Has anyone figured this out? I just signed up and I’m going through the labs simultaneously while working through the CEH course, and this is the first real “task” I’m completing which is super easy (I’ve worked with nmap for quite some time already, so I’m very comfortable with the tool for numerous use cases), but I was stumped on this very first task…
First of all, it’s extremely unclear; am I supposed to launch a box somewhere?
I looked everywhere but couldn’t find a box I’m supposed to launch, so I decided to just try against the IP address from the example, but of course the host is down.
Next I decided to ping sweep the network to see what hosts are available with:
nmap -sn 10.129.2.0/24 -oA tnet | grep for | cut -d" " -f5
and here are the results (note that 10.129.2.18 is NOT even live on the network):
10.129.2.49
10.129.2.80
10.129.2.141
10.129.2.219
Hmm… okay so I tried nmap -Pn -O 10.129.2.18 instead to just treat it as if it’s up and got this:
Nmap scan report for 10.129.2.18
Host is up (3.7s latency).
All 1000 scanned ports on 10.129.2.18 are in ignored states.
Not shown: 916 filtered tcp ports (no-response), 84 filtered tcp ports (host-unreach)
Too many fingerprints match this host to give specific OS details
So… I decided to just scan against every single up host from the ping sweep earlier to see what OS each is running with this command:
nmap -O -sT 10.129.2.49 10.129.2.80 10.129.2.141 10.129.2.219
and the results I got from this also say that Too many fingerprints match this host to give specific OS details
…
Finally, I tried nmap -O --osscan-guess -Pn 10.129.2.49 10.129.2.80 10.129.2.141 10.129.2.219
and got the same non-results…
NOTE: I’ve been on their VPN doing this from my own custom Kali VM, but yes I also tried using the box they provide and same results…
Seems really weird that they’d ask us to do this on a host that is not up unless you specify to treat it as if it’s up, and performing an OS scan on it that doesn’t return any usable information for literally ANY host up on the network…
So I just decided to guess based off the TTL (Windows’ default TTL is 128 and that’s what we can see in their example), and guess what? It’s correct!
Yikes lol seems really weird that they would expect people to figure that out without any prior knowledge of default TTLs, especially when this is geared towards nmap specifically which has a few OS options to use (which don’t work)…
Not sure how I’m feeling about HTB after this…
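The TTL shortcut the post ends up using is a standard coarse heuristic: each router hop decrements the TTL by one, so a reply arriving with TTL 127 most likely started at Windows’ default of 128 one hop away, while 63 most likely started at the 64 that Linux, Unix and macOS use. Nmap’s -O fingerprinting needs richer signals (it works best with at least one open and one closed TCP port), which is why an all-filtered host yields "Too many fingerprints match". The script below is an added example (not part of the post and not HTB material) that parses ping-style reply lines, maps each observed TTL to the nearest default initial TTL, and flags matches that would imply an implausible hop count. The sample ping output is constructed for the example, not captured from the lab network, and the default-TTL table and 30-hop cutoff are assumptions of this example.

```python
import re

# Well-known default initial TTL values per OS family (the post relies on
# Windows' 128). Administrators can change these, so treat this as a hint.
DEFAULT_TTLS = {
    64: "Linux/Unix/macOS",
    128: "Windows",
    255: "Network device / Solaris",
}
MAX_PLAUSIBLE_HOPS = 30  # assumed cutoff: beyond this the match is probably wrong


def guess_os_from_ttl(observed_ttl):
    """Map an observed TTL to the nearest default initial TTL at or above it.

    Returns a dict with the guessed family, the implied hop count, and a
    plausibility flag. Each router decrements TTL by one, so 127 on the wire
    implies an initial TTL of 128 one hop away, i.e. most likely Windows.
    """
    candidates = [t for t in DEFAULT_TTLS if t >= observed_ttl]
    if observed_ttl <= 0 or not candidates:
        return {"os": "unknown", "hops": None, "plausible": False}
    initial = min(candidates)
    hops = initial - observed_ttl
    return {
        "os": DEFAULT_TTLS[initial],
        "hops": hops,
        "plausible": hops <= MAX_PLAUSIBLE_HOPS,
    }


# Matches both Linux ("64 bytes from 10.0.0.1: ... ttl=63 ...") and Windows
# ("Reply from 10.0.0.1: bytes=32 time=1ms TTL=128") ping reply lines.
PING_LINE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}).*?\bttl=(\d+)", re.IGNORECASE)


def parse_ping_ttls(text):
    """Extract {ip: ttl} from ping output; the first reply per host wins."""
    seen = {}
    for line in text.splitlines():
        m = PING_LINE.search(line)
        if m and m.group(1) not in seen:
            seen[m.group(1)] = int(m.group(2))
    return seen


def classify_hosts(text):
    """Run the TTL heuristic over every host found in the ping output."""
    return {ip: guess_os_from_ttl(ttl) for ip, ttl in parse_ping_ttls(text).items()}


# Constructed sample ping output for this example (not real lab captures).
SAMPLE_PING = """\
64 bytes from 10.129.2.18: icmp_seq=1 ttl=127 time=3.7 ms
64 bytes from 10.129.2.18: icmp_seq=2 ttl=127 time=3.9 ms
64 bytes from 10.129.2.49: icmp_seq=1 ttl=63 time=2.1 ms
64 bytes from 10.129.2.80: icmp_seq=1 ttl=254 time=1.0 ms
64 bytes from 10.129.2.141: icmp_seq=1 ttl=20 time=5.2 ms
"""

if __name__ == "__main__":
    for ip, result in classify_hosts(SAMPLE_PING).items():
        flag = "" if result["plausible"] else " (implausible hop count, ignore)"
        print(f"{ip}: {result['os']} (about {result['hops']} hops){flag}")
```

Because the heuristic only sees the decremented TTL, it cannot distinguish "Windows one hop away" from "a Linux box whose TTL was raised to 127", and a host behind a proxy or load balancer reports the intermediary’s TTL, not its own. Use it to form a first guess and confirm with a port scan that exposes at least one open and one closed port so -O has something to work with.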