TryHackMe: Nmap Advanced Port Scans Walkthrough

This room aims to teach advanced techniques such as null, FIN, Xmas, and idle (zombie) scans, spoofing, in addition to FW and IDS evasion. This room can be accessed using the link: https://tryhackme.com/room/nmap03

Task 2: TCP Null Scan, FIN Scan, and Xmas Scan

Flags for Null, Fin and Xmas Scans are -sN, -sF, and -sX respectively.

1. In a null scan, how many flags are set to 1? Answer: 0
2. In a FIN scan, how many flags are set to 1? Answer: 1
3. In a Xmas scan, how many flags are set to 1?
4. Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use Nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered? Answer: 7
5. Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered? Answer: 7

Task 3: TCP Maimon Scan

Flags for Maimon Scan is -sM.

1. In the Maimon scan, how many flags are set? Answer: 2

Task 4: TCP ACK, Window, and Custom Scan

Flags for TCP ACK and Window Scans are -sA and -sW respectively while for Custom Scan, the flags are set using ‘— scanflags CUSTOM_FLAGS’.

1. In TCP Window scan, how many flags are set? Answer: 1
2. You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags? Answer: RST
3. The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered? Answer: 4
4. What is the new port number that appeared? Answer: 443
5. Is there any service behind the newly discovered port number? (Y/N). Answer: N

Task 5: Spoofing and Decoys

IP spoofing is done using the command nmap -S SPOOFED_IP MACHINE_IP, while for MAC spoofing the flag used is — spoof-mac SPOOFED_MAC. In order to show that the scans are coming from different targets, we can use Decoy Scan, by using the command nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP. Here RND is any random IP while ME is the IP of your system.

1. What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address? Answer: -S 10.10.10.11
2. What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address? Answer: -D 10.10.20.21,10.10.20.28,ME

Task 6: Fragmented Packets

The flag used for fragmentation is -f. Once chosen, the IP data will be divided into 8 bytes or less. Adding another -f ( -ff or -f -f) will split the data into 16 byte-fragments instead of 8. The default value can be changed by using the — mtu; however, a multiple of 8 should always be chosen.

1. If the TCP segment has a size of 64, and -ff option is being used, how many IP fragments will you get? Answer: 4

Task 7: Idle/Zombie Scan

The command for Idle/Zombie Scan is nmap -sI ZOMBIE_IP MACHINE_IP.

1. You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command? Answer: -sI 10.10.5.5

Task 8: Getting More Details

The flag used to get further details about scan, such as reason for ports to be opened etc, is — reason. -v is used for verbose while -d is used for debug detail.

1. Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open? Answer: syn-ack

Task 9: Summary

Follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/