[WEB] Curious question, 88.198.233.174 block nmap port scan?

SocksDestroyer · August 20, 2018, 3:44pm

Hi,

does anybody know how HTB blocks nmap port scan? I tried to nmap scan 88.198.233.174 today and they all seem down.

root@osboxes:~# nmap -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:23 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds

root@osboxes:~# nmap -p 37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:29 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.17 seconds

root@osboxes:~# nmap -sT -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

root@osboxes:~# nmap -sS -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds

root@osboxes:~# nmap -sA -p37496 88.198.233.174
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 11:30 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.13 seconds

eventhough curl gives result:

root@osboxes:~# curl 88.198.233.174:37496
<html>
<head>
    <title>Login - Lernaean</title>
</head>
<body style="background-color: #cd4e7b;">
    <center>
        <br><br><br>
        <h1><u>Administrator Login</u></h1>
        <h2>--- CONFIDENTIAL ---</h2>
        <h2>Please do not try to guess my password!</h2>
        <form method="POST">
            <input type="password" name="password"><br><br>
            <input type="submit" value="Submit">
        </form>
    </center>
</body>

How can a webserver allow 3 Way Handshake from HTML Request but drop a SYN Package of a nmap scan?

m0noc · August 20, 2018, 3:59pm

By default nmap checks to see if the host is up by e.g. sending a icmp ping (echo-request) packet and a tcp syn to 80/tcp. If this fails it assumes the host is down. So, in this case it doesn’t try the port 37496/tcp.

We have the -Pn option to override this behaviour.

Not sure if we should be port scanning that target (HTB admin’s can confirm).

Frey · August 20, 2018, 4:09pm

Well monoc said it all. Question why would you port scan that IP when it’s clearly one of the IP’S running some of the web challenges and some of the pwnables, what are you trying to achieve by that?

SocksDestroyer · August 21, 2018, 5:50am

Thx for the answer. I checked it with wireshark and its really the case. I did it out of curiosity tbh. I want to learn more about nmap and portscan as well.