Share
## https://sploitus.com/exploit?id=06A631DB-ED13-5F15-9C5E-74187856CD84
# Network Scanning & Host Enumeration with Nmap

Host discovery, service enumeration, and exploitation of an intentionally-vulnerable target inside an isolated, firewall-segmented lab network. This project documents a full penetration-testing loop โ€” from mapping what a target runs, to identifying a vulnerable service, to gaining root access โ€” the way a real engagement proceeds.

All testing was performed against machines I built and own, on a network with no route to any production or public system.

---

## What this demonstrates

- Building a segmented, firewalled lab where offensive testing is safely isolated
- Host discovery and service/version enumeration with Nmap
- Reading and interpreting scan output โ€” mapping open ports to real services and known vulnerabilities
- Cross-segment scanning through a firewall (attacker and target on different subnets, routed via OPNsense)
- Identifying a vulnerable service version and confirming it with searchsploit
- Manual exploitation of the vsftpd 2.3.4 backdoor (CVE-2011-2523) to gain root access
- The full reconnaissance-to-exploitation methodology of an authorized engagement

---

## Lab topology

```
                 Internet
                    |
              [ Home router ]
                    |  (vmbr0)
              [ OPNsense firewall ]
               /                \
         LAN (vmbr4)         OPT1 (vmbr5)
        10.10.40.0/24        10.10.50.0/24
              |                    |
        [ Kali attacker ]   [ Metasploitable 2 ]
         10.10.40.180         10.10.50.50
```

- **Attacker:** Kali Linux, on the LAN segment (`10.10.40.0/24`)
- **Target:** Metasploitable 2, on the isolated internal segment (`10.10.50.0/24`)
- **Firewall/router:** OPNsense routes and filters between segments; the target has no path to the internet or the real network
- **Hypervisor:** Proxmox VE, with isolated Linux bridges providing network separation

The attacker and target are on **different subnets** โ€” Kali reaches the target only *through* the OPNsense firewall, which mirrors a real network where you pivot across segments rather than sitting on the same LAN as your target.

---

## Tools used

| Tool | Purpose |
|------|---------|
| Nmap | Host discovery, port scanning, service/version detection |
| Kali Linux | Attack platform |
| OPNsense | Firewall / inter-segment routing |
| Proxmox VE | Virtualization / network isolation |

---

## Method

### 1. Host discovery
Sweep the target segment to find live hosts before scanning services.

```bash
nmap -sn 10.10.50.0/24
```

`-sn` is a ping sweep โ€” host discovery only, no port scan. It answers "which addresses are alive?" across the whole `/24` subnet.

![Nmap ping sweep of the target segment](screenshots/nmap-network-sweep.png)

### 2. Service and version enumeration
The core scan โ€” identify open TCP ports and fingerprint the software behind each.

```bash
nmap -sV 10.10.50.50
```

`-sV` performs version detection: rather than just reporting that a port is open, it probes each service to identify the exact software and version โ€” which is what turns a list of ports into a list of *potential vulnerabilities*.

![Nmap service/version scan of the target](screenshots/nmap-scan.png)

![Nmap scan results โ€” full service list](screenshots/nmap-scan-results.png)

Full output is saved in [`scans/metasploitable-sV.txt`](scans/metasploitable-sV.txt).

### 3. Interpreting the results
See [`docs/findings.md`](docs/findings.md) for the full walkthrough โ€” each open service, what it is, and the known vulnerabilities associated with the identified versions.

### 4. Exploitation
The scan flagged **vsftpd 2.3.4** on port 21 โ€” a version carrying a known backdoor. See [`docs/exploitation.md`](docs/exploitation.md) for the full recon-to-root walkthrough: confirming the vulnerability with searchsploit, triggering the backdoor manually with netcat, and gaining a root shell (`uid=0(root)`) on the target.

![Root shell on the target โ€” uid=0(root)](screenshots/root-shell-proof.png)

---

## Key findings (summary)

The scan revealed a target running numerous outdated, deliberately-vulnerable services. Highlights:

| Port | Service | Version | Note |
|------|---------|---------|------|
| 21/tcp | FTP | vsftpd 2.3.4 | Version carrying a known backdoor (CVE-2011-2523) |
| 22/tcp | SSH | OpenSSH 4.7p1 | Very old, multiple CVEs |
| 139,445/tcp | SMB | Samba 3.x | `usermap_script` RCE (CVE-2007-2447) |
| 1524/tcp | bindshell | "root shell" | Root shell left listening โ€” instant access |
| 3306/tcp | MySQL | 5.0.51a | Weak/blank default credentials |
| 6667/tcp | IRC | UnrealIRCd | Backdoored build (CVE-2010-2075) |
| 8180/tcp | HTTP | Tomcat/Coyote | Default manager credentials |

Full table and analysis in [`docs/findings.md`](docs/findings.md).

---

## What I learned

Reconnaissance is where an engagement is won or lost. A clean service-version map tells you exactly where to focus โ€” every version number in the scan is a lead you can cross-reference against a vulnerability database. This project also reinforced practical networking: getting a scan to succeed *across a firewall boundary* required understanding routing between segments, stateful firewall behavior, and the "implicit deny" that blocks an interface with no pass rules until you explicitly permit traffic.

---

## Ethics & scope

Every system in this project was built and owned by me, on an isolated lab network with no connection to any production, public, or third-party system. Scanning or enumerating systems you do not own or have **explicit written authorization** to test is illegal under the U.S. Computer Fraud and Abuse Act and equivalent laws. This repository is for education and portfolio purposes only.