TryHackMe: NMap - Walkthrough

September 4, 2023
Posted in TryHackMe, NMap
September 4, 2023 Jasper
Hi! In this walkthrough we will be looking at the THM room concerning NMap. Nmap is an fundamental skill required for basicly all penetrating testing projects and CTFs. Let’s cover all the theory together!

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

R

oom URL: https://tryhackme.com/room/furthernmap


Task 1 (Deploy)

Nothing to do here besides deploying the target machine.


Task 2 (Introduction)

Let us assume that you have the IP address of your target machine. The first steps of gathering data on the machine is to find out what services are running on the machine. We do this by scanning its ports. A machine needs to have certain ports open to run certain services, and by scanning its ports we can figure out which services it runs by looking at which ports are open.

Network connections are made between two ports — an open port listening on the server and a randomly selected port on your own computer. For example, when you connect to a web page, your computer may open port 49534 to connect to the server’s port 443. Every computer has 65535 available ports, of which many are registered as standard ports. HTTP for example, runs on port 80, while HTTPS runs on port 443. It is however not guaranteed that services run on their default port, which makes port scanning even more important!

Nmap is a tool that provides us with the power to do quick and efficient port scanning.

Questions:

What networking constructs are used to direct traffic to the right application on a server?

Answer: Ports

How many of these are available on any network-enabled computer?

Answer: 65535

[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

Answer: 1024


Task 3 (Nmap switches)

Nmap can be accessed by typing nmap into the terminal command line, followed by some of the “switches” (command arguments which tell a program to do different things) we will be covering below. You can get an overview of all switches by writing:

nmap -h
#or
man nmap.

Questions:

What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

Answer: -sS

Which switch would you use for a “UDP scan”?

Answer: -sU

If you wanted to detect which operating system the target is running on, which switch would you use?

Answer: -sO

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

Answer: — sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

Answer: -v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

Answer: -vv

We should always save the output of our scans — this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.

What switch would you use to save the nmap results in three major formats?

Answer: -oA

What switch would you use to save the nmap results in a “normal” format?

Answer: -oN

A very useful output format: how would you save results in a “grepable” format?

Answer: -oG

If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting?

Answer: -A

Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. How would you set the timing template to level 5?

Answer: -T5

We can also choose which port(s) to scan. How would you tell nmap to only scan port 80?

Answer: -p 80

How would you tell nmap to scan ports 1000–1500?

Answer: -p 1000–1500

How would you tell nmap to scan all ports?

Answer: -p-

How would you activate a script from the nmap scripting library (lots more on this later!)?

Answer: — script

How would you activate all of the scripts in the “vuln” category?

Answer: — script=vuln


Task 4 (Scan Types — Overview)

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)
  • SYN “Half-open” Scans (-sS)
  • UDP Scans (-sU)

Additionally there are several less common port scan types:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Task 5 (Scan Types — TCP Connect Scans)

To understand TCP Connect Scans, it is important to have knowledge about the three-way handshake. To remind you, the three-way handshake consists of three parts:

  1. The attacking machine sends a TCP request with the SYN (synchronize) flag set.
  2. The host machine acknowledges this packet with a TCP response containing both the SYN flag, as well as the ACK (Acknowledgement) flag.
  3. Finally, the attacker confirm the establish connection by sending a TCP request with the ACK flag.

Nmaps TCP Connect scan uses this three-way handshake method with each target port in turn. It checks the response it receive for each port to determine whether the port is open or closed.

For example: if Nmap sends a TCP request with the SYN flag set to a closed port, the target server will respond with a TCP packet with the RST (Reset) flag set. Nmap can therefore conclude that the port is closed.

If on the other hand the target port is open, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks this port as being open and completes the handshake by sending back a TCP packet with ACK set.

There is a third possibility though: the port is open but hidden behind a firewall. Many firewalls simply drop incoming packets. This means that Nmap will receive nothing after sending a TCP SYN request. The port is considered to be filtered. Firewalls can however be setup to respond with a RST TCP packet instead, which makes it difficult to gain knowledge about the port.

Questions

Which RFC defines the appropriate behaviour for the TCP protocol?

Answer: RFC 793

If a port is closed, which flag should the server send back to indicate this?

Answer: RST


Task 6 (SYN Scans)

Syn scans are very similar to TCP Connect scans. SYN scans are often referred to as “half-open”, or “stealth” scans. The difference is that SYN scans do not perform a full three-way handshake in the sense that they send back a RST TCP package in the third step, instead of a ACK. This prevents that the server will repeatedly try to make the request.

This can have different advantages:

  1. Avoids detection. Some older intrusion detection system are only looking for a full three-way handshake.
  2. Avoids logging. Standard practice is to log a connection once it has been fully established.
  3. Quicker. Because we do not bother to establish a full connection, we increase port scan speed.

There are also two disadvantages:

  1. They require sudo permissions.
  2. They can bring down unstable services.

Because of these strong advantages SYN scans are the default scan type.

Questions

There are two other names for a SYN scan, what are they?

Answer: Half-Open, Stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)?

Answer: N


Task 7 (UDP Scans)

While TCP connections have a state initiated with a three-way handshake, UDP are stateless. This means that UDP connection send packets to the target port with a hope that they arrive, but no guarantee. Due to being stateless, UDP connections are very quick, but make them difficult and slower to quick.
The switch for an Nmap UDP scan is -sU.

Since UDP scans are so slow it’s usually good practice to run an Nmap scan with --top-ports <number> enabled. For example, scanning with nmap -sU --top-ports 20 <target>. Now only the 20 most common ports get scanned.

When sending a UDP packet to an open UDP port there should be no response. Nmap can in this case only conclude that the port is either open or filtered. It suspect that the port is open, but it could still be firewalled. If it does receive a response the port is marked as open, but this does not happen often. When a packet is sent to a closed UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable.

Questions

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Answer: open|filtered

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Answer: ICMP


Task 8 (NULL, FIN and Xmas)

NULL, FIN and Xmas TCP port scans are not used as commonly as the previously discussed port scan types. What these three scan types have in common are that they are even stealthier than a SYN scan.

  • As the name suggests, NULL scans (-sN) are when the TCP request is sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.
  • FIN scans (-sF) work in an almost identical fashion; however, instead of sending a completely empty packet, a request is sent with the FIN flag Once again, Nmap expects a RST if the port is closed.
  • As with the other two scans in this class, Xmas scans (-sX) send a malformed TCP packet and expects a RST response for closed ports.

The expected response for open ports with these scans is also identical, and is very similar to that of a UDP scan. If the port is open then there is no response to the malformed packet. Unfortunately (as with open UDP ports), that is also an expected behavior if the port is protected by a firewall, so NULL, FIN and Xmas scans will only ever identify ports as being open|filtered, closed, or filtered. If a port is identified as filtered with one of these scans then it is usually because the target has responded with an ICMP unreachable packet.

That said, the goal here is, of course, firewall evasion. Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set (thus blocking new connection initiation requests). By sending requests which do not contain the SYN flag, we effectively bypass this kind of firewall. However, most modern IDS solutions can deal with these scan types.

Questions

Which of the three shown scan types uses the URG flag?

Answer: xmas

Why are NULL, FIN and Xmas scans generally used?

Answer: Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Answer: Microsoft Windows


Task 9 (ICMP Network Scanning)

On connecting to a system, our first objective is to obtain a “map” of the network structure. In other words, we want to see which IP addresses contain active hosts, and which do not. Nmap can do this by running a “ping sweep”. What this means is that Nmap sends a ICMP packet to each possible IP address for the specified network. If it receives a response, it marks the address as being alive.

To perform a ping sweep, we use the -sn switch in conjunction with IP ranges.

Questions

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Answer: nmap -sn 172.16.0.0/16


Task 10 (NSE Scripts — Overview)

NSE stands for Nmap Scripting Language. NSE can greatly improve the functionality of Nmap with the use of scripts written in the Lua programming language.

There are many categories of scripts available. A exhaustive list can be found here.

Questions

What language are NSE scripts written in?

Answer: Lua

Which category of scripts would be a very bad idea to run in a production environment?

Answer: intrusive


Task 11 (NSE Scripts — Working with NSE)

To run a specific script, we would use:

--script=http-fileupload-exploiter

Multiple scripts can be run simultaneously in this fashion by separating them by a comma.

Questions

What optional argument can the ftp-anon.nse script take?

The anwer can be found here:

https://nmap.org/nsedoc/scripts/ftp-anon.html

Answer: maxlist


Task 12 (NSE Scripts — Searching)

We know how to run scripts, but how to find them? There are two options:

  1. The first is the page on the Nmap website (mentioned in the previous task) which contains a list of all official scripts.
  2. The second is the local storage on your attacking machine. Nmap stores its scripts on Linux at /usr/share/nmap/scripts. All of the NSE scripts are stored in this directory by default — this is where Nmap looks for scripts when you specify them.

There are two ways to search for these installed scripts. One is by using the /usr/share/nmap/scripts/script.db file. Despite the extension, this isn’t actually a database so much as a formatted text file containing filenames and categories for each available script. Nmap uses this file to keep track of (and utilise) scripts for the scripting engine; however, we can also grep through it to look for scripts. For example:

grep "ftp" /usr/share/nmap/scripts/script.db

The second way to search for scripts is quite simply to use the ls command in the scripts folder. For example, we could get the same results as in the previous screenshot by using:

ls -l /usr/share/nmap/scripts/*ftp*.

Questions

Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?

Answer: smb-os-discovery.nse

Read through this script. What does it depend on?

Scroll a bit down in the script. Then you will find the answer:

Dependencies of the smb-os-discovery.nse script

Answer: smb-brute


Task 13 (Firewall Evasion)

We have talked a lot about techniques for bypassing firewalls using stealthier scans. However, there is another common problem. Typical Windows hosts will because of its default firewall block all ICMP packets. This means that we can’t use ping on the network, and in addition nmap uses ICMP packets as well for scanning ports. Open ports will therefore not be detected.

We can bypass this problem by using the -Pn flag. This tells Nmap to avoid pinging hosts before

So, we need a way to get around this configuration. Fortunately Nmap provides an option for this: -Pn, which tells Nmap to not bother pinging the host before scanning it. This means that Nmap will always treat the target host(s) as being alive, effectively bypassing the ICMP block; however, it comes at the price of potentially taking a very long time to complete the scan (if the host really is dead then Nmap will still be checking and double checking every specified port).

Questions

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

Answer: ICMP

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

Answer:–data-length


Task 14 (Practical)

Questions

Does the target ip respond to ICMP (ping) requests (Y/N)?

Answer: N

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

Answer: 999

There is a reason given for this — what is it?

Answer: No Response

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

Answer: 5

Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

Answer: No answer needed

Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Answer: Y


Task 15 (Conclusion)

We are done. Great job! I hope you learned as much as I did while writing this summary of the THM box.


Like my articles?

You are welcome to support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: