Linux Exploitation (Remote Exploitation & Post-Exploitation)

Hi, In lab Linux Exploitation (Remote Exploitation & Post-Exploitation) when I run scan against to find RMI service I find that 1099 port is filtered. I thought that Java RMI service was running on uncommon port so I found 1999 and from the solutions, I determined that Java RMI was running on that port. The name of the service that runs on port 1999 is “tcp-id-port” I googled about this service but I could not find anything about RMI service. My question is how can we find out that Java RMI service is running on port 1999 when scanning shows that it is “tcp-ip-port” service.


without the -sV (service scan), nmap only gives the “known port” service.
So, you have to run a -sV (service scan) to know the true name of the service running as you did in your second scan.


jmason is correct.

But, I want to add to this to save you some hassle later on as well from my experience. Some of these labs and their answers are a nightmare currently if you try follow their commands to a T. You’re kind of set up to fail from the beginning with:

nmap -sT -O -sV --version-all

You will find that the addition of -p- will get you the results you need for later on scanning all ports vs the nmap defaults.

sudo nmap -v -sT -O -sV -p- --version-all

For example on nmap only finds 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 with a default scan but will also find 4433/tcp open ssl/http nginx 1.1.19 with the -p- switch

So, without doing that you also wouldn’t have known to specify that port they tell you to later as shown in the answers in this:

sudo nmap --script +vuln -p4433

Note also that some commands like the above may not give full results without sudo (at least that was the case on my updated kali VM)

Unfortunately some of the port numbers simply don’t match up regardless with the lab answers. (I never saw 35316 on the .22 machine)

The silver lining with the un-updated labs is it forces you to research and figure out why things are different…

Thank you very much! @jmason-joshua17sc @ecpdubb


I also meant to mention that

smbclient -N \\\tmp -U “”


and I had to do:

smbclient --option=‘client min protocol=nt1’ -N \\\tmp -U “”

OR (I think) you can do something like:

sudo nano /etc/samba/smb.conf

and add: “client min protocol = NT1” under the global section of smb.conf

It looks like the initial command in the answer not working is to do with a change from like 2019:

1 Like

Yes, I added it in smb.conf with some other settings from NetBIOS lab.
Thank you