NMAP — THM

Lately I started preparing for my CompTIA PenTest+ exam and found out there is an awesome track on TryHackMe, so today I started with the first room. Let's get started: deploy the machine and head forward.
TASK1 [deploy]:-
> just deploy the machine and you are good to go

Task2 [introduction]:-
>
Heading towards task 2, I started reading the material given there and found the most valuable line, which is:
“When it comes to hacking, knowledge is power. The more knowledge you have about a target system or network, the more options you have available.”
This line hits me hard every time I read it. Enough of that, let's get back to solving the task 😉

Q) What networking constructs are used to direct traffic to the right application on a server?
A) ports

reason:- a port is the network construct that directs traffic to the right application on a server.

Q) How many of these are available on any network-enabled computer?
A)65535

reason:- this is the number of ports available on any network-enabled computer.

Q) [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)
A)1024

reason:- this is the number of ports considered "well-known" (the standard ports).

With this we have completed our first task.
summary:-
1) we got to know “why do we use NMAP”
2) we found out some basic info of ports.

TASK3:- [NMAP switches]:-
>
This task covers the switches that Nmap accepts. For this task you can just type nmap in a terminal and it dumps all the available switches.

Q) What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?
A) -sS

Q) Which switch would you use for a “UDP scan”?
A) -sU

Q) If you wanted to detect which operating system the target is running on, which switch would you use?
A) -o

Q) Nmap provides a switch to detect the version of the services running on the target. What is this switch?
A) -sV

Q) The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
A) -v

Q) Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
A) -vV

Q) We should always save the output of our scans — this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients. What switch would you use to save the nmap results in three major formats?
A) -oA

Q) What switch would you use to save the nmap results in a “normal” format?
A) -oN

Q) A very useful output format: how would you save results in a “grepable” format?
A) -oG

Q) Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting?
A) -A

Q) Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5?
A) -T5

Q) We can also choose which port(s) to scan. How would you tell nmap to only scan port 80?
A) -p 80

Q) How would you tell nmap to scan ports 1000-1500?
A) -p 1000-1500

Q) How would you tell nmap to scan all ports?
A) -p-

Q) How would you activate a script from the nmap scripting library (lots more on this later!)?
A) --script

Q) How would you activate all of the scripts in the “vuln” category?
A) --script=vuln

With this we have completed our 3rd task too.
summary:-
> we learnt the different switches that we can use day to day.

Task4 [[Scan Types] Overview]:-

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)
  • SYN “Half-open” Scans (-sS)
  • UDP Scans (-sU)

Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Most of these (with the exception of UDP scans) are used for very similar purposes, however, the way that they work differs between each scan. This means that, whilst one of the first three scans are likely to be your go-to in most situations, it’s worth bearing in mind that other scan types exist.

In terms of network scanning, we will also look briefly at ICMP (or “ping”) scanning.
> just go through this and submit.

TASK5 [Scan Types] TCP Connect Scans:-

Before doing this task, complete the networking room; it will make this task easy to solve.

Q)Which RFC defines the appropriate behavior for the TCP protocol?
A) RFC 793

Q)If a port is closed, which flag should the server send back to indicate this?
A) RST

Done with Task 5.
summary:-
got to know about RFC 793 and the RST flag, and also understood how the TCP connect scan works.

TASK6 [Scan Types] SYN Scans:-
Just go through the topics given there; there is nothing more to explain, so let's dive straight into the questions.

Q)There are two other names for a SYN scan, what are they?
A) half-open, stealth

Q)Can Nmap use a SYN scan without Sudo permissions (Y/N)?
A) N

summary:-
> learnt about the SYN scan and the concepts behind SYN.

TASK7 [Scan Types] UDP Scans:-
> The UDP scan is another important scan, which relies on the transfer of packets.

Q)If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
A)open|filtered

Q)When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
A)ICMP

summary:-
We learnt about the UDP scan and why it is slower than the other scans.

Task8 [Scan Types] NULL, FIN and Xmas:-
> In this task we will get to know about the NULL, FIN and Xmas scans. So let's give it a quick read and then dive into the questions.

Q)Which of the three shown scan types uses the URG flag?
A) Xmas

Q)Why are NULL, FIN and Xmas scans generally used?
A)Firewall Evasion

Q)Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
A)Microsoft Windows

summary:-
These scans are very rarely used, but it's good to know them; all three scans work basically the same way.

Task9 [Scan Types] ICMP Network Scanning:-
> In this task we will get to know ICMP network scanning and perform a ping sweep.

Q)How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
A)nmap -sn 172.16.0.0/16

Task10[NSE Scripts] Overview:-
> so here we start with the “--script” part; in this task we will learn about the Nmap Scripting Engine

Q)What language are NSE scripts written in?
A)Lua

Q)Which category of scripts would be a very bad idea to run in a production environment?
A)intrusive

summary:-
After reading the info there I learnt many things I didn't know; I hope this also helps me in the PenTest+ exam.

TASK11 [NSE Scripts] Working with the NSE:-
> let's get started with the theory part given and work with it.

Q)What optional argument can the ftp-anon.nse script take?
A) maxlist

Task12 [NSE Scripts] Searching for Scripts:-
> gonna search for scripts, bom bom….

Q)Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?
A)smb-os-discovery.nse

Q)Read through this script. What does it depend on?
A) smb-brute

note:- go through the process specified and you will get the answer.
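Reading a script's header before running it is the point of Task 10 (the "intrusive" category) and Task 12 (the dependencies line), so here is an added example that is not part of the original post: it writes two constructed stand-in NSE files to a temporary directory (on a real system you would point it at /usr/share/nmap/scripts/), lists the scripts whose name contains "smb" with their categories and dependencies, and checks whether a script is intrusive. The script contents are constructed and only their header lines matter.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): inspect NSE script headers
# before running them. Every NSE script declares a "categories" table and,
# optionally, a "dependencies" table near the top of the file.
# The two scripts below are constructed stand-ins written to a temp dir;
# on a real system the directory would be /usr/share/nmap/scripts/.

# Write two constructed scripts into directory $1 (only the headers matter).
make_nse_samples() {
    cat > "$1/smb-os-discovery.nse" <<'EOF'
description = [[ constructed stand-in for the real script ]]
author = "constructed"
categories = {"default", "discovery", "safe"}
dependencies = {"smb-brute"}
EOF
    cat > "$1/smb-brute.nse" <<'EOF'
description = [[ constructed stand-in for the real script ]]
author = "constructed"
categories = {"brute", "intrusive"}
EOF
}

# Usage: nse_script_info <scripts-dir> <name-fragment>
# Lists every script whose filename contains the fragment, with its
# categories and dependencies, one line per script.
nse_script_info() {
    for f in "$1"/*"$2"*.nse; do
        [ -e "$f" ] || continue        # no match: the glob stays literal
        name=$(basename "$f" .nse)
        # pull the contents of the {...} table and drop quotes and spaces
        cats=$(sed -n 's/^categories *= *{\(.*\)}.*/\1/p' "$f" | tr -d '" ')
        deps=$(sed -n 's/^dependencies *= *{\(.*\)}.*/\1/p' "$f" | tr -d '" ')
        printf '%s categories=%s dependencies=%s\n' "$name" "${cats:-none}" "${deps:-none}"
    done
}

# Usage: nse_is_intrusive <script-file>
# Succeeds (exit 0) if the script is in the "intrusive" category, the one
# Task 10 says should not be run against a production environment.
nse_is_intrusive() {
    grep -q '^categories *=.*"intrusive"' "$1"
}

# Stand-alone run: list the smb scripts from the constructed directory.
dir=$(mktemp -d)
make_nse_samples "$dir"
nse_script_info "$dir" smb
```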

Task13 firewall Evasion:-

Q)Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
A)icmp

Q)[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
A) --data-length

Task14 Practical:-
> The most awaited part, so let's get hands-on with it 😉

Q) Does the target (10.10.131.144) respond to ICMP (ping) requests (Y/N)?
A) N

Q) Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?
A) 999

Q) Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!
A) no response

Q)Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?
A)5

Q)Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
A)Y
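Task 3 says to save every scan with -oA, and the practical asks how many ports a scan shows as open, so here is an added example that is not part of the original post: it builds a constructed grepable (-oG / .gnmap) file of the shape a SYN scan of the first 5000 ports would write, then counts per host how many ports are in a requested state. The host addresses, ports and Nmap version in the sample are constructed, and the function never runs nmap itself.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): count ports by state per host
# from Nmap grepable output, i.e. the .gnmap file that -oG / -oA writes.
# The sample below is constructed; nothing here contacts a target.

# Write a constructed .gnmap file to $1, shaped like the output of
#   nmap -sS -p 1-5000 -oG scan.gnmap <target>
# Fields on a "Host:" line are tab separated; each entry in the "Ports:"
# field is port/state/protocol/owner/service/rpc/version/
make_sample() {
    {
        printf '# Nmap 7.91 scan initiated (constructed sample)\n'
        printf 'Host: 10.10.131.144 ()\tStatus: Up\n'
        printf 'Host: 10.10.131.144 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (4994)\n'
        printf 'Host: 10.10.131.145 ()\tPorts: 53/open|filtered/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n'
        printf '# Nmap done (constructed sample)\n'
    } > "$1"
}

# Usage: count_ports_in_state <state> <gnmap-file>
# Prints "<host> <count>" for every host with at least one port in <state>.
# The state is matched exactly, so asking for "open" does not count
# "open|filtered" ports (the UDP and Xmas result from Tasks 7 and 14).
count_ports_in_state() {
    awk -v want="$1" '
        BEGIN { FS = "\t" }
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep only the address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), ports, /, /)        # strip "Ports: "
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")                   # f[2] is the state
                    if (f[2] == want) count[host]++
                }
            }
        }
        END { for (h in count) print h, count[h] }
    ' "$2" | sort
}

# Stand-alone run: build the sample and count the open ports per host.
sample="${TMPDIR:-/tmp}/constructed-scan.gnmap"
make_sample "$sample"
count_ports_in_state open "$sample"
```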

Task15 conclusion:-

So we are done with this room; it was a great learning path.
Do comment on any improvements required.
I appreciate your patience in reading the blog, happy hacking :).
Do like, share and follow for more blogs.

Go charan