Summary

In this post, we cover Nmap scanning commands and techniques from beginner to advanced. We explain the TCP connect scan, stealth scan, UDP scan, ACK scan, decoy scan, fragmented scan, etc. This is part of the TryHackMe Junior Penetration Tester pathway.

This post covers the answers for

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

Challenge Description

When we want to target a network, we want to find an efficient tool to help us handle repetitive tasks and answer the following questions:

  1. Which systems are up?
  2. What services are running on these systems?

The tool that we will rely on is Nmap. The first question, finding live computers, is answered in this room, the first in a series of four rooms dedicated to Nmap. The second question, discovering running services, is answered in the following Nmap rooms, which focus on port scanning.


Challenge Answers

How many devices can see the ARP Request?

Did computer6 reply to the ARP Request? (Y/N)

What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?

How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
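Nmap expands a CIDR target to the whole network it lies in and expands per-octet ranges into every combination before scanning, which is what the two questions above are about. As an added example (mine, not code from the post or from the TryHackMe room), here is a small expander for those two notations, useful for checking how many addresses a target specification covers before you launch a scan:

```python
import ipaddress
import itertools


def _octet_values(field):
    """Expand one octet of Nmap's range syntax: '5', '0-255', '1,3,5-7' or '-'.
    A bare '-' means 0-255 and 'n-' means n-255, as in Nmap's target parser."""
    values = set()
    for part in field.split(","):
        low, dash, high = part.partition("-")
        start = int(low) if low else 0
        end = int(high) if high else (255 if dash else start)
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range: {field!r}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_targets(spec):
    """Return the IPv4 addresses Nmap would scan for one target specification.

    Handles CIDR notation (10.10.12.13/29 covers the whole /29 it lies in,
    network and broadcast addresses included, which is what Nmap scans) and
    octet ranges (10.10.0-255.101-125)."""
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)  # host bits are masked off
        return list(network)
    octets = [_octet_values(f) for f in spec.split(".")]
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    return [ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in itertools.product(*octets)]


if __name__ == "__main__":
    for spec in ("10.10.12.13/29", "10.10.0-255.101-125"):
        hosts = expand_targets(spec)
        print(f"{spec}: {len(hosts)} address(es), first {hosts[0]}, last {hosts[-1]}")
```

Running the script prints the address count and the first and last address for each specification; `expand_targets` returns the full list so you can write it to a file or diff it against an authorised scope.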

Send a packet with the following:

  • From computer1
  • To computer3
  • Packet Type: “Ping Request”

What is the type of packet that computer1 sent before the ping?

What is the type of packet that computer1 received before being able to send the ping?

How many computers responded to the ping request?

Send a packet with the following:

  • From computer2
  • To computer5
  • Packet Type: “Ping Request”

What is the name of the first device that responded to the first ARP Request?

What is the name of the first device that responded to the second ARP Request?

Send another Ping Request. Did it require new ARP Requests? (Y/N)

We will be sending broadcast ARP Request packets with the following options:

  • From computer1
  • To computer1 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: try all the possible eight devices (other than computer1) in the network: computer2, computer3, computer4, computer5, computer6, switch1, switch2, and router.

How many devices are you able to discover using ARP requests?

What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?

What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?

What is the option required to tell Nmap to use ICMP Echo to discover live hosts?

Which TCP ping scan does not require a privileged account?

Which TCP ping scan requires a privileged account?

What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?

We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?

Which service uses UDP port 53 by default?

Which service uses TCP port 22 by default?

How many port states does Nmap consider?

Which port state is the most interesting to discover as a pentester?

What 3 letters represent the Reset flag?

Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

Launch the VM. Open the AttackBox and execute nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

What is Nmap’s guess about the newly installed service?

Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS MACHINE_IP. What is the new open port?

What is Nmap’s guess of the service name?

Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?

What is the service name according to Nmap?

What is the option to scan all the TCP ports between 5000 and 5500?

How can you ensure that Nmap will run at least 64 probes in parallel?

What option would you add to make Nmap very slow and paranoid?

In a null scan, how many flags are set to 1?

In a FIN scan, how many flags are set to 1?

In a Xmas scan, how many flags are set to 1?

Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?

Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?

In the Maimon scan, how many flags are set?

In TCP Window scan, how many flags are set?

You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?

The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?

What is the new port number that appeared?

Is there any service behind the newly discovered port number? (Y/N)

What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?

What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?

If the TCP segment has a size of 64, and -ff option is being used, how many IP fragments will you get?

You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?

Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open?

Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light MACHINE_IP via the AttackBox. What is the detected version for port 143?

Which service did not have a version detected with --version-light?

Run nmap with -O option against MACHINE_IP. What OS did Nmap detect?

Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox, what does the script http-robots.txt check for?

Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?

Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value?

Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by MACHINE_IP?

Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.

Note that the username pentester has the password THM17577.

Check the attached Nmap logs. How many systems are listening on the HTTPS port?

What is the IP address of the system listening on port 8089?
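The last two questions ask you to read the Nmap reports downloaded from the target in normal and grepable formats. Grepable (-oG) output puts one host per line, so it is the format to script against. As an added example (mine, not code from the post or from the TryHackMe room), here is a small parser for that format that answers "which hosts report a given port as open". The report embedded below is constructed for illustration; its addresses, ports and versions are made up and are not the room's logs:

```python
import ipaddress
import re

# Constructed sample of Nmap grepable (-oG) output; hosts, ports and
# versions are made up for illustration, not taken from any real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sS -sV -oG scan.gnmap 10.10.1.0/29\n"
    "Host: 10.10.1.2 ()\tStatus: Up\n"
    "Host: 10.10.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.10.1.3 ()\tStatus: Up\n"
    "Host: 10.10.1.3 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///, "
    "8089/open/tcp//unknown///\tIgnored State: closed (997)\n"
    "Host: 10.10.1.4 ()\tStatus: Up\n"
    "Host: 10.10.1.4 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)\n"
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned in 1.23 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\d+\.\d+\.\d+\.\d+)")


def parse_gnmap(text):
    """Parse -oG output into {ip: [port records]}.

    Each 'Ports:' entry has the form
    port/state/protocol/owner/service/rpcinfo/version/ ; the records keep
    the fields a triage script usually needs."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # '# Nmap ...' comment lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip = match.group(1)
        records = hosts.setdefault(ip, [])            # keep hosts that only have a Status line
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue                          # malformed entry, skip it
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                records.append({"port": int(port), "state": state,
                                "proto": proto, "service": service,
                                "version": version})
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Return the IPs (numerically sorted) that report port/proto as open.
    Ports in the filtered or closed state are deliberately not counted."""
    hits = [ip for ip, records in hosts.items()
            if any(r["port"] == port and r["proto"] == proto and r["state"] == "open"
                   for r in records)]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    https = hosts_with_open_port(scan, 443)
    print(f"{len(https)} host(s) listening on HTTPS: {', '.join(https)}")
    print("port 8089 open on:", ", ".join(hosts_with_open_port(scan, 8089)))
```

To run it against a real report, replace `SAMPLE_GNMAP` with the contents of the downloaded .gnmap file (for example `parse_gnmap(open("scan.gnmap").read())`). Note that a host whose 443 is reported as filtered is not counted as listening on HTTPS, which matches what the question is asking for.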
