Nmap Firewall IDS/IPS Evasion Lab

I need some help with my Nmap Academy lab for firewall evasion. I have done a full network scan to look at the other hosts that are on the network. I have also spoofed the source address as well as the source port and disabled ARP ping to try and find the DNS server version. Though I keep on getting a filtered port. I have also tried slowing down the scan to T1 and put in -Pn -n -sA with nmap. So one of my commands looks like this: sudo nmap $ip-address -p 53 -Pn -sA -sV -n -S ip-address --source-port 53 -T 1. Is there another port that I should mask as, so I can view the DNS version?


Like so many of HTB Academy’s exercises, this question is completely misleading and has absolutely nothing to do with the content you just learned. All of the information you need to solve this can be found on the Host and Port Scanning and Service Enumeration pages. You don’t need to use any of your Firewall/IDS/IPS evasion knowledge to answer this question.


My first thought was: can I just ask the DNS server what version is running? But I gave up because the question mentions IDS/IPS. Lesson learnt: do not trust HTB :wink:


Did you have any progress on this? I am having a real hard time. I found the port but can’t get the version with the -sV flag.
I tried to use the “tcpdump + nc” trick, but the command “nc -nv -p 53 ”
always returns a “bind failed: address already in use”. I googled it but couldn’t make it work.
Am I going for a wrong approach altogether?

I don’t know if this is of any help to you, but maybe it can be helpful for others that try solving the problem using this method. The error “bind failed: address already in use” pops up because port 53 is already in use by your own host system for DNS, so before proceeding you need to free it up in some way.

I used my own Ubuntu VM for this problem, so my naive solution was just to temporarily disable the service using “systemctl disable systemd-resolved”, reboot, solve the HTB challenge and then re-enable DNS using “systemctl enable systemd-resolved” and reboot. Probably there is a better way, but I don’t know it and this did the trick for me.

I need help. I used all I learned but I can’t find its version; other services’ versions can be looked up.


I think you cannot find the version because of the IDS/IPS for that service. I am having issues too.

I think the port is filtered and you cannot ask the DNS server. Did you get your way around it? How did you do it?

Got only 29 alerts before the OS was detected.
Use the decoy method combined with a fake port.

Try the -sT flag.


I’m a little late to the party and just getting started but I have noticed this a couple of times! Glad to hear I’m not crazy!

Hey guys. I am running out of options with the medium lab :sob:. I tried with --script dns.nsid, checked the packets with tcpdump/Wireshark and I can see that the request for version.bind is refused. I have tried the -sSU and -sT flags on nmap but got nothing beyond the name of the DNS service; I cannot get the version. Thank you for any tip :+1:

did you mean to put a period in the script name? version bind wasn’t refused for me…

--source-port is the key
Agreed. --source-port is the key for both easy and medium.

Review the following section of the lesson. In the past, TCP port 53 was only used for zone transfers, but now, due to IPv6 and DNSSEC expansion, DNS requests are being made over TCP 53 too. That means a firewall and an improperly configured IPS/IDS will allow traffic from source port 53.

“More and more, this is changing due to IPv6 and DNSSEC expansions.
These changes cause many DNS requests to be made via TCP port 53.

As another example, we can use TCP port 53 as a source port (--source-port) for our scans.

If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.”
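Seen from the defender’s side, the weakness the lesson quoted above describes is a firewall or IDS that trusts any packet simply because its source port is 53. The following script is an added example, not code from this thread or from HTB’s material: it parses a constructed sample of iptables-style kernel log lines (the format, addresses and ports are assumptions) and flags packets from source port 53 that a genuine DNS reply would never produce, such as a bare SYN from port 53 or port-53 traffic aimed at a privileged non-DNS port. A stateful firewall that only accepts port-53 traffic for connections it has seen the inside host open would drop these anyway; the log check is useful where that is not in place.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style kernel log lines (not real traffic).
# Source ports of 53 against 10.0.0.10 are mixed with two ordinary flows.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 SYN URGP=0
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=53 DPT=53 WINDOW=1024 SYN URGP=0
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=10.0.0.10 PROTO=UDP SPT=53 DPT=40123 LEN=120
Mar 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=UDP SPT=53 DPT=53 LEN=48
Mar 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 ACK URGP=0
Mar 10 12:00:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.10 PROTO=TCP SPT=44021 DPT=443 WINDOW=64240 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one iptables-style log line into a dict of KEY=VALUE fields plus the set of TCP flags."""
    fields = dict(KV_RE.findall(line))
    # iptables prints TCP flags as bare tokens (e.g. "SYN", "ACK"), not as KEY=VALUE pairs.
    fields["flags"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    for key in ("SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def classify(pkt):
    """Return the reasons a packet from source port 53 looks like a scan rather than a DNS reply."""
    reasons = []
    if pkt.get("SPT") != 53:
        return reasons  # only source port 53 is of interest here
    dpt = pkt.get("DPT")
    if dpt == 53:
        # Real resolvers query from an ephemeral port; 53 -> 53 matches the --source-port 53 -p 53 pattern.
        reasons.append("port 53 -> port 53 probe")
    elif dpt is not None and dpt < 1024:
        # A DNS reply goes back to the client's ephemeral port, never to a privileged service port.
        reasons.append(f"source port 53 to privileged non-DNS port {dpt}")
    if pkt.get("PROTO") == "TCP" and "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        # A DNS server answering over TCP never opens a new connection with a bare SYN.
        reasons.append("new TCP connection initiated from source port 53")
    return reasons


def scan_log(text):
    """Return (src, proto, dst_port, reasons) for every flagged line in the log text."""
    findings = []
    for line in text.splitlines():
        if "SRC=" not in line:
            continue  # skip lines that are not packet records
        pkt = parse_line(line)
        reasons = classify(pkt)
        if reasons:
            findings.append((pkt["SRC"], pkt["PROTO"], pkt["DPT"], reasons))
    return findings


def sources_to_review(findings, min_ports=2):
    """Sources whose flagged port-53 packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for src, _proto, dpt, _reasons in findings:
        ports[src].add(dpt)
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for src, proto, dpt, reasons in hits:
        print(f"{src} {proto} -> {dpt}: {'; '.join(reasons)}")
    print("sources to review:", sources_to_review(hits))
```

On the constructed sample, the UDP reply to port 40123 and the ordinary HTTPS connection pass untouched, while the four port-53 probes against 22, 53 and 80 are flagged and their single source is reported for review.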

Please, I am still stuck on “Firewall and IDS/IPS Evasion - Medium Lab” with the question: “After the configurations are transferred to the system, our client wants to know if it is possible to find out our target’s DNS server version. Submit the DNS server version of the target as the answer.”
How do I get the answer?

-sSU --source-port 53 --script dns-nsid

Please, do you know the answer for the last lab? It’s been a week that I am trying to find something.

Please, have you solved the last lab?

Add these flags:
-sSU --source-port 53 --script dns-nsid