Nmap — Network Mapper

Ashutosh Agrawal
6 min read · Sep 25, 2023


Tryhackme Walkthrough- Nmap Live Host Discovery + Notes

An automation tool designed for mapping networks, identifying live hosts, and discovering running services

Terminologies

Network Segment: A group of computers connected using a shared medium, for example an Ethernet switch or a Wi-Fi access point.

Subnetwork: One or more network segments connected together and configured to use the same router.

The network segment refers to a physical connection, while a subnetwork refers to a logical connection.

  • Subnets with /16, which means that the subnet mask can be written as 255.255.0.0. This subnet can have around 65 thousand hosts.
  • Subnets with /24, which indicates that the subnet mask can be expressed as 255.255.255.0. This subnet can have around 250 hosts.

Using NMap

  • nmap target — Nmap will scan the targets specified. Target can be a single entity or multiple entities separated by space. Target can also be specified as range or subnet.
  • nmap -iL targets.txt — This will scan all the targets in the targets.txt file
  • nmap -sL targets - This option will give you a detailed list of the hosts that Nmap will scan without scanning them. Nmap will also attempt a reverse-DNS resolution on all the targets to obtain their names.

Discovering Live Hosts using Protocols

ARP: Sends a frame to the broadcast address on the network segment, asking the computer with a specific IP address to respond with its MAC (hardware) address.

If you want to ping a system on the same subnet, an ARP query should precede the ICMP Echo.

A scanner can send a specially-crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when ICMP Echo is blocked.

When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:

  1. When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is root or a user who belongs to sudoers and can run sudo.
  2. When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMP timestamp request.
  3. When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
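From the defender's side, the four default probes listed above for a privileged remote scan (ICMP echo, TCP ACK to 80, TCP SYN to 443, ICMP timestamp) form a recognisable pattern. The following is an added example, not part of the original post: it runs over a constructed packet-summary log (format and addresses are assumptions) and reports source/target pairs that received at least three of the four probe types.

```python
from collections import defaultdict

# Constructed sample packet-summary log (not from the page or from Nmap's own
# output): one packet per line, fields: src dst proto detail
SAMPLE_LOG = """\
10.10.5.7 10.10.9.2 icmp type=8
10.10.5.7 10.10.9.2 tcp dport=80 flags=A
10.10.5.7 10.10.9.2 tcp dport=443 flags=S
10.10.5.7 10.10.9.2 icmp type=13
10.10.5.7 10.10.9.3 icmp type=8
10.10.5.7 10.10.9.3 tcp dport=80 flags=A
10.10.5.7 10.10.9.3 tcp dport=443 flags=S
10.10.5.7 10.10.9.3 icmp type=13
10.10.5.9 10.10.9.2 tcp dport=443 flags=S
10.10.5.9 10.10.9.2 tcp dport=443 flags=A
10.10.5.8 10.10.9.4 icmp type=8
"""

# Signatures of the four probes Nmap sends by default when a privileged user
# scans targets outside the local segment (numbered list above, item 2).
DEFAULT_PROBES = {
    "icmp-echo":   ("icmp", "type=8"),
    "tcp-ack-80":  ("tcp", "dport=80 flags=A"),
    "tcp-syn-443": ("tcp", "dport=443 flags=S"),
    "icmp-ts":     ("icmp", "type=13"),   # ICMP Type 13 timestamp request
}


def classify(proto: str, detail: str):
    """Map one packet to a probe name, or None if it is not a discovery probe."""
    for name, signature in DEFAULT_PROBES.items():
        if (proto, detail) == signature:
            return name
    return None


def find_discovery_sweeps(log_text: str, min_probes: int = 3) -> dict:
    """Return {(src, dst): [probe names]} for every pair where one source sent
    at least min_probes distinct default-discovery probe types to one target."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, detail = line.split(maxsplit=3)
        name = classify(proto, detail)
        if name:
            seen[(src, dst)].add(name)
    return {pair: sorted(names) for pair, names in seen.items()
            if len(names) >= min_probes}
```

A single SYN to 443 or a lone echo request (the other two sources in the sample) is ordinary traffic and stays below the threshold; the combination is what stands out.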

ICMP: To use ICMP echo request to discover live hosts, add the option -PE. (Remember to add -sn if you don’t want to follow that with a port scan.)

nmap -PE -sn target

Because ICMP echo requests tend to be blocked, you might also consider ICMP Timestamp or ICMP Address Mask requests to tell if a system is online. Nmap uses timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests.

TCP SYN PING: If you want Nmap to use TCP SYN ping, you can do so via the option -PS followed by the port number, range, list, or a combination of them. For example, -PS21 will target port 21, while -PS21-25 will target ports 21, 22, 23, 24, and 25. Finally -PS80,443,8080 will target the three ports 80, 443, and 8080.

TCP ACK PING: This sends a packet with an ACK flag set. You must be running Nmap as a privileged user to be able to accomplish this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake.

By default, port 80 is used. The syntax is similar to TCP SYN ping: -PA should be followed by a port number, range, list, or a combination of them.

UDP Ping: Sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet.

Reverse DNS Lookup

Nmap’s default behaviour is to run a reverse-DNS lookup on online hosts. Because hostnames can reveal a lot, this can be a helpful step. However, if you don’t want to send such DNS queries, you can use -n to skip this step.

By default, Nmap will look up online hosts; however, you can use the option -R to query the DNS server even for offline hosts. If you want to use a specific DNS server, you can add the --dns-servers DNS_SERVER option.

Masscan

Masscan uses a similar approach to discover the available systems. However, to finish its network scan quickly, Masscan is quite aggressive with the rate of packets it generates. The syntax is quite similar: -p can be followed by a port number, list, or range. Consider the following examples:

  • masscan MACHINE_IP/24 -p443
  • masscan MACHINE_IP/24 -p80,443
  • masscan MACHINE_IP/24 -p22-25
  • masscan MACHINE_IP/24 --top-ports 100

Summary

TryHackMe Walkthrough

Task 2

Hint: ARP packets are bound to their subnet, i.e., if you are in Network A, you can use ARP only to discover the devices within that subnet.

Task 3

Hint:
1) Run nmap -sL 10.10.12.13/29 on the VM.
2) We have IP addresses of the form 10.10.x.y where x can take any value in the range 0–255, that is, 256 possible values for x. Similarly, there are 25 possible values for y. So the number of IPs = 256*25 = 6400.
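The counting in the Task 3 hint, and the /16 and /24 host counts and the range/subnet target forms from the notes above, can be checked with a small target-specification expander. This is an added example, not code from the post or from Nmap; it handles single addresses, CIDR blocks and Nmap-style per-octet ranges (hostnames are not resolved).

```python
import ipaddress
from itertools import product


def _octet_values(spec: str) -> list[int]:
    """Expand one octet spec: "7", "0-255", a bare "-" (all 256 values),
    or a comma list such as "1,3,10-12"."""
    values: set[int] = set()
    for part in spec.split(","):
        if part == "-":                      # bare hyphen means 0-255
            values.update(range(256))
            continue
        lo, sep, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if sep else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet spec: {part!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def expand_targets(spec: str) -> list[str]:
    """Expand one Nmap target spec into individual IPv4 addresses.

    Supported forms (all accepted by nmap on the command line):
      single address      10.10.12.13
      CIDR block          10.10.12.13/29   (all 8 addresses, as nmap -sL shows)
      per-octet ranges    10.10.0-255.101-125
    """
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in network]   # includes network/broadcast
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    ranges = [_octet_values(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*ranges)]


def count_targets(*specs: str) -> int:
    """Number of addresses Nmap would scan for the given target specs."""
    return sum(len(expand_targets(s)) for s in specs)
```
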

Task 4

Hint:
1) Check Network Log

Task 5

Hint:
1) ARP requests can be used to discover devices on the same subnet. So we will be able to discover computer2, computer3 and the router.

Task 6

Task 7

Task 8
