Grepping for Gold Challenge - 2021 SANS Holiday Hack Challenge

3 minute read

In this task, we have to search through a giant file that was created using nmap -oG.

Play the 2021 SANS Holiday Hack Challenge

We’re greeted with the following instructions at the top of the terminal:

Howdy howdy!  Mind helping me with this homew- er, challenge?
Someone ran nmap -oG on a big network and produced this bigscan.gnmap file.
The quizme program has the questions and hints and, incidentally,
has NOTHING to do with an Elf University assignment. Thanks!

Answer all the questions in the quizme executable:
- What port does 34.76.1.22 have open?
- What port does 34.77.207.226 have open?
- How many hosts appear "Up" in the scan?
- How many hosts have a web port open?  (Let's just use TCP ports 80, 443, and 8080)
- How many hosts with status Up have no (detected) open TCP ports?
- What's the greatest number of TCP ports any one host has open?

Check out bigscan.gnmap and type quizme to answer each question.

Note: the -oG flag in nmap specifies the output to be formatted in a way that makes grepping through it easier.

What port does 34.76.1.22 have open?

Let’s just cat out the file and grep for the ip address to see what we get:

cat bigscan.gnmap | grep 34.76.1.22

the output looks like this:

Host: 34.76.1.22 ()     Status: Up
Host: 34.76.1.22 ()     Ports: 62078/open/tcp//iphone-sync///      Ignored State: closed (999)

We can see that only port 62078 is open.

Answer: 62078

we can submit this answer by running quizme in the console.

What port does 34.77.207.226 have open?

Let’s run that same command, but with this new IP:

cat bigscan.gnmap | grep 34.77.207.226

output:

Host: 34.77.207.226 ()     Status: Up
Host: 34.77.207.226 ()     Ports: 8080/open/tcp//http-proxy///      Ignored State: filtered (999)

This time port 8080 is open

Answer: 8080

How many hosts appear “Up” in the scan?

Now we have to count the total number of occurences of something using grep. For this we can use the -c flag.

cat bigscan.gnmap | grep -c 'Status: Up'

output:

26054

Answer: 26054

How many hosts have a web port open? (Let’s just use TCP ports 80, 443, and 8080)

For this, we’ll use a regular expression to search for either 80, 443, or 8080, followed by /open and count the results.

cat bigscan.gnmap | grep -c -E '(80|443|8080)/open'

output:

14372

Answer: 14372

How many hosts with status Up have no (detected) open TCP ports?

We already know from the 3rd question how many hosts we have that are up (26054), so all we need to figure out is how many hosts have some port open. Then we just do this:

\[TotalHosts - HostsWithOpenPorts = HostsWithNoOpenPorts\]

to find the number of hosts with open ports, we can just find the number of lines where /open appears

cat bigscan.gnmap | grep -c '/open'

output:

25652

therefore: \(HostsWithNoOpenPorts = 26054 - 25652 = 402\)

Answer: 402

What’s the greatest number of TCP ports any one host has open?

This one was a bit trickier. It’s tough to get grep to do this just on its own. I ended up doing it the “dumb” way. (Although if it’s dumb and it works, is it really dumb?)

I ended up creating a bash script for this:

max=0
cat bigscan.gnmap | while read line
        do
                temp=$( echo $line | grep -o '/open' | wc -l)
                if (($temp>$max))
                        then
                                max=$temp
                                echo $max
                fi
        done

basically what it does is feed the file line-by-line into grep, which then counts the total number of occurences in that line and stores that in a temporary variable. It then compares that to the current maximum. If it is greater than the current max, it changes the max and prints it out.

Putting this all into one line so we can just copy it into the terminal:

max=0; cat bigscan.gnmap | while read line; do  temp=$( echo $line | grep -o '/open' | wc -l); if (($temp>$max)); then max=$temp; echo $max; fi; done

Running it in the terminal yeilds the following output:

5
6
9
10
11
12

12 is the last maximum it spit out, so that is our answer.

This takes a while to run, but it works.

Answer: 12

Updated: