First things first: a quick initial nmap scan to see which ports are open and which services are running on them. The first command sweeps all 65535 TCP ports and turns the open ones into a comma-separated list; the second feeds that list to a default-script (-sC) and version-detection (-sV) scan, and is skipped when the list is empty, because nmap rejects an empty -p argument.
target="10.10.10.116"
ports=$(sudo nmap -p- --min-rate=1000 -T4 $target | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
[ -n "$ports" ] && sudo nmap -p$ports -sC -sV $target -vvv
Here the list does come back empty, because every TCP port is reported as filtered:
Nmap scan report for 10.10.10.116
Host is up (0.017s latency).
All 65535 scanned ports on 10.10.10.116 are filtered
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds
Since nothing answers on TCP, we run the same full-range sweep over UDP with -sU. UDP scanning is slow because closed ports are only inferred from ICMP port-unreachable replies, which hosts rate-limit, so --min-rate 10000 keeps it tolerable, --open hides the thousands of open|filtered ports that simply never answered, and -Pn skips host discovery so the scan runs regardless of what the firewall drops.
sudo nmap -Pn -sU --open -p- --min-rate 10000 $target
We have two open ports, 161 and 500, both confirmed open because the service behind them actually replied.
Let's dig deeper into those two ports by running nmap's scripts and version detection against them.
sudo nmap -Pn -sU --open -p161,500 -sC -sV --min-rate 10000 $target
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server (public)
| snmp-processes:
| 1:
| Name: System Idle Process
| 4:
| Name: System
| 304:
| Name: smss.exe
| 380:
| Name: Memory Compression
| 400:
| Name: csrss.exe
| 476:
| Name: wininit.exe
| 484:
| Name: csrss.exe
| 544:
| Name: winlogon.exe
| 620:
| Name: services.exe
| 628:
| Name: lsass.exe
| Path: C:\Windows\system32\
| 684:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceNoNetwork
| 712:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k DcomLaunch
| 732:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalService
| 736:
| Name: fontdrvhost.exe
| 744:
| Name: fontdrvhost.exe
| 756:
| Name: svchost.exe
| 840:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k RPCSS
| 920:
| Name: dwm.exe
| 956:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k netsvcs
| 1000:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 1008:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalSystemNetworkRestricted
| 1080:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k NetworkService
| 1108:
| Name: vmacthlp.exe
| Path: C:\Program Files\VMware\VMware Tools\
| 1248:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 1356:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceNetworkRestricted
| 1364:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 1460:
| Name: msdtc.exe
| Path: C:\Windows\System32\
| 1528:
| Name: spoolsv.exe
| Path: C:\Windows\System32\
| 1624:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k appmodel
| 1732:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k apphost
| 1740:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k utcsvc
| 1752:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k ftpsvc
| 1836:
| Name: SecurityHealthService.exe
| 1844:
| Name: snmp.exe
| Path: C:\Windows\System32\
| 1892:
| Name: vmtoolsd.exe
| Path: C:\Program Files\VMware\VMware Tools\
| 1900:
| Name: VGAuthService.exe
| Path: C:\Program Files\VMware\VMware Tools\VMware VGAuth\
| 1912:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k iissvcs
| 1928:
| Name: ManagementAgentHost.exe
| Path: C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
| 1940:
| Name: MsMpEng.exe
| 2124:
| Name: SearchIndexer.exe
| Path: C:\Windows\system32\
| Params: /Embedding
| 2544:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k NetworkServiceNetworkRestricted
| 2716:
| Name: LogonUI.exe
| Params: /flags:0x0 /state0:0xa39c8855 /state1:0x41c64e6d
| 2752:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalSystemNetworkRestricted
| 2836:
| Name: WmiPrvSE.exe
| Path: C:\Windows\system32\wbem\
| 3016:
| Name: dllhost.exe
| Path: C:\Windows\system32\
| Params: /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
| 3432:
| Name: NisSrv.exe
| 3460:
| Name: WmiPrvSE.exe
| Path: C:\Windows\system32\wbem\
| 3696:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceAndNoImpersonation
| 4764:
| Name: svchost.exe
| Path: C:\Windows\System32\
|_ Params: -k swprv
| snmp-interfaces:
| Software Loopback Interface 1\x00
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 1 Gbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| vmxnet3 Ethernet Adapter\x00
| IP address: 10.10.10.116 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:89:48 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
| Traffic stats: 80.15 Kb sent, 25.17 Mb received
| vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000\x00
| MAC address: 00:50:56:b9:89:48 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
| Traffic stats: 80.15 Kb sent, 25.17 Mb received
| vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000\x00
| MAC address: 00:50:56:b9:89:48 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
| Traffic stats: 80.15 Kb sent, 25.17 Mb received
| vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000\x00
| MAC address: 00:50:56:b9:89:48 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 80.15 Kb sent, 25.17 Mb received
| snmp-win32-users:
| Administrator
| DefaultAccount
| Destitute
|_ Guest
| snmp-win32-services:
| Application Host Helper Service
| Background Intelligent Transfer Service
| Background Tasks Infrastructure Service
| Base Filtering Engine
| CNG Key Isolation
| COM+ Event System
| COM+ System Application
| Client License Service (ClipSVC)
| Connected Devices Platform Service
| Connected User Experiences and Telemetry
| CoreMessaging
| Cryptographic Services
| DCOM Server Process Launcher
| DHCP Client
| DNS Client
| Data Sharing Service
| Data Usage
| Device Setup Manager
| Diagnostic Policy Service
| Diagnostic Service Host
| Diagnostic System Host
| Distributed Link Tracking Client
| Distributed Transaction Coordinator
| Geolocation Service
| IKE and AuthIP IPsec Keying Modules
| IP Helper
| IPsec Policy Agent
| Local Session Manager
| Microsoft FTP Service
| Microsoft Software Shadow Copy Provider
| Network Connection Broker
| Network List Service
| Network Location Awareness
| Network Store Interface Service
| Plug and Play
| Power
| Print Spooler
| Program Compatibility Assistant Service
| RPC Endpoint Mapper
| Remote Procedure Call (RPC)
| SNMP Service
| SSDP Discovery
| Security Accounts Manager
| Security Center
| Server
| Shell Hardware Detection
| State Repository Service
| Storage Service
| Superfetch
| System Event Notification Service
| System Events Broker
| TCP/IP NetBIOS Helper
| Task Scheduler
| Themes
| Time Broker
| TokenBroker
| User Manager
| User Profile Service
| VMware Alias Manager and Ticket Service
| VMware CAF Management Agent Service
| VMware Physical Disk Helper Service
| VMware Tools
| WinHTTP Web Proxy Auto-Discovery Service
| Windows Audio
| Windows Audio Endpoint Builder
| Windows Connection Manager
| Windows Defender Antivirus Network Inspection Service
| Windows Defender Antivirus Service
| Windows Defender Security Centre Service
| Windows Driver Foundation - User-mode Driver Framework
| Windows Event Log
| Windows Firewall
| Windows Font Cache Service
| Windows Management Instrumentation
| Windows Process Activation Service
| Windows Push Notifications System Service
| Windows Search
| Windows Time
| Windows Update
| Workstation
|_ World Wide Web Publishing Service
| snmp-win32-software:
| Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2021-03-17T15:16:36
| Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2021-03-17T15:16:36
|_ VMware Tools; 2021-03-17T15:16:36
| snmp-sysdescr: Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_ System uptime: 20m12.09s (121209 timeticks)
| snmp-netstat:
| TCP 0.0.0.0:21 0.0.0.0:0
| TCP 0.0.0.0:80 0.0.0.0:0
| TCP 0.0.0.0:135 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 0.0.0.0:49664 0.0.0.0:0
| TCP 0.0.0.0:49665 0.0.0.0:0
| TCP 0.0.0.0:49666 0.0.0.0:0
| TCP 0.0.0.0:49667 0.0.0.0:0
| TCP 0.0.0.0:49668 0.0.0.0:0
| TCP 0.0.0.0:49669 0.0.0.0:0
| TCP 0.0.0.0:49670 0.0.0.0:0
| TCP 10.10.10.116:139 0.0.0.0:0
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:500 *:*
| UDP 0.0.0.0:4500 *:*
| UDP 0.0.0.0:5050 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:5355 *:*
| UDP 0.0.0.0:62729 *:*
| UDP 10.10.10.116:137 *:*
| UDP 10.10.10.116:138 *:*
| UDP 10.10.10.116:1900 *:*
| UDP 10.10.10.116:62453 *:*
| UDP 127.0.0.1:1900 *:*
|_ UDP 127.0.0.1:62454 *:*
500/udp open isakmp?
| fingerprint-strings:
| IKE_MAIN_MODE:
| "3DUfw
|_ XEW(
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port500-UDP:V=7.94SVN%I=7%D=4/29%Time=662FB8E0%P=x86_64-pc-linux-gnu%r(
SF:IKE_MAIN_MODE,D0,"\0\x11\"3DUfw\xa1WGk\xb4<k\xf3\x01\x10\x02\0\0\0\0\0\
SF:0\0\0\xd0\r\0\x008\0\0\0\x01\0\0\0\x01\0\0\0,\x01\x01\0\x01\0\0\0\$\x01
SF:\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x01\x80\x0
SF:b\0\x01\0\x0c\0\x04\0\0\0\x01\r\0\0\x18\x1e\+Qi\x05\x99\x1c}\|\x96\xfc\
SF:xbf\xb5\x87\xe4a\0\0\0\t\r\0\0\x14J\x13\x1c\x81\x07\x03XE\\W\(\xf2\x0e\
SF:x95E/\r\0\0\x14\x90\xcb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f\r\0\0\x14
SF:@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\r\0\0\x14\xfb\x1d\xe
SF:3\xcd\xf3A\xb7\xea\x16\xb7\xe5\xbe\x08U\xf1\x20\0\0\0\x14\xe3\xa5\x96jv
SF:7\x9f\xe7\x07\"\x821\xe5\xce\x86R")%r(IPSEC_START,38,"1'\xfc\xb08\x10\x
SF:9e\x89\xe3\xa4\xc6\x8b\xac\xbc\x98\x18\x0b\x10\x05\0lp\xd2t\0\0\x008\0\
SF:0\0\x1c\0\0\0\x01\x01\x10\0\x0e1'\xfc\xb08\x10\x9e\x89\xe3\xa4\xc6\x8b\
SF:xac\xbc\x98\x18");
Service Info: Host: Conceal
Even this single nmap run gives us a lot. Because the SNMP agent answers the default community string public, the snmp-* scripts read the host's MIB tables anonymously: the full process list (note the svchost groups ftpsvc and iissvcs, so FTP and IIS are running), the local users (Administrator and Destitute alongside the built-in accounts), the installed services (Microsoft FTP Service, World Wide Web Publishing Service, IKE and AuthIP IPsec Keying Modules, IPsec Policy Agent), and a netstat that shows TCP 21, 80, 135, 139 and 445 listening even though none of them was visible from outside. The same netstat lists UDP 500 and 4500, i.e. IKE and IKE NAT traversal. The sysDescr string, Windows Version 6.3 build 15063, identifies Windows 10 version 1703: the 6.3 prefix is the compatibility version Windows reports to legacy callers, and the build number is what pins down the release.
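Nmap's scripts only sample the SNMP tables. The following Python, an added example and not part of the original writeup, pulls the same tables with net-snmp's snmpwalk and decodes the OID indices that encode local address and port in tcpConnTable and udpTable, then picks the svchost -k groups out of hrSWRunParameters. The sample walk output is constructed to mirror the nmap results above (it is not a real capture); the snmpwalk wrapper, the target and the community string are only exercised when you point it at a live host.

```python
"""Walk the SNMP tables nmap sampled above and decode the address/port indices.

Added example (not from the original writeup). Needs net-snmp's snmpwalk for the
live walk; the parsers run offline on the constructed sample at the bottom.
"""
import re
import subprocess
import sys

# Numeric OIDs (RFC 1213 / RFC 2790 / Microsoft LanMgr MIB) behind nmap's snmp-* scripts.
SYSTEM_GROUP   = '.1.3.6.1.2.1.1'           # sysDescr, sysContact, sysName, sysLocation: free text, read in full
TCP_CONN_STATE = '.1.3.6.1.2.1.6.13.1.1'    # snmp-netstat, TCP side
UDP_LOCAL_PORT = '.1.3.6.1.2.1.7.5.1.2'     # snmp-netstat, UDP side
HR_SW_RUN_PARM = '.1.3.6.1.2.1.25.4.2.1.5'  # snmp-processes: command-line parameters
LM_USER_NAME   = '.1.3.6.1.4.1.77.1.2.25'   # snmp-win32-users


def snmpwalk(target: str, oid: str, community: str = 'public') -> str:
    """Run snmpwalk with numeric OIDs (-On) so the index parsers below apply."""
    cmd = ['snmpwalk', '-v1', '-c', community, '-On', target, oid]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


LINE_RE = re.compile(r'^(\S+)\s*=\s*([\w-]+):\s*(.*)$')   # OID = TYPE: value


def walk_lines(text: str):
    """Yield (oid, type, value) for every 'OID = TYPE: value' line of snmpwalk output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def _index(oid: str, table: str):
    """Instance-index components of an OID that lives under `table`, else None."""
    if not oid.startswith(table + '.'):
        return None
    return oid[len(table) + 1:].split('.')


def tcp_listeners(text: str):
    """tcpConnState is indexed localAddr(4).localPort.remAddr(4).remPort; state 2 is listen."""
    out = []
    for oid, _type, value in walk_lines(text):
        idx = _index(oid, TCP_CONN_STATE)
        if idx is None or len(idx) != 10:
            continue
        state = int(re.search(r'(\d+)\)?\s*$', value).group(1))   # "2" or "listen(2)"
        if state == 2:
            out.append(('.'.join(idx[:4]), int(idx[4])))
    return out


def udp_listeners(text: str):
    """udpLocalPort is indexed localAddr(4).localPort; the value just repeats the port."""
    out = []
    for oid, _type, _value in walk_lines(text):
        idx = _index(oid, UDP_LOCAL_PORT)
        if idx is not None and len(idx) == 5:
            out.append(('.'.join(idx[:4]), int(idx[4])))
    return out


def svchost_groups(text: str):
    """Service-host groups (-k <group>) from hrSWRunParameters; ftpsvc/iissvcs mean FTP and IIS are up."""
    groups = set()
    for _oid, _type, value in walk_lines(text):
        m = re.search(r'-k\s+([^\s"]+)', value)
        if m:
            groups.add(m.group(1))
    return sorted(groups)


def enumerate_host(target: str, community: str = 'public') -> dict:
    """Live version: walk the tables nmap sampled and return the decoded findings."""
    system = snmpwalk(target, SYSTEM_GROUP, community)
    tables = ''.join(snmpwalk(target, oid, community)
                     for oid in (HR_SW_RUN_PARM, TCP_CONN_STATE, UDP_LOCAL_PORT))
    users = [v.strip('"') for _o, _t, v in walk_lines(snmpwalk(target, LM_USER_NAME, community))]
    return {'system': system, 'users': users, 'svchost_groups': svchost_groups(tables),
            'tcp_listeners': tcp_listeners(tables), 'udp_listeners': udp_listeners(tables)}


# Constructed snmpwalk -On output mirroring the nmap results above (not a real capture).
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.5.1752 = STRING: "-k ftpsvc"
.1.3.6.1.2.1.25.4.2.1.5.1912 = STRING: "-k iissvcs"
.1.3.6.1.2.1.25.4.2.1.5.2124 = STRING: "/Embedding"
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.21.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.80.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.445.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.10.10.10.116.139.0.0.0.0.0 = INTEGER: listen(2)
.1.3.6.1.2.1.6.13.1.1.10.10.10.116.49670.10.10.14.2.51234 = INTEGER: established(5)
.1.3.6.1.2.1.7.5.1.2.0.0.0.0.161 = INTEGER: 161
.1.3.6.1.2.1.7.5.1.2.0.0.0.0.500 = INTEGER: 500
.1.3.6.1.2.1.7.5.1.2.0.0.0.0.4500 = INTEGER: 4500
"""

if __name__ == '__main__':
    if len(sys.argv) > 1:                       # python snmp_enum.py 10.10.10.116 [community]
        print(enumerate_host(*sys.argv[1:3]))
    else:
        print('svchost groups :', svchost_groups(SAMPLE_WALK))
        print('TCP listeners  :', tcp_listeners(SAMPLE_WALK))
        print('UDP listeners  :', udp_listeners(SAMPLE_WALK))
```

The point of decoding the indices rather than eyeballing them is that tcpConnTable also carries established connections (state 5), which tell you who else is talking to the box; the constructed sample includes one so the listen filter is exercised. The system group is returned raw on purpose: sysContact and sysLocation are free-text fields that nmap does not print, and they deserve a read in full.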
The service on 500/udp is ISAKMP (RFC 2408), the framework that IKEv1 (RFC 2409) uses to negotiate IPsec security associations, which is why the port is usually just called IKE. The fingerprint nmap printed is a main-mode reply and is readable by hand: the single transform the responder accepted is 3DES-CBC with SHA1, Diffie-Hellman group 2 (modp1024) and pre-shared-key authentication, and the six Vendor ID payloads include the Microsoft "MS NT5 ISAKMPOAKLEY" ID and both the RFC 3947 and draft-02 NAT-T IDs, so this is the built-in Windows IPsec stack. Running ike-scan -M 10.10.10.116 against the box reports the same transform and vendor IDs in readable form.
This is consistent with the TCP ports we see listening in the SNMP netstat but not from our external scan: the most likely explanation is an IPsec policy on the host that only admits traffic protected by an IPsec security association, so FTP, HTTP, RPC and SMB only become reachable once we have negotiated one with the box. The UDP 4500 listener in the same netstat output is IKE NAT traversal and points the same way.
To negotiate that association we need the phase-1 credential, which the accepted transform tells us is a pre-shared key. Nothing we have seen so far contains it, and since this is an HTB box we have to find it somewhere; the anonymously readable SNMP tree, of which nmap only printed a sample, is the obvious place to keep looking before anything else.
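The transform and vendor IDs quoted above can be pulled out of the fingerprint programmatically. The following Python is an added example, not code from the writeup: it undoes nmap's fingerprint escaping, parses the ISAKMP header and the SA, proposal and transform payloads with the layouts from RFC 2408, names the attribute values per RFC 2409 Appendix A, and labels the Vendor ID payloads using the well-known IDs from ike-scan's ike-vendor-ids list. The response bytes are exactly the IKE_MAIN_MODE reply printed in the SF: lines above, with the SF: prefixes removed and the wrapped lines re-joined.

```python
"""Decode the IKEv1 main-mode reply nmap captured from 10.10.10.116:500/udp.

Added example, not part of the original writeup. The bytes are the IKE_MAIN_MODE
response from the fingerprint above; the structures follow RFC 2408 (ISAKMP) and
the attribute/value names RFC 2409 Appendix A.
"""
import struct

# nmap escapes arbitrary bytes as \xHH, uses \0 \r \n \t, and puts a backslash
# before quotes and regex metacharacters (\" \\ \$ \( \+ \|).
NMAP_RESPONSE = (
    r'\0\x11\"3DUfw\xa1WGk\xb4<k\xf3\x01\x10\x02\0\0\0\0\0\0\0\0\xd0\r\0\x008'
    r'\0\0\0\x01\0\0\0\x01\0\0\0,\x01\x01\0\x01\0\0\0\$\x01\x01\0\0\x80\x01\0\x05'
    r'\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x01\x80\x0b\0\x01\0\x0c\0\x04\0\0\0\x01'
    r'\r\0\0\x18\x1e\+Qi\x05\x99\x1c}\|\x96\xfc\xbf\xb5\x87\xe4a\0\0\0\t'
    r'\r\0\0\x14J\x13\x1c\x81\x07\x03XE\\W\(\xf2\x0e\x95E/'
    r'\r\0\0\x14\x90\xcb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f'
    r'\r\0\0\x14@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3'
    r'\r\0\0\x14\xfb\x1d\xe3\xcd\xf3A\xb7\xea\x16\xb7\xe5\xbe\x08U\xf1\x20'
    r'\0\0\0\x14\xe3\xa5\x96jv7\x9f\xe7\x07\"\x821\xe5\xce\x86R'
)

_SIMPLE = {'0': 0x00, 'r': 0x0d, 'n': 0x0a, 't': 0x09}


def nmap_unescape(s: str) -> bytes:
    """Turn an nmap fingerprint string back into the raw bytes it represents."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i])); i += 1
        elif s[i + 1] == 'x':
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        elif s[i + 1] in _SIMPLE:
            out.append(_SIMPLE[s[i + 1]]); i += 2
        else:                                   # escaped literal: \" \\ \$ \( \+ \|
            out.append(ord(s[i + 1])); i += 2
    return bytes(out)


EXCHANGE = {2: 'Identity Protection (main mode)', 4: 'Aggressive', 5: 'Informational'}
ATTR_NAMES = {1: 'Encryption', 2: 'Hash', 3: 'Authentication', 4: 'DH Group',
              11: 'Life Type', 12: 'Life Duration'}
ATTR_VALUES = {                                 # RFC 2409 Appendix A
    1: {1: 'DES-CBC', 5: '3DES-CBC', 7: 'AES-CBC'},
    2: {1: 'MD5', 2: 'SHA1'},
    3: {1: 'Pre-Shared Key', 3: 'RSA Signature'},
    4: {1: 'modp768', 2: 'modp1024', 5: 'modp1536', 14: 'modp2048'},
    11: {1: 'seconds', 2: 'kilobytes'},
}
KNOWN_VIDS = {                                  # first 16 bytes, names as in ike-scan's ike-vendor-ids
    '1e2b516905991c7d7c96fcbfb587e461': 'MS NT5 ISAKMPOAKLEY (Windows IKE; trailing 4 bytes = version)',
    '4a131c81070358455c5728f20e95452f': 'RFC 3947 NAT-T',
    '90cb80913ebb696e086381b5ec427b1f': 'draft-ietf-ipsec-nat-t-ike-02',
    '4048b7d56ebce88525e7de7f00d6c2d3': 'IKE Fragmentation',
    'fb1de3cdf341b7ea16b7e5be0855f120': 'MS-Negotiation Discovery Capable',
    'e3a5966a76379fe707228231e5ce8652': 'IKE CGA version 1',
}


def parse_transform(trans: bytes) -> dict:
    """Transform payload: generic header, transform#, transform-id, 2 reserved, then attributes."""
    _np, _res, tlen, _tnum, _tid = struct.unpack('!BBHBB', trans[:6])
    attrs, i, out = trans[8:tlen], 0, {}
    while i + 4 <= len(attrs):
        atype, v = struct.unpack('!HH', attrs[i:i + 4])
        if atype & 0x8000:                      # TV form: 2-byte value in place
            atype, value, i = atype & 0x7fff, v, i + 4
        else:                                   # TLV form: v is the length of the value that follows
            value, i = int.from_bytes(attrs[i + 4:i + 4 + v], 'big'), i + 4 + v
        out[ATTR_NAMES.get(atype, f'attr{atype}')] = ATTR_VALUES.get(atype, {}).get(value, value)
    return out


def parse_isakmp(raw: bytes) -> dict:
    """ISAKMP header (RFC 2408 s3.1), then the payload chain: SA -> proposal -> transform, plus Vendor IDs."""
    _icky, _rcky, np, _ver, xchg, _flags, _msgid, length = struct.unpack('!8s8sBBBBII', raw[:28])
    if length != len(raw):
        raise ValueError(f'header says {length} bytes, got {len(raw)}')
    info = {'exchange': EXCHANGE.get(xchg, str(xchg)), 'length': length, 'transform': {}, 'vendor_ids': []}
    off = 28
    while np != 0:
        ptype = np
        np, _res, plen = struct.unpack('!BBH', raw[off:off + 4])
        if plen < 4:
            raise ValueError('bad payload length')
        body = raw[off + 4:off + plen]
        if ptype == 1:                          # SA: DOI(4) situation(4) proposal(8 hdr + SPI) transform
            spi_size = body[8 + 6]
            info['transform'] = parse_transform(body[16 + spi_size:])
        elif ptype == 13:                       # Vendor ID
            info['vendor_ids'].append(KNOWN_VIDS.get(body[:16].hex(), 'unknown ' + body.hex()))
        off += plen
    return info


def decode_capture() -> dict:
    """Decode the reply nmap recorded for 10.10.10.116."""
    return parse_isakmp(nmap_unescape(NMAP_RESPONSE))


if __name__ == '__main__':
    info = decode_capture()
    print(f"{info['exchange']}, {info['length']} bytes")
    for name, value in info['transform'].items():
        print(f'  {name:15} {value}')
    for vid in info['vendor_ids']:
        print('  VID', vid)
```

The decoder stops at the first transform because a main-mode reply carries exactly the one the responder chose; what matters operationally is Authentication = Pre-Shared Key, which fixes what we have to go and find. The same information from a live host comes from ike-scan -M, and ike-scan --showbackoff additionally fingerprints the implementation from its retransmission timing.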