Thanks to @tylerptl and @farstrider for their help. I finally got this one. The problem I was having is that the target port was not showing up on any of my nmap scans. For some reason, if I used the default for ports to be scanned (top 1000), I only got output in summary form, not detail by port. So I was limiting my scans to the top 50 ports, and the target port was not among them (so it didn’t jump out at me as tylerptl said it would). Never figured that out, but I found a workaround. If you use the --open option, your output will show all open ports. Because of filters, you will initially only see the two unfiltered ports. But if you work through the techniques suggested in the writeup (as hinted by farstrider), you will eventually use one that makes the target port visible as “open”. It really is straightforward from there, as both helpers said. @akinamon @rpthomps
Thanks for the prompt reply. My curiosity led me to try port 50000. I tried decoy, fragmentation, a SYN scan from source port 53, and -sC on the filtered DNS port (53), but it still remained filtered.
You are trying to find the version of the DNS server, which typically runs on port 53 and is typically a UDP port but can also be a TCP port. A client using both might filter one but forget to filter the other.
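A worked example of the query the posts above are working towards, added here and not posted by anyone in the thread: it hand-builds a version.bind CHAOS TXT request, sends it over UDP or TCP (optionally bound to a chosen source port such as 53, which needs root), and parses the TXT answer. The target host is the caller's choice; SAMPLE_RESPONSE and the version string 9.16.1 inside it are constructed for illustration, not captured from any real server.

```python
"""Ask a DNS server for its version (version.bind, class CHAOS, type TXT).

Added example, not from the thread. SAMPLE_RESPONSE is a constructed
packet so the parser can be exercised offline; no real host is contacted.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3
TXID = 0x1234  # fixed transaction id so a reply can be matched offline


def build_version_query(txid: int = TXID) -> bytes:
    """Wire-format query for version.bind TXT CH."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"  # labels "version", "bind", root
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:            # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(resp: bytes, txid: int = TXID) -> list:
    """TXT strings from the answer section; [] if the server refused."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if (flags & 0x000F) != 0:      # RCODE != 0 (servers hiding version.bind often REFUSE)
        return []
    off = 12
    for _ in range(qdcount):       # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    texts = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is one or more <len><chars> strings
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_version(host: str, port: int = 53, tcp: bool = False,
                  source_port: int = None, timeout: float = 3.0) -> list:
    """Send the query over UDP (default) or TCP and return the TXT strings.

    source_port=53 mimics the "scan from port 53" trick (binding a port below
    1024 needs root). Try both transports: a filter that drops 53/udp may still
    let 53/tcp through, or the other way round.
    """
    q = build_version_query()
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        if source_port is not None:
            s.bind(("", source_port))
        if tcp:
            s.connect((host, port))
            s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
            (n,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, n)
        else:
            s.sendto(q, (host, port))
            data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


# Constructed reply: same id, flags 0x8180 (QR/RD/RA, NOERROR), one question,
# one answer whose name is a pointer to the question (0xC00C), TXT/CH, TTL 0,
# rdlength 7, text "9.16.1" (made-up version string).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07version\x04bind\x00\x00\x10\x00\x03"
    b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x07"
    b"\x06" + b"9.16.1"
)

if __name__ == "__main__":
    print(parse_txt_answers(SAMPLE_RESPONSE))  # offline demo of the parser
```

Against a live target you would call query_version("10.10.10.10") and query_version("10.10.10.10", tcp=True), and, as root, query_version("10.10.10.10", source_port=53); an empty list with no exception means the server answered but refused or had no CHAOS TXT record, while a timeout means the packet (or its reply) was filtered.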
As mentioned in another reply, the trick (if you can call it that) is in the previous section, just before starting the labs. The hard lab is solved, but keep trying to use all the scenarios mentioned in that section.
Bro, how did you pass the medium one? I mean, I am using nc: nc -nvu 10.129.95.91 53, and it gives me nothing. nmap doesn't help either, even with NSE scripts. Correct me, what am I doing wrong?