DEV Community

Samuel Adeduntan

The Art of Recon: What Happens When a Target Only Has One Door?

1. Introduction: The Importance of Reconnaissance

Before launching any exploit, a penetration tester must answer the basic question: "What is there to attack?" This process, known as reconnaissance or footprinting, is the most crucial stage of an engagement. This article walks through a practical Nmap scanning methodology against a target that exemplifies a crucial defensive principle: reducing the attack surface.

2. Executive Summary

Target: testphp.vulnweb.com (a practice site)

Objective: The goal is to map every TCP service that is accessible and to collect intelligence.

Key Finding: The target host's attack surface is remarkably small. Even after a full scan of all 65,535 TCP ports, only one service, HTTP on port 80, is visible.

Implication: An attacker is forced to concentrate solely on web application attacks, because the network-level alternatives are extremely limited. This exemplifies effective network hardening.

3. The Step-by-Step Nmap Methodology

Professional assessments use a layered scanning strategy that starts broad and becomes progressively more specific.

Step 1: The Basic Default Scan

Objective: Verify that the host is online and check which of the most commonly used ports are open.

Command:
nmap testphp.vulnweb.com

Finding:
The host is up. Of the 1,000 most common ports scanned, only port 80/tcp is open, serving HTTP. The remaining 999 ports are filtered, which indicates a firewall.

Screenshot 1 Description:
A terminal showing the output of the basic Nmap scan. The line 80/tcp open http highlights the only open port.

Screenshot 1

Step 2: Service & OS Fingerprinting (-A)

Objective: Identify the operating system and collect detailed information about the discovered service.

Command:
nmap -A testphp.vulnweb.com

Finding:
Nmap identifies the service as nginx 1.19.0. OS detection guesses a Linux kernel, but the guess is unreliable because there are no other open ports to correlate with. The reverse DNS record seen in the traceroute shows the host to be an AWS EC2 instance in us-west-2.

Screenshot 2 Description:
A terminal showing the output of the -A scan. The rDNS record ec2-44-228-249-3.us-west-2.compute.amazonaws.com and the lines revealing nginx 1.19.0 are highlighted. Nmap's warning that the OS detection is unreliable is also visible.

Screenshot 2

Step 3: The Full Port Scan (-p-)

Objective: Leave nothing unchecked. Scan all 65,535 TCP ports to make sure no obscure services are listening on high-numbered ports.

Command:
nmap -p- testphp.vulnweb.com

Finding:
The result is unambiguous: 65,534 ports are filtered and only port 80 is open. This confirms the initial finding and rules out any hidden services on high-numbered ports.

Screenshot 3 Description:
A terminal window showing the results of the full port scan. The summary line Not shown: 65534 filtered tcp ports should be highlighted to emphasize how minimal the surface is.

Screenshot 3

Step 4: Version Detection on All Ports (-sV -p-)

Objective: Obtain the most precise version information for port 80 and confirm that no services with unknown versions are hiding among the filtered ports.

Command:
nmap -p- -sV testphp.vulnweb.com

Finding:
Nmap now reports port 80 as tcpwrapped. This is an important piece of information: tcpwrapped means the TCP handshake completed but the connection was closed as soon as Nmap sent its service probes, which is the behavior of a firewall, TCP wrapper, or similar front-end that mimics a live service without answering. This shields the service from banner grabbing and automated probing, and it conceals the nginx version. Note that the -A scan in Step 2 already includes version detection and did return nginx 1.19.0, so the tcpwrapped result is not consistent between runs; record both observations rather than treating either alone as the target's stable behavior.

Screenshot 4 Description:
A terminal showing the version scan. The change from http to tcpwrapped on port 80 is the essential takeaway and should be noted.

Screenshot 4

Step 5: Scripting Engine (-sC)

Objective: Use Nmap's default scripts to test the open port for common vulnerabilities or misconfigurations.

Command:
nmap -sC testphp.vulnweb.com

Finding:
For this target, the default scripts returned no additional useful information, most likely because they could not complete their probes against the tcpwrapped service.

Screenshot 5 Description:
A terminal showing the output of the default script scan, which closely resembles the basic scan: the target revealed virtually nothing.

Screenshot 5

4. Analysis and Key Findings: A Limited Surface Area for Attack

From a network standpoint, the scans clearly show a host that has been well-hardened:

- Significantly Reduced Attack Surface: Since there is only one open port, defenders can concentrate on protecting the web server.
- Firewall in Place: The filtered state on all other ports shows that a host-based or network-based firewall is actively dropping connection attempts, a basic security measure.
- Service Hardening: The tcpwrapped result points to further hardening that hides service banners, which frustrates automated scanners and makes targeted attacks somewhat harder.

Since all other network-based options are closed, an attacker must immediately pivot to web application testing methods (such as the directory enumeration we carried out in the other post).

5. Protective Lessons Learned: Hardening Principles

This target is an example of fundamental network security:

- Network Least Privilege Principle: Permit only the network traffic that is absolutely required for business operations.
- Employ a Firewall: Establish strict inbound and outbound rules. Deny everything by default and explicitly allow only the specified traffic.
- Obscure Banners: Stop services from disclosing version information, which otherwise helps attackers pick exploits.
- Frequent Audits: Run network scans against your own systems regularly to make sure no unexpected services have been exposed.
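As an added example (not part of the original post or of Nmap itself), the following POSIX shell script turns the "Frequent Audits" advice and the scan methodology above into a repeatable check: it parses Nmap's grepable output (-oG) and compares the open ports against an allowlist, flagging tcpwrapped services and any drift. Both scan samples are constructed to mirror the article's findings (one open port, 65,534 filtered); the IPs, hostnames and allowlist are assumptions.

```shell
#!/bin/sh
# Audit Nmap grepable (-oG) output against an allowlist of expected open ports.
# Both samples are constructed for this example (modelled on the article's
# findings: one open port, 65,534 filtered); they are not real scan output.
SAMPLE_HARDENED=$(mktemp); SAMPLE_DRIFTED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
# Nmap scan initiated as: nmap -oG - -p- -sV testphp.vulnweb.com (constructed)
Host: 203.0.113.10 (testphp.vulnweb.com) Status: Up
Host: 203.0.113.10 (testphp.vulnweb.com) Ports: 80/open/tcp//tcpwrapped/// Ignored State: filtered (65534)
EOF
cat > "$SAMPLE_DRIFTED" <<'EOF'
Host: 10.0.0.5 (web-01) Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.19.0/, 443/closed/tcp//https/// Ignored State: filtered (65532)
EOF

# open_ports FILE: one line per open port -> "port proto service version"
# (-oG entries are port/state/proto/owner/service/rpcinfo/version, comma-separated)
open_ports() {
  awk '/Ports: / {
    line = $0; sub(/.*Ports: /, "", line); sub(/[ \t]*Ignored State:.*/, "", line)
    n = split(line, e, ", ")
    for (i = 1; i <= n; i++) {
      split(e[i], f, "/")
      if (f[2] == "open") print f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
    }
  }' "$1"
}

# ignored_count FILE: how many ports Nmap folded into its "Ignored State" summary
ignored_count() {
  awk 'match($0, /Ignored State: [a-z]+ \([0-9]+\)/) {
    s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s; exit }' "$1"
}

# tcpwrapped_ports FILE: open ports whose service probe was closed without a banner
tcpwrapped_ports() { open_ports "$1" | awk '$3 == "tcpwrapped" { print $1 "/" $2 }'; }

# unexpected_ports FILE ALLOWLIST: open ports not in ALLOWLIST (e.g. "80/tcp 443/tcp")
unexpected_ports() {
  open_ports "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !(($1 "/" $2) in ok) { print $1 "/" $2 }'
}

# audit_surface FILE ALLOWLIST: exit 0 if the exposed surface matches the allowlist
audit_surface() {
  bad=$(unexpected_ports "$1" "$2")
  [ -z "$bad" ] && { printf 'OK: only %s exposed\n' "$2"; return 0; }
  printf 'ALERT: unexpected open ports: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')"
  return 1
}

audit_surface "$SAMPLE_HARDENED" "80/tcp" || echo "hardened host drifted"
audit_surface "$SAMPLE_DRIFTED"  "80/tcp" || echo "drifted host needs attention"
```

On a real host, generate the input with nmap -oG scan.gnmap -p- -sV <your-host> and run audit_surface against it from cron so a newly exposed port raises an alert instead of waiting for the next manual assessment.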

6. Conclusion: In recon, quality matters more than quantity

This reconnaissance experiment demonstrates that depth, not breadth, is frequently the deciding factor in a successful penetration test. Although a network scan revealed almost nothing about the target, the admin panel article demonstrates that the single open port was eventually the key to a substantial result. It supports the notion that by putting in place straightforward, efficient network hardening procedures, defenders can dramatically raise the bar for attackers, compelling them to adopt a more complex and targeted strategy.
