TryHackMe: Nmap Live Host Discovery

Aayan Tiwari
Oct 4, 2023

Learn how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan.

Difficulty: Medium

Room URL: https://tryhackme.com/room/nmap01

Task 1 [Introduction]

There isn’t much to discuss in this task, so let’s proceed to Task 2.

Questions

Some of these questions will require the use of a static site to answer the task questions, while others require the use of the AttackBox and the target VM.

Answer: No answer needed

Task 2 [Subnetworks]

Change the values as required by the question and see the response.

Network Log

HANDSHAKE: Starting TCP/IP Handshake between computer1 and computer1

HANDSHAKE: Sending SYN Packet from computer1 to computer1

ARP REQUEST: Who has computer1 tell computer1

ARP RESPONSE: Hey computer1, I am computer1

HANDSHAKE: computer1 received SYN Packet from computer1, sending SYN/ACK Packet to computer1

HANDSHAKE: computer1 received SYN/ACK Packet from computer1, sending ACK packet to computer1

HANDSHAKE: computer1 received ACK packet from computer1, Handshake Complete

TCP: Sending TCP packet from computer1 to computer1

TCP: computer1 received TCP Packet from computer1, sending ACK Packet to computer1

Questions

How many devices can see the ARP Request?

Answer: 4

Did computer6 receive the ARP Request? (Y/N)

Answer: N

Network Log

HANDSHAKE: Starting TCP/IP Handshake between computer4 and computer4

HANDSHAKE: Sending SYN Packet from computer4 to computer4

ARP REQUEST: Who has computer4 tell computer4

ARP RESPONSE: Hey computer4, I am computer4

HANDSHAKE: computer4 received SYN Packet from computer4, sending SYN/ACK Packet to computer4

HANDSHAKE: computer4 received SYN/ACK Packet from computer4, sending ACK packet to computer4

HANDSHAKE: computer4 received ACK packet from computer4, Handshake Complete

TCP: Sending TCP packet from computer4 to computer4

TCP: computer4 received TCP Packet from computer4, sending ACK Packet to computer4

Questions

How many devices can see the ARP Request?

Answer: 4

Did computer6 reply to the ARP Request? (Y/N)

Answer: Y

Task 3 [Enumerating Targets]

Questions

What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?

Command used: nmap -sL 10.10.12.13/29

The -sL option simply lists the targets to scan without scanning them.

Answer: 10.10.12.8

How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?

Command used: nmap -sL 10.10.0-255.101-125

The scan might take several minutes. At the end of the result we can find:

Answer: 6400
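
Both answers in this task follow from how the target specification expands. The Python code below is an added example, not part of the original write-up and not Nmap's own code: it expands a CIDR block or an octet-range specification into the addresses a list scan would report. The function names are hypothetical, and for octet ranges the order of the returned addresses is not claimed to match Nmap's.

```python
import ipaddress
from itertools import product


def _octet_values(field):
    """Expand one octet field such as '13', '0-255' or '1,5,9-11'."""
    values = []
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            # Either end of a range may be omitted: '-' alone means 0-255.
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_targets(spec):
    """Return every IPv4 address covered by a CIDR or octet-range spec."""
    if "/" in spec:
        # strict=False masks off the host bits, so 10.10.12.13/29
        # becomes the block 10.10.12.8/29 (addresses .8 through .15).
        net = ipaddress.ip_network(spec, strict=False)
        # Iterating the network includes the network and broadcast
        # addresses, which a list scan also enumerates.
        return [str(ip) for ip in net]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected 4 octets: {spec!r}")
    octets = [_octet_values(f) for f in fields]
    return [".".join(map(str, combo)) for combo in product(*octets)]


if __name__ == "__main__":
    block = expand_targets("10.10.12.13/29")
    print(block[0], "to", block[-1], "->", len(block), "addresses")
    ranged = expand_targets("10.10.0-255.101-125")
    # 256 values in the third octet x 25 values in the fourth
    print(len(ranged), "addresses")
```

Running the same expansion over a scope file before a scan is a quick check that the range does not cover more addresses than the engagement authorizes.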

Task 4 [Discovering Live Hosts]

Network Log

ARP REQUEST: Who has computer3 tell computer1

ARP RESPONSE: Hey computer1, I am computer3

ARP REQUEST: Who has computer3 tell computer1

ARP RESPONSE: Hey computer1, I am computer3

PING: Sending Ping Request packet from computer1 to computer3

PING: computer3 received ping request from computer1, sending ping response to computer1

PING: Sending Ping Response packet from computer3 to computer1

PING: computer1 received ping response from computer3

Questions

What is the type of packet that computer1 sent before the ping?

Answer: ARP Request

What is the type of packet that computer1 received before being able to send the ping?

Answer: ARP Response

How many computers responded to the ping request?

Answer: 1

Network Log

ROUTING: computer2 says computer5 is not on my local network sending to gateway: router

ARP REQUEST: Who has router tell computer2

ARP RESPONSE: Hey computer2, I am router

ROUTING: computer2 says computer5 is not on my local network sending to gateway: router

ARP REQUEST: Who has router tell computer2

ARP RESPONSE: Hey computer2, I am router

PING: Sending Ping Request packet from computer2 to computer5

ARP REQUEST: Who has computer5 tell router

ARP RESPONSE: Hey router, I am computer5

Questions

What is the name of the first device that responded to the first ARP Request?

Answer: router

What is the name of the first device that responded to the second ARP Request?

Answer: computer5

Send another Ping Request. Did it require new ARP Requests? (Y/N)

Answer: N

Task 5 [Nmap Host Discovery Using ARP]

Questions

How many devices are you able to discover using ARP requests?

Answer: 3

Task 6 [Nmap Host Discovery Using ICMP]

Questions

What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?

Answer: -PP

What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?

Answer: -PM

What is the option required to tell Nmap to use ICMP Echo to discover live hosts?

Answer: -PE

Task 7 [Nmap Host Discovery Using TCP and UDP]

Questions

Which TCP ping scan does not require a privileged account?

Answer: TCP SYN Ping

Which TCP ping scan requires a privileged account?

Answer: TCP ACK Ping

What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?

Answer: -PS23

Task 8 [Using Reverse-DNS Lookup]

Questions

We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?

Answer: -R

Task 9 [Summary]

Questions

Ensure you have taken note of all the Nmap options explained in this room. To continue learning about Nmap, please join the room Nmap Basic Port Scans, which introduces the basic types of port scans.

Answer: No answer needed
