Enumerating host subnets efficiently using nmap.

Yes, yes nmap should be a staple for a pentester but you would be surprised how powerful nmap actually is when used correctly. The objective of this post is to describe nmap operation in a manner which would useful and compliant to PWK and OSCP testing requirements (I.e. no automated scripts).

During a pentest, particularly a commercial engagement, time is usually a factor which determines the mode of enumeration. For this reason I’ll be discussing a process where several nmap scans are run in succession and in-parallel in order to give you a more efficient scan and results.

First of all, to profile a target you need to be able to identify the potential targets. So doing a quick host discovery within your accessible subnet is usually a good idea. This can be a relatively quick process, but it would be a good idea to export the discovery scan to an xml or csv for further processing.

For this example I will be enumerating the Free HTB machines available through HackTheBox. But I will also be switching to the VIP mode when I am satisfied I have profiled the machines appropriately (this is to avoid potential of other users interfering with the box when I move to exploitation).

nmap -sU -sV -sT --top-ports 100 10.10.10.0/24 -oA /mnt/hgfs/VM_Shared/HTB_Machines --stats-every 10

This nmap scan will attempt to probe all network hosts within the target network, and instead of using ping, instead attempt to open a connection with the top 100 ports of each host.

We could make this a stealthy scan as well to detect those hosts which are configured to not respond to ICMP requests, however I believe in this scenario the hosts involved on HTB are configured to respond to pings.

The –top-ports 100 switch is an internal flag within nmap which will probe the top 100 occurring ports which are identified for use according to nmap. This should identify the commonly used ports, and on each of the hosts and allow us to formulate a plan of attack to work through the network.

If you were curious to know what the order to top occurring ports are according to nmap, you can pull this list from the nmap-services file (usually located /usr/share/nmap/nmap-services). The third column is a ratio value which needs to be sorted in descending order for the most commonly occurring ports.

To validate this approach, I’ve applied this to the Free access plan for HackTheBox and the following screenshot shows how this produces an overview of what machines exist, and their advertised services.
This scan will take some time, so it might be a good idea now to let the scan run and get your tools and documentation processes ready in the background while this runs.

In my example, we are enumerating 23 live hosts within the HTB Free Tier access – so these hosts will be busy, and I am connected through the VPN to HTB, so likely this will be going slower than you can expect in an onsite engagement.

Now that we have a number of host discovery outputs, we need to move to the next stage of the pentest process – Threat Modelling and Vulnerability Analysis.
To do this, we will be converting and ingesting the nmap produced reports into a more friendly format for evaluation. The objective we are looking for is to find the more easily exploitable boxes and prioritise our efforts on them.

You will also notice, I am not giving preference to a particular level of difficulty box ahead of another, I am doing this blind from a HTB naming and feedback perspective.

There are some interesting boxes in this particular list, so for starters I will look into something relatively simple, such as something with a HTTP and SSH port open. And since I cannot see the system difficulty, this could either be an easy box, or a very difficult one.