# Nmap: TryHackMe

In this article, I’ll be covering the THM challenges and answers related to Nmap Overview, Nmap Switches, Scan Types from the Overview, TCP Connect Scans, SYN Scans, UDP Scans, NULL, FIN, and Xmas to ICMP Networking Scanning, NSE Scripts from the Overview, Working with the NSE to Searching for Scripts and Firewall.

## Introduction to Nmap and PortScanning

Every computer has a total of `65535 available ports`; however, many of these are registered as standard ports. For example, an HTTP web service can nearly always be found on port 80 of the server. A HTTPS Webservice can be found on port 443. Windows NetBIOS can be found on port 139 and SMB can be found on port 445. It is important to note; however, that especially in a CTF setting, it is not unheard of for even these standard ports to be altered, making it even more imperative that we perform appropriate enumeration on the target.

If we do not know which of these ports a server has open, then we do not have a hope of successfully attacking the target; thus, it is crucial that we begin any attack with a port scan. This can be accomplished in a variety of ways – usually using a tool called `nmap`, which is the focus of this room. Nmap can be used to perform many different kinds of portscan – the most common of these will be introduced in upcoming tasks; however, the basic theory is this: nmap will connect to each port of the target in turn. Depending on how the port responds, it can be determined as being open, closed, or filtered (usually by a firewall). Once we know which ports are open, we can then look at enumerating which services are running on each port – either manually, or more commonly using nmap.

So, why `nmap`? The short answer is that it's currently the industry standard for a reason: no other port scanning tool comes close to matching its functionality (although some newcomers are now matching it for speed). It is an extremely powerful tool – made even more powerful by its scripting engine which can be used to scan for vulnerabilities, and in some cases even perform the exploit directly! Once again, this will be covered more in upcoming tasks.

## The THM Challenges

1. What networking constructs are used to direct traffic to the right application on a server? `Ports`
    
2. How many of these are available on any network-enabled computer? `65535`
    
3. **\[Research\]** How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) `1024`
    
    Out of the total **65,535 available ports** on a computer, the **known or standard ports** are typically divided into three main categories:
    
    1. **Well-known ports**: Ports **0 to 1023**
        
        * These ports are reserved for common and widely used services (e.g., HTTP, FTP, DNS, SSH). They are officially assigned by the Internet Assigned Numbers Authority (IANA).
            
    2. **Registered ports**: Ports **1024 to 49151**
        
        * These ports are registered by software developers for specific services or applications. They are not as universally standardized as well-known ports, but they are commonly used for specific purposes.
            
    3. **Dynamic or private ports**: Ports **49152 to 65535**
        
        * These ports are not registered or assigned for any particular service and are often used dynamically for client-side communication or temporary services.
            
    
    Thus, the **well-known and registered ports** range from **0 to 49151**, meaning there are **49,152 known or standard ports** in total.
    
    **Nmap** To cover the next section from questions 4 to 19, we need to run `nmap —help` on our terminals. For this to be possible we need Nmap installed depending on our OS
    
    ```bash
    // on MacOs
    $ brew install nmap
    // Debian/Ubuntu-based Distributions 
    $ sudo apt update 
    $ sudo apt install nmap
    // Red Hat/CentOS/Fedora-based Distributions
    $ sudo dnf install nmap
    $ sudo yum install nmap
    // Arch Linux-based Distributions
    $ sudo pacman -S nmap
    // OpenSUSE
    $ sudo zypper install nmap
    ```
    
    Run the command and use the result to solve the challenges in this category.
    
    ```bash
    $ nmap --help
    ```
    
4. What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? `-sS` (this covers 4 - 5)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726418374376/f82ec324-bf8a-4b1a-8017-b0d9e422be6c.png align="center")
    
5. Which switch would you use for a "UDP scan"? `-sU`
    
6. If you wanted to detect which operating system the target is running on, which switch would you use? `-O`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726418400300/0f9c4250-5a49-46dd-a807-c316d6313cb4.png align="center")
    
7. Nmap provides a switch to detect the version of the services running on the target. What is this switch? `-sV`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726418425172/10ecb287-6266-49e5-92ce-8d58ac2471c6.png align="center")
    
8. The default output provided by Nmap often does not provide enough information for a pentester. How would you increase the verbosity? `-v`
    
    *(The image below covers 8 - 9)*
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726418480614/12c8034e-096d-48d3-88a6-3b176f067130.png align="center")

9. Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (**Note**: it's highly advisable to always use *at least* this option) `-vv`
    
10. We should always save the output of our scans -- this means that we only need to run the scan once (reducing network traffic and thus the chance of detection), and gives us a reference to use when writing reports for clients. What switch would you use to save the Nmap results in three major formats? `-oA` *(The image below covers questions 10 - 12)*
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419524865/1657a514-9c3c-4e7f-90ae-c0e66f293989.png align="center")
    
11. What switch would you use to save the Nmap results in a "normal" format? `-oN`
    
12. A very useful output format: how would you save results in a "grepable" format? `-oG`
    
13. Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute, and common script scanning. How would you activate this setting? `-A`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419624227/ae701735-d9f2-4c5e-8102-8b971d5cf6b5.png align="center")
    
14. Nmap offers five levels of "timing" templates. These are essentially used to increase the speed of your scan runs. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5? `-T5`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419696285/ccc89098-2a7c-4d0e-aead-f198d00be2e0.png align="center")
    
15. We can also choose which port(s) to scan. How would you tell Nmap to only scan port 80? `-p 80` (the image below covers question 15 - 17)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419777666/3503011f-a6cd-411d-a811-677607990141.png align="center")
    
16. How would you tell Nmap to scan ports 1000-1500? `-p 1000-1500`
    
17. A very useful option that should not be ignored: How would you tell Nmap to scan *all* ports? `-p-`
    
18. How would you activate a script from the Nmap scripting library (lots more on this later!)? `--script`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419845636/6098fe32-b70c-4fd2-ad5f-3f2bbc802164.png align="center")
    
19. How would you activate all of the scripts in the "vuln" category? `--script=vuln`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726419894807/3f939ad4-fd98-4990-8c23-e1c296657bca.png align="center")
    
20. Which RFC defines the appropriate behavior for the TCP protocol? `RFC 9293`
    
21. If a port is closed, which flag should the server send back to indicate this? `RST` (reset)
    

For example, if a port is closed, [RFC 9293](https://datatracker.ietf.org/doc/html/rfc9293) states that: *"... If the connection does not exist (CLOSED), then a reset is sent in response to any incoming segment except another reset. A SYN segment that does not match an existing connection is rejected by this means."*

22. There are two other names for a SYN scan, what are they? `Half-Open, Stealth`
    
23. Can Nmap use a SYN scan without Sudo permissions (Y/N)? N
    

SYN scans are the default scans used by Nmap *if run with sudo permissions*. If run **without** sudo permissions, Nmap defaults to the TCP Connect scan we saw in the previous task.

24. If a UDP port doesn't respond to an Nmap scan, what will it be marked as? `open|filtered`
    
25. When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so? `ICMP`
    
26. Which of the three shown scan types uses the URG flag? `xmas`
    
27. Why are NULL, FIN, and Xmas scans generally used? `Firewall Evasion`
    
28. Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port? `Microsoft Windows`
    
29. How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation) `nmap -sn 172.16.0.0/16`  
    This command will ping all addresses in the **172.16.0.0 - 172.16.255.255** range using the `-sn` (ping scan) option without performing a port scan. This `/16` represents the subnet mask **255.255.0.0**, covering a much larger range than `/24`. It helps in scanning an entire **Class B** network (65,536 IP addresses), whereas `/24` limits the scan to just **256 IP addresses**.
    
30. What language are NSE scripts written in? `Lua`
    
31. Which category of scripts would be a *very* bad idea to run in a production environment? `intrusive`
    
32. What optional argument can the `ftp-anon.nse` Does script take? `maxlist`
    
    The \``ftp-anon.nse`\` script in Nmap, which checks for anonymous FTP access, can take an optional argument called `ftp-anon.maxlist`. This argument controls the maximum number of files that the script will attempt to list in each directory. If a directory contains more files than the limit, the script will stop listing.  
    Example usage: `nmap --script=ftp-anon --script-args=ftp-anon.maxlist=50 <target>` In this case, the script will attempt to list up to 50 files per directory on the FTP server. The default value is 1000, but you can adjust it depending on the size of the directories you're scanning.
    
33. Search for "smb" scripts in the `/usr/share/nmap/scripts/` directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server? `smb-os-discovery.nse`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726420541944/fcad96b8-5092-4ed0-8386-279199e8d417.png align="center")
    
34. Read through this script. What does it depend on? `smb-brute` using nano didn’t show the entire script.
    
    ```bash
    $ nano /opt/homebrew/bin/../share/nmap/scripts/smb-os-discovery.nse
    ```
    
    I checked on the [Nmap Websites on the scripts section](https://svn.nmap.org/nmap/scripts/smb-os-discovery.nse) and scrolled up to out `smb-os-discovery.nse` and I found this
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726420652637/b826e70b-146a-4464-a5ee-48c9eba433c8.png align="center")
    
35. Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the `-Pn` switch? `ICMP`
    
36. **\[Research\]** Which Nmap switch allows you to append an arbitrary length of random data to the end of packets? `--data-length` On your terminal, you can run the command `Nmap —help` then check the firewall section
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726420702791/2e23031f-0f25-42c9-9ced-a644814693fc.png align="center")
    
37. Does the target IP respond to ICMP echo (ping) requests (Y/N)? `N` they’re blocked unless we use `-Pn`
    
38. Perform a Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered? `999`We can use three commands to get the answers but because the next question is dependent on the outcome of this we use this one. The keyword is `Xmas ⇒ -sX`
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726420764416/5c82c1db-9a48-4137-bf46-414615427483.png align="center")
    
39. There is a reason given for this -- what is it? **Note:** The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help! `No Response`
    
40. Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open? `5` (count the number of open ports)
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726420814768/67d16894-807a-4cc9-8503-176511bfe974.png align="center")
    
41. Open Wireshark (see [Cryillic's](https://tryhackme.com/p/Cryillic) [Wireshark Room](https://tryhackme.com/room/wireshark) for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on. Deploy the `ftp-anon` script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N) `N`
    

Thank you for reading through my article. You can leave any questions or comments on how I can improve my learning journey and the THM challenges.
