[WEB] Curious question, 88.198.233.174 block nmap port scan?

Hi,

Does anybody know how HTB blocks nmap port scans? I tried to nmap scan 88.198.233.174 today and they all seem down.

[email protected]:~# nmap -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:23 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds

[email protected]:~# nmap -p 37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:29 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.17 seconds

[email protected]:~# nmap -sT -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

[email protected]:~# nmap -sS -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds

[email protected]:~# nmap -sA -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.13 seconds

even though curl gives a result:

[email protected]:~# curl 88.198.233.174:37496
<html>
<head>
    <title>Login - Lernaean</title>
</head>
<body style="background-color: #cd4e7b;">
    <center>
        <br><br><br>
        <h1><u>Administrator Login</u></h1>
        <h2>--- CONFIDENTIAL ---</h2>
        <h2>Please do not try to guess my password!</h2>
        <form method="POST">
            <input type="password" name="password"><br><br>
            <input type="submit" value="Submit">
        </form>
    </center>
</body>

How can a web server allow a 3-way handshake from an HTML request but drop a SYN packet of an nmap scan?

Comments

  • By default nmap checks to see if the host is up by e.g. sending an ICMP ping (echo-request) packet and a TCP SYN to 80/tcp. If this fails it assumes the host is down. So, in this case it doesn't try the port 37496/tcp.

    We have the -Pn option to override this behaviour.

    Not sure if we should be port scanning that target (HTB admins can confirm).

    m0noc

  • edited August 2018

    Well, m0noc said it all. Question: why would you port scan that IP when it's clearly one of the IPs running some of the web challenges and some of the pwnables? What are you trying to achieve by that?

    Hack The Box

  • Thx for the answer. I checked it with Wireshark and it's really the case. I did it out of curiosity tbh. I want to learn more about nmap and portscan as well.
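
The host-discovery behaviour explained in the first comment, as an added example that is not part of the original thread and is not nmap's own code: a simplified model of the discovery phase against a constructed target whose firewall is assumed to silently drop everything except TCP to one port. The class and function names are hypothetical; the probe list is nmap's documented default when run with root privileges.

```python
# Added illustration: a simplified model of nmap's default host discovery.
# Assumption: the target's firewall drops all traffic except TCP to open_ports.
from dataclasses import dataclass

# Probes nmap sends before any port scan when run as root (documented default).
DISCOVERY_PROBES = [("icmp", "echo"), ("tcp-syn", 443),
                    ("tcp-ack", 80), ("icmp", "timestamp")]


@dataclass
class FilteredHost:
    """Constructed target: only TCP probes to open_ports get a reply."""
    open_ports: frozenset

    def answers(self, proto, detail):
        # ICMP is dropped; TCP is answered only on an allowed port.
        return proto.startswith("tcp") and detail in self.open_ports


def host_is_up(host, probes=DISCOVERY_PROBES):
    """The host counts as up if any discovery probe draws a reply."""
    return any(host.answers(proto, detail) for proto, detail in probes)


def nmap_scan(host, port, skip_discovery=False):
    """Report for one port; skip_discovery models the -Pn option."""
    if not skip_discovery and not host_is_up(host):
        return "host seems down"  # the requested port is never probed
    return "open" if host.answers("tcp-syn", port) else "filtered"


def tcp_connect(host, port):
    """What curl does: connect straight to the port, no discovery phase."""
    return host.answers("tcp-syn", port)


if __name__ == "__main__":
    target = FilteredHost(frozenset({37496}))  # constructed sample target
    print("nmap -p37496     :", nmap_scan(target, 37496))
    print("nmap -Pn -p37496 :", nmap_scan(target, 37496, skip_discovery=True))
    print("curl :37496      :",
          "connected" if tcp_connect(target, 37496) else "timeout")
```

In this model, none of the discovery probes touches 37496/tcp, so the scan stops at "host seems down" while a direct connection to that port still succeeds.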
