Entering the breach
Exploring systems and services
Your attack team has run initial reconnaissance on the target: Throwback Hacks Security. They found 3 publicly facing machines: THROWBACK-PROD, THROWBACK-FW01, and THROWBACK-MAIL. Your team has informed you that these assets are publicly accessible; it is your job to perform additional reconnaissance on these machines and find the way in. To accomplish this, we'll be learning to use the tool nmap.
Actual network range: 10.200.136.0/24
Nmap Command:
nmap -sV -sC -p- -v -oA full_scan 10.200.136.0/24 --min-rate 5000
xsltproc full_scan.xml -o full_scan.html
Enumerating THROWBACK-PROD Scans
When enumerating the nmap scan we find many open ports as well as a leaked domain name.
We also find that port 80 is running an IIS server; this is worth noting so we can visit and enumerate it later.
Enumerating THROWBACK-MAIL Scans
We find that THROWBACK-MAIL is a Linux box running an Apache server on port 80 that serves a login page.
Enumerating THROWBACK-FW01 Scans
When looking at the scans we see that the box is more than likely running a pfSense firewall with a public pfSense login.