• 10.10.120.108
sudo nmap -sC -sV -T4 -oA baby 10.10.120.108 -Pn

By default (when run with raw-socket privileges, as here via sudo), Nmap performs a half-open SYN scan (-sS).

With -Pn (No Ping)

With -Pn, Nmap skips the ICMP Echo Request (ping) stage that it normally uses to check whether a host is up before scanning its ports. Normally:

  • ICMP Echo Request: Nmap sends a ping to the target to see if it’s reachable.
  • ICMP Echo Reply: If the target responds, Nmap considers the host up.

With -Pn, Nmap assumes the host is up and directly starts the SYN scan without performing the ping.

Summary of the SYN-ACK Process During the Scan:

  1. SYN packet sent by Nmap to a target port.
  2. Target responds with:
    • SYN-ACK if the port is open.
    • RST if the port is closed.
    • No response, or an ICMP error, if the port is filtered.
  3. Nmap sends an RST to close the half-open connection if a SYN-ACK is received.
Windows Version: 10.0.20348
Server: Windows Server 2022 Version 21H2

[Nmap results]

Since no HTTP or HTTPS service is running here, we usually start enumeration with netexec to check whether any anonymous access is possible, for example over LDAP or SMB. Such access could expose sensitive data.

nxc smb 10.10.66.196 -u 'a' -p '' --shares
nxc ldap 10.10.66.196 -u '' -p '' --users

Anonymous Binding in LDAP:

Description

  • Definition: Anonymous binding allows a client to connect and interact with the LDAP directory without providing valid credentials.
  • Default Behavior: Some LDAP servers are configured to allow anonymous access for compatibility or convenience, especially in internal networks.
  • Implications: When anonymous binding is permitted, unauthenticated users can query the directory for certain information, depending on the server’s access control policies.

Description

The host babydc.baby.vl has anonymous LDAP login enabled, which means that anyone can connect to the LDAP server without providing any authentication credentials. This allows unauthorized users to perform LDAP queries, potentially retrieving sensitive information such as user details, organizational data, or other critical information stored in the LDAP directory.
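The anonymous bind described above (and in the definition list earlier) is nothing more than an LDAPv3 BindRequest carrying an empty DN and an empty simple password. The following is an added example, not part of the original writeup: it hand-encodes that request in BER, decodes the server's BindResponse, and wraps both in a small audit check; the sample response bytes and the diagnostic text are constructed for the test, and the hostname is a placeholder.

```python
import socket

# Added example (not from the original writeup). Builds the LDAPv3 anonymous
# BindRequest by hand and decodes the BindResponse, so the check needs no
# third-party LDAP library. An anonymous bind is simply a BindRequest with an
# empty DN and an empty simple password (RFC 4511, section 4.2).

def ber_len(n):
    """BER length octets: short form up to 127, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def build_anonymous_bind(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse PDU."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                     # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)         # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)          # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def check_anonymous_bind(host, port=389, timeout=5):
    """Live audit check: True if the server answers the anonymous bind with resultCode 0 (success)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_anonymous_bind())
        _, code, _ = parse_bind_response(s.recv(4096))
    return code == 0

# Constructed sample responses (not captured from a real server):
RESP_SUCCESS = bytes.fromhex("300c02010161070a010004000400")          # resultCode 0 = success
RESP_REFUSED = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x61, tlv(0x0a, b"\x30")
                   + tlv(0x04, b"") + tlv(0x04, b"anonymous bind refused")))  # 48 = inappropriateAuthentication
```

A successful bind shows only that the server accepts unauthenticated connections; whether directory objects are actually readable anonymously (the exposure the finding describes) depends on the server's access controls and must be confirmed with a follow-up search.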

References

https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap

Impact

An attacker can use this weakness to connect to the LDAP server without credentials and retrieve sensitive information stored in the directory. The gathered information can then support further attacks, including privilege escalation or targeted attacks against the system or its users.

System Host(s)

BABYDC

Affected Product(s) and Version(s)

LDAP

Steps to Reproduce