Module 01

Win Attack Lab: Host and Service Discovery

1. Introduction

In this challenge, we will familiarize ourself with the network situation in the Windows Attack Lab. We are particularly interested in which hosts are available, what services they offer and additional information we can collect about potential targets (like OS types, versions, etc.).

All steps below should be performed from your Linux attack host.

2. nmap Scanning

1. Check IP address:

ip -c address list eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:22:48:7f:43:7c brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.15/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::222:48ff:fe7f:437c/64 scope link 
       valid_lft forever preferred_lft forever

1. Host discovery

nmap -n -sn 10.0.1.0/24 -oA host_discovery --min-rate=20000

The above scan will store its output in three different formats (.nmap, .xml and .gnmap). The .gnmap format contains "grep-able" data, which we can use to easily extract a list of live hosts:

cat host_discovery.gnmap | awk '/Up/ {print $2}' | sort -Vu > hosts.txt

cat hosts.txt

1. Service discovery scan

nmap -n -sC -sV -iL hosts.txt -oA script_version_scan --min-rate=20000

3. Questions

1. How many systems did you identify?

2. What seems to be the purpose of the individual hosts (as far as you can tell from the services they offer)?

3. Did the scan already reveal vulnerabilities / weaknesses?

4. Explain the nmap options that make a difference between the first and the second scan

4. Answers

1. nmap -n -sn 10.0.1.0/24 -oA host_discovery –min-rate=20000

cat hosts.txt
10.0.1.1
10.0.1.10
10.0.1.15
10.0.1.100
10.0.1.101
10.0.1.102
10.0.1.103
10.0.1.254

cat hosts.txt | wc -l
8

2. Based on the Service Discovery Scan we can identify the following most interesting systems/services (details file: script_version_scan.gnmap):

Host: 10.0.1.10 / Windows System / Microsoft Terminal Services
Host: 10.0.1.100 / Windows DC (Domain: winattacklab.local0) / AD DC services
Host: 10.0.1.102 / Windows System / NetBios, Microsoft Terminal Services
Host: 10.0.1.103 / Windows Web Server / Microsoft IIS httpd 10.0

3. On several hosts we can see that smb signing is enabled but not required. This opens a potential door for an attacker to perform a SMB Relay Attack. [1]

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

4.1. First scan (host discovery):

nmap -n -sn 10.0.1.0/24 -oA host_discovery –min-rate=20000

This scan performs a ping scan without a DNS lookup and writes the output in the three different file formats (xml, nmap, gnmap).

-n no DNS resolution -sn Ping Scan – disable port scan -oA Output in all supported formats (xml, nmap, gnmap) –min-rate Send packets no slower than per second

4.2. Second scan (service discovery):

nmap -n -sC -sV -iL hosts.txt -oA script_version_scan –min-rate=20000

With this scan a service discovery scan is performed with the standard NSE scripts. Furthermore a version discovery for the open ports are executed. The scan is only performed on the hosts which are provided with the input file.

-n no DNS resolution -sC Performs a script scan using the default set of scripts. It is equivalent to –script=default. -sV Probe open ports to determine service/version info -iL Reads target specifications from input filename. -oA Output in all supported formats (xml, nmap, gnmap) –min-rate Send packets no slower than per second

[1] https://cqureacademy.com/blog/penetration-testing/smb-relay-attack