Nmap Tutorial to scan Network via TryHackMe Lab

TryHackMe Nmap Lab

“One of the best things about hacking is the buzz you get when you find your way into some place you’re not meant to be.”
― Thalia Kalkipsakis.

Nmap, known as Network Mapper, is an open-source tool available for windows and pre-installed in major distribution of Linux. Nmap is famous for its port scanning qualities yet it shows magic in finding other flaws in a network system.

Gordon Lyon developed the tool for many purposes like network host discovery, auditing, operating system detection, open ports scanning, ping scanning, TCP/UDP scan, etc.

While gathering target information, Nmap plays a vital role. Pen-testers, ethical hackers, bug hunters, etc., use the tool widely. Hackers favor Nmap because it is easy to install (if not pre-installed), has a strong and great amount of scanning options, is easy to use regularly, etc. Nmap does not come in the command line only, but it is available in GUI too, named Zenmap.

Today, I will be solving a TryHackMe Nmap room for creating a better understanding of the tool.

Task 1 Deploy.

Deploy the attached VM.

  • Method 1 of deploying the machine is, you download the VPN Server file from the access page and run it in Linux cmd.


  • Method 2 is, you can use the Attack box option from the top right corner.

Method 2

Task 2 Introduction

What networking constructs are used to direct traffic to the right application on a server?

Task 2 Introduction

How many of these are available on any network-enabled computer?

Task 2 Introduction 2

[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

Task 2 Introduction 3

Task 3 Nmap Switches

What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

Task 3 Nmap Switches 1

Which switch would you use for a “UDP scan”?

Task 3 Nmap Switches 2

If you wanted to detect which operating system the target is running on, which switch would you use?

Task 3 Nmap Switches 3

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

Task 3 Nmap Switches 4

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

Task 3 Nmap Switches 5

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

(Note: it’s highly advisable to always use at least this option)

Task 3 Nmap Switches 6

We should always save the output of our scans — this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and it gives us a reference to use when writing reports for clients.

What switch would you use to save the nmap results in three major formats?

Task 3 Nmap Switches 7

What switch would you use to save the nmap results in a “normal” format?

Task 3 Nmap Switches 8

A very useful output format: how would you save results in a “grepable” format?

Task 3 Nmap Switches 9

Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute, and common script scanning.

How would you activate this setting?

Task 3 Nmap Switches 10

Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful, though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

Task 3 Nmap Switches 11

We can also choose which port(s) to scan. How would you tell nmap to only scan port 80?

Task 3 Nmap Switches 12

A very useful option that should not be ignored: How would you tell nmap to scan all ports?

  • In Nmap, the “-p-” command takes forever to find all open ports. So, Zenmap is a good option for this type of scan, as well as all TCP and UDP ports, which can be searched separately in Zenmap.

Task 3 Nmap Switches 14

How would you activate a script from the nmap scripting library (lots more on this later!)?

Task 3 Nmap Switches 15

How would you activate all of the scripts in the “vuln” category?

Task 3 Nmap Switches 16

Task 4 Scan Types: Overview.

  • Multiple scan types such as UDP scan, TCP scan, TCP FIN scan, SYN scan, etc., is mention in this section.

Task 5 Scan Types: TCP Connect Scans

Which RFC defines the appropriate behaviour for the TCP protocol?

Task 5 Scan Types: TCP Connect Scans

If a port is closed, which flag should the server send back to indicate this?

Task 5 Scan Types: TCP Connect Scans 2

Task 6 Scan Types: SYN Scans

There are two other names for a SYN scan, what are they?

Task 6 Scan Types: SYN ScansCan Nmap use a SYN scan without Sudo permissions (Y/N)?

Task 6 Scan Types: SYN Scans 2

Task 7 Scan Types: UDP Scans

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Task 7 Scan Types: UDP Scans

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Task 7 Scan Types: UDP Scans 2

Task 8 Scan Types: NULL, FIN and Xmas

Which of the three shown scan types uses the URG flag?

Task 8 Scan Types: NULL, FIN and Xmas

Why are NULL, FIN and Xmas scans generally used?

Task 8 Scan Types: NULL, FIN and Xmas 2

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Task 8 Scan Types: NULL, FIN and Xmas 3

Task 9 Scan Types: ICMP Network Scanning

How would you perform a ping sweep on the 172.16.x.x network (Netmask: using Nmap? (CIDR notation)

Task 9 Scan Types: ICMP Network Scanning Task 9 Scan Types: ICMP Network Scanning 2

Task 10 NSE Scripts Overview.

What language are NSE scripts written in?

Task 10 NSE Scripts Overview.

Which category of scripts would be a very bad idea to run in a production environment?

Task 10 NSE Scripts Overview 2

Task 11 NSE Scripts Working with the NSE

What optional argument can the ftp-anon.nse script take?

  • As we studied in the overview that “Nmap scripts come with built-in help menus, which can be accessed using Nmap –script-help <script-name>”.
  • So, here using the built-in help menu command with the given script name, which directed us to the “ftp-anon.html” page.
  • The optional argument is “maxlist” after anon.

Task 11 NSE Scripts Working with the NSE

Task 12 NSE Scripts Searching for Scripts

Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?

  • “grep” command finds a specific string in a directory.
  • Path taking into the smb file location.

Task 12 NSE Scripts Searching for Scripts

Read through this script. What does it depend on?

  • “cd” command changes directory.
  • “cat” command reads the files.

Task 12 NSE Scripts Searching for Scripts 2

Task 13 Firewall Evasion

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

Task 13 Firewall Evasion

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

Task 13 Firewall Evasion 2

Task 14 Practical

Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)?

Task 14 Practical

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

Task 14 Practical 2

There is a reason given for this — what is it?

Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!

Task 14 Practical 3

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

Task 14 Practical 4

Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.


Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Task 14 Practical 5

Task 15 Conclusion

You have now completed the Further Nmap room — hopefully, you enjoyed it and learned something new!

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...