NETWORK ENUMERATION WITH NMAP - Question about HOST DISCOVERY

Hello
Please help me…
Question
Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.

I used instance provided by hackthebox academy.
On “last result” about question, host is 10.129.2.18
What should I do when the host 10.129.2.18 is down while conducting “sudo nmap -O 10.129.2.18”?
Good luck!

I also get the same result when trying the same sudo nmap 10.129.2.18: host seems down, but host is up when pinged. I'm stumped lol, anyone help?

SOLVED: I added the -Pn command and it now works fine

sudo nmap -sT 10.129.88.129 -sV -sC
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-30 13:55 EDT
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 71.31% done; ETC: 13:57 (0:00:19 remaining)
Stats: 0:02:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 85.71% done; ETC: 13:58 (0:00:07 remaining)
Nmap scan report for 10.129.88.129
Host is up (0.31s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
| 256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_ 256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA UIDL SASL PIPELINING RESP-CODES AUTH-RESP-CODE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed more have ID LITERAL+ LOGIN-REFERRALS post-login capabilities Pre-login ENABLE LOGINDISABLEDA0001 OK IDLE SASL-IR IMAP4rev1
445/tcp open p�QJ�U Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
31337/tcp open Elite?
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|clock-skew: mean: -38m01s, deviation: 1h09m16s, median: 1m57s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nix-nmap-default
| NetBIOS computer name: NIX-NMAP-DEFAULT\x00
| Domain name: \x00
| FQDN: nix-nmap-default
|
System time: 2023-07-30T20:02:09+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: , NetBIOS MAC: (unknown)
| smb2-time:
| date: 2023-07-30T18:02:09
|
start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 1 IP address (1 host up) scanned in 275.45 seconds

I tried sudo nmap -sT 10.129.2.18 -sV -sC
I also tried sudo nmap -O -Pn 10.129.2.18
also ping 10.129.2.18

nothing is working, seems the host is really down.

Has anyone figured this out? I just signed up and I’m going through the labs simultaneously while working through the CEH course, and this is the first real “task” I’m completing which is super easy (I’ve worked with nmap for quite some time already, so I’m very comfortable with the tool for numerous use cases), but I was stumped on this very first task…

First of all, it’s extremely unclear; am I supposed to launch a box somewhere?
I looked everywhere but couldn’t find a box I’m supposed to launch, so I decided to just try against the ip address from the example, but of course the host is down.
Next I decided to ping sweep the network to see what hosts are available with:

nmap -sn 10.129.2.0/24 -oA tnet | grep for | cut -d" " -f5

and here are the results (note that 10.129.2.18 is NOT even live on the network):

10.129.2.49
10.129.2.80
10.129.2.141
10.129.2.219

Hmm… okay so I tried nmap -Pn -O 10.129.2.18 instead to just treat it as if it’s up and got this:

Nmap scan report for 10.129.2.18
Host is up (3.7s latency).
All 1000 scanned ports on 10.129.2.18 are in ignored states.
Not shown: 916 filtered tcp ports (no-response), 84 filtered tcp ports (host-unreach)
Too many fingerprints match this host to give specific OS details

So… I decided to just scan against every single up host from the ping sweep earlier to see what OS each is running with this command:

nmap -O -sT 10.129.2.49 10.129.2.80 10.129.2.141 10.129.2.219

and the results I got from this also say that Too many fingerprints match this host to give specific OS details

Finally, I tried nmap -O --osscan-guess -Pn 10.129.2.49 10.129.2.80 10.129.2.141 10.129.2.219 and got the same non-results…

NOTE: I’ve been on their VPN doing this from my own custom Kali VM, but yes I also tried using the box they provide and same results…

Seems really weird that they’d ask us to do this on a host that is not up unless you specify to treat it as if it’s up, and performing an OS scan on it that doesn’t return any useable information for literally ANY host up on the network…

So I just decided to guess based off the TTL (Windows’ default TTL is 128 and that’s what we can see in their example), and guess what? It’s correct!

Yikes lol seems really weird that they would expect people to figure that out without any prior knowledge of default TTLs, especially when this is geared towards nmap specifically which has a few OS options to use (which don’t work)…

Not sure how I’m feeling about HTB after this…
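
Added example, not part of any post in this thread: a small shell helper for the TTL-based guess described in the last post. It pulls the TTL out of a reply line and rounds it up to the nearest common initial value. The 64/128/255 defaults are general knowledge rather than something stated on this page, the sample lines are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Common initial TTLs (assumption from general knowledge, not from the thread):
#   64 -> Linux/Unix-like, 128 -> Windows, 255 -> many network devices.
# Each router hop decrements the TTL by one, so an observed value is rounded
# UP to the nearest default; the difference is the estimated hop count.

# Constructed sample lines (192.0.2.10 is a documentation address).
SAMPLE_NMAP='Host is up, received echo-reply ttl 128 (0.0011s latency).'
SAMPLE_PING='64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=31.2 ms'

# Read text on stdin and print the first TTL found.
# Matches both "ttl=63" (ping) and "ttl 128" (nmap --reason style).
extract_ttl() {
    grep -oiE 'ttl[= ][0-9]+' | head -n 1 | grep -oE '[0-9]+'
}

# Print "<family> initial=<n> hops=<n>" for an observed TTL,
# or "unknown" (exit status 1) if the value is not a valid TTL.
guess_os_from_ttl() {
    local ttl=$1 initial family
    case $ttl in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;
    esac
    if [ "$ttl" -lt 1 ] || [ "$ttl" -gt 255 ]; then
        echo "unknown"; return 1
    fi
    if [ "$ttl" -le 64 ]; then
        initial=64;  family="Linux/Unix-like"
    elif [ "$ttl" -le 128 ]; then
        initial=128; family="Windows"
    else
        initial=255; family="network-device/other"
    fi
    echo "$family initial=$initial hops=$((initial - ttl))"
}

# Demo over the constructed samples.
for line in "$SAMPLE_NMAP" "$SAMPLE_PING"; do
    ttl=$(printf '%s\n' "$line" | extract_ttl)
    printf 'ttl=%s -> %s\n' "$ttl" "$(guess_os_from_ttl "$ttl")"
done
```

The result is a heuristic only: the initial TTL is configurable on the host, and a device in the path that answers on the target's behalf will report its own value.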