# Running scans with Nmap

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MO3WHDbXoOOcTT2TsAR%2F-MO3XENHofsBnDlMwS8K%2FNMap_Project_Logo_WHT%5B1%5D.png?alt=media\&token=1edc4185-ae00-4963-8413-21322b0c4780)

## Intro: Different types of scans with Nmap

In this practical exercise we will see how to use nmap to perform different types of scans through which we will obtain different details about our target. For this exercise I will use a local lab I have created for Active Directory practices as the target. This lab runs in VMware locally and consists of the following machines:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqn0yQKeEZUTnFnFyc%2F-MNqrUd_47zXONQ0tnAd%2Fimage.png?alt=media\&token=abb896b0-8d4c-4e6e-967a-067c7f137e69)

| Type                       | IP             |
| -------------------------- | -------------- |
| DC: Domain Controller      | 192.168.31.131 |
| Client1: Win 10 Enterprise | 192.168.31.132 |
| Client2: Windows 10 Pro    | 192.168.31.133 |

This lab is intended for practising attacks and techniques of various kinds, among them:

* LLMNR and NBT-NS Poisoning
* SMB Relay Attacks
* Kerberoasting
* BloodHound and other enumeration tools
* Golden Ticket
* Token Impersonation
* IPv6 DNS Takeover Attacks
* Credentials Dumping with Mimikatz

{% hint style="info" %}
This exercise covers neither those attacks nor the creation of the lab; the lab is only the target on which we practise the different types of scans.
{% endhint %}

With this in mind, let's use the lab to see what information each of the Nmap scan types covered in this exercise gives us about a target.

{% hint style="danger" %}
Nmap can be used in many ways and it is not the goal of this exercise to cover them all. We will simply look at some types of scans as examples, mainly the ones I commonly use to solve `labs` such as [**VulnHub**](https://www.vulnhub.com/) and [**TryHackMe**](https://tryhackme.com/), among others.
{% endhint %}

## Part 1: Basic Scans.

In this first part of the practical we will see the simplest scans we can perform with nmap.

### Pinging with Nmap.

The first thing we can try is to check whether the target is alive. For now let's start with a single target IP, that of the domain controller.

For a host-discovery-only scan nmap offers the switch `-sn`. It skips the port scan and reports whether the host is up and its latency, plus the MAC address (with the NIC vendor) when nmap runs with privileges on the same layer-2 segment, because in that case the probe it sends is an ARP request.

{% hint style="info" %}
**-sn**: Ping Scan - disable port scan
{% endhint %}

The full command is as follows:

{% hint style="success" %}
**nmap -sn 192.168.31.131**
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqFOUt_oJRjAc5WgnD%2F-MNqbcWeiBcU9GJe2R7i%2Fimage.png?alt=media\&token=24396d42-a648-4242-ac1a-aefabc57de9d)

{% hint style="info" %}
Using `sudo` is not necessary for this scan: an unprivileged nmap falls back to TCP connect probes against ports 80 and 443 and can still tell whether the host is up. Run as root on a local segment it uses ARP instead, which is also what produces the MAC address line, so the two runs may differ slightly.
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqFOUt_oJRjAc5WgnD%2F-MNqarvMxyEpYSa5in7M%2Fimage.png?alt=media\&token=e9721adc-2d14-42c8-8ad2-bdbfd96077fa)

With this simple scan we obtained the following information about our target:

| **Information Obtained** | Value                      |
| ------------------------ | -------------------------- |
| Host Status (Up/Down)    | Host is up                 |
| MAC Address              | 00:0C:29:1C:F8:3D (VMware) |
| Latency                  | 0.00039s                   |

### Detecting the Operating System.

To detect the target's operating system we can use the nmap switch `-O`. The full command looks like this:

{% hint style="success" %}
sudo nmap -O 192.168.31.131
{% endhint %}

{% hint style="warning" %}
This switch requires being executed with privileges.
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqFOUt_oJRjAc5WgnD%2F-MNqMJ4fYgS5_hh7H19M%2Fimage.png?alt=media\&token=e6c4b813-52e5-470b-bc88-35e10ecd48f0)

As we can see, this scan does not only try to fingerprint the OS: `-O` is added on top of nmap's default port scan (the 1000 most common TCP ports), so the output also lists the open ports it found. The SERVICE column here is only a lookup of the port number in nmap's services table, not a real service detection; for that we need `-sV`, which we will see later.

In this case the OS could not be identified correctly, possibly due to some of the settings of my local lab. OS fingerprinting works best when nmap finds at least one open and one closed port on the target (the warning it prints otherwise can be seen in the full output in Part 2). If the fingerprint is close but not an exact match we can add `--osscan-guess` to make nmap report its best guess more aggressively.

Let's see what the output looks like when it manages to detect it correctly:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqFOUt_oJRjAc5WgnD%2F-MNqec4ehFv5IeId_Jh7%2Fimage.png?alt=media\&token=d568719c-8883-4bb1-b7ba-9325dfe3116e)

We also see that it includes the data we saw in the previous scan.

| Information Obtained                             | Value                                                                                                                                                                                                                                                                                                                                                                        |
| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| List of open ports and their services            | <p>PORT STATE SERVICE </p><p>53/tcp open domain </p><p>88/tcp open kerberos-sec </p><p>135/tcp open msrpc </p><p>139/tcp open netbios-ssn </p><p>389/tcp open ldap </p><p>445/tcp open microsoft-ds </p><p>464/tcp open kpasswd5 </p><p>593/tcp open http-rpc-epmap </p><p>636/tcp open ldapssl </p><p>3268/tcp open globalcatLDAP </p><p>3269/tcp open globalcatLDAPssl</p> |
| Network distance to the host                     | 1 hop                                                                                                                                                                                                                                                                                                                                                                        |
| Possible Operating System Version (Example host) | Windows XP SP3 or Windows Server 2012                                                                                                                                                                                                                                                                                                                                        |

### Scanning specific ports.

To scan specific ports we use the switch `-p`, which takes a comma-separated list of the ports to scan.

The command looks like this:

{% hint style="success" %}
nmap -p 53,88,389,445 192.168.31.134
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqfLK-4reHGQq2HzRc%2F-MNqhATTLAdifKI4axEx%2Fimage.png?alt=media\&token=92d5a24e-61f2-4cc5-89ae-93103f466432)

This way we scan only the ports we are interested in, which keeps the scan fast and quieter than a default one.

If we want to scan a particular range of ports we can do it as follows:

{% hint style="success" %}
nmap -p 54-445 192.168.31.131
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNt49ufUWyobzeKwTIK%2F-MNt9fhe7oxMaalnjiu6%2Fimage.png?alt=media\&token=1afeda9c-2e83-429d-8dea-7beab1ce7038)

### Scanning all ports (65535).

If instead we want to scan all ports we can do it as follows, using the switch `-p-`.

The command looks like this:

{% hint style="success" %}
nmap -p- 192.168.31.131
{% endhint %}

{% hint style="warning" %}
For this particular host I added the switch `-Pn`, which tells nmap to skip host discovery and treat the target as up. This is necessary for targets that drop ICMP echo requests, as Windows hosts with the default firewall profile usually do: without it nmap reports the host as down and never runs the port scan. Note that scanning all 65535 ports takes considerably longer than the default 1000.
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqfLK-4reHGQq2HzRc%2F-MNqk4ZgI-9d9SWC62sv%2Fimage.png?alt=media\&token=769e6999-9335-4cdf-94ac-7311bb995392)

### Version Scan.

To identify the versions of the services running on the target we can use the switch `-sV`. For each open port nmap sends protocol probes and matches the replies against its signature database, so this is slower and more visible than a plain port scan, but it is what turns `445/tcp open microsoft-ds` into an actual product and version.

The command looks like this:

{% hint style="success" %}
nmap -sV 192.168.31.131
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNqn0yQKeEZUTnFnFyc%2F-MNqorhDYFXO2UiCPrOz%2Fimage.png?alt=media\&token=b68e40da-3bdf-420c-a9d5-de56fed5d10b)

### TCP/IP Full Open Scan

If we want to perform a full-open scan we can use the switch `-sT`. It uses the operating system's `connect()` call, so the three-way handshake is completed (SYN, SYN/ACK, ACK) before nmap tears the connection down with RST. Because the connection is fully established this scan needs no privileges, and it is the type nmap falls back to when run as a normal user.

{% hint style="danger" %}
Important: because every probe is a completed connection, it is logged by the services on the target and easily picked up by firewalls and IDS.
{% endhint %}

To perform this scan the command is as follows:

{% hint style="success" %}
nmap -sT 192.168.31.131
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNsZFApJsYQzq_P7eOI%2F-MNscCDl6XZ9JcA2mIh7%2Fimage.png?alt=media\&token=5a0c7dc3-d8d6-416e-89e5-821fe79eded5)

### Stealth Scan (Half-open)

In many cases we want to scan without completing connections, leaving fewer traces on the target. For these cases nmap has the switch `-sS`, the SYN (half-open) scan. The session is never completed: only the packets **`SYN, SYN/ACK and RST`** are exchanged. When the target answers with SYN/ACK, nmap replies with **`RST`** instead of **`ACK`**, so no connection is established and most services never see or log it. Network-level sensors still see the SYN packets, so "stealth" is relative. This is nmap's default scan type when run with privileges.

{% hint style="warning" %}
**This command requires privileges to run (sudo).**
{% endhint %}

To run this type of scan the command looks like this:

{% hint style="success" %}
sudo nmap -sS 192.168.31.131
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNslmNi1N2hfHLA1tqF%2F-MNso9LbuX_Idel3Qypo%2Fimage.png?alt=media\&token=f509bd41-853b-4939-883b-983a932f276e)

{% hint style="warning" %}
As I explained before the additional switch **`-Pn`** is necessary for hosts that do not respond to ping requests (ICMP Echo Requests) as is the case with this target I am using.
{% endhint %}

### Scan machines on the network

If we want an overview of which machines are alive on the network we can use the switch `-sP` (the old name of `-sn`; current versions accept both). It may take some time to finish depending on how large the network is. In this case the target lab is quite small.

We can use the command like this:

{% hint style="success" %}
`nmap -sP 192.168.31.*`
{% endhint %}

Note that here we pass only the first three octets and use `*` as the last value, so nmap scans every address in the subnet. Quote the argument (`'192.168.31.*'`) if your shell expands the asterisk, or use CIDR notation instead: `192.168.31.0/24`.

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNt49ufUWyobzeKwTIK%2F-MNt8lra_V-dzkmybp80%2Fimage.png?alt=media\&token=6b066e00-5855-4f1b-971b-51ab0815d685)

Alternatively we can change the probe nmap uses for discovery with **`-PS`** (TCP SYN ping) or **`-PR`** (ARP ping, the most reliable option on a local Ethernet segment because hosts cannot ignore ARP), which return results like these:

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNtU4FPoox19SVRQzUW%2F-MNtZv15VJSuMzcUP65c%2Fimage.png?alt=media\&token=3a7e3d0b-fcfc-4121-8e17-53c42555ead3)

For the moment we will not explain the use of the additional switches/flags that you can see in the previous image. We will cover those later in this exercise.

### Scan with Default scripts

Nmap includes the Nmap Scripting Engine (NSE), a collection of scripts we can ask it to run during the scan. The switch `-sC` runs the `default` category: mostly enumeration scripts that pull extra details out of the discovered services (certificates, SMB security mode, NetBIOS names, HTTP titles, and so on) and give good hints about how the target might be attacked. The scripts that actively test for known vulnerabilities live in the `vuln` category and are selected with `--script vuln`, which we will not cover here.

The command for this type of scan is the following:

{% hint style="success" %}
**nmap -sC 192.168.31.131**
{% endhint %}

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNt49ufUWyobzeKwTIK%2F-MNtC5-ouq8T908GiYDs%2Fimage.png?alt=media\&token=456130ae-b910-4565-935b-964c89716f65)

We see that the results include a lot of information about the scanned host, in this case the domain controller. The results vary with the target and with which scripts find something to report.
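As an added example that is not part of the original page, the following shell script reads the `smb2-security-mode` result that `-sC` prints for every host in a normal-format (`-oN`) report and flags the hosts where SMB signing is not required. This is the detail a practitioner checks before attempting the SMB relay attack listed for this lab, because relaying only works against hosts that accept unsigned SMB sessions. The report embedded in the script is constructed: the 192.168.31.131 block reproduces the DC output shown on this page, while the 192.168.31.132 block and its "not required" verdict are assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: pull the smb2-security-mode verdict
# that -sC prints per host out of a normal-format (-oN) report and shortlist the hosts
# where SMB signing is not required. Assumes a POSIX shell and awk only.

# Print "<ip> <verdict>" per host, verdict being "required" or "not-required".
# The host is taken from the "Nmap scan report for" header (the last field, with the
# parentheses removed in case a reverse-DNS name precedes the address); the verdict
# comes from the script's "Message signing ..." line.
smb_signing_report() {
  awk '
    /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
    /Message signing/ {
      verdict = ($0 ~ /not required|disabled/) ? "not-required" : "required"
      print host, verdict
    }'
}

# SMB relay needs a target that accepts unsigned sessions, so these are the candidates.
relay_candidates() {
  smb_signing_report | awk '$2 == "not-required" { print $1 }'
}

# Constructed sample report: the .131 block reproduces the DC output on this page,
# the .132 (Client1) block is assumed for illustration.
SAMPLE_SC='Nmap scan report for 192.168.31.131
Host is up (0.00045s latency).
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required

Nmap scan report for 192.168.31.132
Host is up (0.00052s latency).
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required'

# Stand-alone demo on the sample (no network access needed).
printf '%s\n' "$SAMPLE_SC" | smb_signing_report
printf '%s\n' "$SAMPLE_SC" | relay_candidates
```

Domain controllers require SMB signing by default, which is exactly what the DC output on this page shows; Windows clients only enable it without requiring it, which is why in a lab like this one the workstations, not the DC, are the usual relay targets. Against a real report, use `smb_signing_report < results` after a `-sC` scan of the whole subnet.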

## Part 2: Multiple scans.

In this part of the practical we will see some more advanced scans and begin to use several switches or flags at the same time in our commands.

Let's say I want to quickly obtain all the information we saw in the individual scans, to have an overall view of the target as soon as possible. Normally when I run a scan with nmap for a lab I start keeping the following in mind:

* Types of data I need to obtain
* Types of data I would like to obtain
* How quickly I want to obtain the results

Usually in practice labs or Capture The Flag type challenges, I use the following set of nmap switches or flags:

{% hint style="success" %}
sudo nmap -sC -sV -Pn -p- -T5 -O -v -oN results  192.168.31.131
{% endhint %}

As we can see in that previous line, there are several new switches or flags that we are passing to nmap that we have not seen in this exercise yet. Let's see one by one what function they perform.

|      Switch/Flag      | Function |
| :-------------------: | -------- |
|        **-T5**        | Timing template. Possible values 0 to 5 (paranoid to insane), with 5 being the fastest. Besides increasing the likelihood of being detected by the target's defences, the most aggressive setting can degrade results: in the run below nmap itself reports that the OS fingerprint is "not ideal because: Timing level 5 (Insane) used". Outside a small local lab `-T4` is the usual choice. |
|         **-v**        | Verbose output: shows each phase of the scan and every open port as it is discovered, instead of only the final report. |
| **-oN \<outputFile>** | Writes the results to a file in normal (human-readable) format, the same text that is printed on the console. `-oA <basename>` writes normal, XML and greppable output at once. |

This type of scan usually results in extensive output in the console, so it's a good idea to save it directly to a file to consult when necessary.
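As an added example (not code from the original page), here is the shell workflow I would wrap around the network sweep from Part 1 and the all-ports scan above, instead of pointing one big `-sC -sV -O -p-` run at every address: run the sweep once with greppable output (`-oG`) and turn it into a target list, run a fast all-ports SYN scan per target saved with `-oN`, and only then run the slow script, version and OS detection against the ports that were actually open. The two sample reports inside the script are constructed (their lines follow the format of the output shown on this page) so the helper functions can be tried without a lab; `run_pipeline` is the only part that touches the network and needs nmap and root.

```shell
#!/bin/sh
# Added example: a two-phase nmap workflow (sweep -> all-ports scan -> focused scan).
# Not code from the original page. Assumes a POSIX shell, awk and sort; nmap and root
# are needed only by run_pipeline(), which is never called automatically.

# Phase 1 helper: read the greppable output (-oG) of a discovery sweep such as
#   sudo nmap -sn -PR -oG - 192.168.31.0/24
# and print one live IP per line, sorted numerically. Hosts that are down
# (listed only when -v is added) are dropped.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' \
    | sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Phase 2 helper: read a normal-format (-oN) report such as the one written by
#   sudo nmap -sS -p- -Pn -oN results 192.168.31.131
# and print the open TCP ports as a comma-separated list ready for -p.
# Fields are split on "/" and spaces, so "53/tcp    open  domain" gives 53, tcp, open.
open_ports() {
  awk -F'[/ ]+' '$1 ~ /^[0-9]+$/ && $2 == "tcp" && $3 == "open" { print $1 }' \
    | sort -n \
    | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { printf "\n" }'
}

# Phase 3 helper: build the focused scan command. Scripts, version and OS detection
# run only against ports known to be open; -oA keeps normal, XML and greppable output.
followup_cmd() {
  printf 'nmap -sC -sV -O -Pn -p %s -oA scan_%s %s\n' \
    "$2" "$(printf '%s' "$1" | tr . _)" "$1"
}

# Whole pipeline against a real network. Run as root (-sS and -O need raw sockets),
# e.g.: sudo sh this_script.sh && run_pipeline 192.168.31.0/24
run_pipeline() {
  nmap -sn -PR -oG - "$1" | live_hosts > targets.txt
  while read -r ip; do
    nmap -sS -p- -Pn --min-rate 1000 -oN "ports_$ip.txt" "$ip" > /dev/null
    ports=$(open_ports < "ports_$ip.txt")
    [ -n "$ports" ] && sh -c "$(followup_cmd "$ip" "$ports")"
  done < targets.txt
}

# Constructed sample data modelled on this page's lab. Real -oG output separates the
# fields with tabs; awk treats tabs and spaces the same.
SAMPLE_SWEEP='# Nmap 7.91 scan initiated Sun Dec  6 13:40:01 2020 as: nmap -sn -PR -oG - 192.168.31.0/24
Host: 192.168.31.131 ()  Status: Up
Host: 192.168.31.2 ()  Status: Up
Host: 192.168.31.1 ()  Status: Up
Host: 192.168.31.50 ()  Status: Down
Host: 192.168.31.134 ()  Status: Up
Host: 192.168.31.132 ()  Status: Up
Host: 192.168.31.133 ()  Status: Up
# Nmap done at Sun Dec  6 13:40:03 2020 -- 256 IP addresses (6 hosts up) scanned in 2.10 seconds'

SAMPLE_REPORT='Nmap scan report for 192.168.31.131
Host is up (0.00045s latency).
Not shown: 65526 filtered ports
PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos
135/tcp   open   msrpc         Microsoft Windows RPC
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP
445/tcp   open   microsoft-ds?
636/tcp   open   ssl/ldap      Microsoft Windows Active Directory LDAP
3389/tcp  closed ms-wbt-server
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49666/tcp open   msrpc         Microsoft Windows RPC
MAC Address: 00:0C:29:1C:F8:3D (VMware)'

# Stand-alone demo on the samples (no network access needed).
printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
ports=$(printf '%s\n' "$SAMPLE_REPORT" | open_ports)
followup_cmd 192.168.31.131 "$ports"
```

Splitting the work this way keeps the expensive part (`-sC -sV -O`) off the 65,000-odd ports that are closed or filtered, and it avoids the `-T5` trade-off shown in the table above: the fast stage only needs to find open ports, while the focused stage can run at a normal timing so the OS fingerprint and script results are reliable.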

![](https://2575763014-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MNC3KGY9k0nvrU_5PW6%2F-MNtLTO8zRXTBj3o7So0%2F-MNtOh8kHgO4dhLqXVde%2Fimage.png?alt=media\&token=263a70f6-5f6f-410b-90e8-1f1b3216d566)

The result of this scan in its entirety can be seen in the following block, since it is too long to capture in images:

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -Pn -p- -T5 -O -v -oN results  192.168.31.131
[sudo] password for kali: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-06 13:48 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating NSE at 13:48
Completed NSE at 13:48, 0.00s elapsed
Initiating ARP Ping Scan at 13:48
Scanning 192.168.31.131 [1 port]
Completed ARP Ping Scan at 13:48, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.01s elapsed
Initiating SYN Stealth Scan at 13:48
Scanning 192.168.31.131 [65535 ports]
Discovered open port 53/tcp on 192.168.31.131
Discovered open port 135/tcp on 192.168.31.131
Discovered open port 139/tcp on 192.168.31.131
Discovered open port 445/tcp on 192.168.31.131
Discovered open port 49703/tcp on 192.168.31.131
Discovered open port 9389/tcp on 192.168.31.131
Discovered open port 49667/tcp on 192.168.31.131
Discovered open port 3268/tcp on 192.168.31.131
Discovered open port 636/tcp on 192.168.31.131
Discovered open port 49674/tcp on 192.168.31.131
Discovered open port 49676/tcp on 192.168.31.131
Discovered open port 3269/tcp on 192.168.31.131
Discovered open port 49666/tcp on 192.168.31.131
SYN Stealth Scan Timing: About 45.08% done; ETC: 13:49 (0:00:38 remaining)
Discovered open port 593/tcp on 192.168.31.131
Discovered open port 5985/tcp on 192.168.31.131
Discovered open port 49673/tcp on 192.168.31.131
Discovered open port 88/tcp on 192.168.31.131
Discovered open port 464/tcp on 192.168.31.131
Discovered open port 49710/tcp on 192.168.31.131
Discovered open port 49686/tcp on 192.168.31.131
Discovered open port 389/tcp on 192.168.31.131
Completed SYN Stealth Scan at 13:49, 55.14s elapsed (65535 total ports)
Initiating Service scan at 13:49
Scanning 21 services on 192.168.31.131
Completed Service scan at 13:50, 53.60s elapsed (21 services on 1 host)
Initiating OS detection (try #1) against 192.168.31.131
Retrying OS detection (try #2) against 192.168.31.131
NSE: Script scanning 192.168.31.131.
Initiating NSE at 13:50
Completed NSE at 13:51, 40.06s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.07s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Nmap scan report for 192.168.31.131
Host is up (0.00045s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-12-06 18:49:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after:  2021-11-24T20:30:01
| MD5:   b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after:  2021-11-24T20:30:01
| MD5:   b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after:  2021-11-24T20:30:01
| MD5:   b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: CHUKARO.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Chukaro-DC.CHUKARO.local
| Subject Alternative Name: othername:<unsupported>, DNS:Chukaro-DC.CHUKARO.local
| Issuer: commonName=CHUKARO-CHUKARO-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-24T20:30:01
| Not valid after:  2021-11-24T20:30:01
| MD5:   b134 42d1 5e7e 2394 dc8a 0eae 3e6f bb9f
|_SHA-1: 0fb3 428c 8b1f 8a6b b92a 785a a84e cc3f c393 74dd
|_ssl-date: 2020-12-06T18:51:20+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 00:0C:29:1C:F8:3D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CHUKARO-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: CHUKARO-DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:1c:f8:3d (VMware)
| Names:
|   CHUKARO-DC<20>       Flags: <unique><active>
|   CHUKARO-DC<00>       Flags: <unique><active>
|   CHUKARO<00>          Flags: <group><active>
|   CHUKARO<1c>          Flags: <group><active>
|_  CHUKARO<1b>          Flags: <unique><active>
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-12-06T18:50:40
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.56 seconds
           Raw packets sent: 131159 (5.775MB) | Rcvd: 75 (3.856KB)

```

In this way we saw various types of scans that we can perform with nmap to obtain important information about our target. In the next section we will quickly compile all the data we managed to obtain throughout this exercise about the scanned target.

## Part 3: Gathering the information.

In this part we will compile and present all the information we obtained from all the types of scans practiced.

During this exercise we saw how we can use a subset of functionalities offered by nmap to perform different types of scans on our target in order to obtain a series of details for our pentest.

{% tabs %}
{% tab title="Target Information" %}

|                  Data                  | Detail |
| :------------------------------------: | :----- |
|    **Open ports and services (DC)**    | 53 (domain, Simple DNS Plus)<br>88 (MS Kerberos)<br>135 (MS Windows RPC)<br>139 (MS NetBIOS SSN)<br>389 (MS Active Directory LDAP)<br>445 (MS DS)<br>464 (kpasswd5)<br>593 (MS Windows RPC over HTTP 1.0)<br>636 (SSL LDAP)<br>3268 (MS Active Directory LDAP, Global Catalog)<br>3269 (SSL LDAP, Global Catalog)<br>5985 (Microsoft HTTPAPI httpd 2.0; the WinRM HTTP port)<br>9389 (.NET Message Framing; AD Web Services)<br>49666, 49667, 49674, 49676, 49686, 49703, 49710 (MS Windows RPC)<br>49673 (MS Windows RPC over HTTP 1.0) |
|      **Domain Controller FQDN**        | Chukaro-DC.CHUKARO.local (domain CHUKARO.local, NetBIOS name CHUKARO-DC) |
|          **Operating System**          | MS Windows (from the service info; the OS fingerprint itself did not match) |
| **Active machines in the DC's subnet** | 192.168.31.1<br>192.168.31.2<br>192.168.31.131 (DC)<br>192.168.31.132 (Client1)<br>192.168.31.133 (Client2)<br>192.168.31.134 |
{% endtab %}
{% endtabs %}

This is where we finish this nmap scanning exercise; we saw how to execute different types of scans to obtain various pieces of information and learned the basic use of nmap.

{% hint style="info" %}
These exercises are subject to modifications and corrections, the most up-to-date version available is online at [the following link](https://tzero86.gitbook.io/tzero86/).
{% endhint %}

