TryHackMe Nmap Walkthrough

Captions
Hello and welcome to Nmap, a TryHackMe room. And we're gonna be doing a bit of a walkthrough, a bit of a study guide. I'm learning cybersecurity at the moment. So it's sort of like let's relearn as I've gone through this room and let's try and learn together. If that sounds nice, let's go. So let's start off by making sure you're OpenVPN'd into the VPN, the virtual private network. You can do this with OpenVPN. And let me just increase this size. Make sure you do that. That will go "Initialization Sequence Completed", which is what we're after, to confirm that you are connected to the TryHackMe virtual private network. Make sure you can ping 10.10. If you get that successful, then you are in the right area. Great. Once that's all good, let's go over to tryhackme.com, the Further Nmap room. The link to this room will be in the description. So first things first is starting up our machine. That will take about 60 seconds to get up and running. So as that is up and running, let's go complete that. And let's just read over the introduction, get a bit of a view of what's going on. When it comes to hacking, knowledge is power. The more knowledge that we have about our target system or network, the more options you have available. So this makes it imperative that proper enumeration is carried out before any exploitation attempts are made. So the key here is enumeration. So we are going to be learning a tool called Nmap. You might have been learning it, you might have been going through this room getting frustrated. This might be your very first time. Whatever the case is, this word is really key to learning penetration testing, cybersecurity: enumeration, which as it's saying, is just finding out stuff about a system, about a computer, about a server, about a website, about an application, finding out information. So sometimes that comes in the form of just clicking around. Sometimes it's using this tool, which is really powerful.
So you can go through this in more detail, which is showing how different ports open and close depending on different services. So I'm not going to go through all the information in great detail. I'm sort of going to be scanning because we're more focused on the actual tasks here. So once your IP for the box that we're going to be looking at is up, you can go ahead and try and ping that box. So just because we can't see pings. So we're trying to say, hey, are you there, through an ICMP ping packet? We're not seeing anything. Usually that's not a good sign just for basic testing, but in this case, maybe something else is up. Maybe we can't ping this machine by design. So pretty interesting. So go through this, and you sort of pause the video, read all of that. What networking constructs are used to direct traffic to the right application on the server? If I remember correctly, it's ports. Interesting. So I'll sort of explain as we go without going into great detail. But ports are just numbers that just represent where the traffic is going. So some of the well known standard ports are like 443 for the HTTPS protocol, SMB for file transfers on 445. So there's a list of well known ones and we'll get to know them as we go through. How many of these are available on any network enabled computer? So if we go through here we can see that there's 65,535. I do actually wonder why this number is chosen. Is it just a random number? Is it by design? I think most things with computers, it's probably by design. I should really look that up. If you know, let me know. That would be good. So how many of these are considered well known? These are standard numbers mentioned. So I do know off the top of my head I thought it was 1023, but port zero is included as a port. So it's actually 1024. But how do we actually know that? Well, let's just Google it. Let's look up computer ports. Simple little. Now I want the wiki: computer port, hardware.
So usually try and find the wiki. For most things this is just actual ports. So let's just be a bit more specific: networking ports, and hopefully we get Port (computer networking). So this is what we're after. The term port is a little confusing because we often, as I just found out again, ports can sort of be like input, but it's not exactly what we're talking about. The ports in the networking sense, it's just a number. Okay, so we can see here we've got notable well known ports. So we're sort of looking for what is considered well known. So here's just some. So we talked about 443. And there's 80 for HTTP, which is not S, not secure. I've got other things like Secure Shell, so connecting securely into another, remotely accessing a machine using SSH. Other things you might have heard of like FTP, over 20 or 21. And there's others like POP3 for mail, DNS on 53. So more protocols and their corresponding port numbers. That doesn't give us the exact number. Actually it says here the registered ports are those from 1024 through to that. So we can hit enter. Yay, got it. So also a good hint here, how many well known ports are there. So we could look up that sort of thing. So however you want to find out the information, but those are some general ways. Awesome. So that's a little bit about ports. So hopefully that gives a good idea. I haven't read the entire Wikipedia page, but if you are really into reading, it's got everything in there. But generally, just as we're learning, just starting off, get the concepts. Okay. So like most pen testing tools, Nmap is run from the terminal. Cool. So you're going to need to get your terminal open. If you've got Kali downloaded, I'm running mine in a virtual machine, hypervisor software. You can use the AttackBox that TryHackMe gives you. Or you can use VMware, whatever you want. So you can see here that I've already gone through and done some other switches.
So we're going to be using the tool Nmap. So a good thing when you're just learning tools is just to run the tool, like the command itself. The command is a tool. So the tool and then like --help just to get used to it. Or maybe it's -h, or we can look up the man page for the tool. So yeah, those are just a couple of options. In this case, we're just going to look up man just to get an idea of what it is. So this is a great way because if you're ever in a challenge or maybe your network is down or something, you might not be able to just Google things, which is pretty rare. But this is also just a great way in case you need to know the information quickly. It's on your local system. So good thing. Anyway, "network exploration tool and security/port scanner". So we can use the arrow keys. It gives us a synopsis. So nmap [scan type] [options] {target specification}. Okay, so we'll get into exactly all of that if this is your first time. Another example, we can actually scan scanme.nmap.org, for example. And we've got these funny switches. So we're going to learn all about these switches. But this is just to get sort of like a general idea of how this tool is going to work. So cool. I'm feeling a bit more comfortable. Cool. So it says here that we can use -h, man. Great, got that. So what is the first switch listed in the help menu for a SYN scan? I'm going to test my memory. I'm going to see if I can remember. Damn it. Let's look it up. So a SYN scan. So let's go through. Let's have a look. We want to get to our actual... so here we go. We got SYN/Connect scan. So let's try -sS, capital S. Got it. Let's give SYN scan. Which switch would we use for a UDP scan? Now remember the difference between TCP and UDP? They're both forms of connections over the Internet to send and receive information. TCP needs a TCP handshake or a three way handshake to make sure that it's going to the right place and we don't lose any information. UDP doesn't care about that. Doesn't mean it's not used.
It's great for things like YouTube and Netflix and streaming services where it doesn't need to check every single connection to make sure that it is connected. If it loses some packets, it's not a big deal. So it's more about speed than, I guess, stability. Okay. That's always good to remember. So from memory, -sU. I'm not looking. Good, just trying to remember. I mean, it's right there. I swear I didn't see it. If you wanted to detect which operating system the target is running on, which switch would you use? So we can keep looking here. I'm pretty sure it's -v, lowercase v. I mean, we can do it with -A. That actually does work. But that's not the only one. I remember, I remember. I swear it's... Yes. I only know that because I've gone through this before. So here it's actually capital O. Oh, not right. Enable OS detection. Okay, so all this is just going through this man page. We're trying to get familiar with the man page. That's all. Nmap provides a switch to detect the version of services running on the target. Version. I think it's just... Oh, capital V. Yes. Sweet. I can remember this, but I can't remember where it is. Let's just go back up. We can find this information out a little bit easier without using our head. So another good way of finding out information like this, if we just go --help. So this is going to print out everything. Hit the up arrow. If we grep this through something and we just say like "version". So just find anything through that output with version. We can see here -sV is there too. So that's really handy just in case we want to look up that way. So the default output provided by Nmap often does not provide enough information for a pen tester. So when you just run an Nmap scan. So say we just ran an Nmap scan against our target. That's all we see. It's running an Nmap scan right now. But we didn't see anything. We didn't see what it was trying to do. So I don't even know what it means. Let's just have a look at what it means.
"...is the quality or state of being verbose or wordy. The use of too many words." Verbosity is such a stigma to me. Okay, so using more words, showing more information. I find it so fascinating why they use this word. So this is -v, but we can remember. Just go back here and we can actually try and find... I know the switch, but just as a little trick, if you're ever trying to look up a switch, you can use your backslashes or forward slashes. Just because if you use a dash v, like say I'm trying to find -v, it's going to run that as a grep switch, which we don't want. But if you actually write the slashes around your dash, it'll recognize that as just actual text, which is quite cool. So that gives us anything that matches the pattern -v, which we can see here. There is one: increase verbosity level. So verbosity, but use -vv for even greater effect. So this is a habit that I'm trying to get into and I actually encourage you to, if you are using Nmap, try and just make it a habit of using -vv. Yeah, it's a good habit, which is consequently just the next one. Cool. Okay, so we should always save the output of our scans. This means we only need to run the scan once, reducing network traffic and thus the chance of detection. And it gives us a reference to use when writing reports for clients. What switch would we use to save the Nmap output in three major formats? Man, I totally forgot about this one. So let's actually go pick a word like "major". Cool. So "output in the three major formats". So -oA. I have not used it since I've gone through this room. I haven't used this once. I feel like that is not a good thing. I feel like this is actually quite useful. Which switch would you use to see the Nmap results in a normal format? Let's try that one again. But this time we're going to search "normal", and "output scan in normal". So we've got -oN, -oX, -oS, -oG <file>. I'm just going to pick the first one. No, I'm going to pick the last one. Damn it.
I'm going to pick the first one. Why does it say the different options? I don't know. If you know, tell me. A very useful output format. How would you save the results in a grepable format? So let's search this one again. What did I do? I'm in that menu. There we go. Greppable. Nothing. Let's try that again. But let's just use "rep". Nothing. I'm going to assume that it's actually this. I can't remember. Okay, the only reason that I picked that one for G is grep. I guess there is a difference in these four. So normal, something, grepable, XML. Oh, it says here. Okay, so I'm missing the last little bit here. Okay, so this is output in normal mode for -oN, XML mode or format for -oX, in script kiddie for -oS. I don't know what these exactly mean. And then there's probably grepable after this for -oG. I didn't pick up on that. Fascinating. Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can use an aggressive mode. This is a shorthand switch that activates service detection, OS detection, traceroute, and common script scanning. So more on scripting, which is super powerful. Crazy powerful. So this one I also remember. But to find it we can use... that's not actually it. I just remember it's -A, but I mean it's in there. We can just look it up. But trust me, it's there. Honestly, I sort of skip over, like, using just do it all in these test environments. It's like I'm just learning. I'm just a beginner. But I assume in real world environments you don't want to use -A on certain targets. You might get away with just using, I don't know, just guessing. Okay. Nmap offers five levels of timing template. These are essentially used to increase the speed of your scan results. But be careful though. High speeds are noisier and can incur errors. So I can actually vouch for this from going through and doing this room. And like some other rooms, I have tested running like -T4 because I was watching a video of someone who's like, I use -T4.
It's like sort of the best. It goes faster, which is true, and it's usually good, but it does miss things. Okay, so this is sort of... I don't know what the best answer is here. So if we looked up... So let's just use grep again and we'll just look up anything with T. So there's the answer there. So capital T, 1 2 3 4 5. Okay, set the timing template. Higher is faster. If zero, that means six. So maybe it's just 1 2 3 4 5, I don't know. So the higher is faster. So this is the fastest. But you're going to incur the most errors. So basically the whole point of this is trying to find out information about the computer. If you're just telling it to run so fast, it's going to miss things. One example was, I did a scan and there were actually like five ports open. But because I used -T4, it only got four ports. So I actually missed out on a port. So yeah, it happens. That's what it means by errors. So we can also choose which ports to scan. So if you look up "ports", you can see here in the second one, we've got -p <port ranges>: only scan specified ports. So this is really good. If you're scanning the machine and you get all these ports, there's like hundreds of ports, but you just want to focus on one port to do more aggressively. Well, you can use the -p and then specify the port you're after, which is in this case 80, which if we're remembering is HTTP. How would you tell Nmap to scan ports 1000 to 1500? So same sort of thing. We'd use our -p switch, but we would just tell it, hey, go between these two ports. Cool. So you can also do this if you wanted to run it against... running against here. But we're going to specify -p, but we could do like 80,443. So we can actually just separate and say, hey, we only want to run it against these three ports. We don't want to run it on all the ports between 80 and 443. We just want to run it on these three or these two ports. So you can use commas to separate it too. So that's good to know.
So a very useful option is to scan all ports. Super helpful. The reason that this is so... see if we get it here. So I can't see it here. Let's try "all", see if we can find it with all. "Treat all hosts as online", -Pn, skip host discovery. So this is actually a good one that saved me with going through this. So I can't find it. So we can go man nmap and just look for it manually. I mean, I remember, but it's a good process. Just spending some time. Where are you? Where are you? I don't know. Would be under here. Can't see it. It's gonna be in like... I saw it. Oh, yeah. You guys didn't see it? Yeah, no, it was right there. Go back, pause the video. -p-. So that's specifying all ports. Because remember that there are 65,000 ports. So just a default Nmap scan is not going to scan 65,000 ports. It's going to scan, I think it's just 1000. It doesn't even see... we've got to get around something. But I'm pretty sure it just scans like the thousand ports. I don't even know if it's 1024. I'm not sure. But it definitely does not scan all the ports. So that's why you use that -p-. How do you activate a script from the Nmap scripting library? Lots more on this later. So this is insanely big, I guess, the scripting library. So if we look up our help page again, but this time let's just search the output for "script". We can see --script= and then we can put in the name of a script. So the way I like to think about it is scripts are sort of like plugins to Nmap. So if Nmap was the operating system and you could install apps on your Nmap operating system, you'd go to your iOS library or your Android app store, whatever, and you would go and install that app on your phone. Okay, same sort of thing. You're going to go to a script library to run a script on your Nmap.
So every time that we have a program that is open to having programs installed on a program, then it gets really flexible, because that means so many other people are starting to make programs and it's just kind of mind blowing how much you can do with Nmap. So I didn't even realize that there are so many categories of scripts, or programs, or apps that can run in Nmap, making it not only just an enumeration tool, but it can also run payloads from it, apparently. Which is kind of crazy. So you could possibly just hypothetically break into a machine with just one tool, just Nmap. Yeah, I think that's kind of crazy. Anyway, how would you activate a script? So we can just go --script, if I can spell. And then how do you activate all of the scripts in the vuln category? So we'll look at categories and stuff soon. I can't actually remember, just going to go off the top of my head here. Might be wrong, but I think that's it. Cool. There are two variants of the switch, one with a space and one with an equals sign. Look at the asterisks in the answer field to see which one it is. I was actually wondering this. I still don't quite understand it, but I'm going to leave that for another time. What this is essentially doing is, since there are so many scripts out there, there's so many apps that can be used in Nmap, this is categorizing them. So there could be thousands, hundreds of thousands. I honestly don't know. But hey, try and run all of the scripts under this category. Yeah, that's crazy. Cool. So that's Nmap switches. So let's go over to our scan types on task four. So you can definitely read this in more detail like I've been saying. But basically there are three main types of scans: TCP scans, SYN or half-open scans or stealth scans, and then UDP scans. So remember the difference between TCP and UDP, that's important. And then there are less common scans, NULL, FIN and Xmas, which we will get into in a little bit. So read that.
So this is going to detail exactly the -sT, which is your normal TCP. So this is what I was sort of referring to earlier, which was the handshake. Okay, that's important. You need to go over that. And I'm going to do my best to try and remember all of this off the top of my head, which, it's a process. So if we go read our questions, we've got which RFC defines the appropriate behaviour. So we've got RFC 793. So I've always thought the RFC is sort of like a handbook to technologies. I'm not sure if that's how everybody describes them or if that's even right, but that's how I always think about it. If a port was closed, which flag should the server send back? So if we go back to our... so by now you've read it because you've paused the video and you've gone over this detail and now you're a boss at understanding this stuff. So this is synchronize, synchronize-acknowledge, and then acknowledge, if everything's open. And you've got an example here in Wireshark, something that I need to get better at. So if something isn't open, I think it's RST. I remember, let's go. So an RST packet is in response saying, hey, I'm closed, or hey, the packet's been dropped. Yeah, that's from a firewall. So that's something else to keep in mind. If there is a firewall, it can be dropped, it can be closed. There's a lot with Nmap. Every time I go over this, I'm like, yeah, I'm pretty sure I remember everything. But then I'm like, man, there's so much to it, and just networking in general. Okay, so that's TCP connect scans, which is the default when you just run the tool without root privileges or sudo privileges. That is what runs a TCP scan. Remember the -sT, capital T. If we are running as root, we are going to actually be running a stealth scan. Okay, so similar to the TCP scan, but instead, if my memory serves me correctly, it sends back a closed port. So where is the system that we're looking at with the TCP scan goes...
Oh, okay, there's another machine on the other side who's wanting to connect, or can connect, the client, us. We send back a hey, no, there's nothing here. It's stealthy. Apparently it's not that stealthy anymore, from watching videos and stuff about it, but it still does the thing. So there are two other names for a SYN scan. So I know stealth is one. I cannot remember the other. Half-open. So that's referring to the fact that it's going one way open, and then we're saying hey, we're not actually open. So half-open and then it's stealth. Can Nmap use a SYN scan without sudo permissions? Needs sudo permissions. Why? All right, it's a good question. Me, I hope future me knows, but if you actually do know why, that would be great. You could definitely tell me. Cool. So task seven, UDP scans, which stands for... I can't remember. I try not to go into big research. Data programming. Yeah, User Datagram Protocol. Obviously it's so easy to remember. Okay, so more very important information, which I actually have gone over, and I have my notes to prove it, if you don't believe me, which you should. Go over this, pause the video, go over everything. If a UDP port doesn't respond to an Nmap... I'm just going to copy a word because I saw it in italics. Filtered, filtered. The actual word. No, that was the word I was looking for. I can't remember. I don't actually write everything down when I go through these. I don't write all the answers down. I like going through these to try and pull it out. That memory thing, repetition. So let's go for: if a UDP port doesn't respond to an Nmap scan, what will it be marked as? I don't want to have to read everything because I am conscious of how long this video goes for. If a UDP... but it might take longer if I just keep trying to think about it. If a UDP port doesn't respond to an Nmap scan, what will it be marked as? Back and forth handshake. When a packet is sent... maybe it's a good time to actually go over our information. Yeah, let's do that.
Task seven. Unlike TCP, UDP connections are stateless. This means that rather than initiating a connection with a back and forth handshake, UDP connections rely on sending packets to a target port and just essentially hoping they make it, which is good for streaming services like video sharing. When a packet is sent to an open UDP port, there should be no response. Whenever this happens, it should be... oh, it's open|filtered. It's the whole thing. Good. Yes. It's not just filtered. It's open|filtered because it essentially doesn't know the difference. That's right. This has tripped me up because you need to make sure we remember that the port is UDP. So if it comes back as open or filtered. Yeah, it doesn't know, basically because it doesn't check. It feels good that we got that one. Cool. When a UDP port is closed, by convention the target should send back a port unreachable message. Which protocol would it use to do so? Man, I really don't remember this. When a UDP port is closed, by convention it should send back a port unreachable message. Which protocol? ICMP. Yeah. So this is something that I'm definitely, like, I need to get a bit more familiar with, getting better at the lower levels of networking, like the packets and stuff, which is sort of what I'm really hoping to get from TryHackMe, the different headers and the information in the headers. So those are the three main scans. So let's go on to task eight. So we've got NULL, FIN, and Xmas. So this will tell us the difference. And if we do it at a sort of a high quick level and from my vague memory, breaking down. So there's different flags, like going deeper into the scan type. There's these different flags and so there's reserved... there's, no, I do not understand all these, but basically the scan is just showing different flags, like different smaller parts that are being sent. So NULL doesn't have any of that.
FIN only has the last one, FIN, and then Xmas has got three of them: PSH, which is push, URG, which is urgent, and then FIN, which I just assume stands for finish. But I'm not really sure. And it says here that it's like a blinking Christmas tree when it's viewed in Wireshark. So that's how it got the name. Cool. So I'm going to be honest, I feel like they're a bit more lower level than I'm quite at right now, so I don't fully understand it, but at least we can take away that they are less used. So that's what we'll take away from that. But they've got their purpose and I'm sure we'll understand them. So which of the three scans shows that there is urgent? So that was the last one. -sX. Oh my God, I think it was the actual name, X. Okay, why are NULL, FIN and Xmas scans generally used? These are the questions that I just want to cheat on because I can't remember. Like, harder to detect. Okay, I'm going to have to read, damn it, because they're covered already. So we've put in a huge amount of depth here, all these interlinked and are used primarily, even stealthier. Is that... No, that's not the amount of letters that we're after. Oh, no, please just tell me the response. Malformed packet. Unfortunately, as with open UDP ports, expected behaviour of the port in the firewall. Why are they generally used? Oh, firewall evasion. Firewall evasion. I remember. Yeah, I remember because I got really stuck on this one for ages. But yeah, firewall evasion, as firewalls have got more advanced and looking at different packets. I'm not an expert. I'm not an expert. I'm just assuming that firewalls have got more advanced over the years and that these have been used as just different methods to get around it. So if there are firewalls that maybe aren't so up to date or something, these could still get around it without being noticed. Which common OS (operating system) may respond to a NULL or Xmas scan with RST on every port? I saw Windows somewhere. Am I just making that up? Yeah.
And I think it says here, and a lot of Cisco network devices also respond with RST. Awesome. All right, we're doing pretty good. We're understanding our scan types and we haven't even used it yet. So that's cool. Okay, task nine, scan types: ICMP network scanning. So this is what our ping packet is using, an ICMP. So more important information that I'm going to do my best to try and remember and therefore skip. How would you perform a ping sweep on the 172.16.x.x network? Netmask 255.255.0.0. I'm so bad at netmasks, subnets. I'm so bad at it in the CIDR notation. Okay, let's start with what I do remember. So the CIDR notation is putting a slash at the end. So if we look here, these are saying the same thing. So hey, can you give me everything, 192.168.0.1 through 254. So all of that. And this is saying the same thing. I'm so bad at this, but I think that's what it's doing. So from memory, we are using this one. A ping sweep, to do a ping sweep, is -sn. I mean, I believe that this is what it is, but I just want to know. -sn. That's weird. Okay, there it is. -sn: ping scan, disable port scan. And it gives us an example here of how we could use it, using the -sn, so we can look at our asterisks to give us a hint. nmap. We would want to run then -sn to do a whole ping sweep. Tell us everything that's on the network. So this is where it's all coming back to me. Especially if we want to get a map of the network. We would want to do a ping sweep. Show me everything on the network, please. So I'm just making sure that we can just put in 172.16.x.x. So usually we would have numbers there, but this is just... I think it might want numbers now. I'm pretty sure it's the /16. Pretty sure it's this. Hope so. I could be dead wrong. Damn it. We might just want zero instead of our x.x. Cool. Alright, so just to sort of explain from my limited experience and memory. So this is on a different subnet. And honestly, I need to do so much more research on it.
That is just matching up to the 255.255.0.0. So it's 16, which is the amount of bits. So if there's another 255, then it would be the /24 that it was showing here, which means the last octet is the only one that changes. I think I sound like I know what I'm talking about, but to be honest, yeah, I really don't. So it even says here the CIDR notation, which we use as a class B network, which is the default netmask of /16. So I just did that off memory. But yeah, need to go back to the networking study book to get that ingrained in me. But that's okay. That's pretty good. So task ten now. NSE scripts. Man, this is a big room. Hey, we're at 40 minutes. This is a big room to get our brain over all this. So I've gone through it. And trust me, it's a lot, as you're experiencing. Okay, so the NSE library or script library stands for Nmap Scripting Engine. It's crazy. So it's built on the Lua programming language, which I don't know, but apparently it's a pretty simple language. And we have our categories here. So we've got safe, intrusive, vuln for vulnerabilities, exploit to exploit the vulnerabilities, auth to attempt to bypass authentication, brute forcing. So that's crazy that Nmap has got the option to brute force, but I think that's what it's like. Yeah. Discovery: attempt to query running services. So yeah, that's crazy. So we can find the whole list by going to nmap.org. Crazy big, right? So what language have we got here? What language are NSE scripts written in? So that's our Nmap Scripting Engine. And if we remember it was the L-U-A, Lua, Lua. Which category of scripts would be a very bad idea to run in a production environment? So I'm just going to take by the amount of letters that we're looking for, it's the intrusive. So as it says here, not safe, likely to affect the target. So it might actually cause some damage.
So if we're in a production environment, meaning we're just testing an app or we're just testing a server or whatever, then doing intrusive scanning or intrusive scripting is probably not what you want to use. Cool. Task eleven, NSE scripts: working with the NSE. So we looked at --script back in task three, and that's activating the vuln category. If we use exactly that, --script=vuln. So that's anything inside. I think that's what it is. That's how we activate it. I'm not an expert. Or we can use this specific script and we just put the script name in, which is kind of cool. So it says here HTTP file upload. So that's an example of a script that you can run. So you've got to use --script and then you've got to put equals and say, hey, please use this script. You can use multiple scripts separated by commas, similar to how you use multiple ports that we looked at earlier. So we've got an example here. Please, hey, can we run Nmap only against port 80? So I'm assuming that then it's on our website space, http-put. So that's a script, and then script arguments you can use. So it says here... I'm just trying to think of how to explain this. If this makes sense, just ignore my rambling. If this doesn't make sense, let me make it more confusing for you. So if we are using any arguments, so sort of consider these like switches. So when we have a command we run a switch. So here it's sort of like the switch and then entering a parameter. It's not exactly probably the best way to explain it. That's just how it helps me. So if it helps you, great. If it doesn't, I apologize. So you've got to specify the actual command, or the script rather. And then a dot. And then what needs... the parameter that needs to be met. In this case a URL needs to be passed through the script. Comma, and then another one, and the file that needs to be passed through. So I've got to be honest, this stuff always gets a little confusing at the beginning, but it does sort of make sense slowly, hopefully, some time.
But yeah, it gives you a script name argument. So I think maybe just stick with how they explain things. So what optional arguments can the ftp-anon.nse script take? So this year we can look up the script name, but we can use --script-help with the name to actually get the help for it. So let's try that. Let's go --script-help and then we're going to look up the script name, which in this case is ftp-anon.nse. So we've got ftp-anon, categories is under the default, auth, or safe, and we're looking for arguments. If anonymous is allowed, get directory listing. So is this the only argument that it takes? No. What arguments does it take? To be honest, I do not remember this one at all. What optional arguments can it take? I looked up --script-help ftp-anon. I haven't misspelled anything, have I? Honestly, loud. Yeah. So that's what it does. I don't know what number I'm on. I guess it's interesting that it gave me the same. I'm not sure why. Let's use the URL, just going to do it. Copy, please. So in this case it did not tell us in the help. How dare it? But it does require some other things. So let's go through and look at the action: connect FTP, parameters, host and port. So that's cool. I'm looking for 1, 2, 3, 4, 5, 6, 7. It's probably something that I need to get better at, actually: if you can't find it there, which I thought that you could find everything there, go to Nmap's website. So good lesson for me there. Cool. So we can search scripts. So there are two ways. So we've got two ways of searching scripts, /usr/share/nmap/scripts. All these scripts are stored in a directory by default. Let's just list out this directory. So let's go ls -l. So /usr/share/nmap. Wow. And scripts. Look at all those scripts. Give me like a number of how many? It'd be interesting to know how many. I don't know. I don't know how to find out. But if you do, let me know. Or we can search through the database. So let's just try and cat that out and grep through. I don't know.
It worked. Cool. Entry, filename, ftp-anon, and categories. There we go. So there are two ways to look through. You can just list them out. But if you use the database, which I think it says in here, it's not actually just a text file. Despite the extension, this isn't actually a database, it's just a text file. So you can just grep it like normal, which is quite cool. Awesome. So that's just going through the file yet. So making sure that it's installing new scripts. Cool. I haven't had to do that. I just assumed that all the good scripts that we need are in there, but it shows how much I know. This must be followed by --script-updatedb. Yeah, I think I got this in my notes because I'm already going to forget this. So good to take notes. All right, let's search for SMB. So I'm going to go up. I'm just going to search SMB. So pause if you need to. But we're just catting out that database file because remember, concatenate is just displaying what's in that file, and we're grepping, which is searching for patterns. So we're searching for any pattern that matches SMB. All right, there's a lot. So we've got smb-brute, smb-double-pulsar-backdoor, smb-enum-groups, processes, services, sessions, shares, users, enum, flood, ls. Okay, there's a lot. So we need a bit more info. How describe either demonstration methods. What's the filename of the script that determines the underlying OS? Okay, so this one stood out to me both because I saw it and because I remember OS discovery that sort of lines up with the question, OS. Read through the script. What does it depend on? How do we do that? I've already forgotten. Let's go up. So let's just go for the help and I'm just going to paste that in here. Give me help. So --script-help smb-os-discovery. And what does it depend on? I think I might be making the same mistake because I need to go to the website again. Reading, reading, reading, reading. Attempts to determine the operating system, computer name, domain, workgroup, and current time over there.
This is done by starting a session with the anonymous account. We need an account. I need an anonymous account. We need Anonymous. We need the decentralized hacking hacktivist group. All right, let's go and look up this thing. Let's go to this thing. What does it depend on? I remember looking and looking and looking and not finding it. So we've got arguments this time around. What's out? Can I just read through the scripts? Don't tell me what to do. I don't read. Attempts to determine. Oh, that's right. It says the exact same thing here. I remember trying circumstances so many times, depending on what's going to be circumstances, depending on: look for dependencies in the Lua script. Do we actually want to cat out the script? If we want to cat out the script, where was it all at? Let's just. No, we just want to cat this out because remember, it's just a file. We can cat this out. There we go. So this was the mistake that I made the first time around. Remember, we're not actually trying to look at the help page. We're actually looking at the scripts because it says here, read through this script. So yeah, when I actually do that, it did give me a little hint when I clicked on the word hint. Funny enough, I don't know Lua, I'm not a programmer. This is stressing me out seeing so many words. So to make this a bit nicer, let's just grep this through and let's just use the hint that it said: dependencies. I might just use it. Cool, we got it. So it's depending on another script. I assume that's another script. I'm not actually sure. I'm assuming that's another script. Just like most Linux programs and open source projects and everything, there's always dependencies. There's always another program that it depends on to run. So I'm assuming that's what it means and what that is. So awesome. We got another one. So that's task twelve. So let's go over to task 13 and let's go for bypassing firewalls, or firewall evasion.
So Nmap provides an option for this called -Pn, which says don't bother pinging the host before scanning. Just basically think that everything's actually there. So this is a good one for firewall evasion. So I'm pretty sure we do have to use this. So here's some other things to use: that would be -f to fragment the packets. An alternative to -f is --mtu number, maximum transmission unit, scan delays. So allowing packets to send at different intervals or different delays. So maybe the firewall can't pick it up. If it's a time based thing, I think that's what it says. Time based firewall IDS triggers. Yeah. Don't understand a word of it, but this is good to come back to. I think when we are in CTFs and like challenges down the road, these are going to be the notes that I come back to and go, I wish I understood it. Then that's learning. Which simple and frequently relied upon protocol is often blocked? Referring to. I think it's ping, which I'm just guessing. ICMP. Yeah. Cool. Research. Which Nmap switch allows you to append an arbitrary length of random data to the end of packets? Well, that's kind of cool. I'm going to use our grep method for the help. I'm just going to type it out. Help. Grep. Let's go. Append. Ms. Append output. Append. Rather. I'm going to try this one, but this might not be the one which allows us. I'm so tempted just to Google that question. Let's just think about this. Which Nmap switch allows you to append an arbitrary. Arbitrary is going to be the word, right? Let's try random data length. Append random sent. There it is. Append random data to sent packets. Is that what it means? I don't know. Let's try. We got it. Append random data to sent packets. That is what it is. Awesome. All right. After all that learning, this is pretty long. We're at like an hour already and we skipped a lot of the detail. Only now we're getting to our practical. So don't feel bad if you spent ages on this. I know I spent ages on this room just trying to understand everything.
And that's okay. That's learning. Use what you've learned to scan the target machine and answer the following questions. If you're not a subscriber, make sure you. Does the target respond? So we actually know this because I've been trying to ping it since we started. No, it doesn't. So by design, yes. I mean no. Yes. Perform an Xmas scan on the first 999 ports of the target. How many ports are open? So some of these scans can take a while. So if you see the video pausing or anything, just assume that things are taking a while. Okay, so let's go ahead and run Nmap. We're going to use our -v. So remember that means for the verbosity, however you say it, it's a good habit to be in to get that showing so we can see results. So we want to use the -sX for this Xmas. So remember that's the different flags. It looks like a Christmas tree on Wireshark. So they tell me. And we want to use the -p for ports. We want to specify the ports. So we are going to run it against 999. But this is a problem right now. We're only running it against port 999, but we want to do it from zero to 999, and we want to know how many ports are open or filtered. So the last step of our Nmap scan is we just need to paste in what we're actually targeting. Okay, so I'm going to let that run. I'm going to pause it, and then when I come back and look at the results, I should really put it in a text file before I hit run. But anyway, you do that, I'll do this. Let's go. Okay, how did we do? So I see four ports and we're asking for how many ports are to be open or filtered. So let's look at our scan results. So about 50%. One undergoing ping scan, completed ping scan, one. If it is really up but blocking our ping probes, try -Pn. So that was the last one. We saw about. So we're not seeing ping probes, ping probes, so we're not seeing them. So let's use our -Pn. Let's see, the up arrow. I'm not actually sure if you can just combine them all. I'm not sure.
But honestly, just for beginning, it's really helpful just to have them all separate. So it's sort of like I know what each one is doing. Let's try that. So we're going to be scanning and yeah, this might take a while, so I might just pause. All right. It took a couple of minutes, but we've got our scan results now. It says here all 1000 scans. So let's just have a look. You can see here we get completed scan, how long it took, and then we've got Nmap scan reports. So we've got that report. So I'm in a bad habit of not saving it off and just copying and pasting this. It's a bit of a no-no, probably. But we can see here that we've got 1000 open|filtered TCP ports. So we can put 1000. But that's not going to work. So I'm going to assume that means that all 999 ports are indeed open or filtered, meaning we're not getting that acknowledged response. All right, so there is a reason given for this. What is it? Firewall, question mark. I think the answer will be in your scan results. Think carefully about which switches to use and read the hint before asking for help. All right, let's continue looking at our. I believe that it is the no response, can't exactly remember, but yeah, awesome. Pretty sure that really confused me. So just because there's a dash here and we've got a space, that's the reason we're not getting an actual response. So remember the stealth scan, which would. No, not stealth scan. Sorry. Well, in this case we're just not getting a response. So it doesn't know how to handle it. So it just says that they are open or filtered, I think. Awesome. So perform a TCP SYN scan on the first 5000 ports of the target. How many ports are shown to be open? Let's hit up arrow because we've got a lot of the work here. So this time we want to go 5000. So it's going to take a little bit longer. If you remember, we could use that -T4, -T3, or -T5. So that was just to speed it up, possibly creating a problem for me.
I'm going to use the -T3, see if that just speeds it up a little bit. So we've got 0 to 5000 ports. This time we want to use a TCP SYN scan. So if we go back, if we remember, we've got our TCP SYN scan, which is that stealth open scan. So that's what we're wanting to run. So I honestly just forgot. It's -sS, right? Yeah, -sS, literally right in front of my face. So let's go over here and change our X, which was for the Xmas scan, to the stealth scan, which is now the capital S. So I'm almost now regretting using the -T3 because it might stuff something up. But you don't have to use the -T3, remember, that's just the timing to speed it up. You can try it without. I may be doing it without, off my memory. It might be zero. It's not zero, but it is between one and nine. So let's run that and let's make sure you've got your -v so we can actually see what's going on. So look at this. We can see some results using our stealthy scan and using our -Pn. So we've got an open port on 21, 135, 3389, 53, 80. Some of these are known ports. Can't remember what they're so known for, I can't remember what they are. Okay, I'm going to just use 1, 2, 3, 4, 5. Awesome. So we can essentially cancel that and cool. It's already done. So we've got our five. Awesome. So this is what we generally get with our scans: we get a little bit of info saying we've got 5996 that are filtered, or no response, like we saw with the first bunch. But this time we weren't using this -sS. So yeah, we can see here we've actually got our ports, the state that they're in, the service that they're running: domain, http, msrpc, ms-wbt-server. You can read. Okay, so let's go back here. So we've got open Wireshark, and if we wanted to do that, that's cool. I'm not familiar with Wireshark. I've got to do that room. So I'm going to leave that for another time. So we want to deploy the ftp-anon script against the box. Can Nmap log in successfully to the FTP server on port 21? Yes or no?
I remember off the top of my head that we can. I mean, we could just guess yes or no. It's only the last one. But trust me, we can. For the time that we've already gone here, I think we've done a good job. So well done. If you made it to this stage in the video, you're an absolute legend. Thank you for sticking around. I would really encourage you to take on Network Services and Network Services 2 in the beginner path, which I will be showing soon. So if you want to stick around, you can see that. But no, congratulations. You've got through quite a lot. This is a big room, so thank you to TryHackMe for providing the amazing rooms. Thank you to you, the awesome community. I hope you enjoyed this. If you did, great. If you didn't, let me know why, and I'll see you in the next one. Cool.
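The walkthrough above answers two questions by catting `script.db` and grepping a script file by hand: which NSE scripts fall in the `intrusive` category (the ones not to run against production), and what a script such as `smb-os-discovery` lists under `dependencies`. Here is an added example, not code from the video or from the Nmap project, that parses both file formats so the same checks can be scripted; the `script.db` excerpt and the Lua header are constructed samples that follow the real layouts, and the install path is the one shown on the page.

```python
"""Added example: parse Nmap's script.db index and an NSE script's
`dependencies` table. Sample data below is constructed, not copied
from a real install, but follows the real file formats."""
import os
import re

# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db
SCRIPT_DB = '''
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
'''

# Constructed excerpt of an NSE script header: scripts declare a Lua
# table named `dependencies` naming scripts that must run before them.
SMB_OS_DISCOVERY_LUA = '''
categories = {"default", "discovery", "safe"}
dependencies = {"smb-brute"}
'''

DEFAULT_DB_PATH = "/usr/share/nmap/scripts/script.db"  # path from the page

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*'
    r'categories\s*=\s*\{([^}]*)\}\s*\}'
)

def parse_script_db(text):
    """Return {script_name: set(categories)} from script.db text."""
    db = {}
    for fname, cats in ENTRY_RE.findall(text):
        name = fname[:-4] if fname.endswith(".nse") else fname
        db[name] = set(re.findall(r'"([^"]+)"', cats))
    return db

def scripts_in_category(db, category):
    """Sorted script names carrying the given category."""
    return sorted(n for n, cats in db.items() if category in cats)

def unsafe_for_production(db):
    """Scripts in the 'intrusive' category: likely to affect the target."""
    return scripts_in_category(db, "intrusive")

def parse_dependencies(lua_text):
    """Names listed in the script's `dependencies = { ... }` table."""
    m = re.search(r'^\s*dependencies\s*=\s*\{([^}]*)\}', lua_text, re.M)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def load_script_db(path=DEFAULT_DB_PATH):
    """Use the real script.db when Nmap is installed, else the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return parse_script_db(fh.read())
    return parse_script_db(SCRIPT_DB)

if __name__ == "__main__":
    db = load_script_db()
    print("intrusive:", unsafe_for_production(db))
    print("smb-os-discovery depends on:", parse_dependencies(SMB_OS_DISCOVERY_LUA))
```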
Info
Channel: Mr Ash Co
Views: 21,809
Keywords: TryHackMe, nmap, cybersec
Id: I3mynoAsgJI
Length: 68min 51sec (4131 seconds)
Published: Thu Mar 10 2022