TryHackMe Room: Nmap [Task1-15]

So you wanna become a hacker, heh? 🙂 You probably found https://tryhackme.com/ and are now trying to complete some rooms and show off to your friends, but you are lost.

In this post I will offer you all the answers you need to get your first (easy) room completed. However, I don’t recommend you simply copy-paste the answers without actually reading anything, because then you will not learn anything.

The answers posted here should be used if you are really stuck on a task and you need help.

NOTE: I take no responsibility for whatever you have in mind to do with these questions/answers. I am simply posting them for learning purposes. Please think twice before you try to become an “anonymous hacker” and start scanning commercial/production applications.

Task 1: Deploy

No answer needed here, simply click “Question Done” after you have deployed your machine.

Task 2: Introduction

What networking constructs are used to direct traffic to the right application on a server?

Ports

How many of these are available on any network-enabled computer?

65535

[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

1024

Task 3: Nmap Switches

What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

-sS

Which switch would you use for a “UDP scan”?

-sU

If you wanted to detect which operating system the target is running on, which switch would you use?

-O

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

-sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

-v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

-vv

What switch would you use to save the nmap results in three major formats?

-oA

What switch would you use to save the nmap results in a “normal” format?

-oN

A very useful output format: how would you save results in a “grepable” format?

-oG

How would you activate this setting?

-A

How would you set the timing template to level 5?

-T5

How would you tell nmap to only scan port 80?

-p 80

How would you tell nmap to scan ports 1000-1500?

-p 1000-1500

How would you tell nmap to scan all ports?

-p-

How would you activate a script from the nmap scripting library?

--script

How would you activate all of the scripts in the “vuln” category?

--script=vuln

Task 4: Overview

No answer needed here, simply click “Question Done” after you have deployed your machine.

Task 5: TCP Connect Scans

Which RFC defines the appropriate behaviour for the TCP protocol?

RFC 793

If a port is closed, which flag should the server send back to indicate this?

RST

Task 6: SYN Scans

There are two other names for a SYN scan, what are they?

Half-Open, Stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)?

N

Task 7: UDP Scans

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

open|filtered

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

ICMP

Task 8: NULL, FIN & XMAS

Which of the three shown scan types uses the URG flag?

xmas

Why are NULL, FIN and Xmas scans generally used?

Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Microsoft Windows

Task 9: ICMP Network Scanning

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

nmap -sn 172.16.0.0/16

Task 10: Overview

What language are NSE scripts written in?

Lua

Which category of scripts would be a very bad idea to run in a production environment?

intrusive

Task 11: Working with NSE

What optional argument can the ftp-anon.nse script take?

maxlist

Task 12: Searching for Scripts

What is the filename of the script which determines the underlying OS of the SMB server?

smb-os-discovery.nse

What does it depend on?

smb-brute

Task 13: Firewall Evasion

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

ICMP

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

--data-length

Task 14: Practical

Does the target (10.10.107.167) respond to ICMP (ping) requests (Y/N)?

N

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

999

There is a reason given for this — what is it?

No Response

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

5

Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Y

Task 15: Deploy

No answer needed here, simply click “Question Done” after you have deployed your machine.

Congratulations

You’ve completed the room!

Liked it? Support me on Patreon with a coffee 😀
