Nmap TryHackMe Room Walkthrough [level 7 — level 15]

mohomed arfath
4 min read · Dec 10, 2020


In one of my previous blogs I covered the Nmap room from level 1 to level 7; click here to get to that blog. So now let's do the rest of the room!

Task 8 → NULL, FIN, Xmas

Which of the three shown scan types uses the URG flag?

Xmas

Why are NULL, FIN and Xmas scans generally used?

Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Microsoft Windows

Task 9 → ICMP Network Scanning

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

nmap -sn 172.16.0.0/16

Task 10 → Working With The NSE

What language are NSE scripts written in?

Lua

Which category of scripts would be a very bad idea to run in a production environment?

intrusive

Task 11 → Overview

What optional argument can the ftp-anon.nse script take?

In this documentation you can see that it takes an argument called maxlist.

maxlist

Task 12 → Searching for script

What is the filename of the script which determines the underlying OS of the SMB server?

If you run the command above you will get a list like this; the highlighted one is the OS discovery script.

smb-os-discovery.nse

Read through this script. What does it depend on?

This is how you can see the source code of smb-os-discovery.nse: first type locate smb-os-discovery.nse, copy that location, and run cat <file_location>. Then you will see this.

So the answer is smb-brute.

Task 13 → Firewall Evasion

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

ICMP

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

--data-length

To find this you can type man nmap, go to the Firewall Evasion section, and see it for yourself.

Task 14 → Practical

Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?

N

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

You can see that all 999 ports are shown as open|filtered.

There is a reason given for this — what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!

no response

Perform a TCP SYN scan on the first 10000 ports of the target — how many ports are shown to be open?

If you run the command above you will see that 5 ports are open.

Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Y

This is how you use scripts in Nmap. In the result you can see that anonymous login is allowed, so now let's try to log in.
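To count the results from Task 14 without reading the terminal by eye, here is an added example (not from the original post) that parses Nmap's XML output (the -oX format) with Python's standard library, tallies port states, reads the reason Nmap gives for open|filtered, and checks whether the ftp-anon script reported anonymous login. Both XML samples are constructed to look like the walkthrough's results; they are not real captures.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Nmap XML (-oX) samples shaped like the Task 14 results; not real captures.
# Xmas scan: every probed port comes back open|filtered because nothing answered.
XMAS_XML = """<nmaprun scanner="nmap" args="nmap -sX -p 1-3 -oX - MACHINE_IP"><host>
<address addr="10.10.10.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1"><state state="open|filtered" reason="no-response"/></port>
<port protocol="tcp" portid="2"><state state="open|filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3"><state state="open|filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""

# SYN scan with the ftp-anon script: open ports answered SYN/ACK, the closed one sent RST.
SYN_XML = """<nmaprun scanner="nmap" args="nmap -sS -p 21,22,80 --script ftp-anon -oX - MACHINE_IP"><host>
<address addr="10.10.10.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
</ports></host></nmaprun>"""

def parse_ports(xml_text):
    """Return one (port, state, reason, {script_id: output}) tuple per <port> element."""
    root = ET.fromstring(xml_text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
        ports.append((int(port.get("portid")), state.get("state"), state.get("reason"), scripts))
    return ports

def count_states(ports):
    """Tally port states, e.g. how many are 'open' or 'open|filtered'."""
    return Counter(state for _, state, _, _ in ports)

def reasons_for(ports, state):
    """Why Nmap assigned a state: 'no-response' is the reason behind open|filtered in an Xmas scan."""
    return Counter(reason for _, st, reason, _ in ports if st == state)

def anonymous_ftp_allowed(ports):
    """True if the ftp-anon script reported a successful anonymous login on any port."""
    return any("Anonymous FTP login allowed" in scripts.get("ftp-anon", "")
               for _, _, _, scripts in ports)

if __name__ == "__main__":
    xmas = parse_ports(XMAS_XML)
    print(count_states(xmas), reasons_for(xmas, "open|filtered"))
    syn = parse_ports(SYN_XML)
    print(count_states(syn), "anonymous FTP:", anonymous_ftp_allowed(syn))
```

Run a real scan with `-oX scan.xml` and feed the file's contents to parse_ports to get the same tallies for your own results.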

This is how you have to log in to the FTP session

So I hope you learned how to do these tasks. See you in another blog!
