TryHackMe Room: Nmap [Task1-15]

So you wanna become a hacker, heh? 🙂 You probably found TryHackMe and are now trying to complete some rooms and flex to your friends, but you are lost.

In this post I will offer you all the answers you need to get your first (easy) completed room. However, I don’t recommend you simply copy-paste the answers without actually reading anything because then you will not learn anything.

The answers posted here should be used if you are really stuck on a task and you need help.

NOTE: I take no responsibility for what you have in mind to do with these questions/answers. I am simply posting them for learning purposes. Please think twice before you try to become all “anonymous hacker” and start scanning commercial/production applications.

Task 1: Deploy

No answer needed here; simply click “Question Done” after you have deployed your machine.

Task 2: Introduction

What networking constructs are used to direct traffic to the right application on a server?


How many of these are available on any network-enabled computer?


[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)


Task 3: Nmap Switches

What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?


Which switch would you use for a “UDP scan”?


If you wanted to detect which operating system the target is running on, which switch would you use?


Nmap provides a switch to detect the version of the services running on the target. What is this switch?


The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?


Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?


What switch would you use to save the nmap results in three major formats?


What switch would you use to save the nmap results in a “normal” format?


A very useful output format: how would you save results in a “grepable” format?


How would you activate this setting?


How would you set the timing template to level 5?


How would you tell nmap to only scan port 80?

-p 80

How would you tell nmap to scan ports 1000-1500?

-p 1000-1500

How would you tell nmap to scan all ports?


How would you activate a script from the nmap scripting library?


How would you activate all of the scripts in the “vuln” category?


Task 4: Overview

No answer needed here; simply click “Question Done” after you have deployed your machine.

Task 5: TCP Connect Scans

Which RFC defines the appropriate behaviour for the TCP protocol?

RFC 793

If a port is closed, which flag should the server send back to indicate this?


Task 6: SYN Scans

There are two other names for a SYN scan, what are they?

Half-Open, Stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)?


Task 7: UDP Scans

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?


When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?


Task 8: NULL, FIN & XMAS

Which of the three shown scan types uses the URG flag?


Why are NULL, FIN and Xmas scans generally used?

Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Microsoft Windows

Task 9: ICMP Network Scanning

How would you perform a ping sweep on the 172.16.x.x network (Netmask: using Nmap? (CIDR notation)

nmap -sn

Task 10: Overview

What language are NSE scripts written in?


Which category of scripts would be a very bad idea to run in a production environment?


Task 11: Working with NSE

What optional argument can the ftp-anon.nse script take?


Task 12: Searching for Scripts

What is the filename of the script which determines the underlying OS of the SMB server?


What does it depend on?


Task 13: Firewall Evasion

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?


[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?


Task 14: Practical

Does the target ( to ICMP (ping) requests (Y/N)?


Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?


There is a reason given for this — what is it?

No Response

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?


Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)


Task 15: Deploy

No answer needed here; simply click “Question Done” after you have deployed your machine.

