the command: `sudo systemctl stop systemd-resolved`
Sorry for the misdirection there.

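The thread has circled around two different explanations for the bind failure: systemd-resolved already holding port 53, or ncat needing root to bind a port below 1024. Those are different kernel errors (EADDRINUSE versus EACCES), and the libnsock message quoted above does not say which one it hit. The following is an added example, not code from the thread, from HTB or from ncat; it performs the same kind of bind that `ncat -p 53` does for its source port (the -p flag is ncat's source-port option; it binds the port for an outgoing connection, it does not listen on it) and reports which of the two causes applies. The function names, the 0.0.0.0 host and the port 53 argument are my own choices for the demonstration.

```python
"""Diagnose why binding a low source port such as 53 fails.

Added example (not from the forum thread or from ncat/nmap).
A bind to a port below 1024 by a non-root user without
CAP_NET_BIND_SERVICE fails with EACCES; a bind to a port that
another process (e.g. systemd-resolved) already holds fails with
EADDRINUSE.  Running the same bind ncat would do and reading the
errno tells you which fix you need: sudo, or freeing the port.
"""
import errno
import os
import socket


def try_bind(host: str, port: int):
    """Attempt a TCP bind and classify the outcome.

    Returns ("ok", bound_port) on success, otherwise one of
    ("eacces", errno), ("eaddrinuse", errno) or ("other", errno).
    The socket is closed before returning, so nothing stays bound.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "ok", sock.getsockname()[1]
    except PermissionError as exc:          # EACCES / EPERM: privileged port
        return "eacces", exc.errno
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:   # someone else owns the port
            return "eaddrinuse", exc.errno
        return "other", exc.errno
    finally:
        sock.close()


def explain(host: str, port: int) -> str:
    """Turn the bind result into the advice the libnsock message lacks."""
    status, detail = try_bind(host, port)
    if status == "ok":
        return f"bind to {host}:{port} succeeded (euid={os.geteuid()})"
    if status == "eacces":
        return (f"bind to {host}:{port} denied: ports below 1024 need root "
                "or CAP_NET_BIND_SERVICE, so rerun ncat/nmap with sudo")
    if status == "eaddrinuse":
        return (f"bind to {host}:{port} refused: another process already "
                f"holds it (check with: ss -lntup | grep :{port})")
    return f"bind to {host}:{port} failed with errno {detail}"


def demo_port_in_use() -> str:
    """Reproduce the EADDRINUSE case deterministically on loopback.

    Holds an ephemeral port open with one socket, then asks try_bind
    for the same port; no SO_REUSEADDR is set, so the kernel refuses.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))       # kernel picks a free high port
        taken = holder.getsockname()[1]
        status, _ = try_bind("127.0.0.1", taken)
        return status
    finally:
        holder.close()


if __name__ == "__main__":
    # Same bind ncat -p 53 would attempt; run once as a user, once under sudo.
    print(explain("0.0.0.0", 53))
    # A high ephemeral port never needs privileges.
    print(explain("0.0.0.0", 0))
    print("port-in-use case:", demo_port_in_use())
</test>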

Thank you for the update. I am still lost. It is asking for version detection, and whatever I am finding is not correct.

@ThomasAquinas it appears that you may want to spend a little more time reading the section: Firewall and IDS/IPS Evasion. They really do a great job of walking you through it. Also, pay attention to the hint in the question about them adding a new service which will be on a port.

Once you find out the new service, then think about which commands you would want to use on a single port. Also, if you read my original post on this topic, I think you will find all of this helpful.

Lastly, remember that nmap and netcat run differently as root than as a regular user. They also discuss this in the module. Try not to rush through the modules. I have to slow down and remember that it isn’t about completing the modules as much as it is about internalizing the information and developing the skills.


Thank you! Being patient is the best advice for me right now. I will let you know how it goes!

For some reason, when I used my own VM instead of the browser-based PwnBox for Netcat, I did not run into the libnsock errors. Also, if I recall, the port for the running service in the Nmap hard lab is not DNS, it is something else (a high-port service). So keep on looking.

I would bet that you are logged in as root at home. On pwnbox you are not logged in as root but have sudo rights for running commands. This is why netcat works at home for this task.

As for the high port, that is the port he is scanning, not his source port, which is 53, the default port for DNS.

When you are logged in as root, you are running commands the same as if you are using sudo as a regular user. Sudo just lets you run them as root.

Hi @Middle_aged
How did you find port 50000?

If you look at my original post and format that command for all ports (-p-), you should see the new port added. I would highly advise going back to the module and reading the sections we already talked about in this post.

`sudo nmap 10.129.165.103 -p- -sS -Pn -n -T3 --disable-arp-ping --source-port 53` is the command I used. There are many ways to find it. If I were you, I would use my command once, but then look at each flag to make sure that I fully understand what each part does (all of them are explained in the module).

Just doing exactly what the IPS/IDS module is walking you through and/or replacing IPs to test and see results is all that’s required of the Hard Module. You have to understand and actually test out stuff in modules and work through it and why certain things are done. Skipping over all the content is how you miss.

I personally run from my own local kali box just due to convenience and I can keep copies of diff modules in different folders along with scripts and tools acquired.

No disrespect meant @14mC4, but if you would read what has been posted, you would see that your reply does not apply to users on PwnBox (which is what many are using). Yes, adding sudo to the commands is a small change, but for a beginner, it can be a very frustrating detail that they would not think to put.

Again, no disrespect but your comment implies we skipped over content, which I didn’t do, and that the commands work as listed for PWNBox users which I explicitly said we were using. On PwnBox, they do not work as posted. There are other chats with similar comments that really threw me off which is why I made this post so others wouldn’t waste time on misinformation.

Edit: I do realize they talk about sudo for nmap, but for netcat, it is not mentioned as making a difference, especially with the detail in this post about its relevance to the error you receive on PwnBox with `--source-port`.

It’s all part of the “active learning” process, in which as you progress through the content you learn that sudo is commonly needed across the board for various functions to operate correctly. I don't disagree they could have listed it as “sudo” in their example, but that’s a conversation to submit to feedback, and the response wasn't targeted at you. It was targeted at how 50000 was found.
