Nmap - TryHackMe!

-
nmap

Task 2

  1. What networking constructs are used to direct traffic to the right application on a server?
ports
  1. How many of these are available on any network-enabled computer?
65535
  1. [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)?
1024

Task 3

  1. What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
-sS
  1. Which switch would you use for a “UDP scan”?
-sU
  1. If you wanted to detect which operating system the target is running on, which switch would you use?
-O
  1. Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV
  1. The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v
  1. Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
    (Note: it’s highly advisable to always use at least this option)
-vv
  1. What switch would you use to save the nmap results in three major formats?
 -oA
  1. What switch would you use to save the nmap results in a “normal” format?
 -oN
  1. A very useful output format: how would you save results in a “grepable” format?
 -oG
  1. How would you activate this setting?
 -A
  1. How would you set the timing template to level 5?
 -T5
  1. How would you tell nmap to only scan port 80?
 -p 80
  1. How would you tell nmap to scan ports 1000-1500?
-p 1000-1500
  1. How would you tell nmap to scan all ports?
-p-
  1. How would you activate a script from the nmap scripting library (lots more on this later!)?
--script
  1. How would you activate all of the scripts in the “vuln” category?
--script=vuln

Task 5

  1. Which RFC defines the appropriate behaviour for the TCP protocol?
RFC 793
  1. If a port is closed, which flag should the server send back to indicate this?
RST

Task 6

  1. There are two other names for a SYN scan, what are they?
half-open stealth
  1. Can Nmap use a SYN scan without Sudo permissions (Y/N)?
n

Task 7

  1. If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
open|filtered
  1. When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
ICMP

Task 8

  1. Which of the three shown scan types uses the URG flag?
xmas
  1. Why are NULL, FIN and Xmas scans generally used?
firewall evasion
  1. Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Microsoft windows

Task 9

  1. How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
nmap -sn 172.16.0.0/16

Task 10

  1. What language are NSE scripts written in?
Lua
  1. Which category of scripts would be a very bad idea to run in a production environment?
intrusive

Task 11

  1. What optional argument can the ftp-anon.nse script take?
maxlist

Task 12

  1. What is the filename of the script which determines the underlying OS of the SMB server?
smb-os-discovery.nse
  1. Read through this script. What does it depend on?
smb-brute

Task 13

  1. Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
ICMP
  1. [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
--data-length

Task 14

This is a practical session, all commands in below youtube video

  1. Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)?
n
  1. Perform an Xmas scan on the first 999 ports of the target – how many ports are shown to be open or filtered?
999
  1. There is a reason given for this – what is it?
 no responses
  1. Perform a TCP SYN scan on the first 5000 ports of the target – how many ports are shown to be open?
5
  1. Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.
no answer need
  1. Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
y

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t...
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht...
Read more