TryHackMe Nmap Walkthrough


Welcome to another TryHackMe walkthrough, this time the Nmap room from TryHackMe’s Beginner Learning Path. In this TryHackMe Nmap Walkthrough, we’ll go over all 15 tasks and you’ll see every detail you need not only to complete the Nmap room but to understand it too.

For a quicker look at the Nmap room, see TryHackMe Nmap Room Notes. Enjoy the TryHackMe Nmap Walkthrough, and happy hacking.

For the disclaimer, see the video version or the earlier Linux Fundamentals Part 1, Part 2 or Part 3 walkthroughs if needed. For help getting started, see the Linux Quick Start Guide and Starting Out In Cyber Security.

Task 2 Introduction

Nmap is a powerful tool to enumerate computer systems, meaning, it can find out information about a target. But as you’ll learn from this room, Nmap can do even more!


Make sure you read over all the information. Great, now let’s go over the questions.

  • ‘What networking constructs are used to direct traffic to the right application on a server?’ – they’re numbers, and the name starts with p.
  • ‘How many of these are available on any network-enabled computer?’ – search for ‘Computer Networking Ports’ if you need more help.
  • ‘[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)’ – searching will help with this one too; don’t forget to count port 0… no, it’s not 1023.

Task 3 Nmap Switches

Alright, next up, let’s learn about the various settings we can turn on and off, aka switches. Nmap has a lot of switches, so don’t feel discouraged if you can’t remember them all, it takes time. Don’t forget to read the man pages for nmap when you get stuck.

To save time, search through the --help menu to find switches with nmap --help | grep "<search-term>".

After you’ve gone through the info, let’s go over the questions:

  • ‘What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?’ -sS
  • ‘Which switch would you use for a “UDP scan”?’ -sU
  • ‘If you wanted to detect which operating system the target is running on, which switch would you use?’ -O
  • ‘Nmap provides a switch to detect the version of the services running on the target. What is this switch?’ -sV
  • ‘The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?’ -v
  • ‘Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it’s highly advisable to always use at least this option)’ -vv
  • ‘What switch would you use to save the nmap results in three major formats?’ -oA
  • ‘What switch would you use to save the nmap results in a “normal” format?’ -oN
  • ‘A very useful output format: how would you save results in a “grepable” format?’ -oG
  • ‘How would you activate this setting?’ -A
  • ‘How would you set the timing template to level 5?’ -T5
  • ‘How would you tell nmap to only scan port 80?’ -p 80
  • ‘How would you tell nmap to scan ports 1000-1500?’ -p 1000-1500
  • ‘How would you tell nmap to scan all ports?’ -p-
  • ‘How would you activate a script from the nmap scripting library (lots more on this later!)?’ --script
  • ‘How would you activate all of the scripts in the “vuln” category?’ --script=vuln

Task 5 Scan Types TCP Connect Scans

Ah, TCP Connect scans, the default for nmap without root privileges. Make sure to go over the three-way handshake from the info provided, then let’s answer the questions:

  • ‘Which RFC defines the appropriate behaviour for the TCP protocol?’ – RFC 793
  • ‘If a port is closed, which flag should the server send back to indicate this?’ – RST

Task 6 Scan Types SYN Scans

Cool, now SYN scans, the default for nmap WITH root privileges. Let’s see the questions:

  • ‘There are two other names for a SYN scan, what are they?’ – Half-Open, Stealth
  • ‘Can Nmap use a SYN scan without Sudo permissions (Y/N)?’ – N

Task 7 Scan Types UDP Scans

Last of the main three scan types is UDP. I’m yet to really use this scan, but it’s good to keep in the bank for later. Let’s see the questions:

  • ‘If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?’ – open|filtered
  • ‘When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?’ – ICMP

Task 8 Scan Types NULL, FIN and Xmas

Next up are the lesser-used scans, typically used for firewall evasion, as they’re a bit more involved. After you read the info provided, here’s a look at the questions and answers:

  • ‘Which of the three shown scan types uses the URG flag?’ – xmas
  • ‘Why are NULL, FIN and Xmas scans generally used?’ – Firewall Evasion
  • ‘Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?’ – Microsoft Windows

Task 9 Scan Types ICMP Network Scanning

Ping sweeping, this is really good to remember! It’s how you find multiple live hosts across a network, and fast. Use the -sn switch to enable it, followed by an argument that specifies the IP range and scope (CIDR notation). Don’t forget to run nmap’s help output through grep to find the ping scan switch.

Great, now let’s see the question for this task:

  • ‘How would you perform a ping sweep on the 172.16.x.x network (Netmask: using Nmap? (CIDR notation)’ – nmap -sn

Task 10 NSE Scripts Overview

Scripts take nmap to a whole other level; some scripts go beyond enumeration into exploiting vulns, crazy. After going over the task, let’s tackle the questions:

  • ‘What language are NSE scripts written in?’ – Lua
  • ‘Which category of scripts would be a very bad idea to run in a production environment?’ – intrusive

Task 11 NSE Scripts Working with the NSE

Great, use the --script-help switch to find a script’s help info, then go to the info page for more.

Here are this task’s questions:

  • ‘What optional argument can the ftp-anon.nse script take?’ – maxlist

Task 12 NSE Scripts Searching for Scripts

Learning nmap can be a bit tricky, and now we’re onto the programs within the program, which, like I mentioned before, is a whole other level. Make sure to read all the info provided, and take your time.

You can display Nmap’s script database text file (script.db in the scripts directory) and search it with grep, using “anon” as an example.

Now try it again, but this time searching for “smb”.
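Beyond a plain grep, script.db can be filtered by category, which is exactly what --script=<category> selects. The script below is an added example, not part of the room or of nmap itself; the entry layout matches the real script.db, but the four entries (including the hypothetical example-vuln-check.nse) are a constructed sample. The second function lists which scripts in a category are also tagged intrusive, the check you want before pointing a whole category at a production host.

```shell
#!/bin/sh
# Added example: filter a script.db-style file by NSE category.
# sample_db emits a constructed sample in the real file's entry format;
# it is not a copy of nmap's script.db.
sample_db() {
  cat <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "example-vuln-check.nse", categories = { "intrusive", "vuln", } }
EOF
}

# Print the filename of every script tagged with category $2 in db file $1.
scripts_in_category() {
  awk -v cat="$2" '
    /^Entry/ {
      match($0, /filename = "[^"]+"/)
      name = substr($0, RSTART + 12, RLENGTH - 13)   # strip: filename = "..."
      match($0, /categories = [{][^}]*[}]/)
      cats = substr($0, RSTART, RLENGTH)
      if (index(cats, "\"" cat "\"") > 0) print name
    }' "$1"
}

# Of the scripts in category $2, print only those also tagged "intrusive".
intrusive_in_category() {
  scripts_in_category "$1" "$2" | while read -r name; do
    if grep -F "filename = \"$name\"" "$1" | grep -q '"intrusive"'; then
      echo "$name"
    fi
  done
}

db=$(mktemp)
sample_db > "$db"
echo "scripts selected by --script=vuln:";  scripts_in_category "$db" vuln
echo "of those, intrusive:";                intrusive_in_category "$db" vuln
rm -f "$db"
```

Point the functions at /usr/share/nmap/scripts/script.db instead of the sample to run the same check on a real install.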

Great, now let’s see the task questions:

  • ‘Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?’ – smb-os-discovery.nse
  • ‘Read through this script. What does it depend on?’ – smb-brute

Task 13 Firewall Evasion

Now this may ring a bell: we already touched on firewall evasion back in Task 8, so go back up if you need a quick refresher, I’ll wait. Search nmap’s help again, this time for “append”, and then again for “random”.

With those help-menu searches done, here are this task’s questions:

  • ‘Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?’ – ICMP
  • ‘[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?’ – --data-length

Task 14 Practical

Great, now you’re nearly at the end of the room, with just the last practical nmap task to go. Use a Xmas scan, and don’t forget to add -vv to see more talkative nmap results.

You can increase the number of ports that nmap targets; looking back, it may be better to use -p- and scan all ports from the first scan.

After your scan has finished, take note of the ports found.
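Taking note of the ports is easier if the scan was saved with -oG (the grepable format from Task 3), because that output can be parsed by script. The following is an added example, not part of the room or of nmap: the two hosts and their results are a constructed sample in the -oG layout (tab-separated Host:, Ports: and Ignored State: fields), and the counting function folds in the “Ignored State” summary, which is where the 999 open|filtered ports from a no-response Xmas scan end up.

```shell
#!/bin/sh
# Added example: pull port states out of nmap grepable (-oG) output.
# sample_og emits a constructed sample in the -oG format, not a real scan.
sample_og() {
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (4997)\n'
  printf 'Host: 10.10.10.6 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.6 ()\tPorts: 22/open|filtered/tcp//ssh///\tIgnored State: open|filtered (998)\n'
}

# Print "host port/proto state service" for every explicitly listed port.
list_ports() {  # $1 = -oG output file
  awk -F'\t' '/Ports:/ {
    host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
    for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
      n = split(substr($i, 8), p, ", ")
      for (j = 1; j <= n; j++) { split(p[j], f, "/"); print host, f[1] "/" f[3], f[2], f[5] }
    }
  }' "$1"
}

# Count the ports of host $2 in state $3 (e.g. open or open|filtered),
# including the ports nmap folded into the "Ignored State" summary.
count_state() {  # $1 = -oG output file, $2 = host, $3 = state
  awk -F'\t' -v h="$2" -v s="$3" '
    index($1, "Host: " h " ") == 1 && /Ports:/ {
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") == 1) {
          n = split(substr($i, 8), p, ", ")
          for (j = 1; j <= n; j++) { split(p[j], f, "/"); if (f[2] == s) c++ }
        } else if (index($i, "Ignored State: ") == 1) {
          split($i, g, " "); if (g[3] == s) { gsub(/[()]/, "", g[4]); c += g[4] }
        }
      }
    }
    END { print c + 0 }' "$1"
}

out=$(mktemp)
sample_og > "$out"
list_ports "$out"
echo "open on 10.10.10.5: $(count_state "$out" 10.10.10.5 open)"
echo "open|filtered on 10.10.10.6: $(count_state "$out" 10.10.10.6 'open|filtered')"
rm -f "$out"
```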

Once you’re happy with your nmap scan results, let’s go over the questions:

  • ‘Does the target <ip> respond to ICMP (ping) requests (Y/N)?’ – N
  • ‘Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?’ – 999
  • ‘There is a reason given for this — what is it? Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!’ – No Response
  • ‘Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?’ – 5
  • ‘Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)’ – Y

Great work, that’s the Nmap Room from TryHackMe, I hope you enjoyed it! If you have any feedback, please reach out to let me know.

This is Day 38 and 41 of #100DaysOfHacking, subscribe to my newsletter to see the CyberSec journey! If you like, follow my Learning Path for yourself, happy hacking.

About The Author
Ashley Ball


“Learn, create, share, repeat.” • IT teacher, former web designer, learning CyberSec • Road to #100DaysOfHacking on Hackers Learning Path.