https://tryhackme.com/room/nmap02

Task 1 Introduction

No questions in this task.

Task 2 TCP and UDP Ports

Question 1:
Which service uses UDP port 53 by default?

This question is not explained in the room text; we have to look it up ourselves.

Answer 1:
DNS

Question 2:
Which service uses TCP port 22 by default?

Here too we may have to look it up, but we have already dealt with this port many times.

Answer 2:
SSH

Question 3:
How many port states does Nmap consider?

Answer 3:
6

Question 4:
Which port state is the most interesting to discover as a pentester?

Answer 4:
open

Task 3 TCP Flags

Question 1:
What 3 letters represent the Reset flag?

Answer 1:
RST

Question 2:
Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

The 3-way handshake always starts with a SYN packet; the receiver replies with SYN+ACK, and we answer that with ACK.

Answer 2:
SYN
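The handshake described above, as an added example that is not part of the room or this write-up: it builds minimal 20-byte TCP headers for the three handshake segments (constructed sample data, client port 51234 to server port 22), decodes the flag byte and labels each step, including the RST case from Question 1.

```python
# Added example (not part of the TryHackMe room): decode the TCP flag bits
# from a raw TCP header and label the three packets of a 3-way handshake.
import struct

# Flag bits of the 14th header byte (offset 13), RFC 793 order, low bit first
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def flag_names(flags: int) -> list[str]:
    """Return the 3-letter names of every flag bit set in `flags`."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]

def handshake_step(flags: int) -> str:
    """Classify a segment by its SYN/ACK/RST bits as seen in a 3-way handshake."""
    syn, ack, rst = flags & 0x02, flags & 0x10, flags & 0x04
    if rst:
        return "RST (connection refused or aborted)"
    if syn and not ack:
        return "1: SYN (client opens)"
    if syn and ack:
        return "2: SYN+ACK (server accepts)"
    if ack:
        return "3: ACK (client completes handshake)"
    return "other"

def build_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (seq/ack 0, window 65535, no checksum)."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)

def flags_from_header(header: bytes) -> int:
    """The flags live in byte 13 of the TCP header (right after the data offset)."""
    return header[13]

# Constructed handshake: client port 51234 -> server port 22 (SSH), then the reverse
handshake = [
    build_header(51234, 22, TCP_FLAGS["SYN"]),
    build_header(22, 51234, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    build_header(51234, 22, TCP_FLAGS["ACK"]),
]

if __name__ == "__main__":
    for pkt in handshake:
        f = flags_from_header(pkt)
        print(flag_names(f), "->", handshake_step(f))
```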

Task 4 TCP Connect Scan

Question 1:
Launch the VM. Open the AttackBox and execute nmap -sT 10.10.58.124 via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

We scan the machine with the given command and compare our result with the example scan in the room:

└─$ nmap -sT 10.10.58.124
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-11 17:56 CEST
Nmap scan report for 10.10.58.124
Host is up (0.067s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds

Port 110 is open here.

Answer 1:
110

Question 2:
What is Nmap's guess about the newly installed service?

Answer 2:
pop3

Task 5 TCP SYN Scan

Question 1:
Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS 10.10.218.252. What is the new open port?

The SYN scan needs root privileges (it sends raw packets), so we may have to use sudo:

└─$ sudo nmap -sS 10.10.218.252                  
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-11 18:17 CEST
Nmap scan report for 10.10.218.252
Host is up (0.10s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
6667/tcp open  irc

Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds

Answer 1:
6667

Question 2:
What is Nmap's guess of the service name?

Answer 2:
irc
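The comparison done by hand in Tasks 4 and 5 (which port is open now that was not open in the earlier scan, and what Nmap guesses the service is), as an added example that is not part of the room or this write-up: a small parser for Nmap's normal output run over the port tables of the two scans above. It also copes with the UDP open|filtered state from Task 6, which it does not count as confirmed open.

```python
# Added example (not part of the TryHackMe room): parse nmap's normal output and
# report which ports are newly open compared with an earlier scan of the same host.
import re

# Matches lines such as "6667/tcp open  irc" or "68/udp  open|filtered dhcpc"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(scan_output: str) -> dict[str, tuple[str, str]]:
    """Map 'port/proto' -> (state, service) for every port line in nmap output."""
    ports = {}
    for line in scan_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            ports[f"{port}/{proto}"] = (state, service)
    return ports

def newly_open(old_output: str, new_output: str) -> dict[str, str]:
    """Ports that are 'open' now but were absent or not open before, with nmap's service guess."""
    old = parse_ports(old_output)
    new = parse_ports(new_output)
    return {p: svc for p, (state, svc) in new.items()
            if state == "open" and old.get(p, ("closed", ""))[0] != "open"}

# Port tables copied from the two scans above (Task 4 connect scan, Task 5 SYN scan)
CONNECT_SCAN = """\
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
"""

SYN_SCAN = """\
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
6667/tcp open  irc
"""

if __name__ == "__main__":
    for port, service in newly_open(CONNECT_SCAN, SYN_SCAN).items():
        print(f"new open port {port} (nmap guess: {service})")
```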

Task 6 UDP Scan

Question 1:
Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v 10.10.9.250. A new service has been installed since the last scan. What is the UDP port that is now open?

We run the given scan again and, as before, may have to prepend "sudo":

└─$ sudo nmap -sU -F -v 10.10.9.250
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-11 18:21 CEST
Initiating Ping Scan at 18:21
Scanning 10.10.9.250 [4 ports]
Completed Ping Scan at 18:21, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:21
Completed Parallel DNS resolution of 1 host. at 18:21, 0.00s elapsed
Initiating UDP Scan at 18:21
Scanning 10.10.9.250 [100 ports]
Discovered open port 53/udp on 10.10.9.250
Increasing send delay for 10.10.9.250 from 0 to 50 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.9.250 from 50 to 100 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.9.250 from 100 to 200 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.9.250 from 200 to 400 due to max_successful_tryno increase to 7
Increasing send delay for 10.10.9.250 from 400 to 800 due to max_successful_tryno increase to 8
Increasing send delay for 10.10.9.250 from 800 to 1000 due to 11 out of 12 dropped probes since last increase.
UDP Scan Timing: About 47.20% done; ETC: 18:22 (0:00:35 remaining)
Discovered open port 111/udp on 10.10.9.250
Completed UDP Scan at 18:23, 96.31s elapsed (100 total ports)
Nmap scan report for 10.10.9.250
Host is up (0.082s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT    STATE         SERVICE
53/udp  open          domain
68/udp  open|filtered dhcpc
111/udp open          rpcbind

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 96.64 seconds
           Raw packets sent: 266 (14.647KB) | Rcvd: 107 (9.086KB)

Answer 1:
53

Question 2:
What is the service name according to Nmap?

Answer 2:
domain

Task 7 Fine-Tuning Scope and Performance

Question 1:
What is the option to scan all the TCP ports between 5000 and 5500?

Answer 1:
-p 5000-5500

Question 2:
How can you ensure that Nmap will run at least 64 probes in parallel?

Answer 2:
--min-parallelism 64

Question 3:
What option would you add to make Nmap very slow and paranoid?

Answer 3:
-T0

Task 8 Summary

No questions in this task.