12/28/2022 THM Nmap Live Host Discovery and Port Discovery Flashcards
What are three common ways to discover live hosts?
ARP requests
ICMP Scan “Ping Requests”
TCP/UDP Ping Scan
NMAP Commands: Explain the following
ARP Scan (-PR)
ICMP Echo (-PE) - ICMP type 8 (request) & type 0 (reply)
ICMP Timestamp Scan (-PP) - ICMP type 13 (request) & type 14 (reply)
Address Mask Scan (-PM)
TCP SYN Ping (-PS) w/ ports
TCP ACK Ping (-PA) w/ ports
UDP Ping (-PU) w/ ports
No DNS lookup (-n)
Reverse DNS lookup for all hosts (-R)
Host discovery only, no port scan (-sn)
Port Scanning
*TCP Connect Scan (-sT)
SYN Scan (-sS)
UDP Scan (-sU)
Idle/Zombie Scan (-sI)
Fine Tuning Scope and Performance
Scan Timing (-T0 through -T5)
Verbosity / debugging: -v, -vv, -d, -dd, --reason
--min-rate / --max-rate
--min-parallelism / --max-parallelism
-D (Decoy Scanning)
*Only scan type that can be run without privileged (root) access
What do the following port-state responses from Nmap mean?
Open
Closed
Filtered
Unfiltered
Open|Filtered
Closed|Filtered
Open - A service is listening on this port
Closed - No service is listening on this port, but the port is reachable (not blocked by a firewall or security appliance)
Filtered - Nmap cannot determine whether the port is open or closed because the port is not accessible (e.g. blocked by a firewall)
Unfiltered - Nmap cannot determine whether the port is open or closed, although the port is accessible
Open|Filtered - Nmap cannot determine whether the port is open or filtered
Closed|Filtered - Nmap cannot determine whether the port is closed or filtered
What port scans are used to figure out firewall rules?
ACK and Window Scans
When fragmenting packets, what size should you keep the fragments to?
Multiples of 8 bytes
Version Detection
-sV, --version-light / --version-all
OS Detection
-O
Custom Scripts
--script=[SCRIPT]
*Default scripts should already be installed, but some may need to be downloaded onto the machine
Output
-oN / -oG / -oX (Normal, Grepable, XML)
What are the stages Nmap progresses through during a scan?
Enumerate Target
Discover Live Hosts
Reverse-DNS Lookup
Scan Ports
Detect Versions
Detect OS
Traceroute
Script
Write Output