NMAP

Question 1

nmap help menu

Answer 1

nmap -h

man nmap

Question 2

Which switch would you use for a “UDP scan”?

Answer 2

-sU

Question 3

Which switch would you use for a Syn Scan”?

Answer 3

-sS

Question 4

If you wanted to detect which operating system the target is running on, which switch would you use?

Answer 4

-O

Question 5

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

Answer 5

-sV

Question 6

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

Answer 6

-v

Question 7

How would you set the verbosity level to two?

Answer 7

-vv

Question 8

What switch would you use to save the nmap results in three major formats?

Answer 8

-oA

Question 9

What switch would you use to save the nmap results in a “normal” format?

Answer 9

-oN

Question 10

A very useful output format: how would you save results in a “grepable” format?

Answer 10

-oG

Question 11

Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

Answer 11

-A

Question 12

Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

Answer 12

-T5

Question 13

How would you tell nmap to only scan port 80?

Answer 13

-p 80

Question 14

How would you tell nmap to scan ports 1000-1500?

Answer 14

-p 1000-1500

Question 15

How would you tell nmap to scan all ports?

Answer 15

-p-

Question 16

How would you activate a script from the nmap scripting library ?

Answer 16

–script=

Question 17

How would you activate all of the scripts in the “vuln” category?

Answer 17

–script=vuln

Question 18

Three basic NMAP scan types and their commands

Answer 18

TCP Connect Scans (-sT)
SYN “Half-open” Scans (-sS)
UDP Scans (-sU)

Question 19

TCP connect Scan

Answer 19

-sT

Question 20

Syn half open scan

Answer 20

-sS

Question 21

UDP Scans

Answer 21

-sU

Question 22

TCP Null Scan

Answer 22

-sN

Question 23

TCP FIN Scan

Answer 23

-sF

Question 24

TCP Xmas Scans

Answer 24

-sX

Question 25

What does a TCP Connect Scan do ?

Answer 25

Performs the three-way handshake with each target port in turn.

Question 26

What will the response be to a TCP SYN flag if a port is closed ?

Answer 26

A Reset flag (RST)

Question 27

What does it indicate if your SYN flag doesn’t receive a response ?

Answer 27

That port is being protected by a firewall

Question 28

If a port is closed, which flag should the server send back to indicate this?

Answer 28

RST

Question 29

What are SYN Scans also known as ?

Answer 29

Stealth Scans/Half-Open Scans

Question 30

What does a SYN Scan reply with after receiving a SYN/ACK

Answer 30

RST

Question 31

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Answer 31

open|filtered

Question 32

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Answer 32

ICMP

Question 33

Why are NULL, FIN and Xmas scans generally used?

Answer 33

Firewall Evasion

Question 33

Why are NULL, FIN and Xmas scans generally used?

Answer 33

Firewall Evasion

Question 34

How do you perform a Ping Sweep ?

Answer 34

We use the “-sn” switch in conjunction with IP ranges

Question 35

How to to tell NMAP not to ping a host before scanning it ?

Answer 35

-Pn