TryHackMe: Nmap room

Mansoor Barri
8 min readJan 2, 2022


Room - https://tryhackme.com/room/furthernmap

Nmap is one of the most widely used tools in penetration testing, and it is excellent. Nmap (Network Mapper) is usually used to find which ports on a host are open and which services are listening on them. This TryHackMe room is a beginner's guide to understanding and getting started with Nmap.

Task 1: No answer needed

Task 2:

Question 1- What networking constructs are used to direct traffic to the right application on a server?

Ports

Question 2- How many of these are available on any network-enabled computer?

65535

Question 3- [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)

1024

Task 3:

Question 1- What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?

[Command to use: nmap -h | grep 'SYN']

Image: output of the command

-sS

Question 2- Which switch would you use for a "UDP scan"?

[Command to use: nmap -h | grep 'UDP']

Image: output of the command

-sU

Question 3- If you wanted to detect which operating system the target is running on, which switch would you use?

[Command to use: nmap -h | grep 'OS']

Image: output of the command

-O

Question 4- Nmap provides a switch to detect the version of the services running on the target. What is this switch?

[Command to use: nmap -h | grep 'service']

Image: output of the command

-sV

Question 5- The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

[Command to use: nmap -h | grep 'verbosity']

Image: output of the command

-v

Question 6- Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)

[Command to use: nmap -h | grep 'verbosity']

Image: output of the command

-vv

Question 7- What switch would you use to save the nmap results in three major formats?

[Command to use: nmap -h | grep 'Output']

Image: output of the command

-oA

Question 8- What switch would you use to save the nmap results in a "normal" format?

[Command to use: nmap -h | grep 'normal']

Image: output of the command

-oN

Question 9- A very useful output format: how would you save results in a "grepable" format?

[Command to use: nmap -h | grep 'Output']

Image: output of the command

-oG

Question 10- How would you activate this setting?

[Command to use: nmap -h | grep 'OS']

Image: output of the command

-A

Question 11- How would you set the timing template to level 5?

[Command to use: nmap -h | grep 'timing']

Image: output of the command

-T5

Question 12- How would you tell nmap to only scan port 80?

[Command to use: nmap -h | grep 'port']

Image: output of the command

-p 80

Question 13- How would you tell nmap to scan ports 1000–1500?

-p 1000-1500

Question 14- How would you tell nmap to scan all ports?

-p-

Question 15- How would you activate a script from the nmap scripting library (lots more on this later!)?

[Command to use: nmap -h | grep 'script']

Image: output of the command

--script

Question 16- How would you activate all of the scripts in the "vuln" category?

[Command to use: nmap -h | grep 'script']

Image: output of the command

--script=vuln

Task 4: No answer needed

Task 5:

Question 1- Which RFC defines the appropriate behaviour for the TCP protocol?

Answer is provided in the source

Image of the source

RFC 793

Question 2- If a port is closed, which flag should the server send back to indicate this?

Answer is provided in the source

Image of the source

RST

Task 6:

Question 1- There are two other names for a SYN scan, what are they?

Answer is given in the source

Image of the source

Half-Open, Stealth

Question 2- Can Nmap use a SYN scan without Sudo permissions (Y/N)?

Answer is given in the source

Image of the source

N

Task 7:

Question 1- If a UDP port doesn't respond to an Nmap scan, what will it be marked as?

Answer is given in the source

Image of the source

open|filtered

Question 2- When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Answer is given in the source

Image of the source

ICMP

Task 8:

Question 1- Which of the three shown scan types uses the URG flag?

Answer is given in the source

Image of the source

xmas

Question 2- Why are NULL, FIN and Xmas scans generally used?

Answer is given in the source

Image of the source

firewall evasion

Question 3- Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Answer given in the source

Image of the source

Microsoft Windows

Task 9:

Question 1- How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Answer given in the source

nmap -sn 172.16.0.0/16

Task 10:

Question 1- What language are NSE scripts written in?

Answer given in the source

Image of the source

Lua

Question 2- Which category of scripts would be a very bad idea to run in a production environment?

Answer given in the source

Image of the source

intrusive

Task 11:

Question 1- What optional argument can the ftp-anon.nse script take?

Answer is given in another resource linked from the task source

Image of the other resource

maxlist

Task 12:

Question 1-What is the filename of the script which determines the underlying OS of the SMB server?

[Command used: cd /usr/share/nmap/scripts && ls | grep 'os']

Image: output of the command

smb-os-discovery.nse

Question 2- Read through this script. What does it depend on?

[Command used: cat smb-os-discovery.nse | grep 'depend']

Image: output of the command

smb-brute
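The two answers above (which category a script belongs to, and what it depends on) come straight from the header lines of each .nse file, so they can be pulled out with a couple of small shell functions instead of grepping by hand. The script below is an added example, not part of the room or of this writeup; the two .nse files it writes are constructed stand-ins that copy the header layout of the real scripts (not the real files), so it runs offline. Against a real install, point the functions at nmap's script directory instead.

```shell
#!/bin/sh
# Added example: read NSE script metadata (categories, dependencies) straight
# from the .nse headers. The two scripts written by sample_nse_dir are
# constructed stand-ins with the same header layout as the real ones.

# Print the values of a header field such as
#   categories = {"default", "discovery", "safe"}
# as a comma-separated list. Usage: nse_field <field> <file>
# (Matches the "name = {...}" form the stock scripts use.)
nse_field() {
  awk -v key="$1" '$1 == key && $2 == "=" {
    s = $0
    sub(/^[^{]*[{]/, "", s)   # drop everything up to the opening brace
    sub(/[}].*$/, "", s)      # drop the closing brace and anything after it
    gsub(/[" ]/, "", s)       # strip quotes and spaces -> default,discovery,safe
    print s
  }' "$2"
}

# List the scripts in a directory whose categories include <category>,
# e.g. every "intrusive" script you must not run against production.
# Usage: nse_in_category <category> <dir>
nse_in_category() {
  for f in "$2"/*.nse; do
    case ",$(nse_field categories "$f")," in
      *,"$1",*) basename "$f" ;;
    esac
  done
}

# Constructed sample scripts (not the real files) so the functions run offline.
sample_nse_dir() {
  d=$(mktemp -d)
  cat > "$d/smb-os-discovery.nse" <<'EOF'
description = [[ Constructed sample: determine the OS over SMB. ]]
categories = {"default", "discovery", "safe"}
dependencies = {"smb-brute"}
EOF
  cat > "$d/smb-brute.nse" <<'EOF'
description = [[ Constructed sample: guess SMB credentials. ]]
categories = {"brute", "intrusive"}
EOF
  printf '%s\n' "$d"
}

# On a real install use the nmap script directory instead:
#   nse_in_category intrusive /usr/share/nmap/scripts
#   nse_field dependencies /usr/share/nmap/scripts/smb-os-discovery.nse
dir=$(sample_nse_dir)
echo "smb-os-discovery depends on: $(nse_field dependencies "$dir/smb-os-discovery.nse")"
echo "intrusive scripts: $(nse_in_category intrusive "$dir")"
rm -r "$dir"
```

The dependency matters in practice: a script listed under dependencies is run first when you select the dependent script, so asking for smb-os-discovery on an installed copy also pulls in smb-brute. nmap itself can show the description and categories of a script with `nmap --script-help smb-os-discovery`, which is the quickest check before running anything.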

Task 13:

Question 1- Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

Answer given in source

Image of the source
Image of the source

ICMP

Question 2- [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

--data-length

Task 14:

Question 1- Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?

[Command used: nmap MACHINE_IP]

Image: command used and its output

Without -Pn, nmap runs host discovery first; when the target does not answer the probes it reports "Host seems down. If it is really up, but blocking our ping probes, try -Pn" and scans nothing, which is what happens here.

N

Question 2- Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?

[Command used: sudo nmap -Pn -sX -vv -p 1-999 MACHINE_IP]

Image: command used and its output

Explanation:

  • sudo is needed because an Xmas scan crafts raw TCP packets, which requires root privileges
  • -Pn skips host discovery, because the previous question showed the target does not answer ICMP
  • -sX selects the Xmas scan (FIN, PSH and URG flags set)
  • -vv sets verbosity level 2, which the room recommends
  • -p 1-999 limits the scan to the first 999 ports; since nothing sends a RST back, every one of them is reported as open|filtered

999

Question 3- Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?

[Command used: sudo nmap -Pn -sS -vv -p 1-5000 MACHINE_IP]

Explanation:

  • sudo is needed because a TCP SYN scan requires root privileges (without it nmap falls back to a full TCP connect scan, -sT)
  • -Pn skips host discovery, because the target does not answer ICMP
  • -sS selects the TCP SYN (half-open) scan
  • -p 1-5000 limits the scan to the first 5000 ports, as the question asks

5

Question 4- Open Wireshark (see Cryillic's Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on.

No answer needed

Question 5-Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

[Command used: nmap -Pn -sV -sC MACHINE_IP]

Explanation:

  • -Pn skips host discovery, because the target does not answer ICMP
  • -sV probes the open ports to determine the service and version running on each
  • -sC runs the default NSE script set, which includes ftp-anon; on success the script reports "Anonymous FTP login allowed" under port 21

Y
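The output switches from Task 3 (-oA, -oN, -oG) and the Task 14 scan sequence fit together in the script below. It is an added example, not code from the room or from this writeup: it runs the Task 14 scans with -oA so every result is saved, then answers the "how many ports are open / open|filtered" questions by parsing the grepable .gnmap file instead of counting by eye. The target (passed as a TARGET variable standing in for MACHINE_IP), the output basenames and the embedded .gnmap excerpts are assumptions and constructed data. It goes one step beyond the writeup by also reading the "Ignored State" field, which is where nmap keeps the count of ports in the most common state rather than listing them one by one.

```shell
#!/bin/sh
# Added example (not from the room or the author's writeup): run the Task 14
# scans with -oA so each result is saved, then answer "how many ports are
# open / open|filtered" from the grepable (.gnmap) file. The target, the
# output basenames and the sample .gnmap lines are assumptions/constructed.

# Parse -oG output on stdin and print one line per open port:
#   <host> <port>/<proto> <service> <version>
# Fields on a "Host:" line are tab-separated; each entry in "Ports:" is
# port/state/proto/owner/service/rpcinfo/version/ and entries are ", "-separated.
open_ports() {
  awk -F'\t' '/^Host:/ {
    split($1, h, " "); host = h[2]
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
      n = split(substr($i, 8), p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }
  }'
}

# Count ports in a given state, e.g. count_state "open|filtered" < xmas.gnmap.
# nmap lists only the ports that are NOT in the most common state; that state
# and its count appear as "Ignored State: <state> (N)" and must be added back.
count_state() {
  awk -F'\t' -v want="$1" '/^Host:/ {
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), p, ", ")
        for (j = 1; j <= n; j++) { split(p[j], f, "/"); if (f[2] == want) total++ }
      } else if ($i ~ /^Ignored State: /) {
        split($i, s, " ")                      # Ignored State: open|filtered (999)
        if (s[3] == want) { c = s[4]; gsub(/[()]/, "", c); total += c }
      }
    }
  } END { print total + 0 }'
}

# Comma-separated open port numbers, ready to hand to a follow-up -p.
open_port_csv() {
  open_ports | awk '{ split($2, a, "/"); s = s (s ? "," : "") a[1] } END { print s }'
}

# The scan sequence itself. Raw-socket scans (-sX, -sS) need root, and -Pn is
# required because the target drops ICMP. Only runs when nmap is installed.
scan_target() {
  command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
  sudo nmap -Pn -sX -vv -p 1-999  -oA xmas "$1"        # Q2: first 999 ports
  sudo nmap -Pn -sS -vv -p 1-5000 -oA syn  "$1"        # Q3: first 5000 ports
  sudo nmap -Pn -p 21 --script ftp-anon -oA ftp "$1"   # Q5: anonymous FTP login?
  echo "open|filtered after Xmas scan: $(count_state 'open|filtered' < xmas.gnmap)"
  echo "open after SYN scan: $(count_state open < syn.gnmap)"
  ports=$(open_port_csv < syn.gnmap)
  [ -n "$ports" ] && sudo nmap -Pn -sV -sC -p "$ports" -oA detail "$1"
}

# Constructed .gnmap excerpts (not real scan output) so the parsers can be
# exercised without a target: all 999 Xmas-scanned ports silent, and a SYN
# scan with three open ports, one closed and the remaining 4996 filtered.
sample_xmas_gnmap() {
  printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.10 ()\tPorts: \tIgnored State: open|filtered (999)\n'
}
sample_syn_gnmap() {
  printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///\tIgnored State: filtered (4996)\n'
}

if [ -n "${TARGET-}" ]; then
  scan_target "$TARGET"
else
  echo "sample open|filtered count: $(sample_xmas_gnmap | count_state 'open|filtered')"  # 999
  echo "sample open ports: $(sample_syn_gnmap | open_port_csv)"                           # 21,22,80
fi
```

Run it on the AttackBox as `TARGET=MACHINE_IP sh scan.sh`; without TARGET it only exercises the parsers on the constructed samples. The point worth remembering: when every scanned port ends up in the same state, as with the Xmas scan here, nothing is listed under Ports: and the whole count sits in Ignored State, so a parser that only reads the Ports: field would report 0 rather than 999.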

Task 15:

No answer needed

That’s the end for the Nmap room. Here is a Cheat Sheet for future use :)
