Module 01

Last updated 3 years ago

Win Attack Lab: Host and Service Discovery

1. Introduction

In this challenge, we will familiarize ourselves with the network situation in the Windows Attack Lab. We are particularly interested in which hosts are available, what services they offer and what additional information we can collect about potential targets (such as OS types, versions, etc.).

All steps below should be performed from your Linux attack host.

2. nmap Scanning

  1. Check IP address:

ip -c address list eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:22:48:7f:43:7c brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.15/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::222:48ff:fe7f:437c/64 scope link 
       valid_lft forever preferred_lft forever
  2. Host discovery:

nmap -n -sn 10.0.1.0/24 -oA host_discovery --min-rate=20000

The above scan will store its output in three different formats (.nmap, .xml and .gnmap). The .gnmap format contains "grep-able" data, which we can use to easily extract a list of live hosts:

cat host_discovery.gnmap | awk '/Up/ {print $2}' | sort -Vu > hosts.txt

cat hosts.txt

  3. Service discovery scan:

nmap -n -sC -sV -iL hosts.txt -oA script_version_scan --min-rate=20000

3. Questions

  1. How many systems did you identify?

  2. What seems to be the purpose of the individual hosts (as far as you can tell from the services they offer)?

  3. Did the scan already reveal vulnerabilities / weaknesses?

  4. Explain the nmap options that differ between the first and the second scan.

4. Answers

  1. nmap -n -sn 10.0.1.0/24 -oA host_discovery --min-rate=20000

cat hosts.txt
10.0.1.1
10.0.1.10
10.0.1.15
10.0.1.100
10.0.1.101
10.0.1.102
10.0.1.103
10.0.1.254

cat hosts.txt | wc -l
8

2. Based on the Service Discovery Scan we can identify the following most interesting systems/services (details file: script_version_scan.gnmap):

Host: 10.0.1.10 / Windows System / Microsoft Terminal Services
Host: 10.0.1.100 / Windows DC (Domain: winattacklab.local0) / AD DC services
Host: 10.0.1.102 / Windows System / NetBios, Microsoft Terminal Services
Host: 10.0.1.103 / Windows Web Server / Microsoft IIS httpd 10.0

3. On several hosts we can see that SMB signing is enabled but not required. This opens a potential door for an attacker to perform an SMB relay attack. [1]

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
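The awk pipeline in section 2 and the "enabled but not required" finding in answer 3 are both just text processing over nmap's output files. The following Python script is an added example (not part of the original lab page) that does the same work over constructed excerpts of a .gnmap and a .nmap file: it extracts the live hosts from the host-discovery output (the equivalent of awk '/Up/ {print $2}' | sort -Vu), parses the Ports: records of the service scan into per-host port/service/version tuples, and lists the hosts whose smb2-security-mode script reports that signing is not required, so that a defender knows where to enforce it. The addresses follow the lab's 10.0.1.0/24 range; the port lists and banners are invented sample data, not the lab's real scan results.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (.gnmap) from a "-sn" host discovery.
# Lines are tab-separated; with -n the reverse-DNS name field is empty: "()".
HOST_DISCOVERY_GNMAP = """\
# Nmap scan initiated as: nmap -n -sn 10.0.1.0/24 -oA host_discovery --min-rate=20000
Host: 10.0.1.1 ()\tStatus: Up
Host: 10.0.1.100 ()\tStatus: Up
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.15 ()\tStatus: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned
"""

# Constructed sample of a "-sC -sV" service scan in .gnmap form. Each Ports: entry is
# port/state/proto/owner/service/rpcinfo/version/ (banners here are invented).
SERVICE_SCAN_GNMAP = """\
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
Host: 10.0.1.100 ()\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: winattacklab.local0)/, 445/open/tcp//microsoft-ds///
Host: 10.0.1.103 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 445/open/tcp//microsoft-ds///
"""

# Constructed excerpt of the normal (.nmap) output with host script results,
# in the shape quoted in answer 3 above.
SERVICE_SCAN_NMAP = """\
Nmap scan report for 10.0.1.10
Host is up (0.0010s latency).
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for 10.0.1.100
Host is up (0.0010s latency).
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
"""


def live_hosts(gnmap_text):
    """Equivalent of: awk '/Up/ {print $2}' host_discovery.gnmap | sort -Vu.

    Only "Host:" records are considered, so comment lines can never match.
    Sorting by ipaddress gives the numeric order that sort -V produces.
    """
    hosts = set()
    for line in gnmap_text.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            hosts.add(line.split()[1])
    return sorted(hosts, key=ipaddress.ip_address)


def open_services(gnmap_text):
    """Parse the Ports: records into {ip: [(port, proto, service, version), ...]}."""
    services = defaultdict(list)
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # port/state/proto/owner/service/rpcinfo/version/ -> 8 parts
                if len(parts) < 7 or parts[1] != "open":
                    continue
                services[ip].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return dict(services)


def smb_signing_not_required(nmap_text):
    """Hosts whose smb2-security-mode script says signing is not required.

    Each 'Nmap scan report for' line starts a new host block; the script output
    that follows belongs to that host until the next report line.
    """
    weak = []
    current = None
    for line in nmap_text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.search(r"Message signing .*not required", line):
            weak.append(current)
    return weak


if __name__ == "__main__":
    print("live hosts:", live_hosts(HOST_DISCOVERY_GNMAP))
    for ip, ports in open_services(SERVICE_SCAN_GNMAP).items():
        print(ip, ports)
    print("SMB signing not required on:", smb_signing_not_required(SERVICE_SCAN_NMAP))
```

Run against the real files, the three functions take the contents of host_discovery.gnmap, script_version_scan.gnmap and script_version_scan.nmap respectively; the last list is the set of hosts where "require SMB signing" should be switched on to close the relay opportunity described above.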

4.1. First scan (host discovery):

nmap -n -sn 10.0.1.0/24 -oA host_discovery --min-rate=20000

This scan performs a ping scan without DNS lookup and writes the output in the three different file formats (xml, nmap, gnmap).

-n                  No DNS resolution
-sn                 Ping scan: disable port scan
-oA                 Output in all supported formats (xml, nmap, gnmap)
--min-rate <number> Send packets no slower than <number> per second

4.2. Second scan (service discovery):

nmap -n -sC -sV -iL hosts.txt -oA script_version_scan --min-rate=20000

This scan performs a service discovery scan with the standard NSE scripts. Furthermore, version detection is executed for the open ports. The scan is only performed on the hosts provided in the input file.

-n                  No DNS resolution
-sC                 Performs a script scan using the default set of scripts; equivalent to --script=default
-sV                 Probe open ports to determine service/version info
-iL                 Reads target specifications from the input file
-oA                 Output in all supported formats (xml, nmap, gnmap)
--min-rate <number> Send packets no slower than <number> per second

[1] https://cqureacademy.com/blog/penetration-testing/smb-relay-attack