Nmap

Question 1

Syn Scan

Answer 1

-sS
SYN scans sends back a RST TCP packet after receiving a SYN/ACK from the server. Referred to as “half-open” or stealth scans

Question 2

UDP Scan

Answer 2

-sU

Question 3

OS Detection

Answer 3

-O

Question 4

Version of services running on target

Answer 4

-sV

Question 5

Increase verbosity

Answer 5

-v, with more v’s meaning higher verbosity
Ex: -vv

Question 6

Output scan in normal format

Answer 6

-oN

Question 7

Output scan in XML format

Answer 7

-oX

Question 8

Output scan in greppable format

Answer 8

-oG

Question 9

Output scan in the three major formats at once

Answer 9

-oA

Question 10

Activate aggressive mode

Answer 10

-A
This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

Question 11

Increase speed of scan (and drawbacks)

Answer 11

-T(x) with x being 1-5 sets the speed.
Higher levels are noisier and can generate errors

Question 12

Specify ports- single, range, all

Answer 12

Single: -p (x) [-p 80]
Range: -p (x)-(y) [1000-1500]
All: -p-

Question 13

TCP Connect Scan

Answer 13

-sT
TCP Connect scan works by performing the three-way handshake with each target port in turn. In other words, Nmap tries to connect to each specified TCP port, and determines whether the service is open by the response it receives.

Question 14

What does a “filtered” port indicate?

Answer 14

That it is protected by firewall, and the incoming packet was dropped.

Question 15

If a port is closed, which flag should the server send back to indicate this?

Answer 15

RST

Question 16

What are some drawbacks of Syn Scans?

Answer 16

Require Sudo permissions
Unstable services are sometimes brought down by them

Question 17

What is the default scan Nmap uses?

Answer 17

If the user has sudo permissions: Syn Scan.
If user does not have sudo permissions: TCP Connect Scan.

Question 18

Drawbacks of UDP Scans

Answer 18

UDP scans tend to be incredibly slow in comparison to the various TCP scans (in the region of 20 minutes to scan the first 1000 ports, with a good connection)

Question 19

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Answer 19

Open|Filtered

Question 20

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Answer 20

ICMP

Question 21

Null Scan

Answer 21

-sN
TCP request is sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.

Question 22

FIN Scan

Answer 22

-sF
Request is sent with the FIN flag (usually used to gracefully close an active connection). Once again, Nmap expects a RST if the port is closed.

Question 23

Xmas Tree Scan

Answer 23

-sX
Sends a malformed TCP packet and expects a RST response for closed ports. It’s referred to as an xmas scan as the flags that it sets (PSH, URG and FIN) give it the appearance of a blinking christmas tree when viewed as a packet capture in Wireshark.

Question 24

Why are NULL, FIN and Xmas scans generally used?

Answer 24

Firewall Evasion

Question 25

Ping Sweep

Answer 25

-sn Sends ICMP packets to ping target IP addresses to determine which hosts are active

Question 26

NSE

Answer 26

Nmap Scripting Engine Written in Lua, extends the capabilities of nmap. Can be used to do a variety of things: from scanning for vulnerabilities, to automating exploits for them.

Question 27

ICMP is often blocked, requiring the use of what flag?

Answer 27

-Pn which tells Nmap to not bother pinging the host before scanning it.