TryHackMe: NMAP: Practical

goay xuan hui
Jan 25, 2021


#1 Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?


Some interesting findings to share:

If you run nmap with the -sn option, it reports the host as up because it receives an ARP response (arp-response).

This happens when a privileged user scans a target on the local network (LAN), where nmap uses ARP requests for host discovery.

To see whether the host actually responds to ICMP ping, you need to add the --send-ip option.

#2 Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?


#3 There is a reason given for this — what is it?

Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!

No Response
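
An added example, not part of the original write-up: a short Python parser for Nmap's XML output (-oX) that reads the reason attributes behind #1 and #3, showing that a host marked up by arp-response has not been confirmed to answer ICMP, and that open|filtered ports come from unanswered probes. The XML sample, the address 10.10.0.5 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -sX -p1-999 -oX -` output (not from the room):
# host found via ARP on the local segment, most Xmas probes unanswered.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up" reason="arp-response" reason_ttl="0"/>
    <address addr="10.10.0.5" addrtype="ipv4"/>
    <ports>
      <extraports state="open|filtered" count="997">
        <extrareasons reason="no-responses" count="997"/>
      </extraports>
      <port protocol="tcp" portid="21"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>"""


def port_reasons(host):
    """Count (state, reason) pairs, including ports collapsed into <extraports>."""
    counts = Counter()
    for extra in host.iter("extraports"):
        for item in extra.findall("extrareasons"):
            counts[(extra.get("state"), item.get("reason"))] += int(item.get("count"))
    for port in host.iter("port"):
        state = port.find("state")
        counts[(state.get("state"), state.get("reason"))] += 1
    return dict(counts)


def summarize(xml_text):
    """Map each IP to why nmap marked it up and why its ports got their states."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next(a.get("addr") for a in host.findall("address")
                  if a.get("addrtype") in ("ipv4", "ipv6"))
        reason = host.find("status").get("reason")
        report[ip] = {
            "up_reason": reason,
            # Only an echo reply proves the host answers ICMP ping;
            # arp-response only proves it is reachable on the local segment.
            "icmp_echo_confirmed": reason == "echo-reply",
            "ports": port_reasons(host),
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_XML).items():
        print(ip, info)
```

To use it on a real scan, pass the contents of a file written with -oX to summarize().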

#4 Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?


*Just a reminder: -p1-5000 and --top-ports 5000 return different results. -p1-5000 scans the first 5000 ports, while --top-ports 5000 scans the top 5000 well-known TCP and UDP ports.

#5 Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

#6 Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)


To understand more about NMAP, check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!


