Nmap Room Tryhackme Walkthrough✔️
Welcome to my writeup📃
🔐:Questions
🔑:Answers
This room covers a single tool, Nmap, and is about scanning only.
⭐️-Task 2: Introduction
- 🔐What networking constructs are used to direct traffic to the right application on a server❓
🔑Ports
- 🔐How many of these are available on any network-enabled computer❓
🔑65535 (the room counts ports 1 to 65535; port 0 exists in the protocol but is rarely used, and -p- scans 1-65535 only, so use -p0- if you want it)
- 🔐How many of these are considered “well-known”❓ (These are the “standard” numbers mentioned in the task)
🔑1024 (ports 0-1023)
⭐️-Task 3: Nmap Switches
- 🔐What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)❓
🔑-sS
- 🔐Which switch would you use for a “UDP scan”❓
🔑-sU
- 🔐If you wanted to detect which operating system the target is running on, which switch would you use❓
🔑-O
- 🔐Nmap provides a switch to detect the version of the services running on the target. What is this switch❓
🔑-sV
- 🔐The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity❓
🔑-v
- 🔐Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two❓
🔑-vv
- 🔐What switch would you use to save the nmap results in three major formats❓
🔑-oA
- 🔐What switch would you use to save the nmap results in a “normal” format❓
🔑-oN
- 🔐A very useful output format: how would you save results in a “grepable” format❓
🔑-oG
Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
- 🔐How would you activate this setting❓
🔑-A (shorthand for -sV -O --traceroute --script=default)
- 🔐How would you set the timing template to level 5❓
🔑-T5 (“insane”: fastest, but the most likely to miss ports on a slow or lossy link)
- 🔐How would you tell nmap to only scan port 80❓
🔑-p 80
- 🔐How would you tell nmap to scan ports 1000–1500❓
🔑-p 1000-1500
- 🔐How would you tell nmap to scan all ports❓
🔑-p-
- 🔐How would you activate a script from the nmap scripting library (lots more on this later!)❓
🔑--script
- 🔐How would you activate all of the scripts in the “vuln” category❓
🔑--script=vuln
Scan Types
⭐️-Task 5: TCP Connect Scans
- 🔐Which RFC defines the appropriate behaviour for the TCP protocol❓
🔑RFC 793 (“For example, if a port is closed, RFC 793 states …”)
- 🔐If a port is closed, which flag should the server send back to indicate this❓
🔑RST (“the target server will respond with a TCP packet with the RST (Reset) flag set”)
⭐️-Task 6: SYN Scans
- 🔐There are two other names for a SYN scan, what are they❓
🔑Half-open, Stealth (“SYN scans are sometimes referred to as “Half-open” scans, or “Stealth” scans.”)
- 🔐Can Nmap use a SYN scan without Sudo permissions (Y/N)❓
🔑N (“They require sudo permissions”)
⭐️-Task 7: UDP Scans
- 🔐If a UDP port doesn’t respond to an Nmap scan, what will it be marked as❓
🔑open|filtered (‘If there is still no response then the port is marked open|filtered and Nmap moves on.’)
- 🔐When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so❓
🔑ICMP (“When a packet is sent to a closed UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable.”)
⭐️-Task 8: NULL, FIN and Xmas
- 🔐Which of the three shown scan types uses the URG flag❓
🔑Xmas (“It’s referred to as an xmas scan as the flags that it sets (PSH, URG and FIN)”)
- 🔐Why are NULL, FIN and Xmas scans generally used❓
🔑firewall evasion (“That said, the goal here is, of course, firewall evasion.”)
- 🔐Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port❓
🔑Microsoft Windows (“In particular Microsoft Windows (and a lot of Cisco network devices) are known to respond with a RST”)
⭐️-Task 9: ICMP Network Scanning
- 🔐How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap❓ (CIDR notation)
🔍: CIDR notation writes the network address, a slash, and the number of leading 1-bits in the mask. So a Class A mask (255.0.0.0) is /8, a Class B mask (255.255.0.0) is /16, and a Class C mask (255.255.255.0) is /24. The -sn switch does host discovery only and skips the port scan.
🔑nmap -sn 172.16.0.0/16 (I recommend the Networking room for more on this.)
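The netmask-to-prefix conversion behind that answer, as an added example (my code, not the room's): a POSIX sh function that counts the leading 1-bits of a dotted-decimal mask, rejects masks whose 1-bits are not contiguous, and builds the `nmap -sn` target from a network address plus mask. The function names `mask2cidr`, `sweep_cmd` and `prefix_hosts` are my own.

```shell
#!/bin/sh
# Added example: turn a dotted-decimal netmask into a CIDR prefix length and
# build the Nmap ping-sweep command line from it. Function names are assumptions.

# mask2cidr MASK: print the prefix length, or return 1 for an invalid mask
mask2cidr() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS   # split into four octets
    [ $# -eq 4 ] || return 1
    bits=0; ended=0
    for octet in "$@"; do
        case $octet in *[!0-9]*|'') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        # strip leading 1-bits one at a time; whatever remains must be zero,
        # otherwise the octet has a hole (e.g. 0b10111111 is not a valid mask)
        v=$octet; n=0
        while [ $((v & 128)) -ne 0 ]; do n=$((n + 1)); v=$(((v << 1) & 255)); done
        [ "$v" -eq 0 ] || return 1
        # once an octet is partial or zero, every later octet must be zero
        [ "$ended" -eq 1 ] && [ "$n" -ne 0 ] && return 1
        [ "$n" -lt 8 ] && ended=1
        bits=$((bits + n))
    done
    echo "$bits"
}

# prefix_hosts PREFIX: number of addresses a sweep of that prefix will probe
prefix_hosts() {
    echo $((1 << (32 - $1)))
}

# sweep_cmd NETWORK MASK: the ping-sweep command for that network
sweep_cmd() {
    prefix=$(mask2cidr "$2") || return 1
    echo "nmap -sn $1/$prefix"
}

sweep_cmd 172.16.0.0 255.255.0.0      # nmap -sn 172.16.0.0/16
prefix_hosts "$(mask2cidr 255.255.0.0)"  # 65536 addresses will be probed
```

A /16 sweep probes 65536 addresses, so expect it to take a while and to be noisy; `mask2cidr 255.0.255.0` returns 1 rather than a misleading count.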
NSE Scripts
⭐️-Task 10: Overview
- 🔐What language are NSE scripts written in❓
🔑Lua (“NSE Scripts are written in the Lua programming language”)
- 🔐Which category of scripts would be a very bad idea to run in a production environment❓
🔑intrusive (“intrusive: Not safe: likely to affect the target”)
⭐️-Task 11: Working with the NSE
- 🔐What optional argument can the ftp-anon.nse script take❓
🔑maxlist
⭐️-Task 12: Searching for Scripts
- 🔐Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server❓
🔑smb-os-discovery.nse
- 🔐Read through this script. What does it depend on❓
🔑smb-brute (cmd: cat /usr/share/nmap/scripts/smb-os-discovery.nse and look for the dependencies line)
⭐️-Task 13: Firewall Evasion
- 🔐Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch❓
🔑ICMP (“…This means that Nmap will always treat the target host(s) as being alive, effectively bypassing the ICMP block”)
- 🔐Which Nmap switch allows you to append an arbitrary length of random data to the end of packets❓
🔑--data-length
⭐️-Task 14: Practical
- 🔐Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)❓
🔑N
- 🔐Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered❓
🔑999
- 🔐There is a reason given for this — what is it❓
🔑No Response (add --reason to the scan to have Nmap print why each port got its state)
- 🔐Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open❓
🔑5
- 🔐Deploy the
ftp-anon
script against the box. Can Nmap login successfully to the FTP server on port 21❓ (Y/N)
🔑Y
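Two of the answers above, the grepable output format from Task 3 (-oG) and the open-port count from the Task 14 SYN scan, meet in the following added example (my code, not the room's or the original writeup's). It parses a grepable Nmap file and counts ports by state. The scan that would produce such a file is `sudo nmap -sS -Pn -p 1-5000 -oG scan.gnmap MACHINE_IP` (-Pn because the target drops ICMP); the embedded SAMPLE is a constructed .gnmap shaped like that output, with five open ports to match the practical and one filtered port for contrast. The host address, service names and the function names `gnmap_ports` and `count_state` are assumptions, not the room's real data.

```shell
#!/bin/sh
# Added example (not part of the TryHackMe room): parse Nmap grepable output (-oG)
# to list and count ports by state. SAMPLE is a constructed .gnmap file, not a real
# capture; the address and services are assumptions.
TAB=$(printf '\t')
SAMPLE="# Nmap 7.94 scan initiated as: nmap -sS -Pn -p 1-5000 -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()${TAB}Status: Up
Host: 10.10.10.10 ()${TAB}Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///${TAB}Ignored State: closed (4994)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds"

# gnmap_ports GNMAP [STATE]: print "host port/proto service" for every listed port
# in STATE (default open). Grepable fields are tab-separated; each Ports: entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are ", "-separated.
gnmap_ports() {
    state=${2:-open}
    printf '%s\n' "$1" | awk -F "$TAB" -v want="$state" '
        /^Host:/ && /Ports:/ {
            split($1, h, " ")                      # "Host: A.B.C.D ()" -> h[2] = address
            for (i = 2; i <= NF; i++) {
                if (index($i, "Ports: ") != 1) continue   # skip Status:/Ignored State:
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == want) print h[2], f[1] "/" f[3], f[5]
                }
            }
        }'
}

# count_state GNMAP HOST STATE: number of listed ports of HOST in STATE
count_state() {
    gnmap_ports "$1" "$3" | awk -v h="$2" '$1 == h { c++ } END { print c + 0 }'
}

gnmap_ports "$SAMPLE" open
echo "open ports on 10.10.10.10: $(count_state "$SAMPLE" 10.10.10.10 open)"
echo "filtered ports on 10.10.10.10: $(count_state "$SAMPLE" 10.10.10.10 filtered)"
```

Only ports outside the “Ignored State” are listed, so the closed count here comes from the summary field rather than from entries. Script output such as ftp-anon is not written to the grepable format; keep -oN (or -oA) for that last step of the practical.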
I hope you enjoyed this walkthrough. Follow my profile for more writeups, and see you soon …👌