Hello, I am new to hackthebox. I was just checking out their beginners' guide which you get at your first login. I followed its instructions, connected to the HTB network, and ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?
I'd suggest always running nmap with -vvv so that you get as much output along the way as possible. Other than that, you can also press SPACE to get a status update.
@cronta44 said:
Hello, I am new to hackthebox. I was just checking out their beginners' guide which you get at your first login. I followed its instructions, connected to the HTB network, and ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?
Did you run ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') first?
I am not a huge fan of this approach to using nmap. I get that it feels like it has sped up the process, but it generates an awful lot of errors.
You might be better using:
nmap -Pn -sC -sV -p- -vvvvvvv --reason --min-rate=1000 -T4 -oA all_tcp 10.10.10.27
(ymmv)
@cronta44 said:
Hello, I am new to hackthebox. I was just checking out their beginners' guide which you get at your first login. I followed its instructions, connected to the HTB network, and ran the nmap port scan as written in the guide ( nmap -sC -sV -p$ports 10.10.10.27 ). But it's been almost 5 minutes and it's just stuck there. No result or output. Can anyone help me?
I agree with @Homesen that the verbose output can help. I just personally think that out of the box it clutters the screen so much that it becomes hard to read and limits what other information you could gather in the meantime.
And I like the direction of what @TazWake is suggesting.
These are the first two stages of my nmap scan. I have 5 stages in total, but just to give a hint:
```bash
# stage 1: top 100 ports; stage 2: scripts + versions on the ports stage 1 found
# (the port list is built with command substitution; the second -oA overwrites
# scantop100.* with the more detailed result)
ip=10.10.10.27; sudo nmap --top-ports 100 -oA scantop100 $ip && sudo nmap -sC -sV -p $(grep -oP "^[0-9]*" scantop100.nmap | tr "\n" "," | sed 's/.$//') -oA scantop100 $ip;
```
This will give you a first result in probably under 3 seconds and list the versions of the services in probably under a minute.
So after 3 seconds you can start to do some manual poking and after a minute you can come back to your scan to find the scripts and versions results.
Mind you, this is only scanning the top 100 ports, which is far from a complete scan. So I do not recommend using this without all the other stages that should follow. Here's what I do after that:
- My stage 3: I chain the nmap results into my vulnfetcher script (GitHub - gnothiseautonlw/vulnfetcher: Searchsploit alternative. It differs in that it uses search engines, can run unattended in the background, plays well with nmap and is able to process large lists of packages or services on its own. It supports a simple search, nmap XMLs, tab-separated files and Debian package list files ('dpkg -l > file')), so after about a minute it has googled all known vulnerabilities for the found services for me and throws that on my screen.
- Then I do a stage 4 (very much like stage 1, but against all ports). This runs verbose, but I made it so that it only shows when it finds a port (and hides all the rest), but I can still press a button and get a status. As a result I only see 'I found this port'; if I press a button I get a status update, and in the end it prints just the results. Clean and tight.
- Then I do my stage 5, where I run --script vuln for all ports found in stage 4.
What I end up with is one command. I fire it, and:
- After 3 seconds I see a first result
- After a minute it has googled all known vulnerabilities of the found services for the top 100 ports
- After about half an hour, I have a list of all ports (and I see it potentially faster, since it runs verbose)
- After between half an hour and an hour, depending, it has tested pretty much all nmap vulnerability scripts against all known ports
It’s just one command that runs by itself in the background and it keeps building, while I do my manual work.
I hope this can inspire you to think in terms of having both ‘fast’ results and ‘complete’ results.
The only way you can have both is to think in terms of ‘stages’, a command that continuously builds more results, but focuses on the most important things first.
In that department I find tutorials often misleading. They 'happen' to do a full scan if some mystery port is used and only do fast scans when they know there are no exotic ports... in the real world, you need a process that covers everything, always. But you can make it so that it doesn't keep you waiting for results. Best of both worlds.
Good luck!
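A staged scan in the spirit of the workflow above, written as an added example: this is my script, not the poster's own 5-stage command, the vulnfetcher tool, or the HTB guide's one-liner. It assumes nmap is on PATH and that the script runs as root (so the default SYN scan works); the output file names (stage1_top100, stage4_all_tcp, ...) are my choice, and the nmap report embedded at the bottom is constructed for illustration, not real scan output. Two details it adds beyond the post: the port list handed to the next stage is taken from the STATE column rather than from every line that starts with a digit (nmap lists rare states individually, e.g. one closed port among 65000 filtered ones, and `grep ^[0-9] | cut -d/ -f1` would pass that closed port on), and the --reason output is summarised so a full scan that is mostly "filtered (no-response)" rather than "closed (reset)" is visible at a glance.

```shell
#!/usr/bin/env bash
# Staged nmap wrapper: an added example, not the poster's own 5-stage script
# and not the HTB guide's command. Run as root so nmap can SYN scan.
# File names (stage1_top100, stage4_all_tcp, ...) are my own choice.
set -eu

# Build the comma-separated "-p" list from an nmap normal-output report
# (the .nmap file of -oA). Only ports whose STATE column is exactly "open"
# are kept: nmap prints the rare states individually (e.g. one closed port
# among 65000 filtered ones), so "grep ^[0-9] | cut -d/ -f1" would feed
# those closed/filtered ports into the next stage as well.
extract_open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         split($1, a, "/"); printf "%s%s", sep, a[1]; sep = ","
       }
       END { print "" }' "$1"
}

# Count ports nmap reported in a given state (open/closed/filtered), adding
# the "Not shown: N <state> ..." summary to any individually listed ports.
# With --reason, "closed" means a RST came back and "filtered" means no
# response (or an ICMP unreachable): worth knowing before trusting the list.
count_state() {
  awk -v st="$1" '
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == st { n++ }
    /^Not shown:/ { for (i = 2; i <= NF; i++) if ($i == st) n += $(i - 1) }
    END { print n + 0 }' "$2"
}

# The staged scan itself. Stage 3 of the post (vulnfetcher) is not nmap and
# is left out here; the other stage numbers follow the post.
staged_scan() {
  ip=$1
  # Stage 1: top 100 TCP ports, results within seconds.
  nmap -Pn --top-ports 100 --reason -oA stage1_top100 "$ip"
  ports=$(extract_open_ports stage1_top100.nmap)
  # Stage 2: default scripts and version detection on what stage 1 found.
  if [ -n "$ports" ]; then
    nmap -Pn -sC -sV -p "$ports" -oA stage2_top100_sv "$ip"
  fi
  # Stage 4: all 65535 TCP ports; -vv prints each open port as it is found.
  nmap -Pn -p- --min-rate=1000 -T4 -vv --reason -oA stage4_all_tcp "$ip"
  printf 'full scan: %s open, %s closed (RST), %s filtered (no response)\n' \
    "$(count_state open stage4_all_tcp.nmap)" \
    "$(count_state closed stage4_all_tcp.nmap)" \
    "$(count_state filtered stage4_all_tcp.nmap)"
  ports=$(extract_open_ports stage4_all_tcp.nmap)
  # Stage 5: the NSE "vuln" category against every open port of the full scan.
  if [ -n "$ports" ]; then
    nmap -Pn -sV --script vuln -p "$ports" -oA stage5_vuln "$ip"
  fi
}

# Constructed sample report (not real scan output) so the parsing functions
# can be exercised without a target; prints the temp file path.
write_sample_report() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p- --reason -oA stage4_all_tcp 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up, received user-set (0.021s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE    SERVICE    REASON
22/tcp   open     ssh        syn-ack ttl 63
80/tcp   open     http       syn-ack ttl 63
443/tcp  closed   https      reset ttl 63
8080/tcp open     http-proxy syn-ack ttl 63
9000/tcp filtered cslistener no-response
EOF
  echo "$f"
}

# Usage: ./staged.sh 10.10.10.27  (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
  staged_scan "$1"
fi
```

Each stage writes its own -oA set, so an earlier result is never overwritten by a later one, and the filtered/closed counts from the full scan tell you whether a quiet port list is really "nothing there" or a firewall dropping your probes.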
@gnothiseauton said:
- My stage 3: I chain the nmap results into my vulnfetcher script (GitHub - gnothiseautonlw/vulnfetcher: Searchsploit alternative. It differs in that it uses search engines, can run unattended in the background, plays well with nmap and is able to process large lists of packages or services on its own. It supports a simple search, nmap XMLs, tab-separated files and Debian package list files ('dpkg -l > file')), so after about a minute it has googled all known vulnerabilities for the found services for me and throws that on my screen.
Thanks for sharing this agenda, I'm definitely going to try this next time.
Awesome suggestions and I love seeing how people built their own workflows.
One thing I'd add, and it really does depend on the environment/objective etc., but it's good to know what responses nmap gets. If you are doing a SYN scan (which I assume almost all of these will be) there is a difference between RST and no response. If you only look for nmap's assumption of open (SYN/ACK), you might miss this.
Caveat: it only actually matters in some edge cases and I don't think I've ever seen an HTB box where it mattered.
Thank you, all of you, for the suggestions! Will try it. P.S. @TazWake, that's the mistake I made. I didn't run the command you told me to. Thanks a lot!