THM | Nmap
Network Exploitation Basics | Nmap | Summary:
This series of walkthroughs aims to help complete beginners finish the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Nmap room.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.
Task | 01 | Deploy
Question 1: Deploy the attached VM
No answer needed
Task | 02 | Introduction
Question 1: What networking constructs are used to direct traffic to the right application on a server?
Ports
Question 2: How many of these are available on any network-enabled computer?
65535
Question 3: [Research]
How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)
1024
Task | 03 | Nmap Switches
Question 1: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?
-sS
Question 2: Which switch would you use for a "UDP scan"?
-sU
Question 3: If you wanted to detect which operating system the target is running on, which switch would you use?
-O
Question 4: Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV
Question 5: The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v
Question 6: Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
- Note: it's highly advisable to always use at least this option
-vv
Question 7: We should always save the output of our scans -- this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients. What switch would you use to save the nmap results in three major formats?
-oA
Question 8: What switch would you use to save the nmap results in a "normal" format?
-oN
Question 9: A very useful output format: how would you save results in a "grepable" format?
-oG
Question 10: Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting?
-A
Question 11: Nmap offers five levels of "timing" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5?
-T5
Question 12: We can also choose which port(s) to scan. How would you tell nmap to only scan port 80?
-p 80
Question 13: How would you tell nmap to scan ports 1000-1500?
-p 1000-1500
Question 14: A very useful option that should not be ignored: How would you tell nmap to scan all ports?
-p-
Question 15: How would you activate a script from the nmap scripting library (lots more on this later!)?
--script
Question 16: How would you activate all of the scripts in the "vuln" category?
--script=vuln
Task | 04 | Overview
Question 1: Read the Scan Types Introduction.
No answer needed
Task | 05 | TCP Connect Scans
Question 1: Which RFC defines the appropriate behaviour for the TCP protocol?
RFC 9293
Question 2: If a port is closed, which flag should the server send back to indicate this?
RST
Task | 06 | SYN Scans
Question 1: There are two other names for a SYN scan, what are they?
Half-Open, Stealth
Question 2: Can Nmap use a SYN scan without sudo permissions (Y/N)?
N
Task | 07 | UDP Scans
Question 1: If a UDP port doesn't respond to an Nmap scan, what will it be marked as?
open|filtered
Question 2: When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?
ICMP
Task | 08 | NULL, FIN and Xmas
Question 1: Which of the three shown scan types uses the URG flag?
xmas
Question 2: Why are NULL, FIN and Xmas scans generally used?
Firewall Evasion
Question 3: Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Microsoft Windows
Task | 09 | ICMP Network Scanning
Question 1: How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
nmap -sn 172.16.0.0/16
Task | 10 | Overview
Question 1: What language are NSE scripts written in?
Lua
Question 2: Which category of scripts would be a very bad idea to run in a production environment?
intrusive
Task | 11 | Working with the NSE
Question 1: What optional argument can the ftp-anon.nse script take?
maxlist
Task | 12 | Searching for Scripts
Question 1: Search for "smb" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?
smb-os-discovery.nse
Question 2: Read through this script. What does it depend on?
smb-brute
Task | 13 | Firewall Evasion
Question 1: Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
ICMP
Question 2: [Research]
Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
--data-length
Task | 14 | Practical
Question 1: Does the target IP respond to ICMP echo (ping) requests (Y/N)?
N
Question 2: Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
999
Question 3: There is a reason given for this -- what is it?
- Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!
No Response
Question 4: Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
5
Question 5: Open Wireshark (see Cryillic's Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on. Deploy the ftp-anon script against the box. Can Nmap log in successfully to the FTP server on port 21? (Y/N)
Y
Task | 15 | Conclusion
Question 1: Read the conclusion.
No answer needed