TryHackMe: Nmap Post Port Scans Walkthrough
This room aims to teach how to leverage Nmap for service and OS detection, use Nmap Scripting Engine (NSE), and save the results. This room can be accessed using this link: https://tryhackme.com/room/nmap04
Task 2: Service Detection
The flag used for service detection is -sV. Its intensive can be controlled using the banner — version-intensity LEVEL, where intensity varies from 0 to 9, ie. from lightest to most complete. — version-light has an intensity of 2 while — version-all has an intensity of 9. This service detection scan needs a 3-way handshake, ie. it is not a stealth scan.
- Start the target machine for this task and launch the AttackBox. Run
nmap -sV --version-light MACHINE_IPvia the AttackBox. What is the detected version for port 143? Answer: Dovecot imapd
- Which service did not have a version detected with
--version-light? Answer: rpcbind
Task 3: OS Detection and Traceroute
The flag used for OS Detection is -O, while for traceroute, we use — traceroute. Example command for traceroute scan is nmap -sS — traceroute MACHINE_IP
MACHINE_IP. What OS did Nmap detect? Answer: Linux
Task 4: Nmap Scripting Engine (NSE)
The Flag used for scripting is — script “SCRIPT-NAME” or for default script, we can use -sC.
- Knowing that Nmap scripts are saved in
/usr/share/nmap/scriptson the AttackBox. What does the script
http-robots.txtcheck for? Answer: disallowed entries
- Can you figure out the name for the script that checks for the remote code execution vulnerability MS15–034 (CVE2015–2015–1635)? Answer: http-vuln-cve2015–1635
- Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts
MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value? Answer: 9.9.5–9+deb8u19-Debian
- Based on its description, the script
ssh2-enum-algos“reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by
MACHINE_IP? Answer: diffie-hellman-group14-sha1
Task 5: Saving the Output
The flags for output in normal, grepable and XML format are -oN, -oG and -oX, while to get the output in all 3 formats we use the flag -oA. The benefit of the grepable format is that we can find any keyword from the output using the command grep KEYWORD TEXT_FILE.
- Check the attached Nmap logs. How many systems are listening on the HTTPS port? Answer: 3 (use the whole command ie. ‘scp pentester@MACHINE_IP:/home/pentester/* .’ to get preferable output).
- What is the IP address of the system listening on port 8089? Answer: 172.17.20.147
Follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/