Bastion: A Red Team's Guide To Information Gathering
Welcome, aspiring penetration testers and cybersecurity enthusiasts! In the intricate world of red teaming, information gathering is the bedrock upon which successful engagements are built. It's not just about running tools; it's about understanding the target, identifying vulnerabilities, and crafting a strategic approach. Today, we're diving deep into a scenario where we'll explore the crucial initial steps of reconnoitering a target system, codenamed "Bastion." This phase is all about meticulous observation and leveraging the right tools to unveil the system's surface area and potential entry points.
🧐 Nmap Reconnaissance: Unveiling the Network Landscape
The journey begins with Nmap, the indispensable network scanner. Our first step is a full TCP port scan (-p-, all 65535 ports) of the target IP address, 10.129.136.29. We use --min-rate 1000 to keep the scan swift: it tells Nmap to send at least 1000 probes per second, fast enough to cover every port in a reasonable time while remaining reliable on a stable link. The results paint a picture of an active system, revealing a surprising number of open TCP ports.
┌──(root㉿MJ)-[/tmp/test]
└─# nmap --min-rate 1000 -p- 10.129.136.29
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 12:42 CST
Nmap scan report for 10.129.136.29 (10.129.136.29)
Host is up (0.20s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 76.57 seconds
This initial scan highlights several key services: SSH (22), SMB (139, 445), MSRPC (135), and importantly, WinRM (5985, 47001). The presence of WinRM is particularly interesting, as it often signifies a Windows environment with remote management capabilities.
To gain deeper insights, we follow up with a more detailed scan using -sV for service version detection, -sC for default script execution, and -O for OS detection.
┌──(root㉿MJ)-[/tmp/test]
└─# nmap -sV -sC -O -p$port 10.129.136.29
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 12:45 CST
Nmap scan report for 10.129.136.29 (10.129.136.29)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 or 2012 R2 (97%), Microsoft Windows Server 2012 (95%), ...
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
The service version scan confirms our initial findings and provides more context. The SSH server is identified as OpenSSH for Windows, and the SMB service points to Windows Server 2016 Standard. Crucially, ports 5985 and 47001 are reported as http with Microsoft HTTPAPI httpd 2.0. This is a common indicator for WinRM. While Nmap identifies the underlying HTTP stack, the presence of these ports on a Windows system almost universally signifies WinRM. The OS detection suggests a Windows environment, likely a server version.
1. 🧐 Nmap Result Analysis: Port 5985
Nmap's service detection reporting Microsoft HTTPAPI httpd 2.0 for port 5985 is technically correct but can be misleading if not understood in context. This message indicates that the system is using the Windows HTTP API as the underlying mechanism for the service listening on that port. For port 5985, which is the standard HTTP port for WinRM, this is expected behavior. WinRM (Windows Remote Management) utilizes the WS-Management protocol, which is typically transported over HTTP (port 5985) or HTTPS (port 5986). Therefore, when you see Microsoft HTTPAPI httpd 2.0 on port 5985 or 47001 on a Windows machine, you can confidently infer that WinRM is likely running and accessible. The Nmap output is identifying the foundational technology stack rather than the specific application protocol in this instance. This detail is vital for a red team, as it guides the next steps towards exploiting remote management capabilities.
2. UDP Reconnaissance: A Complementary View
While TCP ports often reveal the most direct attack vectors, a UDP scan provides a more complete picture of the target's exposed services. We perform a scan of the top 20 UDP ports.
┌──(root㉿MJ)-[/tmp/test]
└─# nmap -sU --top-ports 20 10.129.136.29
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 12:42 CST
Nmap scan report for 10.129.136.29 (10.129.136.29)
Host is up (0.17s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 48.71 seconds
The UDP scan reveals several ports in an open|filtered state, such as 123/udp (NTP), 137/udp (NetBIOS Name Service), 138/udp (NetBIOS Datagram Service), 500/udp (ISAKMP), and 4500/udp (NAT-T IPSec). While these might not immediately present direct exploitation vectors, they provide valuable information about network services and potential misconfigurations that could be exploited later in the engagement. The closed ports confirm that Nmap received a
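The two inferences above (Microsoft HTTPAPI on 5985/5986/47001 on a Windows host means WinRM is probably listening; open|filtered on UDP means Nmap got no answer and the port needs follow-up rather than being counted as open) can be turned into a small triage script. This is an added example, not part of the original write-up: it parses port lines in Nmap's normal output format and the sample scan text is constructed to mirror the results shown above, so a defender can run it over their own scans to inventory exposed remote-management listeners.

```python
import re

# Constructed sample in Nmap normal-output format, modelled on the scan
# results discussed above (not a live capture).
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp open http Apache httpd 2.4.57
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
161/udp closed snmp
"""

# port/proto  state  service  [version ...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Standard WinRM listeners: HTTP (5985), HTTPS (5986) and the HTTPAPI
# default listener on 47001, as described in the text.
WINRM_PORTS = {5985, 5986, 47001}


def parse_nmap(text):
    """Return one dict per port line found in Nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5)})
    return ports


def classify(entry, windows_host):
    """Apply the page's inference rules to a single port entry."""
    if (entry["proto"] == "tcp" and entry["state"] == "open"
            and entry["port"] in WINRM_PORTS
            and "Microsoft HTTPAPI" in entry["version"] and windows_host):
        return "winrm-likely"
    if entry["proto"] == "udp" and entry["state"] == "open|filtered":
        return "udp-unconfirmed"   # no reply: open or filtered, verify later
    if entry["state"] == "closed":
        return "closed"            # RST/ICMP received, host reachable
    return "other"


def summarize(text):
    """Map 'port/proto' -> classification for a whole scan."""
    ports = parse_nmap(text)
    # The WinRM inference only holds on a Windows box; look for any
    # Windows banner elsewhere in the same scan before applying it.
    windows_host = any("Windows" in e["version"] for e in ports)
    return {f"{e['port']}/{e['proto']}": classify(e, windows_host) for e in ports}
```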