Firewall and IDS/IPS Evasion - Medium Lab

Im kinda stuck on this.
I have tried to run commands to get bind.version but I can’t get it.

sudo nmap -sSU -p 53 --script dns-nsid
sudo nmap -sSU -p 53 --script dns-nsid --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid -Pn -n --disable-arp-ping --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid -Pn -n --disable-arp-ping --packet-trace -D RND:5 -A

I feel like im hitting a hard wall here.

Do I need to do host discovery so I can find other computers on same subnet with the given address?

If this is from what I think it’s from, I’ll give you a couple hints:

You’re on the right track. What options can ensure you’re getting AS MUCH data as you can from server responses when looking for the version?

1 Like

I still can’t get it right.
I tried adding -A and/or -sV but It cant fetch bind version.

sudo nmap -sSU -p 53 --script dns-nsid -Pn -n --disable-arp-ping --packet-trace -D RND:50 --max-retries 50 -sV


If UDP is your only option to communicate with the server, then what options does NMAP offer to get as much detail from the data as possible? Is there a way to increase the scans intensity?

I also tried -sU. But it doesn’t still show bind version. :frowning:

I remember this one. Be mindful of using the SYN option; is that for UDP? Look in the man page for nmap. There should be something related to intensity.

There’s a couple option configurations I found that get you what you’re looking for. Remember to be patient. Take a moment to clear your head, then come back to it.

sudo nmap -sSU -p 53 --script dns-nsid -Pn -n --disable-arp-ping --packet-trace -D RND:50 --max-retries 50 --version-intensity 9 -sV

Tried to run command as above. Still no luck :frowning:
Im losing hope :frowning:

If you’re using packet trace, you can run the scan and direct the output to a file. Cat and grep the file through pipes to see what responses you’re getting from that target IP. Could be the IPS/Firewall is dropping packets received from you due to the number of decoys(look up SYN flooding). If you notice you’re not getting any responses, you might need to reset the target.

Again, you’re very close to the scan I used to get what you’re looking for. I’ll give you another hint: Look for a ‘script’ that can ‘trace’ all data sent and received.

EDIT: So I went back to try this and I’m not getting the answer using the same scan I used before. Very possible something was changed. I’ll keep messing with it and let you know.

2nd EDIT: Make sure you are using the VPN key provided by the questions near the bottom of the page.


I tried as you said. But still can’t get it.
Did you manage to get results the same as before when you finished the module?

Yes I did manage to get the results like before. I decided to delete the VPN key I had, then re-download it. After connecting, I got the answer with the first try. Kinda strange.

It took me a while to get the answer when I first took the module, so don’t feel bad.

If you’re still struggling, I’d drop the sS scan, and make it -sUV. I’m not entirely sure if the bind script is necessary either. I could be wrong about that, though.


The VPN redownload method actually works!
Kinda weird actually!
The Flag is written on the version field.

thank you so so so so so so muchhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!


Awesome! It was my pleasure. God speed.

1 Like

–packet-trace :slight_smile:


I spent 2 days trying to solve this challenge. It turns out it couldn’t be solved using the VPN connected to my own Kali box. As soon as I used the built in parrot OS workstation, I got the flag. I recommend using the Parrot OS workstation provided by HTB if you are stuck.

Just a little frustrating but finally I resolved it… Don’t forget --source-port at this one…

The second edit is key


got stuck too.
also solved it with machine reset and new vpn connection file on own machine and the nse part.
before getting new vpn file, i only saw the name of the dns server, but no “version” or flag.
think before reset that i had the problem on the parrot box too.

Spent a couple of hours trying to get the flag just to realize I needed to download the VPN connection file again (from the lab page)

I also needed to re download the vpn file.

To solve it i didnt needed any decoys or --source-port, also no masking of source address was needed. It was just UDP related. Dont know if its intended like this.

Worked for me in Parrot and not in my own VM, weird…