This article is a step by step walk-through of "RP: NMAP" and I would definitely say that if you haven't solved this challenge by yourself, please try harder and if you are still unable to figure things out. This walk-through is going to be your manual for this challenge.
In this challenge, we have different tasks and what we need to do is to complete them one by one. Our main aim/goal should be to learn new things. Even if you know NMAP like me! you should be giving it a revision to clear the basic concepts.
Deploy the Nmap machine and follow along here.
[Task 1] Deploy
In this task, we are provided with the a machine which is intentionally vulnerable and we will be trying to find the answers of the given questions. Click on the "Deploy" button in order to start the VM.
Note: I am assuming that you guys have working Kali Linux or any other OS for "Penetration Testing/Learning" and have downloaded your VPN files!
[Task 2] NMAP Quiz
NMAP comes pre-installed in Kali Linux, Santoku OS and many others. At the moment i will be using Santoku OS.
Open your terminal and simply write "nmap". Different options which can be used with nmap will be prompted on the prompt.
This proves that we have NMAP already installed. Now on the prompt we can clearly see many different options which can be used with the NMAP. In this walk-through i will only stick to the questions which are asked within this section.
Answering The Questions
We have our first question! "How do we access the help menu?". We can do it by using the -h attribute along with nmap. So that the command looks like.
$ nmap -h
Moreover we can also check how can we do this by using the options which were prompted before when we first typed "nmap".
We have completed out first quiz!
Now we will be answering 2 questions at a time. On checking the "Help Menu" under the "Scan Techniques" we can easily answer these question. For UDP scanning we use -sU flag and for Syn scanning we use -sS flag.
In the help menu, under OS Detection section we can find the answer for this question i.e. for performing an OS detection we use -O flag.
Using the same help menu, under the Service/Version Detection we can find our answer.
The answer to these question can be found in OUTPUT section.
NMAP allows us to save the output of the scan in different formats. The information for these formats can be found under the OUTPUT.
The answer to this question can be found under MISC section.
NMAP allows us to set timing and performance setting for NMAP and these details can be found under "Timing and Performance".
NMAP also allows us to scan only specific ports and all ports. For all ports we need not to specify any ports just a single - with -p so it looks like -p-. These information can be found under Port Specification and Scan Order.
NMAP also has the NMAP-Scripting engine which allows us to scan for different checks, another name vulnerabilities and that can be done using scripts.
We can only scan for vulnerable scripts by specifying their name as "vuln".
Pinging is the method to check if the host is alive or not and is done to save the time so that the NMAP does not scan that host which is not up and only scan the host which will respond to the ICMP requests. Specifying this option will make the NMAP treat all hosts as alive. These options can be found under Host Discovery section.
[Task 3] NMAP Scanning
Now as we have learnt much about the NMAP and different options which can be supplied with the NMAP. Now we will try to find the answers of the questions by applying these techniques.
Now all we need is to go back on Task 1 and deploy the machine and also initiate a connection using the VPN file.
Once connected to VPN. Deploy your machine and note down the IP address.
Answering The Questions
We have already seen this and we know that in order to perform a Syn Scan, we use -sC flag.
Now let's perform Syn Scan on the IP address and note down the ports which are in the range of ( 1<=999). So we found out there are 2 ports.
We can answer this question from the previous screenshot and we can see that along with Port Number, Port Type has been given. As we haven't specified -sU for UDP scanning all the ports which will be scanned are of type TCP.
Now rather than testing last 3 questions one by one. Let's try to find answers using only one request. The command will look like
$nmap -sC -sV -T4 -A --script vuln <ipAddress>
With -sV we are doing version detection, with -A an agressive scan, with -T4 scanning much faster and with --script vuln we are only scanning for vulnerabilities.
We have found the answers of 2 questions i.e. the version of SSH and the flag which is not running on Port 80. Similarly we have found the answer for the third question, i.e. by using scripting engine.
With all this we have completed this room and I hope that after all this you will have fair amount of information/knowledge about how you can use NMAP in your engagements for your initial enumeration.