
【Walkthrough】TryHackMe: NMap

This is a walkthrough of the TryHackMe "Nmap" room.

Task2

Q1.What networking constructs are used to direct traffic to the right application on a server?

A.ports

Q2.How many of these are available on any network-enabled computer?

A.65535

Q3.[Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)

Hint.Search in Google "How many well-known ____ are there", substituting in your answer to Question 1.

A.1024

Task3

Q1.What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?

A.-sS

Q2.Which switch would you use for a "UDP scan"?

A.-sU

Q3.If you wanted to detect which operating system the target is running on, which switch would you use?

A.-O

Q4.Nmap provides a switch to detect the version of the services running on the target. What is this switch?

A.-sV

Q5.The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

A.-v

Q6.Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it's highly advisable to always use at least this option)

A.-vv

Q7.What switch would you use to save the nmap results in three major formats?

A.-oA

Q8.What switch would you use to save the nmap results in a "normal" format?

A.-oN

Q9.A very useful output format: how would you save results in a "grepable" format?

A.-oG

Q10.How would you activate this setting?

A.-A

Q11.How would you set the timing template to level 5?

A.-T5

Q12.How would you tell nmap to only scan port 80?

A.-p 80

Q13.How would you tell nmap to scan ports 1000-1500?

A.-p 1000-1500

Q14.How would you tell nmap to scan all ports?

A.-p-

Q15.How would you activate a script from the nmap scripting library (lots more on this later!)?

A.--script

Q16.How would you activate all of the scripts in the "vuln" category?

Hint.There are two variants of this switch. One with a space, one with the equals sign. Look at the asterisks in the answer field to see which one it is.

A.--script=vuln

Task5

Q1.Which RFC defines the appropriate behaviour for the TCP protocol?

Hint.RFC 793 was deprecated and replaced by a newer RFC. What is it?

A.RFC 9293

Q2.If a port is closed, which flag should the server send back to indicate this?

A.RST

Task6

Q1.There are two other names for a SYN scan, what are they?

A.Half-open,Stealth

Q2.Can Nmap use a SYN scan without Sudo permissions (Y/N)?

A.N

Task7

Q1.If a UDP port doesn't respond to an Nmap scan, what will it be marked as?

A.open|filtered

Q2.When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?

A.icmp

Task8

Q1.Which of the three shown scan types uses the URG flag?

A.Xmas

Q2.Why are NULL, FIN and Xmas scans generally used?

A.Firewall Evasion

Q3.Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

A.Microsoft Windows

Task9

Q1.How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Hint.The CIDR notation for a Class B network with a default netmask is /16

A.nmap -sn 172.16.0.0/16

Task10

Q1.What language are NSE scripts written in?

A.Lua

Q2.Which category of scripts would be a very bad idea to run in a production environment?

A.intrusive

Task11

Q1.What optional argument can the ftp-anon.nse script take?

The --script-help <script name> option takes you to the script's documentation, so check it there.

$ nmap --script-help ftp-anon.nse
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-19 08:24 EDT

ftp-anon
Categories: default auth safe
https://nmap.org/nsedoc/scripts/ftp-anon.html
  Checks if an FTP server allows anonymous logins.

  If anonymous is allowed, gets a directory listing of the root directory
  and highlights writeable files.

A.maxlist

Task12

Q1.Search for "smb" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.

What is the filename of the script which determines the underlying OS of the SMB server?

Search the files under /usr/share/nmap/scripts.

$ ls -l /usr/share/nmap/scripts | grep "smb-os"
-rw-r--r-- 1 root root  8220 Nov  1 22:10 smb-os-discovery.nse

A.smb-os-discovery.nse

Q2.Read through this script. What does it depend on?

Use cat together with grep to check the contents of the script.

$ cat ./smb-os-discovery.nse | grep dependencies
dependencies = {"smb-brute"}

A.smb-brute

Task13

Q1.Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

A.icmp

Q2.[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

You can search the help output for a string such as "random data".

$ nmap --help | grep -i "random data"
  --data-length <num>: Append random data to sent packets

A.--data-length

Task14

Q1.Does the target ip respond to ICMP echo (ping) requests (Y/N)?

Checking with the -PE option whether an ICMP echo reply comes back shows that ping is blocked.

$ sudo nmap -PE 10.10.172.15                   
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-19 22:02 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.08 seconds

A.N

Q2.Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?

This can be confirmed from the lines "All 999 scanned ports on 10.10.115.240 are in ignored states." and "Not shown: 999 open|filtered tcp ports (no-response)" in the scan output.

$ sudo nmap --vv -Pn -sX -p 1-999 10.10.115.240
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-19 08:39 EDT
Initiating Parallel DNS resolution of 1 host. at 08:39
Completed Parallel DNS resolution of 1 host. at 08:39, 0.00s elapsed
Initiating XMAS Scan at 08:39
Scanning 10.10.115.240 [999 ports]
XMAS Scan Timing: About 15.52% done; ETC: 08:42 (0:02:49 remaining)
XMAS Scan Timing: About 30.53% done; ETC: 08:42 (0:02:19 remaining)
XMAS Scan Timing: About 45.55% done; ETC: 08:42 (0:01:49 remaining)
XMAS Scan Timing: About 60.56% done; ETC: 08:42 (0:01:19 remaining)
XMAS Scan Timing: About 75.58% done; ETC: 08:42 (0:00:49 remaining)
Completed XMAS Scan at 08:42, 201.32s elapsed (999 total ports)
Nmap scan report for 10.10.115.240
Host is up, received user-set.
Scanned at 2024-04-19 08:39:08 EDT for 201s
All 999 scanned ports on 10.10.115.240 are in ignored states.
Not shown: 999 open|filtered tcp ports (no-response)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.39 seconds
           Raw packets sent: 1998 (79.920KB) | Rcvd: 0 (0B)

A.999

Q3.There is a reason given for this -- what is it? Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!

Hint.Run this command with the -vv switch enabled. It's good practice to always increase the verbosity in your scans.

A.no response

Q4.Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?

Run the scan with -sS for a TCP SYN scan, -p to specify ports 1 to 5000, and -Pn to skip the ping.

$ sudo nmap -sS -p1-5000 -Pn 10.10.112.146
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 01:58 EDT
Nmap scan report for 10.10.112.146
Host is up (0.24s latency).
Not shown: 4995 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 33.51 seconds

A.5
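The walkthrough reads port counts off the normal output by eye. As an added example (not part of the original walkthrough) that ties the -oG "grepable" format from Task 3 to the Task 14 results, the shell functions below parse -oG records and count ports per state; the two sample records are constructed, and the exact -oG layout for a host with no listed ports is an assumption.

```shell
# Added example, not from the original walkthrough: summarise Nmap grepable
# (-oG) output instead of reading port counts off the screen. Both records
# below are constructed; the layout for a host with no listed ports is assumed.

# Task 14 Q4 SYN scan as a constructed -oG record (fields are tab-separated).
sample_syn() {
  printf 'Host: 10.10.112.146 ()\tStatus: Up\n'
  printf 'Host: 10.10.112.146 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, '
  printf '80/open/tcp//http///, 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///'
  printf '\tIgnored State: filtered (4995)\n'
}

# Task 14 Q2 Xmas scan: nothing answered, so no port is listed and all 999
# land in the Ignored State field as open|filtered.
sample_xmas() {
  printf 'Host: 10.10.115.240 ()\tStatus: Up\n'
  printf 'Host: 10.10.115.240 ()\tPorts: \tIgnored State: open|filtered (999)\n'
}

# og_ports STATE < file.gnmap -> "host port/proto service" for each port in STATE.
# A Ports entry has the form port/state/proto/owner/service/rpc/version/.
og_ports() {
  awk -F '\t' -v want="$1" '/^Host: / {
    host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
    for (i = 2; i <= NF; i++) {
      if ($i !~ /^Ports: /) continue
      n = split(substr($i, 8), entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == want) print host, f[1] "/" f[3], f[5]
      }
    }
  }'
}

# og_count STATE < file.gnmap -> how many ports are explicitly listed in STATE.
og_count() { og_ports "$1" | wc -l | tr -d ' '; }
# og_ignored < file.gnmap -> "host state count" from the Ignored State field,
# which is where ports that never responded are tallied.
og_ignored() {
  awk -F '\t' '/^Host: / {
    host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
    for (i = 2; i <= NF; i++)
      if (sub(/^Ignored State: /, "", $i)) {
        gsub(/[()]/, "", $i)            # "filtered (4995)" -> "filtered 4995"
        print host, $i
      }
  }'
}
```

Feed a real file with `og_count open < scan.gnmap` after scanning with `-oG scan.gnmap`; the Ignored State count is the "Not shown" figure from the normal output.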

Q5.Open Wireshark (see Cryillic's Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on. Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Run a port scan using the ftp-anon script.

$ nmap -p 21 --script=ftp-anon 10.10.112.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 02:09 EDT
Nmap scan report for 10.10.112.146
Host is up (0.24s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT

Nmap done: 1 IP address (1 host up) scanned in 31.72 seconds

A.Y
