Nmap | TryHackMe Walkthrough

 

An in-depth look at scanning with Nmap, a powerful network scanning tool.

This room was created by DarkStar and MuirlandOracle, as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap).

Task2:

What networking constructs are used to direct traffic to the right application on a server?

Ports

How many of these are available on any network-enabled computer?

65535

[Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)

1024

Task3:

What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?

-sS

Which switch would you use for a "UDP scan"?

-sU

If you wanted to detect which operating system the target is running on, which switch would you use?

-O

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

-sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

-v (you can click v on the keyboard to increase verbosity and Shift+v to decrease it)

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it's highly advisable to always use at least this option)

-vv

What switch would you use to save the nmap results in three major formats?

-oA

What switch would you use to save the nmap results in a "normal" format?

-oN

A very useful output format: how would you save results in a "grepable" format?

-oG

Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
How would you activate this setting?

-A

Nmap offers five levels of "timing" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!
How would you set the timing template to level 5?

-T5

We can also choose which port(s) to scan.
How would you tell nmap to only scan port 80?

-p 80

How would you tell nmap to scan ports 1000-1500?

-p 1000-1500

A very useful option that should not be ignored:
How would you tell nmap to scan all ports?

-p-

How would you activate a script from the nmap scripting library (lots more on this later!)?

--script

How would you activate all of the scripts in the "vuln" category?

--script=vuln

Task5:

Which RFC defines the appropriate behaviour for the TCP protocol?

RFC 793

If a port is closed, which flag should the server send back to indicate this?

RST

Task6:

There are two other names for a SYN scan, what are they?

Half-Open, Stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)?

N

Task7:

If a UDP port doesn't respond to an Nmap scan, what will it be marked as?

open|filtered

When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?

ICMP

Task8:

Which of the three shown scan types uses the URG flag?

xmas

Why are NULL, FIN and Xmas scans generally used?

Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Microsoft Windows

Task9:

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

nmap -sn 172.16.0.0/16

Task10:

What language are NSE scripts written in?

Lua

Which category of scripts would be a very bad idea to run in a production environment?

intrusive

Task11:

What optional argument can the ftp-anon.nse script take?

maxlist

Task12:

Search for "smb" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?

smb-os-discovery.nse

Read through this script. What does it depend on?

smb-brute

Task13:

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

ICMP

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

--data-length

Task14:

Does the target respond to ICMP (ping) requests (Y/N)?

N

Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?

999

There is a reason given for this -- what is it?

No Response

Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?

5

Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Y

-----------------------------------------------------------------------

Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- Run from docker:
Read more

Azure Sentinel: Use Microsoft's SIEM to map global attacks

Image
 in this tutorial, we will display attacks from all over the globe on a world map using Microsoft cloud SIEM (Security Information and Event Management) this is a step-by-step guided lab so it will be a long tutorial. Project steps this project needs multiple stages to be completed, when you finish this guide you will be able to: create and configure a Virtual Machine using Azure configure a cloud network security group and create firewall rules create and configure a Logs Analytics Workspace collect data from Virtual Machines into Azure get familiar with PowerShell scripting and APIs use (KQL) Kusto Query Language (the Azure data exporter language)  Let's get started First of all, go ahead and create a free Azure account at  https://azure.microsoft.com/en-us/free/   When you're done with that go to your dashboard at  https://portal.azure.com/ Ps: Just a quick note before we begin, you will notice in Azure as in GCP or AWS that the search bar is your b
Read more