2.4 Information gathering & Vulnerability scanning: Nmap Flashcards

1
Q

Nmap Discovery Scans: what is Nmap Security Scanner?

A

▪ A versatile port scanner used for topology, host, service, and OS discovery and enumeration
▪ An nmap discovery scan is used to footprint the network

2
Q

Nmap Discovery Scans: give the basic syntax for running an nmap scan

A

nmap {IP}
ex: nmap 192.168.1.0/24

3
Q

Nmap Discovery Scans: give the syntax for running a host discovery scan with nmap

A

nmap -sn {IP}
ex: nmap -sn 192.168.1.0/24

4
Q

Nmap Discovery Scans: what does -sn stand for?

A

No port scan.
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”.

5
Q

Nmap Discovery Scans: what does -sL stand for?

A

List Scan (-sL)
Lists the IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs

6
Q

Nmap Discovery Scans: what is -PS <PortList> used for?

A

TCP SYN ping (-PS <PortList>)
Probes (= explores) the specific ports from the given list using a TCP SYN packet instead of an ICMP packet to conduct the ping

7
Q

Nmap Discovery Scans: what is --scan-delay <Time> used for?

A

Scan Delay (--scan-delay <Time>)
Issues probes (= explores) with significant delays between them to become stealthier and avoid detection by an IDS or IPS

8
Q

Nmap Discovery Scans: what is -Tn used for?

A

Scan Timing (-Tn)
Issues probes using a timing template, with n being the template to use (0 is slowest and 5 is fastest)

9
Q

Nmap Discovery Scans: what is -sI used for?

A

TCP Idle Scan (-sI)
Another stealth method, this scan makes it appear that another machine (a zombie) started the scan to hide the true identity of the scanning machine

10
Q

Nmap Discovery Scans: what are -f or --mtu used for?

A

Fragmentation (-f or --mtu)
A technique that splits the TCP header of each probe between multiple IP datagrams to make it hard for an IDS or IPS to detect

11
Q

Nmap Discovery Scans: what are the expected results of an nmap discovery scan?

A

The results of a discovery scan should be a list of IP addresses and whether they responded to the probes

12
Q

Nmap Discovery Scans: how can you see the output of the scan, and what are the available output formats (5)?

A

▪ Interactive (default) to screen
▪ Normal (-oN) to file
▪ XML (-oX) to file
▪ Grepable (-oG) to file
▪ XML or grepable output can be integrated with most SIEM products

13
Q

Nmap Port Scans: when should you run an nmap port scan?

A

After your footprinting is complete, it is time to begin fingerprinting hosts

14
Q

Nmap Port Scans: what is it used for?

A

▪ Determine which network services and operating systems are in use by a target
▪ Service discovery can take minutes to hours to complete

15
Q

Nmap Port Scans: what’s -sS used for?

A

TCP SYN (-sS)
In this type of scan, Nmap sends a SYN packet to the target port and analyzes the response to determine if the port is open, closed, or filtered by a firewall. This scan is fast and discreet, making it useful for network mapping and discovering online devices.

16
Q

Nmap Port Scans: what’s -sT used for?

A

TCP Connect (-sT)
Conducts a three-way handshake scan by sending a SYN packet to identify the port state and then sending an ACK packet once the SYN-ACK is received

17
Q

Nmap Port Scans: what’s -sN used for?

A

Null Scan (-sN)
Conducts a scan by sending a TCP packet with all of the flag bits in the header set to zero

18
Q

Nmap Port Scans: what’s -sF used for?

A

FIN Scan (-sF)
This type of scan sends a TCP packet with just the FIN flag set. It’s often used to determine whether a port is open, closed, or filtered by a firewall.

19
Q

Nmap Port Scans: what’s -sX used for?

A

Xmas Scan (-sX)
This type of scan sets the FIN, PSH, and URG flags, but leaves the ACK flag unset. This technique is often used to determine firewall filtering rules and to identify TCP port state.

20
Q

Nmap Port Scans: what’s -sU used for?

A

UDP Scan (-sU)
Conducts a scan by sending a UDP packet to the target and waiting for a response or timeout

21
Q

Nmap Port Scans: what’s -p used for?

A

Port Range (-p)
Conducts a scan by targeting the specified ports instead of the default of the 1,000 most commonly used ports

22
Q

Nmap Port Scans: once you see the port scan results, what states can a port commonly have (3)?

A

▪ Open: An application on the host is accepting connections
▪ Closed: The port responds to probes by sending a reset [RST] packet, but no application is available to accept connections
▪ Filtered: Nmap cannot probe the port, usually due to a firewall blocking the scans on the network or host

23
Q

Nmap Port Scans: you see the port scan results but the scan cannot determine a reliable result; what states can a port have in that case (3)?

A

▪ Unfiltered: Nmap can probe the port but cannot determine if it is open or closed
▪ Open|Filtered: Nmap cannot determine if the port is open or filtered when conducting a UDP or IP protocol scan
▪ Closed|Filtered: Nmap cannot determine if the port is closed or filtered when conducting a TCP Idle scan

24
Q

Nmap Port Scans: why do you need to understand port states?

A

Port states are important to understand because an open port indicates a host that might be vulnerable to an inbound connection

25
Q

Nmap Fingerprinting: what is Fingerprinting?

A

A technique to get a list of resources on the network, host, or system as a whole to identify potential targets for further attack

26
Q

Nmap Fingerprinting: what should you do after open ports are discovered with Nmap?

A

Once open ports are discovered, use Nmap to probe them intensely:
▪ # nmap -sV 192.168.1.1
▪ # nmap -A 192.168.1.1

27
Q

Nmap Fingerprinting: why should you do an intensive fingerprint scan? What information can you retrieve?

A

An intensive fingerprint scan can provide more detailed information:
▪ Protocol
▪ Application name and version
▪ OS type and version
▪ Host name
▪ Device type

28
Q

Nmap Fingerprinting: what does -sV stand for?

A

Probe open ports to determine service/version info

29
Q

Nmap Fingerprinting: what does -A stand for?

A

TCP ACK scan
Enable OS detection, version detection, script scanning and traceroute
This type of scan sends TCP packets with the ACK flag set. It is used to determine how a firewall or intrusion detection system (IDS) is filtering packets, and to infer the presence of a firewall or filter.

30
Q

Nmap Fingerprinting: How does Nmap fingerprint what services and versions are running (2)?

A

▪ Common Platform Enumeration (CPE)
▪ Nmap Scripting Engine (NSE)

31
Q

Nmap Fingerprinting: explain Common Platform Enumeration (CPE).

A

Scheme for identifying hardware devices, operating systems, and applications developed by MITRE

32
Q

Nmap Fingerprinting: explain the Nmap Scripting Engine (NSE).

A

Scripts written in the Lua scripting language that can be used to carry out detailed probes:
▪ OS detection and platform enumeration
▪ Windows user account discovery
▪ Identify logged-on Windows user
▪ Basic vulnerability detection
▪ Get HTTP data and identify applications
▪ Geolocation of traceroute probes