The command I was using is:
“nmap -T4 -A -v 10.129.2.80 -D RND:5 --stats-every=5s”
Let me explain some options:
-T4: Set scanning rate is rank “4”, it’s an aggressive mode. When using ‘-T4’ instead of using some softer mode such as ‘-T3’, ‘-T2’… I was a little concerned because I kind of doubting that the IDS system would detect it and the operation would be not allowed by IPS system. However it seems that the outcome would not be affected by IDS/IPS system;
-A: Enable OS detection, version detection, script scanning, and traceroute. In my opinion I think ‘OS detection’ is which one of those operations I need. And I do not really care about ‘version detection’, ‘script scanning’ and ‘traceroute’;
-v: Increase verbosity level (use -vv or more for greater effect). I guess with this option, nmap would give us more information in the terminal;
10.129.2.80: The target IP address;
-D RND:5: Sets the number of random Decoys that will be used to scan the target. I don’t know the meaning of ‘decoys’, but I guess that with this option, our nmap scanning would be much softer and more silent;
–stats-every=5s: This is the most important option as far as I am concerned, because with this option, I can get some information about the operation we are conducting. I am not a calm person. If the terminal doesn’t return something back in one or two minutes, I would be pretty anxious and angry.
the only thing that is incorrect is the following quote:
you see what we are actually doing is finding the version of SSH running on the device and in order to do that we must use the -sV operator.
so, you see we can replace the -A operator (which is considered noisy) with a nice quiet -sV
it’s quiet because it’s less interacting with the target
furthermore, to speed up the process we can limit the number of retries --max-retries=0 and we can run this attack against the common ports through a few ways but i used the -F operator we can also use the -T4 operator but that would be noisy so I wouldn’t, but for the sake of not waiting I usually do
you are correct we need to add the -D RND:5 operator
Using --source-port 53 will make any scan silent so you can use any nmap scan in combination with port 53 in order to get the required information for this lab.
“For learning purposes and to get a feel for how IDS/IPS can behave, we have access to a status web page at: http:///status.php”. This indicates that at least one port is open, which is 80 that’s serving the webserver. So no need to perform a scan on all ports or the default 1000 ports. Instead, use the following script to determine the operating system nmap -sV -T2 -p80,443 -D RND:5
Hello, friends. Thank you so much for sharing all these great insights on the challenge. I’m sorry to gravedig this topic, but I’m really curious: what does the hint have to do with the process of finding the answer? Particularly the last sentence.
“Remember, you don’t need to provide a version of it. Think about which services can give you information about the operating system. After interviewing the administrators, we found out that they want to prevent neighboring hosts of their /24 subnet mask from communicating with each other.”
