Nmap Post Port Scans TryHackMe

Overview

Once ports are found, the next step is turning that list into useful intelligence. This room covers service and version detection, OS fingerprinting, traceroute, Nmap Scripting Engine (NSE), and how to save scan output cleanly for later use.

Core idea: open ports only tell you where to look. Post-port-scan options tell you what is actually running there and how to document it properly.

1) Service and Version Detection

Add -sV to probe open ports and identify the running service and, where possible, the exact version.

sudo nmap -sV MACHINE_IP
sudo nmap -sV --version-light MACHINE_IP
sudo nmap -sV --version-all MACHINE_IP

-sV: enable service/version detection.
--version-light: lighter probing, intensity 2.
--version-all: full probing, intensity 9.

Important: -sV requires real interaction with the service, so Nmap must complete a connection. This means stealth SYN scan behavior no longer stays purely stealthy once version detection starts.

2) OS Detection

Use -O to fingerprint the remote operating system based on how it responds to network probes.

sudo nmap -sS -O MACHINE_IP

Can identify broad OS family correctly even when exact version is imperfect.
Works best when Nmap sees at least one open and one closed port.
Virtualization, middleboxes, and unusual network behavior can reduce accuracy.

Take it with caution: OS guesses are useful leads, not hard truth. Good enough for prioritization, not good enough to assume without verification.

3) Traceroute from Nmap

Add --traceroute to append path information to the scan output.

sudo nmap -sS --traceroute MACHINE_IP

This helps identify the number of hops between you and the target, though many routers will not answer the packets needed for a full route map.

4) Nmap Scripting Engine (NSE)

NSE lets Nmap run Lua-based scripts for discovery, fingerprinting, enumeration, and in some cases exploitation.

sudo nmap -sS -sC MACHINE_IP
sudo nmap --script "http-date" MACHINE_IP
sudo nmap --script "ftp*" MACHINE_IP

-sC: run the default script category.
--script=NAME: run a specific script.
--script="pattern*": run all matching scripts.

Practical value: NSE can extract SSH keys, page titles, SMTP features, RPC details, HTTP headers, and much more without manually probing every service by hand.

5) Important NSE Categories

NSE scripts are grouped by category. Some are passive and safe, while others are noisy or actively exploitative.

default: safe baseline scripts, same as -sC.
discovery: gather accessible information.
version: assist with service identification.
safe: low-risk checks unlikely to crash a service.
vuln: check for known vulnerabilities.
brute / intrusive / exploit / dos: higher-risk categories that need careful authorization.

Exam mindset: default, discovery, version, and safe scripts are your normal starting point. Be very deliberate before running intrusive, brute-force, or exploit-oriented scripts.

6) Useful Combined Option

Nmap bundles several common post-scan features together with -A.

sudo nmap -A MACHINE_IP

This is equivalent to:

-sV -O -sC --traceroute

Good for labs: -A is convenient when you want a rich first pass. In real engagements, it may be noisier than you want, so using the pieces selectively is often better.

7) Saving Output

Saving results matters. Once scans start piling up, bad naming and missing output files become a real problem.

-oN FILE
-oG FILE
-oX FILE
-oA FILE

-oN: normal human-readable output.
-oG: grepable output, compact and easier to filter with tools like grep.
-oX: XML output for programmatic processing.
-oA: save all three at once.

Best practice: use -oA most of the time so you keep a readable file, a grepable summary, and a structured machine-readable version in one shot.

8) Normal vs Grepable vs XML

The formats exist for different jobs:

Normal: easiest to read manually.
Grepable: each line carries enough context to filter quickly across many hosts.
XML: best when feeding other tooling or reporting pipelines.

Example insight: when grepping for http across many hosts, grepable output preserves host context on the same line, while normal output can be awkward to sift through.

9) Practical Workflow

A strong PT1 workflow after basic/advanced scanning is:

Find live hosts.
Run a focused TCP scan.
Add -sV to identify real service versions.
Add -O and --traceroute only when useful.
Run -sC or a small set of safe NSE scripts for higher-value details.
Save everything with -oA.

Nmap Post-Scan Cheat Sheet

sudo nmap -sV MACHINE_IP
sudo nmap -sV --version-light MACHINE_IP
sudo nmap -sV --version-all MACHINE_IP
sudo nmap -sS -O MACHINE_IP
sudo nmap -sS --traceroute MACHINE_IP
sudo nmap -sS -sC MACHINE_IP
sudo nmap --script "http-date" MACHINE_IP
sudo nmap -A MACHINE_IP
sudo nmap -oA scan_name MACHINE_IP

Exam Notes (PT1)

-sV is for real service/version detection and requires actual service interaction.
-O is useful but imperfect; treat OS detection as a strong hint, not certainty.
-sC runs default NSE scripts and often gives immediate high-value enumeration output.
Be cautious with NSE categories like brute, exploit, and dos.
-oA is the most practical output option because it preserves normal, grepable, and XML formats together.