LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS
THM Walkthrough #linux #network #nmap

TryHackMe Walkthrough: Nmap Basic Port Scans

TE Team Ciphers Security · May 3, 2024 · 5 min read · 4.2k reads
Post on X LinkedIn
TryHackMe Walkthrough: Nmap Basic Port Scans

This room is the second Nmap Basic Port Scans in the Nmap series (part of the Introduction to Network Security module).

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

In the previous room, we focused on discovering online systems. So far, we have covered three steps of a Nmap scan:

  1. Enumerate targets
  2. Discover live hosts
  3. Reverse-DNS lookup

The next step would be checking which ports are open and listening and which ports are closed. Therefore, in this room and the next one, we focus on port scanning and the different types of port scans used by nmap. This room explains:

  1. TCP connect port scan
  2. TCP SYN port scan
  3. UDP port scan

Moreover, we discuss the different options to specify the ports, the scan rate, and the number of parallel probes.

// 01 Task 2 TCP and UDP Ports Nmap Basic

Question: Which service uses UDP port 53 by default?
Answer: DNS

Question: Which service uses TCP port 22 by default?
Answer: SSh

Question: How many port states does Nmap consider?
Answer: 6

Question: Which port state is the most interesting to discover as a pentester?
Answer: open

However, in practical situations, we need to consider the impact of firewalls. For instance, a port might be open, but a firewall might be blocking the packets. Therefore, Nmap considers the following six states:

  1. Open: indicates that a service is listening on the specified port.
  2. Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
  3. Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
  4. Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.
  5. Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered. Nmap Basic
  6. Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered. Nmap Basic

// 02 TCP Flags Nmap Basic

TCP Header
  1. URG: Urgent flag indicates that the urgent pointer filed is significant. The urgent pointer indicates that the incoming data is urgent, and that a TCP segment with the URG flag set is processed immediately without consideration of having to wait on previously sent TCP segments.
  2. ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
  3. PSH: Push flag asking TCP to pass the data to the application promptly. Nmap Basic
  4. RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer. Nmap Basic
  5. SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
  6. FIN: The sender has no more data to send. Nmap Basic

Question: What 3 letters represent the Reset flag?
Answer: RST

Question: Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?
Answer: SYN

// 03 Task 4 TCP Connect Scan Nmap Basic

Question: Launch the VM. Open the AttackBox and execute nmap -sT 10.10.180.186 via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?
Answer: 110

Question: What is Nmap’s guess about the newly installed service?
Answer: pop3

// 04 Task 5 TCP SYN Scan

Question: Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS 10.10.38.225. What is the new open port?
Answer: 6667

Question: What is Nmap’s guess of the service name?
Answer: irc

// 05 Task 6 UDP Scan

Question: Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v 10.10.212.229. A new service has been installed since the last scan. What is the UDP port that is now open?
Answer: 53

Question: What is the service name according to Nmap?
Answer: domain

// 06 Task 7 Fine-Tuning Scope and Performance

Question: What is the option to scan all the TCP ports between 5000 and 5500?
Answer: -p5000-5500

Question: How can you ensure that Nmap will run at least 64 probes in parallel?
Answer: –min-parallelism=64

Question: What option would you add to make Nmap very slow and paranoid?
Answer: -T0

Nmap Basic Port Scans

Related coverage on Ciphers Security

    TE
    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research. About us →

    Previous TryHackMe Walkthrough: Active Directory Hardening Next TryHackMe Walkthrough: Nmap Advanced Port Scans

    Latest News

    YARA-X 1.16.0: Faster Scans, Panic Fixes, and Neovim LSP Support YARA-X 1.16.0 ships with performance improvements across 10 PRs, constant folding for bitwise ops, configurable mat… Instructure Removed from ShinyHunters' Leak Site as Canvas Breach Deadline Passes Instructure was quietly removed from ShinyHunters' extortion site after the May 12, 2026 deadline — no data dump, n… Costa Rica Joins Have I Been Pwned as the 42nd Government Costa Rica's CSIRT gains free access to Have I Been Pwned's government domain monitoring service, becoming the 42nd… LummaC2 Infostealer Targets US Critical Infrastructure: CISA-FBI Advisory AA25-141B and DOJ Domain Seizures CISA and FBI advisory AA25-141B details LummaC2 MaaS infostealer TTPs targeting critical infrastructure. DOJ seized… MacSync Stealer: Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware Russian-speaking attackers combine Google Ads and Claude.ai shared chats in a ClickFix campaign deploying MacSync S… JDownloader Site Hacked, Installers Swapped with Python RAT Malware JDownloader's website was hacked May 6–7, 2026, replacing Windows and Linux installers with a Python-based RAT. Use… Operation HookedWing: 4-Year Phishing Campaign Hits 500+ Organizations Across Aviation, Energy, and Logistics Operation HookedWing has stolen credentials from 500+ organizations in aviation, energy, logistics, and critical in… Twelve Critical vm2 Node.js Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution A dozen CVEs in the vm2 Node.js sandbox library — including CVSS 10.0 flaws — allow sandbox escape and RCE. Update …
    Scroll to Top