🔍 OverTheWire Bandit Level 17: Port Scanning with nmap and Finding SSL Services

Level 17 introduces port scanning—a fundamental skill in network reconnaissance. Instead of connecting to a known port, you'll need to discover which ports are open and which service is the right one. This teaches you how to systematically explore network services and identify the correct target.

Level 17 teaches you:

• Using nmap for port scanning
• Scanning port ranges efficiently
• Identifying SSL services
• Distinguishing between different service types
• Retrieving SSH keys from network services

This level combines network reconnaissance (finding open ports) with service interaction (connecting to the right service). This is real-world penetration testing—you'll constantly need to scan networks and identify services.

---

🎯 The Objective

After logging into bandit16, your goal is to find the credentials for Level 17. The credentials are retrieved by submitting the password of the current level (bandit16) to a port on localhost in the range 31000 to 32000.

What Level 17 teaches:

• Port scanning with nmap
• Identifying open ports in a range
• Distinguishing SSL from plaintext services
• Finding the correct service among multiple options
• Retrieving SSH private keys from services

The challenge: There are multiple ports open in the range 31000-32000. Most will just echo back what you send them. Only one port will give you the SSH key for the next level. You need to find which port is the right one.

---

🔍 Understanding the Problem

Let's start by connecting to Level 16 and seeing what we're dealing with:

sshpass -p `cat bandit16` ssh bandit16@bandit.labs.overthewire.org -p 2220

Once connected, you need to:

1. Find which ports in the range 31000-32000 are open
2. Identify which ports use SSL and which don't
3. Test the ports to find the one that gives credentials
4. Submit the bandit16 password to get an SSH key
5. Use that SSH key to access bandit17

The problem: How do you efficiently scan 1000 ports (31000-32000) to find the right service?

The answer: Use nmap to scan the port range, identify open ports, then test them systematically.

---

🧠 Understanding Port Scanning

Let's dive deeper into port scanning, because it's a core penetration testing skill:

What Is Port Scanning?

Port scanning is the process of:

• Discovering open ports — Which ports are listening for connections
• Identifying services — What services are running on those ports
• Gathering information — Service versions, banners, protocols

Why it matters: Before you can attack a service, you need to know it exists. Port scanning is the first step in network reconnaissance.

Why Use nmap?

nmap (Network Mapper) is the industry-standard port scanner:

• Fast — Efficient scanning algorithms
• Comprehensive — Many scanning options
• Informative — Service detection and version detection
• Flexible — Can scan ranges, specific ports, or entire networks

For Level 17: We use nmap to scan ports 31000-32000 and identify which ones are open.

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 16

sshpass -p `cat bandit16` ssh bandit16@bandit.labs.overthewire.org -p 2220

Step 2: Scan the Port Range

First, scan the port range to find open ports:

nmap -sC -p 31000-32000 localhost

Breaking this down:

• nmap — Network mapper (port scanner)
• -sC — Default script scan (runs common scripts)
• -p 31000-32000 — Port range to scan
• localhost — Target host (the same machine)

What this does: Scans ports 31000-32000 and identifies which ones are open. This narrows down the list from 1000 ports to just a few open ones.

What you'll see: A list of open ports. It might look something like:

PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Step 3: Identify Service Types

Now scan the open ports with service version detection:

nmap -sV -p 31046,31518,31691,31790,31960 localhost

Breaking this down:

• -sV — Service version detection (identifies what's running)
• -p 31046,31518,31691,31790,31960 — Specific ports to scan (use the ports you found in step 2)
• localhost — Target host

What this does: Identifies what services are running on the open ports. This helps you find which port uses SSL.

What you'll see: Service information for each port. Look for one that shows "SSL" or "ssl/unknown". For example:

PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo

Key finding: Port 31790 shows "ssl/unknown" — this is likely the SSL service you need!

Step 4: Test the SSL Port

Connect to the SSL port (31790 in this example) using OpenSSL:

openssl s_client -connect localhost:31790

Breaking this down:

• openssl s_client — SSL client (for encrypted connections)
• -connect localhost:31790 — Connect to port 31790

What you'll see: SSL certificate information will scroll by. After it stops, the service is ready for input.

Important: Just like previous levels, there's no prompt—the service is waiting for you to send the password.

Step 5: Submit the Password

Get the current level's password and submit it:

cat /etc/bandit_pass/bandit16

Then type that password and press Enter in the OpenSSL connection.

Alternative (automated):

cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -ign_eof

What you'll see: If you connected to the correct port, you'll receive an SSH private key. It will look like:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

Step 6: Save the SSH Key

Copy the entire private key (from -----BEGIN to -----END) and save it to a file on your local machine:

On Linux/macOS:

# Create the file and paste the key
nano bandit17
# Or use your preferred editor

On Windows (PowerShell):

# Create the file and paste the key
notepad bandit17

Important: Make sure to include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines!

Step 7: Set Proper Permissions

Set the correct permissions on the key file:

chmod 600 bandit17

Why: SSH requires private keys to have restrictive permissions (600 = read/write for owner only).

Step 8: Use the SSH Key to Connect

Now use the SSH key to connect to bandit17:

ssh -i bandit17 bandit17@bandit.labs.overthewire.org -p 2220

Breaking this down:

• ssh -i bandit17 — Use the private key file bandit17
• bandit17@bandit.labs.overthewire.org — User and host
• -p 2220 — Port number

What you'll see: You should be logged in as bandit17 without being prompted for a password!

Step 9: Read the Password

Once logged in as bandit17, read the password:

cat /etc/bandit_pass/bandit17

Copy this password and save it to your local machine for future use.

---

💡 Understanding nmap Options

Let's dive deeper into the nmap options used:

-sC (Default Script Scan)

What it does:

• Runs default scripts against discovered services
• Provides additional information about services
• Helps identify service types

Example:

nmap -sC -p 31000-32000 localhost

-sV (Service Version Detection)

What it does:

• Probes services to determine version
• Identifies service types (SSL, echo, etc.)
• Provides detailed service information

Example:

nmap -sV -p 31046,31518,31691,31790,31960 localhost

Port Range Syntax

Range:

-p 31000-32000

Specific ports:

-p 31046,31518,31790

For Level 17: We use a range first to find open ports, then specific ports for detailed scanning.

---

🛠️ Alternative Methods

Here are different ways to find and test the ports:

Method 1: Two-Step nmap Scan (Recommended)

# Step 1: Find open ports
nmap -sC -p 31000-32000 localhost

# Step 2: Identify services
nmap -sV -p <open_ports> localhost

# Step 3: Connect to SSL port
openssl s_client -connect localhost:31790

Pros: Efficient, systematic, identifies SSL services Cons: Requires two scans

Method 2: Single Comprehensive Scan

nmap -sC -sV -p 31000-32000 localhost

Pros: One command, comprehensive Cons: Slower, more output to parse

Method 3: Manual Port Testing

# Test each port manually
nc localhost 31046
openssl s_client -connect localhost 31518
# ... test each port

Pros: Simple, no nmap needed Cons: Very slow, tedious

For Level 17, use Method 1 — it's the most efficient and teaches you valuable reconnaissance skills.

---

🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, port scanning is fundamental:

1. Network Reconnaissance

Discovering what's running on target networks:

• Finding open ports
• Identifying services
• Mapping network topology

Example: Scanning a target network:

nmap -sC -sV 192.168.1.0/24

2. Service Identification

Identifying services for targeted attacks:

• Finding web servers
• Locating database servers
• Discovering custom services

Example: Identifying services:

nmap -sV -p- target.com

3. SSL/TLS Detection

Finding encrypted services:

• HTTPS websites
• Encrypted APIs
• Secure services

Example: Finding SSL services:

nmap -sV --script ssl-enum-ciphers -p 443,8443 target.com

4. Port Range Scanning

Scanning specific port ranges:

• Common service ports
• Custom application ports
• High-numbered ports

Example: Scanning custom port range:

nmap -p 8000-9000 target.com

5. Echo Service Testing

Testing echo services (common in CTFs):

• Services that echo back input
• Testing connectivity
• Identifying service types

Example: Testing echo service:

echo "test" | nc target.com 7

The skill you're learning: How to systematically scan networks and identify services. This is essential when:

• Performing network reconnaissance
• Identifying attack surfaces
• Finding vulnerable services
• Mapping network infrastructure
• Discovering custom applications

---

🚨 Common Mistakes

Mistake 1: Scanning All Ports Manually

Wrong:

nc localhost 31000
nc localhost 31001
nc localhost 31002
# ... 1000 ports later

Right:

nmap -sC -p 31000-32000 localhost
# Scans all ports efficiently

Why: Manual scanning is extremely slow. nmap is designed for this and is much faster.

Mistake 2: Not Identifying SSL Services

Wrong:

nc localhost 31790
# Tries plaintext connection to SSL service

Right:

openssl s_client -connect localhost:31790
# Uses SSL for encrypted service

Why: SSL services need openssl s_client, not plain netcat. Use nmap -sV to identify which ports use SSL.

Mistake 3: Testing Wrong Ports

Wrong:

# Tests echo services that just echo back
echo "password" | nc localhost 31046
# Gets password echoed back, thinks it's wrong

Right:

# Finds SSL service first, then tests it
nmap -sV -p 31000-32000 localhost
# Identifies SSL port, then connects

Why: Most ports are echo services that just echo back what you send. Only the SSL port gives credentials. Use nmap -sV to identify the SSL service.

Mistake 4: Not Saving the Complete SSH Key

Wrong:

# Saves only part of the key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
# Missing the END line

Right:

# Saves complete key with BEGIN and END lines
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

Why: SSH requires the complete key including BEGIN and END markers. Missing parts will cause authentication to fail.

Mistake 5: Wrong Key Permissions

Wrong:

ssh -i bandit17 bandit17@bandit.labs.overthewire.org -p 2220
# Error: Permissions too open

Right:

chmod 600 bandit17
ssh -i bandit17 bandit17@bandit.labs.overthewire.org -p 2220
# Works!

Why: SSH requires private keys to have 600 permissions (read/write for owner only). This is a security feature.

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Scan a port range:

   nmap -sC -p 31000-31010 localhost
   # Scans small range for practice
   

2. Identify services:

   nmap -sV -p 22,80,443 localhost
   # Identifies common services
   

3. Test SSL connection:

   openssl s_client -connect localhost:443
   # Tests HTTPS (if available)
   

4. Save and use SSH key:

   chmod 600 test_key
   ssh -i test_key user@host
   

---

🎓 Understanding Port Scanning Techniques

This is a good time to understand different scanning techniques:

TCP Connect Scan

Basic connection scan:

nmap -sT target

What it does: Completes full TCP handshake

SYN Scan (Stealth)

Half-open scan:

nmap -sS target

What it does: Sends SYN, doesn't complete handshake (requires root)

Service Detection

Identify services:

nmap -sV target

What it does: Probes services to determine versions

For Level 17: We use default scans (-sC) and service detection (-sV) to find and identify services.

---

🔗 What's Next?

Level 18 introduces password file permissions—understanding how file permissions work and how to read files you don't have direct access to. You'll learn about SUID binaries and privilege escalation techniques.

Before moving on, make sure you:

• ✅ Successfully used nmap to scan port ranges
• ✅ Can identify SSL services with nmap -sV
• ✅ Know how to connect to SSL services with openssl s_client
• ✅ Can save and use SSH private keys
• ✅ Understand the difference between echo services and credential services

---

📚 Key Takeaways

After completing Level 17, you should understand:

1. Port scanning — Using nmap to discover open ports
2. Service identification — Using -sV to identify service types
3. SSL detection — Finding SSL services in scan results
4. SSH key retrieval — Getting SSH keys from network services
5. Systematic approach — Scanning ranges, then testing specific ports

---

🎯 Quick Reference

Problem	Solution	Example
Scan port range	Use nmap -sC	nmap -sC -p 31000-32000 localhost
Identify services	Use nmap -sV	nmap -sV -p <ports> localhost
Connect to SSL	Use openssl s_client	openssl s_client -connect localhost:31790
Save SSH key	Include BEGIN/END	Save complete key with markers
Set key permissions	Use chmod 600	chmod 600 keyfile

---

Questions about Level 17 or port scanning with nmap? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice