[WEB] Curious question, 88.198.233.174 block nmap port scan?

HTB Content Challenges
1

Hi,

does anybody know how HTB blocks nmap port scan? I tried to nmap scan 88.198.233.174 today and they all seem down.

root@osboxes:~# nmap -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:23 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds

root@osboxes:~# nmap -p 37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:29 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.17 seconds

root@osboxes:~# nmap -sT -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

root@osboxes:~# nmap -sS -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds

root@osboxes:~# nmap -sA -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.13 seconds

eventhough curl gives result:

root@osboxes:~# curl 88.198.233.174:37496
<html>
<head>
    <title>Login - Lernaean</title>
</head>
<body style="background-color: #cd4e7b;">
    <center>
        <br><br><br>
        <h1><u>Administrator Login</u></h1>
        <h2>--- CONFIDENTIAL ---</h2>
        <h2>Please do not try to guess my password!</h2>
        <form method="POST">
            <input type="password" name="password"><br><br>
            <input type="submit" value="Submit">
        </form>
    </center>
</body>

How can a webserver allow 3 Way Handshake from HTML Request but drop a SYN Package of a nmap scan?

2

By default nmap checks to see if the host is up by e.g. sending a icmp ping (echo-request) packet and a tcp syn to 80/tcp. If this fails it assumes the host is down. So, in this case it doesn’t try the port 37496/tcp.

We have the -Pn option to override this behaviour.

Not sure if we should be port scanning that target (HTB admin’s can confirm).

3

Well monoc said it all. Question why would you port scan that IP when it’s clearly one of the IP’S running some of the web challenges and some of the pwnables, what are you trying to achieve by that?

4

Thx for the answer. I checked it with wireshark and its really the case. I did it out of curiosity tbh. I want to learn more about nmap and portscan as well.