Nmap basics challenge exercise - Task 6

Hi, I’m struggling with Task 6
" 1. Alright, investigate one more host – the one you identified as being behind a firewall in step 2.

Three of the following ports are open, can you determine which? 80, 445, 2600, 53, 23, 3389. You may run a SYN or TCP connect scan. You will have to slow your scan down to avoid the packet. (Hint: you may have to slow down your scans)"

I’m finding 6 -not 3- ports, and all of them are filtered

Suggestions are appreciated, thanks!

Good day! Hope you are doing well. Maybe you should try a config that doesn’t do a complete handshake. Discard -Pn and look at other options. The other configs are ok :slight_smile:

Hey @Nenya!

You are looking at the wrong host; otherwise, you have the right idea.

In the second step (run a SYN scan on the hosts you identified in step 1) you will have found one host with most of its ports reporting as filtered (hmm… maybe behind a firewall?). This is the host you’ll want to target in step 6.

Happy hacking!

2 Likes

Hi @Lu0ro
I’ve tried every possibility I can think of, such as -sS, -sU, -sV, -sN, -sF, -sX
But it seems I can’t find the right config:

Any new ideas? This lab is really holding me up… :s

Thanks!

Hi @raggetd

You’re right, I was looking at the wrong host. I assumed the most likely to be behind the firewall would be the one with all the ports filtered. Apparently I wasn’t getting it at all xD

Thank you!

2 Likes

Hi @Nenya

Glad to hear it!

And re: “I assumed the most likely to be behind the firewall would be the one with all the ports filtered,”
That would be a reasonable assumption as long as you know that host exists to begin with. For example, I can confirm no host exists at 172.16.0.33, but if I perform a port scan on it, I’ll see that all ports are supposedly filtered. This means there is likely a firewall, but not necessarily a host at that IP.


However, if we see all ports are filtered except for one or more, then we can confirm something lives at that IP.

To this end, I’m curious about how you discovered the 172.16.0.54 address. I’ll also confirm that nothing lives there, so it shouldn’t have shown up in your ping scan (step 1) that you perform to gather the initial set of hosts for further analysis. If you found some indication that something does live there, please DM me with a screenshot, because that would be confusing, and indicate some lab edits are required!

Hope this helps - happy hacking!

1 Like
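The reasoning in the post above, as an added example that is not part of the original thread: it reads nmap grepable (`-oG`) output and separates addresses where no probe was ever answered from addresses where at least one port replied while others were filtered. The sample output, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG` output. 172.16.0.33 is the address named
# in the post; the 192.0.2.x hosts and all port states are made up.
SAMPLE_GNMAP = (
    "Host: 172.16.0.33 ()\tStatus: Up\n"
    "Host: 172.16.0.33 ()\tPorts: 23/filtered/tcp//telnet///, "
    "53/filtered/tcp//domain///, 80/filtered/tcp//http///\n"
    "Host: 192.0.2.10 ()\tPorts: 53/open/tcp//domain///, "
    "80/open/tcp//http///\tIgnored State: filtered (998)\n"
    "Host: 192.0.2.20 ()\tPorts: 23/closed/tcp//telnet///, "
    "80/open/tcp//http///\n"
)

PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(?:tcp|udp)/")
IGNORED_RE = re.compile(r"Ignored State: ([a-z|]+) \(\d+\)")

def parse_gnmap(text):
    """Return {ip: {port or 'ignored': state}} from grepable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and Status-only lines
        states = hosts.setdefault(line.split()[1], {})
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    m = PORT_RE.match(entry.strip())
                    if m:
                        states[int(m.group(1))] = m.group(2)
            elif (m := IGNORED_RE.match(field)):
                states["ignored"] = m.group(1)  # ports nmap summarised
    return hosts

def classify(states):
    """Decide whether the scan results prove a host exists at the address."""
    seen = set(states.values())
    # Only these states mean a packet actually came back from the target.
    answered = seen & {"open", "closed", "unfiltered"}
    if not answered:
        return "unconfirmed"          # all filtered: firewall, maybe no host
    if seen - answered:
        return "confirmed-filtered"   # replies plus drops: host behind firewall
    return "confirmed-unfiltered"

if __name__ == "__main__":
    for ip, states in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, classify(states))
```

The "Ignored State" field matters on default scans: nmap omits ports in the most common state from the `Ports:` list, so a host with a few open ports and hundreds of filtered ones would otherwise look unfiltered.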

Hi @raggetd,

I don’t think there’s anything wrong with the lab, it’s just that I’m not used to using nmap and I got the concept wrong.

In fact, I’m seeing now that I missed just a tiny little “2” xD, which led me to believe that 172.16.0.54 was the host behind the fw.

[redacted]

I understand now that even with that “2” my assumption regarding the existence of a fw would have been incorrect.

Thanks both for the clue and the extended explanation :slight_smile:

And Happy New Year too!

1 Like