🟢 Firewall and IDS/IPS Evasion
Easy Lab
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
Medium Lab
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
Hard Lab
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of the service our client was talking about and submit the flag as the answer.
Nmap Arguments
DNS Proxying
By default, Nmap performs a reverse DNS resolution unless otherwise specified, to gather more information about our target. Firewalls usually let these DNS queries pass, because hosts on the network are expected to resolve names in order to find and visit web servers. DNS queries are made over UDP port 53. TCP port 53 was previously used only for so-called "zone transfers" between DNS servers, or for transfers of data larger than 512 bytes. This is changing as IPv6 and DNSSEC spread, since both produce larger DNS messages; as a result, many DNS requests are now made via TCP port 53.
However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>). This option can be essential if we are scanning from inside a demilitarized zone (DMZ): the company's own DNS servers are usually more trusted than servers on the Internet, so we could use them, for example, to interact with the hosts of the internal network. As another example, we can use TCP port 53 as the source port (--source-port) of our scans. If the administrator's firewall trusts this port and the IDS/IPS does not filter it properly, our TCP packets will be trusted and passed through.