Firewall and IDS/IPS Evasion - Medium Lab

dfgdfdfgdfd · August 23, 2022, 6:42am

Im kinda stuck on this.
I have tried to run commands to get bind.version but I can’t get it.

sudo nmap -sSU -p 53 --script dns-nsid 10.129.105.141
sudo nmap -sSU -p 53 --script dns-nsid 10.129.105.141 --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid 10.129.105.141/24 --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid 10.129.105.141 -Pn -n --disable-arp-ping --packet-trace -D RND:5
sudo nmap -sSU -p 53 --script dns-nsid 10.129.105.141 -Pn -n --disable-arp-ping --packet-trace -D RND:5 -A

I feel like im hitting a hard wall here.

Do I need to do host discovery so I can find other computers on same subnet with the given address?

GuyKazuya · August 23, 2022, 7:41pm

If this is from what I think it’s from, I’ll give you a couple hints:

You’re on the right track. What options can ensure you’re getting AS MUCH data as you can from server responses when looking for the version?

dfgdfdfgdfd · August 23, 2022, 10:29pm

I still can’t get it right.
I tried adding -A and/or -sV but It cant fetch bind version.

sudo nmap -sSU -p 53 --script dns-nsid 10.129.175.0 -Pn -n --disable-arp-ping --packet-trace -D RND:50 --max-retries 50 -sV

GuyKazuya · August 23, 2022, 11:45pm

If UDP is your only option to communicate with the server, then what options does NMAP offer to get as much detail from the data as possible? Is there a way to increase the scans intensity?

dfgdfdfgdfd · August 23, 2022, 11:50pm

I also tried -sU. But it doesn’t still show bind version.

GuyKazuya · August 23, 2022, 11:55pm

I remember this one. Be mindful of using the SYN option; is that for UDP? Look in the man page for nmap. There should be something related to intensity.

There’s a couple option configurations I found that get you what you’re looking for. Remember to be patient. Take a moment to clear your head, then come back to it.

dfgdfdfgdfd · August 24, 2022, 4:27am

sudo nmap -sSU -p 53 --script dns-nsid 10.129.113.182 -Pn -n --disable-arp-ping --packet-trace -D RND:50 --max-retries 50 --version-intensity 9 -sV

Tried to run command as above. Still no luck
Im losing hope

GuyKazuya · August 24, 2022, 5:19pm

If you’re using packet trace, you can run the scan and direct the output to a file. Cat and grep the file through pipes to see what responses you’re getting from that target IP. Could be the IPS/Firewall is dropping packets received from you due to the number of decoys(look up SYN flooding). If you notice you’re not getting any responses, you might need to reset the target.

Again, you’re very close to the scan I used to get what you’re looking for. I’ll give you another hint: Look for a ‘script’ that can ‘trace’ all data sent and received.

EDIT: So I went back to try this and I’m not getting the answer using the same scan I used before. Very possible something was changed. I’ll keep messing with it and let you know.

2nd EDIT: Make sure you are using the VPN key provided by the questions near the bottom of the page.

dfgdfdfgdfd · August 24, 2022, 10:23pm

I tried as you said. But still can’t get it.
Did you manage to get results the same as before when you finished the module?

GuyKazuya · August 24, 2022, 10:40pm

Yes I did manage to get the results like before. I decided to delete the VPN key I had, then re-download it. After connecting, I got the answer with the first try. Kinda strange.

It took me a while to get the answer when I first took the module, so don’t feel bad.

If you’re still struggling, I’d drop the sS scan, and make it -sUV. I’m not entirely sure if the bind script is necessary either. I could be wrong about that, though.

dfgdfdfgdfd · August 24, 2022, 11:16pm

■■■!
The VPN redownload method actually works!
Kinda weird actually!
The Flag is written on the version field.

thank you so so so so so so muchhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!

GuyKazuya · August 24, 2022, 11:32pm

Awesome! It was my pleasure. God speed.

Darthmaul0x0 · September 9, 2022, 3:55pm

–packet-trace

czechmate · September 25, 2022, 7:59pm

I spent 2 days trying to solve this challenge. It turns out it couldn’t be solved using the VPN connected to my own Kali box. As soon as I used the built in parrot OS workstation, I got the flag. I recommend using the Parrot OS workstation provided by HTB if you are stuck.

Mr_Pachin · October 1, 2022, 7:50pm

Just a little frustrating but finally I resolved it… Don’t forget --source-port at this one…

f3l4 · January 22, 2023, 10:18pm

The second edit is key

anotherdude · March 21, 2023, 10:11am

got stuck too.
also solved it with machine reset and new vpn connection file on own machine and the nse part.
before getting new vpn file, i only saw the name of the dns server, but no “version” or flag.
think before reset that i had the problem on the parrot box too.

br4inz · April 7, 2023, 2:39am

Spent a couple of hours trying to get the flag just to realize I needed to download the VPN connection file again (from the lab page)

nintend00x · May 22, 2023, 4:30pm

I also needed to re download the vpn file.

To solve it i didnt needed any decoys or --source-port, also no masking of source address was needed. It was just UDP related. Dont know if its intended like this.

j0k3rrr · August 2, 2023, 10:41pm

Worked for me in Parrot and not in my own VM, weird…