TryHackMe: Nmap Live Host Discovery Writeup

This room aims to teach how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan. It explains all types of scans in detail. This room can be accessed using the link: https://tryhackme.com/room/nmap01

Task 1: Introduction

The important point of this task is:

  1. Some of these questions will require the use of a static site to answer the task questions, while others require the use of the AttackBox and the target VM. Answer: No answer needed

Task 2: Subnetworks

  1. Send a packet with the following:
  • From computer1
  • To computer1 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: computer6 (because we are asking for computer6's MAC address using an ARP Request)

  How many devices can see the ARP Request? Answer: 4

  2. Did computer6 receive the ARP Request? (Y/N). Answer: N

  3. Send a packet with the following:
  • From computer4
  • To computer4 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: computer6 (because we are asking for computer6's MAC address using an ARP Request)

  How many devices can see the ARP Request? Answer: 4

  4. Did computer6 reply to the ARP Request? (Y/N). Answer: Y

Task 3: Enumerating Targets

  1. What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target? Answer: 10.10.12.8
  2. How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125? Answer: 6400
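To check the subnet arithmetic behind these two answers, here is an added Python helper (written for this writeup, not part of the room or of Nmap) that derives the first address of a CIDR target and expands an Nmap octet-range spec; the function names are my own, and the comma-list handling follows Nmap's documented syntax.

```python
import ipaddress
from itertools import product


def first_address_cidr(target: str) -> str:
    """First address Nmap would scan for a CIDR target.

    Nmap scans the whole block including the network address, so
    10.10.12.13/29 starts at 10.10.12.8; strict=False lets the stdlib
    derive the network from a host address inside it.
    """
    return str(ipaddress.ip_network(target, strict=False).network_address)


def expand_octet_ranges(target: str) -> list[str]:
    """Expand an Nmap octet-range spec such as 10.10.0-255.101-125.

    Each octet may be a value, an inclusive low-high range, '*' (0-255),
    or a comma-separated list of those, e.g. 192.168.3-5,7.1.
    """
    octets: list[set[int]] = []
    for part in target.split("."):
        values: set[int] = set()
        for item in part.split(","):
            if item == "*":
                lo, hi = 0, 255
            elif "-" in item:
                lo, hi = (int(x) for x in item.split("-", 1))
            else:
                lo = hi = int(item)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet spec: {item!r}")
            values.update(range(lo, hi + 1))
        octets.append(values)
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    # Cartesian product of the four octet sets, in ascending order.
    return [".".join(map(str, combo))
            for combo in product(*(sorted(o) for o in octets))]


def count_targets(target: str) -> int:
    """Number of addresses Nmap would scan for an octet-range spec."""
    return len(expand_octet_ranges(target))


if __name__ == "__main__":
    print(first_address_cidr("10.10.12.13/29"))      # 10.10.12.8
    print(count_targets("10.10.0-255.101-125"))       # 6400
```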

Task 4: Discovering Live Hosts

  1. Send a packet with the following:
  • From computer1
  • To computer3
  • Packet Type: “Ping Request”

  What is the type of packet that computer1 sent before the ping? Answer: ARP Request

  2. What is the type of packet that computer1 received before being able to send the ping? Answer: ARP Response

  3. How many computers responded to the ping request? Answer: 1

  4. Send a packet with the following:
  • From computer2
  • To computer5
  • Packet Type: “Ping Request”

  What is the name of the first device that responded to the first ARP Request? Answer: router

  5. What is the name of the first device that responded to the second ARP Request? Answer: computer5

  6. Send another Ping Request. Did it require new ARP Requests? (Y/N). Answer: N

Task 5: Nmap Host Discovery Using ARP

  1. How many devices are you able to discover using ARP requests? Answer: 3

Task 6: Nmap Host Discovery Using ICMP

  1. What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts? Answer: -PP
  2. What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts? Answer: -PM
  3. What is the option required to tell Nmap to use ICMP Echo to discover live hosts? Answer: -PE

Task 7: Nmap Host Discovery Using TCP and UDP

  1. Which TCP ping scan does not require a privileged account? Answer: TCP SYN Ping
  2. Which TCP ping scan requires a privileged account? Answer: TCP ACK Ping
  3. What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port? Answer: -PS23

Task 8: Using Reverse-DNS Lookup

  1. We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add? Answer: -R

Task 9: Summary

The important points of this room to keep in mind are:

  1. Ensure you have taken note of all the Nmap options explained in this room. To continue learning about Nmap, please join the room Nmap Basic Port Scans, which introduces the basic types of port scans. Answer: No answer needed
