«
◀
OP-21 // SWEEP
CAMPAIGN 3 // THE GHOST PROTOCOL // PORT SCANNING
0
XP
T1
RANK
0%
DETECT
↻
RESET
0🔥
STREAK
CAMPAIGN 3 — THE GHOST PROTOCOL
PORT SCANNING // RECON // VANTAGE SYSTEMS PERIMETER
OP-21
NETWORK RECON // PORT SCANNING
SWEEP
PASSIVE VS ACTIVE · NMAP TERMINAL · SERVICE CLASSIFIER · NETWORK ARCHITECT
OPERATION SWEEP — CAMPAIGN 3 OPENER
🔌
MISSION BRIEFING
INTEL OP
Vantage Systems. Private intelligence contractor. Zurich registration. The clean corporate face of the Syndicate — Director Kane’s laundromat for every breach the crew has been chasing since Op 11. Operational infrastructure across seventeen countries. They are auctioning everything in seventy-two hours.
The target is
A legitimate security consultancy shouldn’t have fourteen services exposed on infrastructure that officially doesn’t exist. Your job: scan the perimeter. Map what they left open. The shape of this network will tell you everything about what they’re hiding.
The target is
vantage-ops.net — a domain registered through a Luxembourg shell, fronted on bulletproof iron in an Amsterdam data-haven. You have the address.A legitimate security consultancy shouldn’t have fourteen services exposed on infrastructure that officially doesn’t exist. Your job: scan the perimeter. Map what they left open. The shape of this network will tell you everything about what they’re hiding.
WHAT IS PORT SCANNING?
FEYNMAN PRIMER
Imagine someone walking through a building with many doors. They do not enter any room. They simply check which doors respond or show activity. From this, they learn which rooms are active.
🔌 Vantage Systems thought their address was secret. The address is not a lock. Once you have it, the corridor is open. They forgot to close the doors.
▶
SECURITY INFRASTRUCTURE AS A PUBLIC GOOD
“Our infrastructure is not publicly advertised for a reason. Security through obscurity is a legitimate operational choice for an organisation working at the sensitivity level Vantage operates at.”
◈ MENDAX’S ANNOTATION: “Security through obscurity. He said that at a conference.”
MENDAX — DARK CHANNEL // THE REVEAL
00:00
MENDAX
“Shadow — Kane didn’t just run the Ghost Protocol. He owned the company underneath it. Everything we’ve hit for twenty operations — NEXUS, the bank, the front companies — all reported to one parent. I finally have the name.”
MENDAX
“Vantage Systems. Private intelligence contractor. Zurich registration. Operational infrastructure across seventeen countries. NEXUS was their laundering arm — you’ve been climbing their tree the whole time without knowing it. This is the trunk.”
MENDAX
“They are auctioning everything in seventy-two hours. You have the address. Scan it.”
TARGET
nexus-internal.nexus-global.int (subnet)
IP ADDRESS
10.47.0.0/24
OS / SERVER
Mixed: Ubuntu 22.04 + Windows Server 2019
KEY SERVICES
SSH, RDP, HTTP, SMB, FTP, Telnet — mixed open ports
ATTACK SCOPE
Active port scan of full NEXUS subnet — all hosts in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand why open ports reveal exploitable attack surface
02
▶
Run a full subnet sweep and identify critical exposed services
03
○
Classify open services by severity of exposure
04
○
Identify the fix (firewall hardening + service minimisation)
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete the exploit lab. The flag appears below once Phase 2 is done. Copy and submit it here for +50 XP.
PHASE 01
RECON DECISION
CLASSIFY
MENDAX
ENCRYPTED
Before you scan anything, understand what you are choosing.
Passive recon watches traffic that already exists. You do not touch the target. No packets sent. No trace left. Like reading a newspaper about someone instead of knocking on their door.
Active recon sends packets directly to the target. The target’s systems receive them. You get answers — but you also leave evidence. Every probe has a return address.
Two scenarios below. Classify each correctly.
Passive recon watches traffic that already exists. You do not touch the target. No packets sent. No trace left. Like reading a newspaper about someone instead of knocking on their door.
Active recon sends packets directly to the target. The target’s systems receive them. You get answers — but you also leave evidence. Every probe has a return address.
Two scenarios below. Classify each correctly.
SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
02:47 UTC
> pulled vantage-ops.net from public DNS, WHOIS and cert-transparency logs — zero packets to them
> cert log leaked a forgotten host: staging.vantage-ops.net resolving to the same /24
> FOUND: a live edge block (203.0.113.0/24) advertised but never hardened
MENDAX: "Vantage told the whole internet where their doors are — certificates, DNS, registration. None of that touched their servers. But now we know where to knock. Carefully."
MENDAX — HOW THIS IS ACTUALLY DONE
LIVE
MENDAX
Passive recon told us the addresses. To learn which services are actually listening, we have to send a packet — and the moment we do, we leave a return address in their logs. nmap is the standard tool. A SYN scan half-opens each port: ask "anyone home?", note the reply, send RST before the ESTABLISHED state — leaving the port in a half-open state without completing the three-way handshake.
$ nmap -sS -sV -T2 vantage-ops.net
# -sS half-open SYN scan, -sV fingerprint each service, -T2 polite/quiet timing
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4
443/tcp open https nginx 1.14.0
8080/tcp open http Jetty 9.2.14 (admin console, unauth)
MENDAX
There it is — an old admin console wide open on 8080. That's the lead. And the defence is just as plain, Shadow: this whole map is something their IDS could flag in seconds if they were watching, and a firewall should never have exposed 8080 at all. They aren't. So first, classify what's noisy and what isn't.
► SCENARIO A — WHAT KIND OF RECON?
Shadow monitors public DNS records, WHOIS registration data, and SSL certificate transparency logs for vantage-ops.net. No connection attempt is made to any Vantage server.
✓
CORRECT — PASSIVE RECON
DNS, WHOIS, and certificate logs are public infrastructure. Reading them leaves no trace on Vantage’s systems. This is passive recon — you are listening to what is already in the air.
The trade-off: Passive recon is invisible but limited. You learn what Vantage chose to publish. What they hid, you cannot see this way. To find the fourteen services, Shadow must go active.
PHASE 02
TERMINAL COMMANDER
INTERACTIVE
Passive recon confirmed the address. Now we go active — four scan objectives, each one drilling deeper into Vantage's exposed surface. Stay quiet.
MENDAX
ENCRYPTED
You have an IP address:
You are going to find out.
nmap is a network mapping tool used by penetration testers and intelligence operatives worldwide. It sends specially crafted packets to a target and reads what comes back. An open port responds. A closed port refuses. A filtered port says nothing.
Four objectives, increasing in detail and stealth:
▪ Objective 1: Find which ports are open — the basic sweep
▪ Objective 2: Identify exact software versions on each port — your attack surface
▪ Objective 3: Fingerprint the operating system — choose your exploits
▪ Objective 4: Repeat everything — quietly. Same result, zero IDS alert.
Objective 4 is the lesson. The same information gathered loudly burns your position. Gathered quietly, Vantage never knows you were there.
Tap a flag combination below to run that scan. Complete them in order.
185.220.101.47. It resolves to vantage-ops.net — registered through a Luxembourg shell company, paid in full with cryptocurrency. No public record of what it runs.You are going to find out.
nmap is a network mapping tool used by penetration testers and intelligence operatives worldwide. It sends specially crafted packets to a target and reads what comes back. An open port responds. A closed port refuses. A filtered port says nothing.
Four objectives, increasing in detail and stealth:
▪ Objective 1: Find which ports are open — the basic sweep
▪ Objective 2: Identify exact software versions on each port — your attack surface
▪ Objective 3: Fingerprint the operating system — choose your exploits
▪ Objective 4: Repeat everything — quietly. Same result, zero IDS alert.
Objective 4 is the lesson. The same information gathered loudly burns your position. Gathered quietly, Vantage never knows you were there.
Tap a flag combination below to run that scan. Complete them in order.
► OBJECTIVES — COMPLETE IN ORDER
□ 1. Find open ports — which flag does a basic port sweep?
□ 2. Which flag reads the software version on each open port?
□ 3. Which flag fingerprints the operating system?
□ 4. Run everything — quietly. No IDS alert. Pick the right combo.
MISSION OBJECTIVEFour scan objectives in sequence: find open ports, identify service versions, fingerprint the OS, then repeat the full scan quietly with no IDS alert. Pick the correct nmap flag combination for each objective.
► TARGET: vantage-ops.net // 185.220.101.47
Choose the right flag combination below to run each scan.
Wrong choice = feedback. Right choice = output. Learn by doing.
Choose the right flag combination below to run each scan.
Wrong choice = feedback. Right choice = output. Learn by doing.
► OBJECTIVE 1: Which flag finds open ports?
Objective 1 of 4 — choose the right flag
💡 MENDAX — ACTIVE HINT
Start with -sS for a basic SYN scan to find open ports.
✓
TERMINAL COMMANDER — ALL OBJECTIVES COMPLETE
Fourteen services mapped. Service versions fingerprinted. OS identified. Stealth scan completed without triggering the IDS.
Key lesson:
Holt’s “security through obscurity” failed the moment someone looked.
Key lesson:
-T2 -D RND:5 is the difference between a loud knock and a whisper. Same information. Vantage’s IDS saw noise, not a scan.Holt’s “security through obscurity” failed the moment someone looked.
Why timing matters: Aggressive scans (-T4, -T5) send thousands of packets per second. IDS signatures catch the pattern. Slow scans (-T1, -T2) spread probes over minutes — they look like normal internet noise. Decoys (-D) fake source addresses, making attribution impossible.
PHASE 03
SERVICE FINGERPRINT CLASSIFIER
CLASSIFY
Fourteen services mapped — quietly. Now we sort them. Not every open port is a door worth kicking. Find the high-value targets and the entry points before we move to Op 22.
MENDAX
ENCRYPTED
Fourteen services. The scan returned all of them.
Your job: classify each one. Three categories:
▪ HIGH-VALUE TARGET — credentials, data, or admin access
▪ LOW-VALUE — no useful attack surface
▪ ENTRY POINT — exploitable path into the network
Think like an attacker. Not every open port is interesting. Some are traps. Some are treasure.
Your job: classify each one. Three categories:
▪ HIGH-VALUE TARGET — credentials, data, or admin access
▪ LOW-VALUE — no useful attack surface
▪ ENTRY POINT — exploitable path into the network
Think like an attacker. Not every open port is interesting. Some are traps. Some are treasure.
MISSION OBJECTIVEFourteen services returned from the sweep. Classify each one: HIGH-VALUE TARGET, LOW-VALUE, or ENTRY POINT. Correctly classify all 14 to complete the port map and move to network defence.
Classified: 0 / 14
✓
14 SERVICES CLASSIFIED — PORT MAP COMPLETE
Shadow sends the full port map to MENDAX.
MENDAX: “Fourteen services. They never expected anyone to look. Begin Op 22.”
High-value targets: database ports, admin panels, and the SSH service tell the story. Vantage runs surveillance infrastructure — the database ports are where the collected data lives.
Entry points: The outdated FTP, telnet, and the backup node on 8443 are the doors left unlocked.
MENDAX: “Fourteen services. They never expected anyone to look. Begin Op 22.”
High-value targets: database ports, admin panels, and the SSH service tell the story. Vantage runs surveillance infrastructure — the database ports are where the collected data lives.
Entry points: The outdated FTP, telnet, and the backup node on 8443 are the doors left unlocked.
The backup node on port 8443: Running older software. Less hardened than primary. MENDAX has noted it. This is where Op 22 begins.
PHASE 04
NETWORK ARCHITECT
DEFENSE
Fourteen services. All of them visible. Vantage thought the address was enough. One final question before we close: which network configuration would have made this scan return nothing?
MENDAX
ENCRYPTED
Fourteen services found. None should have been visible.
Three network configurations below. One would have hidden every service from the scan. The other two would have failed.
Pick the configuration that would have stopped you.
Three network configurations below. One would have hidden every service from the scan. The other two would have failed.
Pick the configuration that would have stopped you.
MISSION OBJECTIVEThree network configurations below. One would have made all 14 services invisible to our scan. The other two would have failed. Select the configuration that stops Operation SWEEP cold.
A
FIREWALL WITH REJECT RULES
All incoming traffic blocked by a firewall. Unauthorised connection attempts receive an explicit
REJECT response: “Connection refused.” Services run normally behind the firewall.B
FIREWALL WITH DROP RULES + NETWORK SEGMENTATION
All incoming traffic silently
DROPped — no response at all. Services moved to isolated internal network segments with no direct internet route. No port responds. No banner exposed. The scanner receives silence.C
VPN-GATED ACCESS ONLY
All services require an authenticated VPN connection before any port is reachable. External scanning reaches only the VPN endpoint. Nothing behind it is visible without valid credentials.
💡 MENDAX — HINT (−20 XP)
A REJECT response tells the scanner a port exists — just blocked. A DROP response gives the scanner nothing to see. Think about what silence looks like to nmap versus a “connection refused” message.
🔌
OPERATION 21 — COMPLETE
SWEEP — SUCCESS
VANTAGE SYSTEMS PERIMETER MAPPED
+0
XP EARNED THIS OPERATION
14 services mapped. Vantage Systems runs surveillance infrastructure across seventeen countries on servers they believe are invisible. They are not invisible. They are merely unaddressed.
The backup node on port 8443 runs older software — less hardened than primary. If the primary node were disrupted, Vantage fails over automatically. The auction platform connects through the backup during failover.
Marcus Holt’s security through obscurity failed on first contact. The address was private. The services were open. Every door was unlocked.
The backup node on port 8443 runs older software — less hardened than primary. If the primary node were disrupted, Vantage fails over automatically. The auction platform connects through the backup during failover.
Marcus Holt’s security through obscurity failed on first contact. The address was private. The services were open. Every door was unlocked.
MENDAX — DARK CHANNEL // POST-SWEEP
00:18
MENDAX
“Fourteen services. They never expected anyone to look. Begin Op 22.”
00:18 — DARK CHANNEL // SHADOW + MENDAX
SHADOW
Port 8443. Backup communications node. Running older software.
MENDAX
The backup node. They fall back to it if the primary is disrupted. We need them on the primary. Disrupt the backup.
SHADOW
How?
MENDAX
Op 22. FLOOD GATE. Move.
DEBRIEF — REFLECTION QUESTION
The scan revealed 14 services across infrastructure the target believed was private. What is the difference between keeping an address secret and keeping a service hardened?
► INTEL — OP-21 // SWEEP
NEXUS Internal Network — 10.10.10.0/24
Classification: TOP SECRET // Campaign 3 Ghost Protocol
MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
Internal recon maps the attack surface. NMAP TCP SYN scan, service version detection, and OS fingerprinting on the target subnet establishes the full picture of exploitable services.
📓
OWASP CLASSIFICATION
INTELNetwork recon: port scanning identifies open services and their versions. Each open port is a potential attack vector.
⚖
GLOSSARY TERMS: Port Scanning, NMAP, SYN Scan, Service Enumeration, OS Fingerprinting, Banner Grabbing. All terms auto-logged to your Field Manual.
SIGMA-9 ACADEMY
OPERATION 21 // PORT SCANNING // COMPLETE REFERENCE
◈ WHAT IS PORT SCANNING?
Every computer on a network has 65,535 numbered doors called ports. Each port is a channel for a specific type of service — port 80 for web traffic, port 22 for SSH, port 443 for HTTPS. Port scanning means knocking on every door and noting which ones open.
nmap (Network Mapper) is the standard tool for this. It sends carefully constructed packets and interprets the responses. An open port replies. A closed port says “not here.” A filtered port says nothing at all.
In Operation SWEEP, the scan revealed fourteen services running on infrastructure Vantage believed was private. They confused address privacy with service security. These are completely different things.
◈ THE NMAP FLAG SYSTEM
1
-sS (SYN scan): Sends a SYN packet and waits for SYN-ACK. Never completes the TCP handshake. Fast, quiet, and the most common scan type.
2
-sV (version detection): Probes open ports to identify exact software versions. Louder than -sS but gives you the CVE attack surface.
3
-O (OS detection): Sends specific probes to fingerprint the operating system from response patterns. Very useful for selecting the right exploit.
4
-T0 to -T5 (timing): Controls speed. -T0 is paranoid-slow (one probe every five minutes). -T5 is insane-fast. -T2 looks like background internet noise.
5
-D RND:5 (decoys): Generates five random fake source IPs. The IDS logs all six sources and cannot determine which is real. Attribution becomes impossible.
◈ WHY DROP IS SAFER THAN REJECT
✗ REJECT: The firewall sends a TCP RST or ICMP unreachable back. nmap receives confirmation: “a service exists here, just blocked.” The port is still visible — just unreachable.
✓ DROP: The firewall silently discards the packet. No response. nmap marks the port as “filtered” — which, from outside, looks identical to a port that does not exist. The service is invisible.
Combined with network segmentation (moving services off the routable internet entirely), DROP rules make a host effectively invisible to external scanning. Vantage had neither. Their firewall rejected rather than dropped, and their services were directly internet-routable.
❓
FIELD QUESTIONS — OPERATION SWEEP
What is the difference between a SYN scan and a full connect scan?
A SYN scan sends a SYN packet and stops. If it gets SYN-ACK back, the port is open — but nmap sends RST before completing the handshake. No full connection is logged by the target application. A full connect scan completes the three-way handshake (SYN → SYN-ACK → ACK). The target application logs a real connection. Full connect scans are louder and leave evidence in application logs, not just firewall logs.
What does nmap show if a port is filtered vs closed?
Closed: The host responds with a TCP RST. nmap knows the port exists but is not in use. Filtered: No response, or an ICMP unreachable message. nmap cannot determine if a service is running. From the attacker’s perspective, filtered ports are more interesting than closed ones — something is blocking the probe, which suggests something worth protecting may be behind it.
How does service version detection (-sV) work?
nmap connects to open ports and collects the service banner — the text a service sends when you first connect to it. For example, an SSH server might say
SSH-2.0-OpenSSH_7.4. nmap matches this against a database of thousands of known service signatures. The result: exact software name and version, which maps directly to a list of known vulnerabilities (CVEs).What is security through obscurity and why does it fail?
Security through obscurity means relying on secrecy of design or location instead of genuine hardening. Vantage kept their IP address private — but the services were still open and responding. Once an attacker has the address (through any means: OSINT, DNS leaks, third-party exposure), all fourteen services are immediately visible. Real security: assume the address will be discovered. Harden the services as if the address is public. Drop-rule firewalls and network segmentation work whether the address is known or not.
What is the backup node on port 8443 and why does it matter?
The backup communications node runs older, less-patched software than the primary. Vantage patched their primary infrastructure and forgot the backup. This is a classic enterprise failure: the primary gets hardened; the failover doesn’t. The backup node is where Vantage’s auction platform connects during a failover event. If Shadow can force a failover (Op 22 — Denial of Service), the auction platform lands on weaker infrastructure. Then the real work begins.
REAL-WORLD TOOLS — RECON & SCANNING
WHAT PROFESSIONALS USE
🔍
Nmap
FREE / OPEN SOURCE
The standard port and service scanner. SYN scan with version detection maps exposed services on an authorised target.
nmap -sS -sV -T2 target.example
🌐
Amass
FREE / OPEN SOURCE
Passive asset discovery from public DNS, certificate transparency and WHOIS — recon that touches no packets of the target.
amass enum -passive -d example.com
🛡
Nessus / OpenVAS
FREE TIER
Vulnerability scanners that flag exposed and misconfigured services so defenders can close them before attackers find them.
openvas-cli -T target.example
LEAVE MISSION?
Progress is saved. You can resume from the mission select screen at any time.
RESET MISSION?
This wipes all progress for this operation only. XP in other operations is unaffected.
ARE YOU SURE?
Final confirmation -- all progress for this operation will be permanently erased.