Unlocking OSCP Lab 6.3.3–5: Essential Nmap Port Scanning Techniques

0P3N7H3cl00r
3 min read, Mar 16, 2024


A Cybersecurity Professional’s Quest: Unveiling the Digital Mysteries with Nmap

Lab Description:

The Nmap Scripting Engine (NSE) offers over 100 discovery scripts for enhanced reconnaissance, including a script that enumerates the HTTP titles of web servers. A page title can reveal valuable information about a target, such as the purpose of the website, software versions, and the presence of login pages. The challenge involves using an NSE script to find a web server titled “Under Construction” within a public lab network and then locating a flag on its index.html page.

Solution

To find a web server with the title “Under Construction” using Nmap’s Scripting Engine (NSE), you can use the http-title script. This script requests the default page of every HTTP service found on the scanned hosts and reports that page's title. Here's how you can use Nmap and this script to identify the target web server and find the flag:

Step 1: Install Nmap

Ensure Nmap is installed on your machine. Nmap is available for Linux, Windows, and macOS.

Step 2: Use the http-title NSE Script

Execute an Nmap scan with the http-title script against your target network. You can scan the common web server ports (e.g., 80, 443) or the entire port range if you're not sure which ports the web servers might be running on. For a broader search, you can use the following command:

nmap -p 80,443,8000-8999 --script=http-title <target-network>

Replace <target-network> with the network range or IP addresses of the Module Exercises VM Group 1. This command scans ports 80, 443, and the 8000-8999 range, which are common for web services, and uses the http-title script to fetch the titles of any detected HTTP services.

Step 3: Analyze the Scan Results

Look through the Nmap scan results for a web server with the title “Under Construction”. The output will list the IP addresses or hostnames of the scanned servers and the titles of their default web pages.

Nmap reported the “Under Construction” title on 192.168.241.6.

Step 4: Visit the Identified Web Server

Once you’ve identified the host with the target web page title, visit the index.html page of that web server. You can use a web browser or a command-line tool like curl or wget to access the page. For example:

curl http://<target-host>/

Replace <target-host> with the IP address or hostname of the web server you identified.

Step 5: Find the Flag

On the “Under Construction” page, look for the flag. Flags usually follow a specific format, such as flag{some_text_here} or something similar, depending on the challenge guidelines.

The flag is shown on the “Under Construction” page.

This method is an effective way to use Nmap’s scripting capabilities for reconnaissance, especially when trying to identify web servers with specific characteristics across a network. Always make sure you have authorization before scanning and interacting with networks and systems to avoid legal and ethical issues.
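As an added example (not code from the original post), the following Python script parses Nmap's XML output (`-oX -`) and returns the hosts and ports whose http-title output contains the wanted title, so Step 3 does not depend on reading through a long listing by eye. The XML embedded in it is a constructed sample written in Nmap's schema, not a capture from the lab, and `scan_and_find` is an assumed wrapper around the command from Step 2.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of `nmap ... --script=http-title -oX -` output, in Nmap's
# real XML schema; it is not a capture from the lab.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.241.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http"/>
<script id="http-title" output="Apache2 Ubuntu Default Page: It works"/>
</port></ports></host>
<host><status state="up"/><address addr="192.168.241.6" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="8000"><state state="open" reason="syn-ack"/>
<service name="http"/>
<script id="http-title" output="Under Construction"/>
</port></ports></host>
</nmaprun>
"""


def find_hosts_by_title(xml_text, wanted):
    """Return (address, port, title) for each port whose http-title output
    contains `wanted`. Matching is a case-insensitive substring test because
    NSE may append text (e.g. a redirect note) after the title itself."""
    matches = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            for script in port.findall("script[@id='http-title']"):
                title = script.get("output", "")
                if wanted.lower() in title.lower():
                    matches.append((addr_el.get("addr"), int(port.get("portid")), title))
    return matches


def scan_and_find(target, wanted):
    """Run the scan from Step 2 with XML on stdout, then filter it.
    Assumed helper: requires nmap on PATH; not exercised by the sample run."""
    cmd = ["nmap", "-p", "80,443,8000-8999", "--script=http-title", "-oX", "-", target]
    xml_text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_hosts_by_title(xml_text, wanted)


if __name__ == "__main__":
    for addr, port, title in find_hosts_by_title(SAMPLE_XML, "Under Construction"):
        print(f"http://{addr}:{port}/  ->  {title}")
```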
