# Entering the breach

![Network Diagram ](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FUzXNAjuddir8KTNlEsyU%2FNetwork.PNG?alt=media\&token=acdb004d-45d5-4739-ae2d-d726ee178259)

### Entering the breach

Your attack team has run initial reconnaissance on the target, Throwback Hacks Security, and found 3 publicly facing machines: **THROWBACK-PROD**, **THROWBACK-FW01**, and **THROWBACK-MAIL**. Your team has informed you that these assets are publicly accessible; it is your job to perform additional reconnaissance on these machines and find the way in. To accomplish this, we'll be learning to use the tool [nmap](https://cas-cyber.gitbook.io/cas-cybersecurity/scanning-and-enumeration#scanning-with-nmap).

Actual network range: 10.200.136.0/24

Nmap command:

> `nmap -sV -sC -p- -v -oA full_scan 10.200.136.0/24 --min-rate 5000`

![nmap console output](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FUKfiJFtpsWs9QR4PeL91%2Fnmap01.png?alt=media\&token=e857f545-839a-485a-ab82-717c2426e0c7)

> `xsltproc full_scan.xml -o full_scan.html`

### Identifying Assets and finding the attack surface

**Enumerating THROWBACK-PROD Scans**

Reviewing the nmap scan, we find many open ports as well as a leaked domain name.

![Note: ports 445 (SMB) and 3389 (RDP) are open](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F78On9Jqqh9V2UhPTje0i%2Fnmap02.png?alt=media\&token=4a265516-3083-4dd3-ab04-064633ca61ec)

We also find that port 80 is running an IIS server; this is worth noting so we can visit and enumerate it later.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FAWNdM3sAyeUTW4TrHCuo%2Fnmap04.png?alt=media\&token=3e4a99ce-a48f-400f-8232-bf2c9d2c7297)

**Enumerating THROWBACK-MAIL Scans**

We find that THROWBACK-MAIL is a Linux box running an Apache server on port 80 that serves a login page.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FpCqjH2Q2IyjyOqCoo8kV%2Fnmap05.png?alt=media\&token=e5781bf0-3f03-40f8-bad0-1c414eba571a)

**Enumerating THROWBACK-FW01 Scans**

Looking at the scans, we see that the box is more than likely running a pfSense firewall with a public pfSense login.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXHAJcxF4PxXqKc6dqtuc%2Fnmap06.png?alt=media\&token=28521b8b-75d3-4db4-a173-b26153ff138c)
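
The host-by-host review above can also be done directly from the `full_scan.xml` file that `-oA full_scan` writes. The following is an added example, not part of the original walkthrough: it lists open ports per live host and flags SMB and RDP exposure. The sample XML, its addresses and product strings, and the function names `open_services` and `flag_remote_access` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like nmap XML output; addresses and products are made up.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.200.136.10" addrtype="ipv4"/>
<hostnames><hostname name="THROWBACK-PROD"/></hostnames><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="5985"><state state="filtered"/><service name="wsman"/></port>
</ports></host>
<host><status state="up"/><address addr="10.200.136.20" addrtype="ipv4"/>
<hostnames><hostname name="THROWBACK-MAIL"/></hostnames><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
</ports></host>
<host><status state="down"/><address addr="10.200.136.30" addrtype="ipv4"/></host>
</nmaprun>"""

REMOTE_ACCESS_PORTS = {445: "SMB", 3389: "RDP"}  # the two ports the page notes as open


def open_services(xml_text):
    """Return {host label: [(port, service, product), ...]} for open ports on hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts recorded as down
        addr = host.find("address").get("addr")
        name = host.find("hostnames/hostname")
        label = f"{name.get('name')} ({addr})" if name is not None else addr
        rows = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # ignore closed and filtered ports
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            rows.append((int(port.get("portid")), svc.get("name", ""), svc.get("product", "")))
        inventory[label] = sorted(rows)
    return inventory


def flag_remote_access(inventory):
    """List (host, port, label) for every open port found in REMOTE_ACCESS_PORTS."""
    return [(h, p, REMOTE_ACCESS_PORTS[p]) for h, rows in inventory.items()
            for p, _, _ in rows if p in REMOTE_ACCESS_PORTS]

if __name__ == "__main__":
    inventory = open_services(SAMPLE_XML)
    print(inventory)
    print("remote access exposed:", flag_remote_access(inventory))
```

To use it on a real scan, pass the contents of `full_scan.xml` to `open_services` in place of `SAMPLE_XML`.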

### Questions

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FSJsoG3rg680RW2BUklIZ%2Fquestions_task07.png?alt=media\&token=2060795a-50ec-4d6b-a8dd-4a0ef4cb22a3)
