Are you going through TryHackMe’s Nmap Room? Did you forget to take notes? I got you covered. Here are my Nmap room notes from TryHackMe, use them as much as you need!
Disclaimer, this is written in shorthand format, meaning, full sentences and proper grammar are always not used. For a full writeup, see TryHackMe Nmap Walkthrough, for help with Linux, see Quick Start Guide.
Task 1 Deploy & Task 2 Introduction
Ports: allow multiple network services, ensure correct device communication, 65535 total.
- Network connections between two ports:
- one open on server,
- one, high-numbered opens randomly on device.
- Port scanning: shows services running on target, “landscape”,
nmaptool is used.
- Types of ports: (example standard ports: 443 HTTPS, 80 HTTP, 139 Win NETBIOS, SMB 445).
- Well-known: 0-1023.
- Registered: 1024 to 49151.
- Dynamic/private: 49152 to 65535.
- Port states: open, closed, or filtered (from firewall).
Task 3 Nmap Switches
Types of scans/switches:
-oAoutput 3 major formats.
-oNoutput normal format.
-oGoutput grepable format.
-Aaggressive mode: services, OSs, traceroute, scripts.
-T<0-5>timing, higher is faster.
-pscan only specific port e.g.
-p-scan all ports.
--scriptuse script e.g.
Scan Types – Task 4 Overview, Task 5 TCP Connect, Task 6 SYN, Task 7 UDP, Task 8 NULL, FIN and Xmas, Task 9 ICMP Network Scanning
Basic scan types:
-sTTCP Connect: uses three-way handshake
ACK– default without sudo priv.
- If port closed
RSTreset, If firewall
- If port closed
RST– default with sudo priv.
- Benefits: avoids older detections, often not logged, slightly faster.
- Cons: sudo/root/admin privs, some services can brought down.
-sUUDP: stateless connection, difficult/slower to scan.
- Should be no response, assumed open, marked open/filtered, moves on.
- If closed, should receive ICMP (ping) packet.
Less common scan types: used for firewall evasion.
-sNTCP Null: sends empty packet, no
-sFTCP Fin: sends almost empty packet, only
FINflag, used to close active connection.
-sXTCP Xmas: sends
FINflags, looks like chirstmas tree in wireshark.
ICMP Network Scanning: find map/landscape, scans any port
-sn <ip range>find up/down hosts e.g.
- Forces ICMP or ARP (local networks).
I hope this has helped you, if it has, feel free to subscribe to my newsletter, that would mean heaps!