TryHackMe: Nmap Walkthrough

-

Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities

Task 1 - Deploy

No answer needed.

Task 2 - Introduction

  1. What networking constructs are used to direct traffic to the right application on a server?

    Answer: ports

  2. How many of these are available on any network-enabled computer?

    Answer: 65535

  3. [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

    Answer: 1024

Task 3 - Nmap Switches

  1. What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

    Answer: -sS

  2. Which switch would you use for a “UDP scan”?

    Answer: -sU

  3. If you wanted to detect which operating system the target is running on, which switch would you use?

    Answer: -O

  4. Nmap provides a switch to detect the version of the services running on the target. What is this switch?

    Answer: -sV

  5. The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

    Answer: -v

  6. Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

    Answer: -vv

  7. What switch would you use to save the nmap results in three major formats?

    Answer: -oA

  8. What switch would you use to save the nmap results in a “normal” format?

    Answer: -oN

  9. A very useful output format: how would you save results in a “grepable” format?

    Answer: -oG

  10. Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

    How would you activate this setting?

Answer: -A

  1. Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

    How would you set the timing template to level 5?

    Answer: -T5

  2. We can also choose which port(s) to scan.

    How would you tell nmap to only scan port 80?

    Answer: -p 80

  3. How would you tell nmap to scan ports 1000-1500?

    Answer: -p 1000-1500

  4. A very useful option that should not be ignored:

    How would you tell nmap to scan all ports?

    Answer: -p-

  5. How would you activate a script from the nmap scripting library (lots more on this later!)?

    Answer: –script

  6. How would you activate all of the scripts in the “vuln” category?

    Answer: –script=vuln

Task 4 - [Scan Types] Overview

No answer needed.

Task 5 - [Scan Types]

  1. hich RFC defines the appropriate behaviour for the TCP protocol?

    Answer: RFC 793

  2. If a port is closed, which flag should the server send back to indicate this?

    Answer: RST

Task 6 - [Scan Types] SYN Scans

  1. There are two other names for a SYN scan, what are they?

    Answer: Half-Open, Stealth

  2. Can Nmap use a SYN scan without Sudo permissions (Y/N)?

    Answer: N

Task 7 - [Scan Types] UDP Scans

  1. If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

    Answer: open|filtered

  2. When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

    Answer: ICMP

Task 8 - [Scan Types] NULL, FIN and Xmas

  1. Which of the three shown scan types uses the URG flag?

Answer: xmas

  1. Why are NULL, FIN and Xmas scans generally used?

Answer: Firewall Evasion

  1. Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Answer: Microsoft Windows

             Task 9 - [Scan Types] ICMP Network Scanning

  1. How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Answer: nmap -sn 172.16.0.0/16

Task 10 - [NSE Scripts] Overview

  1. What language are NSE scripts written in?

Answer: Lua

  1. Which category of scripts would be a very bad idea to run in a production environment?

Answer: intrusive

Task 11 - [NSE Scripts] Working with the NSE

  1. What optional argument can the ftp-anon.nse script take?

    Answer: maxlist

Task 12 - [NSE Scripts] Searching for Scripts

  1. Search for “smb” scripts in the /usr/share/nmap/scripts/directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?

    Answer: smb-os-discovery.nse

  2. Read through this script. What does it depend on?

    Answer: smb-brute

Task 13 - Firewall Evasion

  1. Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

    Answer: ICMP

  2. [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

    Answer: –data-lenght

Task 14 - Practical

  1. Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?

    Answer: N

  2. Perform an Xmas scan on the first 999 ports of the target – how many ports are shown to be open or filtered?

    Answer: 999

  3. There is a reason given for this – what is it?

    Answer: no response

  4. Perform a TCP SYN scan on the first 5000 ports of the target – how many ports are shown to be open?

    Answer: 5

  5. Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

    Answer: Y

Task 15 - Conclusion

No answer needed.

Comments

Post a Comment

Popular posts from this blog

Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

-
Image
A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. Mobile security firm Zimperium dubbed the malware family  ABCsoup , stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores." The rogue browser add-ons come with the same extension ID as that of Google Translate — " aapbdbdomjkkjkaonfhkkikfgjllcleb " — in an attempt to trick users into believing that they have installed a legitimate extension. The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser. In the event the targeted user already has the Google Translate extension...
Read more

Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

-
Image
An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub," researchers from cloud security firm Aqua  said  in a Monday report. Travis CI is a  continuous integration  service used to build and test software projects hosted on cloud repository platforms such as GitHub and Bitbucket. The issue, previously reported in 2015 and  2019 , is rooted in the fact that the  API  permits access to historical logs in cleartext format, enabling a malicious party to even "fetch the logs that were previously unavailable via the API." The logs go...
Read more

Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

-
Image
Microsoft has incorporated additional improvements to address the recently disclosed  SynLapse  security vulnerability in order to meet comprehensive  tenant isolation   requirements  in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information. "This means that if an attacker could execute code on the  integration runtime , it is never shared between two different tenants, so no sensitive data is in danger," Orca Security said in a  technical report  detailing the flaw. The high-severity issue, tracked as  CVE-2022-29972  (CVSS score: 7.8) and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure client's cloud environment. Originally reported by the cloud sec...
Read more