How would you activate all of the scripts in the vuln category
How would you activate all of the scripts in the vuln category
TryHackMe Room: Nmap [Task1-15]
In this post I will offer you all the answers you need to get your first (easy) completed room. However, I don’t recommend you simply copy-paste the answers without actually reading anything because then you will not learn anything.
The answers posted here should be used if you are really stuck on a task and you need help.
NOTE: I take no responsibility what you have in mind to do with these questions/answers. I am simply posting them for learning purposes. Please think twice before you try to become all “anonymous hacker” and start scanning commercial/production applications.
Task 1: Deploy
No answer needed here, simply click “Question Done” after you deployed your machine.
Task 2: Introduction
What networking constructs are used to direct traffic to the right application on a server?
How many of these are available on any network-enabled computer?
[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)
Task 3: Nmap Switches
What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
Which switch would you use for a “UDP scan”?
If you wanted to detect which operating system the target is running on, which switch would you use?
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
What switch would you use to save the nmap results in three major formats?
What switch would you use to save the nmap results in a “normal” format?
A very useful output format: how would you save results in a “grepable” format?
How would you activate this setting?
How would you set the timing template to level 5?
How would you tell nmap to only scan port 80?
How would you tell nmap to scan ports 1000-1500?
How would you tell nmap to scan all ports?
How would you activate a script from the nmap scripting library?
How would you activate all of the scripts in the “vuln” category?
Task 4: Overview
No answer needed here, simply click “Question Done” after you deployed your machine.
Task 5: TCP Connect Scans
Which RFC defines the appropriate behaviour for the TCP protocol?
If a port is closed, which flag should the server send back to indicate this?
Task 6: SYN Scans
There are two other names for a SYN scan, what are they?
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
Task 7: UDP Scans
If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
Task 8: NULL, FIN & XMAS
Which of the three shown scan types uses the URG flag?
Why are NULL, FIN and Xmas scans generally used?
Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Task 9: ICMP Network Scanning
How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
Task 10: Overview
What language are NSE scripts written in?
Which category of scripts would be a very bad idea to run in a production environment?
Task 11: Working with NSE
What optional argument can the ftp-anon.nse script take?
Task 12: Searching for Scripts
What is the filename of the script which determines the underlying OS of the SMB server?
What does it depend on?
Task 13: Firewall Evasion
[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Task 14: Practical
Does the target ( 10.10.107.167 )respond to ICMP (ping) requests (Y/N)?
Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?
There is a reason given for this — what is it?
Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?
Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
Task 15: Deploy
No answer needed here, simply click “Question Done” after you deployed your machine.
Congratulations
You’ve completed the room!
Your contribution fuels me with coffee to write more stuff 😃
You can use the link below to donate coins:
Nmap TryHackMe Room Walkthrough [level 1 — level 7]
Click here for part 2 in Nmap link
Task 2 → Introduction
What networking constructs are used to direct traffic to the right application on a server?
How many of these are available on any network-enabled computer?
[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)
Task 3 → Nmap Switches
What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
Which switch would you use for a “UDP scan”?
If you wanted to detect which operating system the target is running on, which switch would you use?
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
What switch would you use to save the nmap results in three major formats?
What switch would you use to save the nmap results in a “normal” format?
A very useful output format: how would you save results in a “grepable” format?
Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
How would you activate this setting?
Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!
How would you set the timing template to level 5?
We can also choose which port(s) to scan.
How would you tell nmap to only scan port 80?
How would you tell nmap to scan ports 1000–1500?
A very useful option that should not be ignored:
How would you tell nmap to scan all ports?
How would you activate a script from the nmap scripting library (lots more on this later!)?
How would you activate all of the scripts in the “vuln” category?
Task 5→ TCP Connect Scan
Which RFC defines the appropriate behaviour for the TCP protocol?
If a port is closed, which flag should the server send back to indicate this?
Task 6 → SYN Scan
There are two other names for a SYN scan, what are they?
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
Task 7 → UDP Scan
If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
doretox
doretox · March 20, 2021
An in depth look at scanning with nmap, a powerful network scanning tool.
No answer needed.
What networking constructs are used to direct traffic to the right application on a server?
Answer: ports
How many of these are available on any network-enabled computer?
Answer: 65535
[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)
Answer: 1024
What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
Which switch would you use for a “UDP scan”?
If you wanted to detect which operating system the target is running on, which switch would you use?
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
What switch would you use to save the nmap results in three major formats?
What switch would you use to save the nmap results in a “normal” format?
A very useful output format: how would you save results in a “grepable” format?
Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
How would you activate this setting?
Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!
How would you set the timing template to level 5?
We can also choose which port(s) to scan.
How would you tell nmap to only scan port 80?
How would you tell nmap to scan ports 1000-1500?
A very useful option that should not be ignored:
How would you tell nmap to scan all ports?
How would you activate a script from the nmap scripting library (lots more on this later!)?
Answer: –script
How would you activate all of the scripts in the “vuln” category?
Answer: –script=vuln
No answer needed.
hich RFC defines the appropriate behaviour for the TCP protocol?
Answer: RFC 793
If a port is closed, which flag should the server send back to indicate this?
Answer: RST
There are two other names for a SYN scan, what are they?
Answer: Half-Open, Stealth
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
Answer: N
If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
Answer: 
When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
Answer: ICMP
Answer: xmas
Answer: Firewall Evasion
Answer: Microsoft Windows
Answer: Lua
Answer: intrusive
What optional argument can the ftp-anon.nse script take?
Answer: maxlist
Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?
Answer: smb-os-discovery.nse
Read through this script. What does it depend on?
Answer: smb-brute
Answer: ICMP
[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Answer: –data-lenght
Does the target ( MACHINE_IP ) respond to ICMP (ping) requests (Y/N)?
Answer: N
Perform an Xmas scan on the first 999 ports of the target – how many ports are shown to be open or filtered?
Answer: 999
There is a reason given for this – what is it?
Answer: no response
Perform a TCP SYN scan on the first 5000 ports of the target – how many ports are shown to be open?
Answer: 5
Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
UmutErgunes/Nmap-TryHackMe
Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
README.md
Deploy the machine!
What networking constructs are used to direct traffic to the right application on a server?
How many of these are available on any network-enabled computer?
[Research] How many of these are considered «well-known»? (These are the «standard» numbers mentioned in the task)
What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
Which switch would you use for a «UDP scan»?
If you wanted to detect which operating system the target is running on, which switch would you use?
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
What switch would you use to save the nmap results in three major formats?
What switch would you use to save the nmap results in a «normal» format?
A very useful output format: how would you save results in a «grepable» format?
How would you activate this setting?
How would you set the timing template to level 5?
How would you tell nmap to only scan port 80?
How would you tell nmap to scan ports 1000-1500?
How would you tell nmap to scan all ports?
How would you activate a script from the nmap scripting library (lots more on this later!)?
How would you activate all of the scripts in the «vuln» category?
[Scan Types] Overview
[Scan Types] TCP Connect Scans
Which RFC defines the appropriate behaviour for the TCP protocol?
If a port is closed, which flag should the server send back to indicate this?
writeups
Information
Overview#
Install tools used in this WU on BlackArch Linux:
Introduction#
What networking constructs are used to direct traffic to the right application on a server?
Read the task material.
How many of these are available on any network-enabled computer?
Read the task material.
[Research] How many of these are considered «well-known»? (These are the «standard» numbers mentioned in the task)
Nmap Switches#
Disclaimer: I won’t detail the task as it’s just search through the help/man page.
What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
Which switch would you use for a «UDP scan»?
If you wanted to detect which operating system the target is running on, which switch would you use?
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
What switch would you use to save the nmap results in three major formats?
What switch would you use to save the nmap results in a «normal» format?
A very useful output format: how would you save results in a «grepable» format?
Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable «aggressive» mode. This is a shorthand switch > that activates service detection, operating system detection, a traceroute and common script scanning.
How would you activate this setting?
How would you set the timing template to level 5?
How would you tell nmap to only scan port 80?
How would you tell nmap to scan ports 1000-1500?
How would you tell nmap to scan all ports?
How would you activate a script from the nmap scripting library (lots more on this later!)?
How would you activate all of the scripts in the «vuln» category?
[Scan Types] TCP Connect Scans#
Which RFC defines the appropriate behaviour for the TCP protocol?
Read the task material.
If a port is closed, which flag should the server send back to indicate this?
Read the task material.
[Scan Types] SYN Scans#
There are two other names for a SYN scan, what are they?
Answer: Half-open, stealth
Read the task material.
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
Raw socket requires some capabilities:
[Scan Types] UDP Scans#
If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
Read the task material.
When a UDP port is closed, by convention the target should send back a «port unreachable» message. Which protocol would it use to do so?
Read the task material.
[Scan Types] NULL, FIN and Xmas#
Which of the three shown scan types uses the URG flag?
Read the task material.
Why are NULL, FIN and Xmas scans generally used?
Answer: firewall evasion
Read the task material.
Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Answer: Microsoft Windows
Read the task material.
[Scan Types] ICMP Network Scanning#
How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
[NSE Scripts] Overview#
What language are NSE scripts written in?
Read the task material.
Which category of scripts would be a very bad idea to run in a production environment?
Read the task material.
[NSE Scripts] Working with the NSE#
What optional argument can the ftp-anon.nse script take?
[NSE Scripts] Searching for Scripts#
Search for «smb» scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?
Read through this script. What does it depend on?
Let’s look for dependencies.
Firewall Evasion#
Read the task material.
[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Practical#
Does the target (10.10.130.86) respond to ICMP (ping) requests (Y/N)?
Answer: no responses
Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)