Intro to Nmap

Meet Eric in the hotel parking lot for Nmap know-how and scanning secrets. Help him connect to the wardriving rig on his motorcycle!

Difficulty: ❄ ❄ ❄ ❄

Hints

Ncat Documentation

You may also want to check out the Ncat Guide.

Nmap Documentation

Nmap is pretty straightforward to use for basic port scans. Check out its documentation!

Solution

```text
Welcome to the Intro to Nmap terminal!  We will learn some Nmap basics by running commands to answer the questions asked, which will guide us in finding and connecting to the wardriving rig's service.
Run the command "hint" to receive a hint.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Type [y]es to begin: y
```
```text
1) When run without any options, nmap performs a TCP port scan of the top 1000 ports. Run a default nmap scan of 127.0.12.25 and see which port is open.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@484e5762e44f:~$ nmap 127.0.12.25
Starting Nmap 7.80 ( https://nmap.org ) at 2025-11-05 21:56 UTC
Nmap scan report for 127.0.12.25
Host is up (0.000063s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
```
```text
2) Sometimes the top 1000 ports are not enough. Run an nmap scan of all TCP ports on 127.0.12.25 and see which port is open.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@0921dbbac7b0:~$ nmap 127.0.12.25 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-11-05 22:02 UTC
Nmap scan report for 127.0.12.25
Host is up (0.000050s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE
24601/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds
```
```text
3) Nmap can also scan a range of IP addresses.  Scan the range 127.0.12.20 - 127.0.12.28 and see which has a port open.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@0921dbbac7b0:~$ nmap 127.0.12.20-28 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-11-05 22:03 UTC
Nmap scan report for 127.0.12.20
Host is up (0.00025s latency).
All 65535 scanned ports on 127.0.12.20 are closed

Nmap scan report for 127.0.12.21
Host is up (0.000068s latency).
All 65535 scanned ports on 127.0.12.21 are closed

Nmap scan report for 127.0.12.22
Host is up (0.00039s latency).
All 65535 scanned ports on 127.0.12.22 are closed

Nmap scan report for 127.0.12.23
Host is up (0.00023s latency).
All 65535 scanned ports on 127.0.12.23 are closed

Nmap scan report for 127.0.12.24
Host is up (0.00026s latency).
All 65535 scanned ports on 127.0.12.24 are closed

Nmap scan report for 127.0.12.25
Host is up (0.00013s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap scan report for 127.0.12.26
Host is up (0.00018s latency).
All 65535 scanned ports on 127.0.12.26 are closed

Nmap scan report for 127.0.12.27
Host is up (0.00019s latency).
All 65535 scanned ports on 127.0.12.27 are closed

Nmap scan report for 127.0.12.28
Host is up (0.00027s latency).
All 65535 scanned ports on 127.0.12.28 are closed

Nmap done: 9 IP addresses (9 hosts up) scanned in 16.08 seconds
```
```text
4) Nmap has a version detection engine, to help determine what services are running on a given port. What service is running on 127.0.12.25 TCP port 8080?
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@0921dbbac7b0:~$ nmap 127.0.12.25 -p 8080 -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2025-11-05 22:06 UTC
Nmap scan report for 127.0.12.25
Host is up (0.000086s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds
```
```text
5) Sometimes you just want to interact with a port, which is a perfect job for Ncat!  Use the ncat tool to connect to TCP port 24601 on 127.0.12.25 and view the banner returned.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@0921dbbac7b0:~$ ncat 127.0.12.25 24601
Welcome to the WarDriver 9000!
Terminated
```
```text
Congratulations, you finished the Intro to Nmap and found the wardriving rig's service!
Type "exit" to close...
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
elf@0921dbbac7b0:~$ exit
```
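The walkthrough above reads nmap's output by eye. As an added example (not part of the original post or the challenge), here is a small Python parser for nmap's normal output that turns a scan into a per-host list of open ports and compares it with an inventory of approved listeners, so an unexpected service like the one on 24601 surfaces as a finding. The sample output and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of nmap's normal output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2025-11-05 22:03 UTC
Nmap scan report for 127.0.12.24
Host is up (0.00026s latency).
All 65535 scanned ports on 127.0.12.24 are closed

Nmap scan report for 127.0.12.25
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE
8080/tcp  open  http-proxy
24601/tcp open  unknown

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.01 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(text):
    """Return {host: [(port, proto, service), ...]} for every port reported open."""
    result = defaultdict(list)
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            result.setdefault(host, [])   # register hosts that have nothing open
            continue
        m = PORT_RE.match(line)
        if m and host and m.group(3) == "open":
            result[host].append((int(m.group(1)), m.group(2), m.group(4)))
    return dict(result)

def unexpected_listeners(scan, allowlist):
    """Open ports missing from the per-host allowlist: the rogue-service check."""
    findings = []
    for host, ports in scan.items():
        allowed = allowlist.get(host, set())
        for port, proto, service in ports:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings
```

Run `unexpected_listeners(parse_open_ports(SAMPLE_NMAP_OUTPUT), {"127.0.12.25": {(8080, "tcp")}})` with an inventory that only approves the web service and the 24601 listener is the single finding.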

Dissecting the attack

```mermaid
graph TD
    subgraph LocalRecon [1. Local Reconnaissance]
        A["Local Port Scanning<br/>(Nmap against Loopback)"]
        B["Service Identification<br/>(Ports 8080 and 24601 Open)"]
    end

    subgraph Analysis [2. Vulnerability Analysis]
        C["Banner Analysis<br/>(Python 3.10.12 / WarDriver 9000)"]
        D["CWE-200: Info Exposure<br/>(Directory Listing and Version Leak)"]
    end

    subgraph Exploitation [3. Unauthorized Access]
        E["Connection Attempt<br/>(Ncat to Port 24601)"]
        F["CWE-306: Missing Authentication<br/>(Immediate Access Granted)"]
    end

    %% Flow Connections
    A -->|Discover Targets| B
    B -->|Grab Banners| C
    C -->|Identify Insecure Server| D
    B -->|Connect No Auth| E
    E -->|Interact with Service| F

    %% Styling
    style A fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
    style B fill:#9a3412,stroke:#f97316,stroke-width:2px,color:#fff
    style C fill:#9a3412,stroke:#f97316,stroke-width:2px,color:#fff
    style D fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
    style E fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
    style F fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
```
| Phase | Vulnerability (CWE) | Mitigation |
|---|---|---|
| 1. Access | CWE-306: Missing Authentication for Critical Function (Unrestricted Local Connection) | Authentication (Implement Challenge-Response / API Key) |
| 2. Discovery | CWE-200: Exposure of Sensitive Information (Precise Version Disclosure) | Hardening (Suppress Server Banners) |
| 3. Architecture | CWE-1188: Initialization of Resource with Insecure Default (Python SimpleHTTPServer) | Production Server (Use Gunicorn/Nginx/Apache) |

Fixing the Insecure Web Server (CWE-1188)

Vulnerability: The service on port 8080 is running SimpleHTTPServer (or http.server in Python 3). This module is designed strictly for development and testing. By default, it:

  • Enables Directory Listing: If an index.html is missing, it lists all files in the directory, potentially exposing source code or sensitive data.
  • Is Single-Threaded: It handles requests sequentially, making it trivial to crash or hang with a simple DoS attack.
  • Lacks Security Headers: It does not send headers like X-Content-Type-Options or Content-Security-Policy.

Fix: Replace the development server with a production-grade WSGI application server (like Gunicorn or uWSGI) sitting behind a robust reverse proxy (like Nginx or Apache).
Vulnerable Command:

```shell
# FLAW: Do not use in production
python3 -m http.server 8080
```

Secure Command:

```shell
# FIX: Use a production WSGI server
# -w 4: four worker processes; -b: bind to loopback only, so a reverse proxy fronts it
gunicorn -w 4 myapp:app -b 127.0.0.1:8080
```

Impact: Eliminates the directory listing risk, provides concurrency to handle multiple connections, and allows for proper security header configuration.

Fixing the Unauthenticated Access (CWE-306)

Vulnerability: The “WarDriver 9000” service on TCP port 24601 of 127.0.12.25 accepts connections without any form of authentication. In a localhost context (127.0.0.0/8), this means any user or malicious process running on the system can connect to and control the rig. Binding to loopback keeps remote attackers out but does nothing to stop local ones.
Fix: Implement an Authentication Mechanism at the application layer. This could be a simple password prompt upon connection, an API Key header, or mTLS.
Vulnerable Code (Concept):

```python
# FLAW: Accepts connection and immediately trusts the client
# (server and process_commands stand for the rig's listening socket and command loop)
client_socket, addr = server.accept()
client_socket.send(b"Welcome to WarDriver 9000!\n")
process_commands(client_socket)
```

Secure Code:

```python
import hmac

# FIX: Require a shared secret before allowing commands
# (SECRET_KEY is the configured shared secret; server and process_commands as above)
client_socket, addr = server.accept()
client_socket.send(b"Auth Required: ")
password = client_socket.recv(1024).strip()

# compare_digest instead of == so the comparison does not leak timing information
if hmac.compare_digest(password, SECRET_KEY):
    client_socket.send(b"Welcome to WarDriver 9000!\n")
    process_commands(client_socket)
else:
    client_socket.close()
```

Impact: Prevents unauthorized local users from accessing the control interface.
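A fuller version of the authentication step, added here as an example and not taken from the challenge or the original post. It reads the secret as a bounded, newline-terminated line (a single recv(1024) is not guaranteed to return a whole line), compares it in constant time with hmac.compare_digest, and times out idle unauthenticated clients. SECRET_KEY, MAX_LINE and AUTH_TIMEOUT are assumed values; run_handshake drives the exchange over a socketpair so it can be exercised without a network.

```python
import hmac
import socket

# Assumed shared secret for the example; a real deployment loads it from a protected file.
SECRET_KEY = b"correct-horse-battery-staple"
MAX_LINE = 256        # most bytes an unauthenticated client may send
AUTH_TIMEOUT = 5.0    # seconds an unauthenticated client may hold the socket

def read_line(conn, limit=MAX_LINE):
    """Read one newline-terminated line, refusing more than `limit` bytes.
    A single recv(1024) is not guaranteed to return a whole line."""
    buf = bytearray()
    while len(buf) < limit:
        chunk = conn.recv(1)
        if not chunk:                 # peer closed before sending a newline
            return None
        if chunk == b"\n":
            return bytes(buf).rstrip(b"\r")
        buf += chunk
    return None                       # oversized line: treat as a failed attempt

def authenticate(conn, secret=SECRET_KEY):
    """Challenge the client for the shared secret before any command is processed."""
    conn.settimeout(AUTH_TIMEOUT)
    conn.sendall(b"Auth Required: ")
    try:
        supplied = read_line(conn)
    except socket.timeout:
        supplied = None
    # compare_digest runs in constant time, so a wrong guess leaks nothing via timing
    if supplied is None or not hmac.compare_digest(supplied, secret):
        conn.sendall(b"Authentication failed\n")
        return False
    conn.settimeout(None)
    conn.sendall(b"Welcome to WarDriver 9000!\n")
    return True

def run_handshake(client_bytes, secret=SECRET_KEY):
    """Drive one handshake over a socketpair (no network); True if the client got in."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(client_bytes)    # what a client would type at the prompt
        return authenticate(server_side, secret)
    finally:
        server_side.close()
        client_side.close()
```

In the real server, the accept loop calls authenticate(client_socket) and only enters the command loop when it returns True.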

Fixing the Version Leakage (CWE-200)

Vulnerability: The web service on port 8080 explicitly identifies itself as SimpleHTTPServer 0.6 (Python 3.10.12). This gives a local attacker precise knowledge of the runtime environment, letting them check whether the system is exposed to specific local privilege escalation exploits targeting that Python version.
Fix: Suppress or Obfuscate the server banners. Production services should not reveal version numbers.
Secure Configuration (Python):

```python
import http.server

class SecureHandler(http.server.SimpleHTTPRequestHandler):
    # FIX: Override default version headers
    server_version = "GenericWebSrv"
    sys_version = ""

# Serve with the hardened handler on loopback port 8080 (the port from the challenge)
if __name__ == "__main__":
    with http.server.ThreadingHTTPServer(("127.0.0.1", 8080), SecureHandler) as httpd:
        httpd.serve_forever()
```

Impact: Forces an attacker to spend time fuzzing or guessing the environment, increasing the likelihood of detection before they can launch a successful exploit.
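An added example (not the post's or the project's code) that extends the handler above and checks the result: it overrides version_string so only the generic name is sent, disables directory listing, and adds the missing security headers; probe() then starts the server on a loopback ephemeral port and returns what a client actually sees in the response. The handler name and the empty temporary directory it serves are assumptions of the example.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request

class HardenedHandler(http.server.SimpleHTTPRequestHandler):
    # Drop the "SimpleHTTP/0.6 Python/3.x" banner that nmap -sV fingerprinted.
    server_version = "GenericWebSrv"
    sys_version = ""

    def version_string(self):
        # The base class joins server_version and sys_version with a space.
        return self.server_version

    def list_directory(self, path):
        # No index.html: refuse to enumerate the directory instead of listing it.
        self.send_error(403, "Directory listing disabled")
        return None

    def end_headers(self):
        # Headers the stock handler never sends.
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Security-Policy", "default-src 'self'")
        super().end_headers()

def start_server(directory):
    """Serve `directory` on 127.0.0.1 and an ephemeral port from a daemon thread."""
    handler = functools.partial(HardenedHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def probe(directory=None):
    """Request / and return (status, Server header, X-Content-Type-Options header)."""
    httpd = start_server(directory or tempfile.mkdtemp())  # empty dir: no index.html
    url = "http://127.0.0.1:%d/" % httpd.server_address[1]
    try:
        with urllib.request.urlopen(url) as resp:
            hdrs, status = resp.headers, resp.status
    except urllib.error.HTTPError as err:
        hdrs, status = err.headers, err.code
    finally:
        httpd.shutdown()
        httpd.server_close()
    return status, hdrs.get("Server"), hdrs.get("X-Content-Type-Options")
```

With the hardening in place a request for the directory root returns 403 with Server: GenericWebSrv, and a version scan no longer sees the Python runtime.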

This post is licensed under CC BY 4.0 by the author.