
PBQ 2: Nmap Command Construction

Network Port Scanning with Nmap

Scenario

You are a penetration tester running port scans on a target server during the reconnaissance phase.

Target Information:
- IP Address: 192.168.2.2
- Organization: Medium-sized financial services company
- Objective: Identify open ports, running services, and potential attack vectors

Part 1: Construct the Nmap command that generated the provided scan output
Part 2: Based on the scan results, identify potential attack vectors for further investigation

Nmap Scan Output
Nmap scan report for 192.168.2.2
Host is up (0.00079s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec?
139/tcp open  netbios-ssn
389/tcp open  ldap?
445/tcp open  microsoft-ds?
MAC Address: 08:00:27:81:81:DF (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.21
OS details: Linux 2.4.21
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 26.80 seconds
Part 1: Construct the Nmap command
Select the correct flags to build the command that produced this output

Your command (available options):
- nmap: Nmap tool
- -sV: Version detection
- -p 1-1023: Scan ports 1-1023
- 192.168.2.2: Target IP
- -Pn: Skip host discovery
- -sU: UDP scan
- -O: OS detection
- --top-ports=100: Top 100 ports
- --top-ports=1000: Top 1000 ports
- -sL: List scan
- 192.168.2.1-100: IP range
- nc: Netcat tool
- hping: Hping tool

Part 2: Identify attack vectors
Based on the scan output, select all attack vectors that apply

Weak SMB file permissions

Port 445 (microsoft-ds) suggests SMB file sharing may be enabled with potentially weak permissions, allowing unauthorized access to sensitive files.

FTP anonymous login

FTP service may allow anonymous login, but port 21 is not open in this scan.

WebDAV file upload

WebDAV allows file uploads via HTTP, but no web ports are open in this scan.

Weak Apache Tomcat Credentials

Tomcat manager may have default credentials, but port 8080 is not open.

Null session enumeration

SMB null sessions can enumerate users and shares, but weak SMB file permissions are the primary concern here.

Fragmentation attack

IP fragmentation attacks target packet reassembly - not applicable to this scan output.

SNMP enumeration

SNMP can leak system info, but port 161 is not open in this scan.

ARP spoofing

ARP spoofing is a Layer 2 attack - not identified through port scanning.
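As an added example (not part of the PBQ itself), the script below parses the scan report from the scenario and applies the reasoning both parts call for: which flags the output implies (the VERSION column only appears with -sV, the OS details line only with -O, and 96 not-shown plus 4 listed ports means 100 ports were probed), and which Part 2 options the open ports actually give evidence for. The mapping from each option to the port it would need is an assumption made for illustration.

```python
import re

# Scan output copied from the report above (MAC and device lines omitted for brevity).
SCAN_OUTPUT = """\
Nmap scan report for 192.168.2.2
Not shown: 96 closed ports
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec?
139/tcp open  netbios-ssn
389/tcp open  ldap?
445/tcp open  microsoft-ds?
OS details: Linux 2.4.21
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)
# Candidate vectors from Part 2 and the port each one needs to see open (assumed mapping).
VECTOR_PORTS = {
    "Weak SMB file permissions": 445,
    "Null session enumeration": 445,
    "FTP anonymous login": 21,
    "WebDAV file upload": 80,
    "Weak Apache Tomcat Credentials": 8080,
    "SNMP enumeration": 161,  # UDP service: a TCP-only scan can neither confirm nor rule it out
}

def parse_scan(text):
    """Extract the facts the report states; pure text parsing, no network access."""
    ports = [(int(n), proto, state, svc) for n, proto, state, svc in PORT_RE.findall(text)]
    shown = re.search(r"Not shown: (\d+) ", text)
    return {
        "target": re.search(r"Nmap scan report for (\S+)", text).group(1),
        "open_tcp": sorted(p for p, proto, st, _ in ports if proto == "tcp" and st == "open"),
        "ports_scanned": len(ports) + (int(shown.group(1)) if shown else 0),
        "version_column": "VERSION" in text,      # header is only printed with -sV
        "os_fingerprint": "OS details:" in text,  # line is only printed with -O
    }

def infer_flags(facts):
    """Flags consistent with the parsed report (what Part 1 asks you to pick)."""
    flags = ["-sV"] if facts["version_column"] else []
    if facts["os_fingerprint"]:
        flags.append("-O")
    if facts["ports_scanned"] in (100, 1000):  # 96 closed + 4 open = 100 -> top 100 ports
        flags.append(f"--top-ports={facts['ports_scanned']}")
    return flags

def supported_vectors(facts):
    """Part 2 options whose required port actually appears open in the scan."""
    return [v for v, port in VECTOR_PORTS.items() if port in facts["open_tcp"]]
```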