## https://sploitus.com/exploit?id=06A631DB-ED13-5F15-9C5E-74187856CD84
# Network Scanning & Host Enumeration with Nmap
Host discovery, service enumeration, and exploitation of an intentionally-vulnerable target inside an isolated, firewall-segmented lab network. This project documents a full penetration-testing loop โ from mapping what a target runs, to identifying a vulnerable service, to gaining root access โ the way a real engagement proceeds.
All testing was performed against machines I built and own, on a network with no route to any production or public system.
---
## What this demonstrates
- Building a segmented, firewalled lab where offensive testing is safely isolated
- Host discovery and service/version enumeration with Nmap
- Reading and interpreting scan output โ mapping open ports to real services and known vulnerabilities
- Cross-segment scanning through a firewall (attacker and target on different subnets, routed via OPNsense)
- Identifying a vulnerable service version and confirming it with searchsploit
- Manual exploitation of the vsftpd 2.3.4 backdoor (CVE-2011-2523) to gain root access
- The full reconnaissance-to-exploitation methodology of an authorized engagement
---
## Lab topology
```
Internet
|
[ Home router ]
| (vmbr0)
[ OPNsense firewall ]
/ \
LAN (vmbr4) OPT1 (vmbr5)
10.10.40.0/24 10.10.50.0/24
| |
[ Kali attacker ] [ Metasploitable 2 ]
10.10.40.180 10.10.50.50
```
- **Attacker:** Kali Linux, on the LAN segment (`10.10.40.0/24`)
- **Target:** Metasploitable 2, on the isolated internal segment (`10.10.50.0/24`)
- **Firewall/router:** OPNsense routes and filters between segments; the target has no path to the internet or the real network
- **Hypervisor:** Proxmox VE, with isolated Linux bridges providing network separation
The attacker and target are on **different subnets** โ Kali reaches the target only *through* the OPNsense firewall, which mirrors a real network where you pivot across segments rather than sitting on the same LAN as your target.
---
## Tools used
| Tool | Purpose |
|------|---------|
| Nmap | Host discovery, port scanning, service/version detection |
| Kali Linux | Attack platform |
| OPNsense | Firewall / inter-segment routing |
| Proxmox VE | Virtualization / network isolation |
---
## Method
### 1. Host discovery
Sweep the target segment to find live hosts before scanning services.
```bash
nmap -sn 10.10.50.0/24
```
`-sn` is a ping sweep โ host discovery only, no port scan. It answers "which addresses are alive?" across the whole `/24` subnet.

### 2. Service and version enumeration
The core scan โ identify open TCP ports and fingerprint the software behind each.
```bash
nmap -sV 10.10.50.50
```
`-sV` performs version detection: rather than just reporting that a port is open, it probes each service to identify the exact software and version โ which is what turns a list of ports into a list of *potential vulnerabilities*.


Full output is saved in [`scans/metasploitable-sV.txt`](scans/metasploitable-sV.txt).
### 3. Interpreting the results
See [`docs/findings.md`](docs/findings.md) for the full walkthrough โ each open service, what it is, and the known vulnerabilities associated with the identified versions.
### 4. Exploitation
The scan flagged **vsftpd 2.3.4** on port 21 โ a version carrying a known backdoor. See [`docs/exploitation.md`](docs/exploitation.md) for the full recon-to-root walkthrough: confirming the vulnerability with searchsploit, triggering the backdoor manually with netcat, and gaining a root shell (`uid=0(root)`) on the target.

---
## Key findings (summary)
The scan revealed a target running numerous outdated, deliberately-vulnerable services. Highlights:
| Port | Service | Version | Note |
|------|---------|---------|------|
| 21/tcp | FTP | vsftpd 2.3.4 | Version carrying a known backdoor (CVE-2011-2523) |
| 22/tcp | SSH | OpenSSH 4.7p1 | Very old, multiple CVEs |
| 139,445/tcp | SMB | Samba 3.x | `usermap_script` RCE (CVE-2007-2447) |
| 1524/tcp | bindshell | "root shell" | Root shell left listening โ instant access |
| 3306/tcp | MySQL | 5.0.51a | Weak/blank default credentials |
| 6667/tcp | IRC | UnrealIRCd | Backdoored build (CVE-2010-2075) |
| 8180/tcp | HTTP | Tomcat/Coyote | Default manager credentials |
Full table and analysis in [`docs/findings.md`](docs/findings.md).
---
## What I learned
Reconnaissance is where an engagement is won or lost. A clean service-version map tells you exactly where to focus โ every version number in the scan is a lead you can cross-reference against a vulnerability database. This project also reinforced practical networking: getting a scan to succeed *across a firewall boundary* required understanding routing between segments, stateful firewall behavior, and the "implicit deny" that blocks an interface with no pass rules until you explicitly permit traffic.
---
## Ethics & scope
Every system in this project was built and owned by me, on an isolated lab network with no connection to any production, public, or third-party system. Scanning or enumerating systems you do not own or have **explicit written authorization** to test is illegal under the U.S. Computer Fraud and Abuse Act and equivalent laws. This repository is for education and portfolio purposes only.