Tryhackme – Nmap

Project name: Nmap

Task.1 Deploy

Q1.Deploy the attached VM

Start the target machine.

Task.2 Introduction

Before an intrusion there is usually one very important step: reconnaissance. Nmap is a very important reconnaissance tool; if you want to get into a target machine, you will use this tool 99% of the time. The switches we usually reach for are -A, -sT and --script=vuln.

Q1.What networking constructs are used to direct traffic to the right application on a server?

A:Ports

The question asks which networking construct directs traffic to the right application on a server; naturally, that is ports.

Q2.How many of these are available on any network-enabled computer?

A:65535

Ports on today's computers only go up to 65535.

Q3.[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

A:1024

How many well-known ports are there? The answer is 1024.

Task.3 Nmap Switches

Q1.What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

A:-sS

Which switch scans by sending only SYN packets?

Q2.Which switch would you use for a “UDP scan”?

A:-sU

Which switch performs a UDP scan?

Q3.If you wanted to detect which operating system the target is running on, which switch would you use?

A:-O

Which switch detects the operating system?

Q4.Nmap provides a switch to detect the version of the services running on the target. What is this switch?

A:-sV

Which switch detects service versions?

Q5.The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

A:-v

Which switch shows more detailed output?

Q6.Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

A:-vv

Which switch shows even more detail than -v?

Q7.What switch would you use to save the nmap results in three major formats?

A:-oA

Which switch saves the output as files in three formats?

Q8.What switch would you use to save the nmap results in a “normal” format?

A:-oN

Which switch saves the results in normal format?

Q9.A very useful output format: how would you save results in a “grepable” format?

A:-oG

Which switch saves the results in grepable format?

Q10.Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

A:-A

If you don't care about being noticed, which switch gives the most detailed output?

Q11.How would you set the timing template to level 5?

A:-T5

Which switch scans fastest?

Q12.How would you tell nmap to only scan port 80?

A:-p 80

Which switch scans only port 80?

Q13.How would you tell nmap to scan ports 1000-1500?

A:-p 1000-1500

Which switch scans the range 1000 to 1500?

Q14.How would you tell nmap to scan all ports?

A:-p-

Which switch scans all ports?

Q15.How would you activate a script from the nmap scripting library (lots more on this later!)?

A:--script

Which switch runs a script during the scan?

Q16.How would you activate all of the scripts in the “vuln” category?

A:--script=vuln

Which switch runs the vuln category of scripts?
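Task 3 asks about the -oN, -oG and -oA output switches; below is an added example (not code from the room or from Nmap) that parses the "grepable" format written by -oG, so a scan can be post-processed or compared against an earlier baseline. The sample output is constructed; only the target IP and the FTP and HTTP ports come from the room, the other ports and the version string are assumptions.

```python
# Constructed sample of what `nmap -sS -p1-5000 -oG scan.gnmap <target>` writes:
# comment lines start with "#", each Host line holds tab-separated fields and
# the Ports field lists "port/state/protocol/owner/service/rpc info/version/".
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -sS -p1-5000 -oG scan.gnmap 10.10.237.186
Host: 10.10.237.186 ()\tStatus: Up
Host: 10.10.237.186 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, \
80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (4995)
# Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip the "# Nmap ..." header/footer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]      # drop the "(hostname)" part
        ports = results.setdefault(host, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # seven "/"-separated fields plus a trailing empty one
            port, state, proto, _owner, service, _rpc, _version, _ = entry.split("/")
            ports.append((int(port), proto, state, service))
    return results

def open_ports(results, host):
    """Sorted open port numbers for one host (what Task 14 Q4 asks you to count)."""
    return sorted(p for p, _proto, state, _svc in results.get(host, []) if state == "open")

def newly_opened(baseline, current, host):
    """Ports open in the current scan that were not open in the baseline scan."""
    return sorted(set(open_ports(current, host)) - set(open_ports(baseline, host)))
```

Comparing two -oG files this way is a simple way to spot a service that appeared between two scans of the same host.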

Task.4 Overview

When port scanning with Nmap, there are three basic scan types. These are:

- TCP Connect scan (-sT)
- SYN "half-open" scan (-sS)
- UDP scan (-sU)

There are also several less common port scan types, some of which we will also cover (though in less detail). These are:

- TCP Null scan (-sN)
- TCP FIN scan (-sF)
- TCP Xmas scan (-sX)

Most of these (UDP scan excepted) serve very similar purposes; however, they differ in how each scan works. This means that while one of the first three scans is likely to be your go-to in most situations, it is worth keeping in mind that other scan types exist.

For network scanning, we will also briefly cover ICMP (or "ping") scanning.

Q1.Read through all of the content.

Task.5 TCP Connect Scans

Q1.Which RFC defines the appropriate behaviour for the TCP protocol?

A:RFC 793

Which RFC defines how the TCP protocol should behave?

Q2.If a port is closed, which flag should the server send back to indicate this?

A:RST

If a port is closed, what packet does the server reply with?

Task.6 SYN Scans

Q1.There are two other names for a SYN scan, what are they?

A:Half-open, Stealth SYN

The SYN scan has two other names; which are they?

Q2.Can Nmap use a SYN scan without Sudo permissions (Y/N)?

A:n

Does a SYN scan require sudo privileges?

Task.7 UDP Scans

Q1.If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

A:open|filtered

If a UDP port doesn't respond to an Nmap scan, what does Nmap mark it as?

Q2.When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

A:ICMP

If a UDP port is closed, which protocol does the target use to send the message?

Task.8 NULL, FIN and Xmas

Q1.Which of the three shown scan types uses the URG flag?

A:Xmas

Which scan type uses the URG flag?

Q2.Why are NULL, FIN and Xmas scans generally used?

A:Firewall Evasion

Why are NULL, FIN and Xmas scans used?

Q3.Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

A:Microsoft Windows

Which operating system responds to NULL, FIN and Xmas scans with a RST for every port?
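Tasks 5 to 8 describe how each scan type reads the target's reply; the added example below (not code from the room or from Nmap) models that decision logic so the states in the answers can be checked against RFC 793 behaviour. The flag constants follow RFC 793; the windows_target parameter is an assumption used to model the Windows behaviour from Task 8 Q3.

```python
from collections import Counter

# TCP flag bits, low to high, as laid out in RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags Nmap sets on the probe segment for each TCP scan type in the room.
PROBE_FLAGS = {
    "-sT": SYN,              # connect scan: full three-way handshake
    "-sS": SYN,              # half-open scan: SYN, then RST instead of ACK
    "-sN": 0,                # NULL scan: no flags set at all
    "-sF": FIN,              # FIN scan: only FIN
    "-sX": FIN | PSH | URG,  # Xmas scan: FIN, PSH and URG lit up together
}

def infer_tcp_state(scan, reply_flags, windows_target=False):
    """Port state Nmap reports for one TCP probe.

    reply_flags is the flag byte of the reply segment, or None when nothing
    came back before the timeout."""
    if scan in ("-sT", "-sS"):
        if reply_flags is None:
            return "filtered"          # silently dropped, e.g. by a firewall
        if reply_flags & RST:
            return "closed"            # RFC 793: a closed port answers RST
        if reply_flags & SYN and reply_flags & ACK:
            return "open"              # SYN/ACK: something is listening
        return "filtered"
    # NULL, FIN and Xmas rely on RFC 793: a closed port must answer RST and
    # an open port must ignore the malformed segment, so silence is ambiguous.
    if windows_target:
        return "closed"   # assumed model: Windows answers RST for every port
    if reply_flags is not None and reply_flags & RST:
        return "closed"
    return "open|filtered"

def infer_udp_state(reply):
    """reply is "udp" (a datagram came back), "icmp-unreachable", or None."""
    if reply == "udp":
        return "open"
    if reply == "icmp-unreachable":
        return "closed"                # ICMP "port unreachable" (type 3, code 3)
    return "open|filtered"             # no reply at all, the usual UDP outcome

def summarize(scan, replies, windows_target=False):
    """Count port states over a list of replies, like Nmap's summary line."""
    return Counter(infer_tcp_state(scan, r, windows_target) for r in replies)
```

summarize("-sX", [None] * 999) reproduces the Task 14 Q2 result: every silent port ends up as open|filtered, which is why Nmap gives "no responses" as the reason.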

Task.9 ICMP Network Scanning

Q1.How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

A:nmap -sn 172.16.0.0/16

What is the command to run a ping sweep on the 172.16.X.X network (netmask 255.255.0.0)?

Task.10 Overview

Script List:

safe:- Won't affect the target

intrusive:- Not safe: likely to affect the target

vuln:- Scan for vulnerabilities

exploit:- Attempt to exploit a vulnerability

auth:- Attempt to bypass authentication for running services (e.g. anonymous login to an FTP server)

brute:- Attempt to brute-force credentials for running services

discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

Q1.What language are NSE scripts written in?

A:Lua

Which language are NSE scripts written in?

Q2.Which category of scripts would be a very bad idea to run in a production environment?

A:intrusive

Which script category is a bad idea to run in a production environment?

Task.11 Working with the NSE

Q1.What optional argument can the ftp-anon.nse script take?

A:maxlist

Which argument can the ftp-anon.nse script take?

Task.12 Searching for Scripts

Q1.What is the filename of the script which determines the underlying OS of the SMB server?

A:smb-os-discovery.nse

What is the name of the script that discovers the SMB server's operating system?

Q2.Read through this script. What does it depend on?

A:smb-brute

What does this script depend on to run?

Task.13 Firewall Evasion

Q1.Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

A:ICMP

Which protocol is often blocked, requiring -Pn?

Q2.[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

A:--data-length

Which Nmap switch appends an arbitrary length of random data to the end of packets?

Task.14 Practical

Q1.Does the target (10.10.237.186) respond to ICMP (ping) requests (Y/N)?

A:N

But in practice it seemed to respond; maybe something is misconfigured on their end.

Q2.Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

A:999

The final output shows: All 999 scanned ports on 10.10.237.186 are open|filtered

Q3.There is a reason given for this — what is it?

A:No Response

Rescanning with -vv added shows "no responses".

Q4.Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

A:5

sudo nmap -sS 10.10.237.186 -p1-5000 -Pn

You can see that 5 ports are open.

Q5.Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

This step is simply to let you watch the packets you send out and receive back; you can see them with Wireshark.

Q6.Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

A:Y

sudo nmap -sS -Pn --script ftp-anon.nse 10.10.237.186

Task.15 Conclusion

You have now completed the Further Nmap room. Hopefully you enjoyed it and learned something new! There are many great resources for learning more about Nmap on your own. Front and centre is Nmap's own (very extensive) documentation, which has been referenced many times throughout the room. These are excellent resources, so while there is absolutely no need to read them line by line and learn them by rote, it is highly recommended that you use them as a reference point whenever you need to.

Reflections: This room really has a lot of questions, especially since I was doing it while in class, so it took even longer XD. I think this room may be hard to take in for people who have never used nmap, because there is quite a lot of theory. Anyway, keep at it!

Disclaimer

Using tools to attack a target without prior mutual consent is illegal. Please comply with local laws and regulations. The developers and this author assume no responsibility for this tool, nor for any misuse or damage.

This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.
