TryHackMe | Nmap Post Port Scans
This is the final nmap room and in it we covered the following: Service Detection, OS detection, traceroute, Nmap Scripting Engine (NSE), and how to save our results.
Service detection was our first task. Once you've discovered open ports, you can probe each port in an attempt to detect the running service. Once you know what service is on the port, you can start researching vulnerabilities in that service. To do service detection, we use the -sV option. One thing to note is that it causes Nmap to complete the 3-way handshake, so don't bother pairing it with -sS. You can also control the intensity level of the probing, ranging from 0-9, with the --version-intensity option.

Next up is OS detection using the -O option. It will attempt to detect the OS and its version, but a number of factors affect its accuracy. Things like virtualization, or not being able to find at least one open and one closed port, will decrease accuracy.

The traceroute in Nmap works differently from that of Linux or Windows. A standard traceroute starts at a low TTL and increases it until it reaches the target. Nmap does the opposite: it starts with a high TTL and decreases it.

The Nmap Scripting Engine (NSE) contains close to 600 scripts on a default installation. You can also create your own scripts, provided they are written in Lua. If you want to see what scripts you have, you can browse to /usr/share/nmap/scripts. When using the NSE, you can specify scripts to run by name or by category:
| Script Category | Description |
|---|---|
| auth | Authentication related scripts |
| broadcast | Discover hosts by sending broadcast messages |
| brute | Performs brute-force password auditing against logins |
| default | Default scripts, same as -sC |
| discovery | Retrieve accessible information, such as database tables and DNS names |
| dos | Detects servers vulnerable to Denial of Service (DoS) |
| exploit | Attempts to exploit various vulnerable services |
| external | Checks using a third-party service, such as Geoplugin and Virustotal |
| fuzzer | Launch fuzzing attacks |
| intrusive | Intrusive scripts such as brute-force attacks and exploitation |
| malware | Scans for backdoors |
| safe | Safe scripts that won't crash the target |
| version | Retrieve service versions |
| vuln | Checks for vulnerabilities or exploit vulnerable services |
It is important to know what the scripts you want to use will do when run, as some of them launch brute-force attacks, cause DoS, and even exploit systems. So always make sure you know what a script is going to do so that you don't get in trouble.
Finally, we discussed how to export our results in different formats. The first is the normal output, which saves the results to a file that looks similar to your on-screen results. This is accomplished with the -oN flag followed by the desired filename. If you want the format to be friendly with grep, you can use the -oG flag. The third format you can use is XML, which uses the -oX option. The last file format is Script Kiddie. It isn't really a useful output, but it might look good in front of friends who aren't tech literate.
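The XML format is the one worth saving if you plan to process results later. As an added example (not part of the TryHackMe room), here is a small parser that reads -oX output and pulls out, per host, the OS guess from -O and the open ports with the service name, product and version that -sV detected; the sample XML and the host 10.10.10.5 are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for a hypothetical host 10.10.10.5, trimmed to
# the elements this parser reads (<host>, <address>, <port>, <state>, <service>, <osmatch>).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.10.5">
  <host>
    <status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29" method="probed"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="closed"/>
        <service name="netbios-ssn" method="table"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"os": name-or-None, "ports": [(port, proto, name, product, version), ...]}}."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        os_el = host.find("os/osmatch")  # first osmatch is Nmap's best guess
        entry = {"os": os_el.get("name") if os_el is not None else None, "ports": []}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no probed service data
            svc = port.find("service")
            attrs = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else (None,) * 3
            entry["ports"].append((int(port.get("portid")), port.get("protocol")) + attrs)
        results[addr_el.get("addr")] = entry
    return results


if __name__ == "__main__":
    for addr, info in parse_nmap_xml(SAMPLE_XML).items():
        print(addr, info["os"], info["ports"])
```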