Summary
In this post, we covered Nmap scanning commands and techniques from beginners to advanced. We explained TCP connect scan, stealth scan, UDP scan, ACK scan, Decoy scan, Fragmented scan,etc. This was part of TryHackMe Junior Penetration Tester pathway.
This post covers the answers for
Challenge Description
When we want to target a network, we want to find an efficient tool to help us handle repetitive tasks and answer the following questions:
- Which systems are up?
- What services are running on these systems?
The tool that we will rely on is Nmap. The first question about finding live computers is answered in this room. This room is the first in a series of four rooms dedicated to Nmap. The second question about discovering running services is answered in the next Nmap rooms that focus on port-scanning.
Challenge Answers
10.10.12.13/29 as your target?How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
Send a packet with the following:
- From computer1
- To computer3
- Packet Type: “Ping Request”
What is the type of packet that computer1 sent before the ping?
What is the type of packet that computer1 received before being able to send the ping?
How many computers responded to the ping request?
Send a packet with the following:
- From computer2
- To computer5
- Packet Type: “Ping Request”
What is the name of the first device that responded to the first ARP Request?
What is the name of the first device that responded to the second ARP Request?
Send another Ping Request. Did it require new ARP Requests? (Y/N)
We will be sending broadcast ARP Requests packets with the following options:
- From computer1
- To computer1 (to indicate it is broadcast)
- Packet Type: “ARP Request”
- Data: try all the possible eight devices (other than computer1) in the network: computer2, computer3, computer4, computer5, computer6, switch1, switch2, and router.
How many devices are you able to discover using ARP requests?
What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?
What is the option required to tell Nmap to use ICMP Echo to discover life hosts?
Which service uses TCP port 22 by default?
How many port states does Nmap consider?
Which port state is the most interesting to discover as a pentester?
Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?
nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?What is Nmap’s guess about the newly installed service?
nmap -sS MACHINE_IP. What is the new open port?What is Nmap’s guess of the service name?
nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?What is the service name according to Nmap?
How can you ensure that Nmap will run at least 64 probes in parallel?
What option would you add to make Nmap very slow and paranoid?
In a FIN scan, how many flags are set to 1?
In a Xmas scan, how many flags are set to 1?
Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?
Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?
You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?
The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?
What is the new port number that appeared?
Is there any service behind the newly discovered port number? (Y/N)
sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?
-ff option is being used, how many IP fragments will you get?10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open?Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light MACHINE_IPvia the AttackBox. What is the detected version for port 143?
--version-light?/usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE2015-2015-1635)?
Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value?
Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by MACHINE_IP?
Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.
Note that the username pentester has the password THM17577
Check the attached Nmap logs. How many systems are listening on the HTTPS port?
What is the IP address of the system listening on port 8089?
