Hacking Xmas
Day 8

jakec / dec 2020

If you’ve paid close attention to The Matrix Reloaded, you know that when Trinity shuts down the electrical grid she uses two programs: nmap and sshnuke. Nmap (“network mapper”) is a recon tool — by running different types of scans on an IP and its various ports, it can find out a lot about a target. In Trinity’s case, she finds out that her target is running SSH. What’s unrealistic about this scene is that she doesn’t appear to have any information about how it’s running SSH before she goes straight to launching her exploit (sshnuke). She apparently ran a very basic scan — she doesn’t really know if sshnuke is going to work, unless it’s a magical exploit that can break every type of SSH. Fortunately, it is running a version of SSH that the (fictional) sshnuke can exploit with a (real) vulnerability. CVE-2001-0144 was a real vulnerability when The Matrix Reloaded was released.

I know, you’re SCREAMING that the Matrix occupies a perpetual 1999, not 2001. But given the vulnerability is for SSHv1, it’s likely it would’ve worked in 1999 too. This raises all kinds of wild questions though. If you can use exploits from the future inside the Matrix, can you also Sports Almanac that shit and make yourself rich in Matrix bucks? Or, given how many kinds of encryption have been broken since 1999, could you jack in and steal state secrets all over the world?

Wait, sorry. So nmap. In today's scenario, intern Elf McEager wants to learn more about Santa's network, all the better to protect it. After some consideration, Elf McSkidy agrees to let McEager enroll in The Best Festival Company's skill-up program for network reconnaissance using nmap.

Once we launch our machine on THM, we can get the IP and start scanning. Let’s just run a scan and see how many of the questions for today’s challenge we can answer.

Here’s the command:

sudo nmap 10.10.178.238 -sS -sV -O -Pn -A --script=http-title

“sudo” means “run as the superuser (root)”. nmap needs those privileges to do its job: the SYN scan (-sS) and OS detection (-O) below build raw packets rather than opening ordinary connections, which unprivileged users can’t do.

“nmap” is the program name.

10.10.178.238 is the machine we deployed on THM. If you're doing this on your own, this address will be different for you.

“-sS” tells nmap to run a SYN (“stealth”) scan. This works by never completing the TCP handshake with any port it’s scanning: nmap sends a SYN, notes whether the reply is a SYN/ACK (open) or a RST (closed), and then tears the attempt down instead of finishing the connection. It’s basically just twisting the door knob, not walking into the house.

“-sV” tells nmap to figure out which service is running on a given port.

“-O” tells nmap to figure out which operating system is running on the target.

“-Pn” tells nmap to skip host discovery and assume the target is up. Some machines (including Windows 10 machines, by default) will drop ICMP echo requests; if you ping them, they’ll look like they’re offline even though they aren’t, and nmap would normally skip them. Using -Pn circumvents that.

“-A” is aggressive mode: it switches on OS detection, version detection, the default script scan and traceroute in one go (so it already covers what -sV and -O asked for). Normally if you’re scanning someone, you wouldn’t include this. It’s going to make a LOT of traffic show up on someone’s firewall logs. But we’re in a test environment here and we wanna find out as much as we can as quickly as we can, so let’s hoon it.

“--script=http-title” tells nmap to run an NSE script against any service it identifies as HTTP (likely on port 80) and report the title of the page it serves.

What say thee, nmap?

That might look like a whole lotta mess to you, so let's break down what's useful.

We can see there are three ports open on the target: 80, 2222, and 3389. Thanks to the “-sV” option, nmap has figured out that port 80 is running the Apache web server (version 2.4.29, useful to know when we’re searching for vulnerabilities), port 2222 is running a version of SSH, and port 3389 is running the Remote Desktop Protocol. RDP is a wonderful thing that lets you log in to a computer as if you were really there. If you’ve ever worked in an office and had to have someone from IT “remote in” to your computer and you got to watch them wiggle your mouse around and accidentally google “how to fix this problem” on your machine instead of theirs? That’s RDP. Needless to say, it’s also a juicy target. We won’t go after it here for a couple of reasons.

For one, it’s outside the scope of our penetration test. When you’re engaged to test someone’s security, you might get a set of targets or vectors the client has declared out of bounds. Let’s keep to the spirit of this being an nmap challenge.

Also, we’ve got very little information about users or other machines on the network at this point. Without even a username to start with, it’s going to be difficult to brute-force, and a quick exploit search makes the potential vulnerabilities look like a lot of work. We could try probing SSH to find usernames or looking at the website on port 80 for clues. But after finishing this post, today’s challenge creator, CMNatic, mentioned that it’ll come up later. Let’s not get ahead of ourselves.

(Here’s a good breakdown of an RDP attack if you can stomach the product advocacy.)

We can also see that our http-title script returned “TBFC’s Internal Blog” as the name of the website running on port 80. And with that, we’ve got enough to answer all the questions for today’s challenge.

Celebratory post-script: I’ve been smashing THM challenges besides the Advent of Cyber lately. Surprised to find out I’m #3 on their leaderboard for Australia this month. Merry Xmas to me.