Hi, in the lab Linux Exploitation (Remote Exploitation & Post-Exploitation), when I run a scan against 172.16.80.22 to find the RMI service I find that port 1099 is filtered. I thought that the Java RMI service was running on an uncommon port, so I found 1999 and, from the solutions, I determined that Java RMI was running on that port. The name of the service that runs on port 1999 is “tcp-id-port”. I googled this service but I could not find anything about an RMI service. My question is: how can we find out that the Java RMI service is running on port 1999 when scanning shows that it is the “tcp-id-port” service?
Without the -sV (service scan), nmap only gives the “known port” service.
So, you have to run a -sV (service scan) to know the true name of the service running as you did in your second scan.
But, I want to add to this to save you some hassle later on as well, from my experience. Some of these labs and their answers are a nightmare currently if you try to follow their commands to a T. You’re kind of set up to fail from the beginning with:
nmap -sT -O -sV --version-all 172.16.80.1/24
You will find that the addition of -p- will get you the results you need for later on scanning all ports vs the nmap defaults.
For example, on 172.16.80.24 nmap only finds “8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1” with a default scan, but will also find “4433/tcp open ssl/http nginx 1.1.19” with the -p- switch.
So, without doing that you also wouldn’t have known to specify the port they tell you to later, as shown in the answers in this:
sudo nmap --script +vuln -p4433 172.16.80.24
Note also that some commands like the above may not give full results without sudo (at least that was the case on my updated Kali VM).
Unfortunately some of the port numbers simply don’t match up regardless with the lab answers. (I never saw 35316 on the .22 machine)
The silver lining with the un-updated labs is it forces you to research and figure out why things are different…
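To make the two points in this thread concrete (the service column without -sV is only a port-number table lookup, and a default scan misses ports that -p- finds), here is a small parser for nmap's grepable (-oG) output that diffs a default scan against a full-port -sV scan and flags service names that were never fingerprinted. This is an added example, not code from the original posters or from the lab; the two scan results are constructed to mirror the hosts discussed above, and the "java-rmi" / "Java RMI" strings on port 1999 are assumed fingerprint output, not captured from the lab.

```python
"""Diff two nmap grepable (-oG) scans and flag service names that are only table lookups.

Added example for this thread. The sample output below is constructed (not captured)
and follows the standard -oG layout: tab-separated "Key: value" fields, with each port
spec as port/state/proto/owner/service/rpc info/version/ separated by slashes.
"""
import re
from dataclasses import dataclass

# Constructed sample: default port range, no -sV. The service column is nmap's
# port-number table lookup, so the version column is empty for every port.
SCAN_DEFAULT_NO_SV = (
    "# Nmap (constructed sample) -sT -oG -\n"
    "Host: 172.16.80.22 ()\tPorts: 1099/filtered/tcp//rmiregistry///, 1999/open/tcp//tcp-id-port///"
    "\tIgnored State: closed (998)\n"
    "Host: 172.16.80.24 ()\tPorts: 8080/open/tcp//http///\tIgnored State: closed (999)\n"
)

# Constructed sample: -p- -sV. Fingerprinted ports carry a version string, and 4433
# only appears because all ports were scanned. "java-rmi"/"Java RMI" is an assumed value.
SCAN_ALL_PORTS_SV = (
    "# Nmap (constructed sample) -sT -sV -p- -oG -\n"
    "Host: 172.16.80.22 ()\tPorts: 1099/filtered/tcp//rmiregistry///, 1999/open/tcp//java-rmi//Java RMI/"
    "\tIgnored State: closed (65533)\n"
    "Host: 172.16.80.24 ()\tPorts: 8080/open/tcp//http//Apache Tomcat Coyote JSP engine 1.1/, "
    "4433/open/tcp//ssl|http//nginx 1.1.19/\tIgnored State: closed (65533)\n"
)

# "/" separates fields inside one port spec; tolerate a backslash-escaped "\/" in a value.
_FIELD_SPLIT = re.compile(r"(?<!\\)/")


@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

    @property
    def fingerprinted(self) -> bool:
        """True only if nmap actually probed the socket (non-empty version column)."""
        return bool(self.version)


def parse_grepable(text: str) -> list[PortEntry]:
    """Parse the 'Host:' lines of -oG output into PortEntry records."""
    entries: list[PortEntry] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; the Host value is "addr (hostname)".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/proto/owner/service/rpc info/version/ (trailing slash -> empty 8th part)
            parts = [p.replace("\\/", "/") for p in _FIELD_SPLIT.split(spec)]
            if len(parts) < 7:
                raise ValueError(f"malformed port spec: {spec!r}")
            entries.append(PortEntry(host, int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return entries


def open_ports(entries: list[PortEntry]) -> set[tuple[str, int, str]]:
    return {(e.host, e.port, e.proto) for e in entries if e.state == "open"}


def ports_missed_by_default_scan(default_text: str, full_text: str) -> dict[str, list[int]]:
    """Open ports present only in the full (-p-) scan, grouped by host."""
    missed = open_ports(parse_grepable(full_text)) - open_ports(parse_grepable(default_text))
    out: dict[str, list[int]] = {}
    for host, port, _proto in sorted(missed):
        out.setdefault(host, []).append(port)
    return out


def table_guesses(text: str) -> dict[tuple[str, int], str]:
    """Open ports whose service name is a table lookup only (nothing was fingerprinted)."""
    return {(e.host, e.port): e.service for e in parse_grepable(text)
            if e.state == "open" and not e.fingerprinted}


def service_name_changes(default_text: str, full_text: str) -> dict[tuple[str, int], tuple[str, str]]:
    """(host, port) -> (table name, fingerprinted name) wherever -sV disagreed with the table."""
    before = {(e.host, e.port): e.service for e in parse_grepable(default_text)}
    after = {(e.host, e.port): e for e in parse_grepable(full_text)}
    return {k: (before[k], after[k].service) for k in before
            if k in after and after[k].fingerprinted and after[k].service != before[k]}


if __name__ == "__main__":
    print("Only found with -p-:", ports_missed_by_default_scan(SCAN_DEFAULT_NO_SV, SCAN_ALL_PORTS_SV))
    print("Table guesses in first scan:", table_guesses(SCAN_DEFAULT_NO_SV))
    print("Names corrected by -sV:", service_name_changes(SCAN_DEFAULT_NO_SV, SCAN_ALL_PORTS_SV))
```

On the constructed samples this reports 4433 on .24 as found only by -p-, lists 1999 ("tcp-id-port") and 8080 ("http") from the first scan as table guesses, and shows 1999 renamed to "java-rmi" once fingerprinted. The same functions work on real -oG files saved from your own scans, which is a handy way to check an inventory for ports whose service name nobody has actually verified.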