Answer of "Firewall and IDS/IPS Evasion - Medium Lab"

Let’s see the background information at first:

“After we conducted the first test and submitted our results to our client, the administrators made some changes and improvements to the IDS/IPS and firewall. We could hear that the administrators were not satisfied with their previous configurations during the meeting, and they could see that the network traffic could be filtered more strictly.”

It says that “the network traffic could be filtered more strictly”. So when we conduct our nmap operation, the most important thing for us is to be quieter than in the former operation “Answer of "Firewall and IDS/IPS Evasion - Easy Lab"”.

Furthermore, it says that we should find out the version of the DNS server. Where can we find it? I remember that the topic of this section is “NMAP”, which is a tool used to scan ports. So I guess there must be a port running a DNS server. By searching the web, I found a page "Understanding DNS Port 53 with Examples - howtouselinux". So I guess that I need to scan the specific port 53.

At the beginning, the command I used was:
“nmap -T4 -A -v 10.129.67.225 -D RND:5 --stats-every=5s”
However, port 53 was shown as “filtered”, just as below:

So how can I see information about port 53? Since this operation was blocked when scanning every port, why don’t we just scan the single port 53? Following this idea, I upgraded the command to:
“nmap -T4 -p53 -A -v 10.129.67.225 -D RND:5 --stats-every=5s”

Finally, I can see information about port 53, and I know the DNS server version. Later I submitted the answer and got one cube.



hi,

I’m really stuck on this. I have followed what you have done, but I don’t get the same results.
I’m using VMware and Kali. Connected to the VPN.
I tried your last command and get this output:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-15 03:58 EDT
You have specified some options that require raw socket access.
These options will not be honored without the necessary privileges.
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating Ping Scan at 03:58
Scanning 10.129.57.157 [2 ports]
Completed Ping Scan at 03:58, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:58
Completed Parallel DNS resolution of 1 host. at 03:58, 0.01s elapsed
Initiating Connect Scan at 03:58
Scanning 10.129.57.157 [1 port]
Completed Connect Scan at 03:58, 0.20s elapsed (1 total ports)
Initiating Service scan at 03:58
NSE: Script scanning 10.129.57.157.
Initiating NSE at 03:58
Completed NSE at 03:58, 0.01s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Nmap scan report for 10.129.57.157
Host is up (0.013s latency).

PORT STATE SERVICE VERSION
53/tcp filtered domain

NSE: Script Post-scanning.
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Initiating NSE at 03:58
Completed NSE at 03:58, 0.00s elapsed
Read data files from: /usr/bin/…/share/nmap
Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

As you can see it’s still showing as filtered.

Not sure what to try now.

Any tips?

Never mind, I got there with this nmap -Pn -T4 -A -v -sV 10.129.57.157 -p 53 -D RND:5 --stats-every=5s


Thanks Gary!

I tried all the options that have been mentioned and did not obtain the desired result, however with “nmap -sV --version-intensity 9 -p 53 --script dns-service-discovery 10.129.2.48” I did obtain it.

For me all the ones here failed. But this worked -> nmap 10.129.2.48 -p53 -sV -Pn -n --disable-arp-ping --packet-trace --script banner


In my case, I tried multiple times but none worked. At the time I was checking the “IP/status.php” page; when it showed 0/75, meaning no alert, I ran this command:
“nmap 10.129.2.48 -p53 -sS -sV -Pn -n --disable-arp-ping --packet-trace”. Then it worked for me.

Got there with

sudo nmap 10.129.31.13 -p 53 -sV -v

-v seems to be the key


If you wanna try something different use
dig @ version.bind chaos txt

For Anyone still working on this, I used the following command

sudo nmap 10.129.2.48 -T4 -p53 -sU -sV -Pn -D RND:5 -stats-every=5s -vv -n

As it states, we are looking for DNS, so I used the -sU switch for UDP scanning to get results.

Apparently, there are some discrepancies between Pwnbox and VPN.
Wasted so much time figuring that out.



Thanks for posting that. I had the answer (albeit from VPN, so it was wrong) like 2 hours ago.
This is the second module that had breaking bugs on the assessment.

If anybody else is struggling with different results VPN versus pwnbox, you get different results on the hard challenge as well. You need to use pwnbox to get the flag, VPN just disconnects.

Hello Guys

Just use the “--script banner” option to find the hidden banner if you can’t find the answer. It helps a lot.

Another option is to run the command over UDP, as the post Exploring DNS Port with Examples explains:

UDP port 53: Most DNS queries and responses (UDP is the default protocol used for DNS queries and responses. It is lightweight and faster than TCP.)

DNS also runs over UDP, so you can run the command:

nmap -p53 -sU -sV

and with that you will receive the version of the DNS server.
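As an added example (not from any poster in this thread), this is the CHAOS-class version.bind TXT lookup that `dig version.bind chaos txt` and nmap's DNS version scripts rely on, written in Python so a DNS administrator can check whether their own server answers it over UDP port 53. The reply bytes at the bottom are constructed for offline testing, not captured from any host, and the version string "9.18.1" in them is made up.

```python
import socket
import struct

TXT, CH = 16, 3  # QTYPE TXT, QCLASS CHAOS

def build_version_bind_query(txid=0x1234):
    """Build the UDP DNS packet for 'version.bind TXT CH' (what dig version.bind chaos txt sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", TXT, CH)

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def parse_version_response(resp, txid=0x1234):
    """Return (rcode, [txt strings]) from a DNS reply; raise on a mismatched transaction id."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    txts = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TXT and rclass == CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars> strings
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return flags & 0xF, txts

def query_version_bind(server, port=53, timeout=3.0):
    """Send the query over UDP to a server you administer and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, port))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)

# Constructed sample reply (not from a real host): NOERROR, one TXT CH answer "9.18.1"
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CH)
                + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, 7) + b"\x069.18.1")
```

A server that returns its real version string here can be told to answer with a fixed string instead (BIND's `version` option in named.conf), which is the usual mitigation for this kind of disclosure.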

the udp option worked for me!

sudo nmap -sU -p 53 --script dns-nsid,banner -Pn -n -disable-arp-ping -sV

config: connected via VPN