TryHackMe: Nmap Post Port Scans Walkthrough

Apr 18, 2022

This room aims to teach how to leverage Nmap for service and OS detection, use Nmap Scripting Engine (NSE), and save the results. This room can be accessed using this link:

Task 2: Service Detection

The flag used for service detection is -sV. Its intensity can be controlled using the option --version-intensity LEVEL, where the level varies from 0 to 9, i.e. from lightest to most complete. --version-light has an intensity of 2 while --version-all has an intensity of 9. This service detection scan needs to complete the TCP 3-way handshake, i.e. it is not a stealth scan.

  1. Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light MACHINE_IP via the AttackBox. What is the detected version for port 143? Answer: Dovecot imapd
  2. Which service did not have a version detected with --version-light? Answer: rpcbind

Task 3: OS Detection and Traceroute

The flag used for OS detection is -O, while for traceroute we use --traceroute. An example command for a traceroute scan is nmap -sS --traceroute MACHINE_IP

  1. Run nmap with -O option against MACHINE_IP. What OS did Nmap detect? Answer: Linux

Task 4: Nmap Scripting Engine (NSE)

The flag used for scripting is --script "SCRIPT-NAME"; for the default scripts, we can use -sC.

  1. Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox, what does the script http-robots.txt check for? Answer: disallowed entries
  2. Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)? Answer: http-vuln-cve2015-1635
  3. Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against MACHINE_IP. You will notice that there is a service listening on port 53. What is its full version value? Answer: 9.9.5-9+deb8u19-Debian
  4. Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithm (kex_algorithms) that relies upon “sha1” and is supported by MACHINE_IP? Answer: diffie-hellman-group14-sha1

Task 5: Saving the Output

The flags for output in normal, grepable and XML format are -oN, -oG and -oX, while to get the output in all 3 formats we use the flag -oA. The benefit of the grepable format is that we can find any keyword from the output using the command grep KEYWORD TEXT_FILE.

  1. Check the attached Nmap logs. How many systems are listening on the HTTPS port? Answer: 3 (use the whole command, i.e. ‘scp pentester@MACHINE_IP:/home/pentester/* .’, to get preferable output).
  2. What is the IP address of the system listening on port 8089? Answer:
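
A plain grep for a port number in a grepable (-oG) log also matches closed ports and longer port numbers that contain the same digits, so the count can come out too high. The following is an added example, not part of the original walkthrough or the room's files: a shell function (hosts_with_open_port, a hypothetical name) that parses the per-host port list and prints only hosts where the exact port is open. The sample log is constructed and uses documentation addresses.

```shell
#!/usr/bin/env bash
# Added example: list hosts with a given port in state "open" from Nmap -oG output.

# Constructed sample in -oG layout (not the room's log):
# Host: IP (name)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...
sample_gnmap() {
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n'
  printf 'Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n'
  printf 'Host: 192.0.2.12 ()\tPorts: 4433/open/tcp//unknown///, 8089/open/tcp//unknown///\n'
  printf 'Host: 192.0.2.13 ()\tPorts: 443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: closed (998)\n'
}

# usage: hosts_with_open_port PORT [PROTO] < scan.gnmap
hosts_with_open_port() {
  awk -v port="$1" -v proto="${2:-tcp}" '
    /^Host: / && /Ports: / {
      ip = $2                       # second whitespace-separated field is the address
      sub(/^.*Ports: /, "")         # keep only the port list
      sub(/\t.*$/, "")              # drop trailing fields such as "Ignored State"
      n = split($0, entries, /, */) # one entry per port
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")   # f[1]=port, f[2]=state, f[3]=protocol
        if (f[1] == port && f[2] == "open" && f[3] == proto) { print ip; break }
      }
    }'
}

# Naive keyword match: counts every line that contains the digits "443".
echo "grep -c 443: $(sample_gnmap | grep -c 443)"
# Field-aware match: only hosts with 443/tcp actually open.
echo "443/tcp open on:"
sample_gnmap | hosts_with_open_port 443
```

On the constructed sample, the keyword match counts four lines, while only two hosts have 443/tcp open.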
