Nmap Commands

Question 1

Ping Scan

Answer 1

Check which hosts are online.

nmap -sP 192.168.1.0/24
This sends ICMP echo requests to determine if hosts are online within the 192.168.1.0/24 subnet.

Question 2

Scan a Range of IPs

Answer 2

nmap 192.168.1.1-20
This scans the IP range from 192.168.1.1 to 192.168.1.20.

Question 3

Scan an Entire Subnet

Answer 3

nmap 192.168.1.0/24
Scans all hosts in the subnet.

Question 4

Scan Multiple IP Addresses or Hostnames

Answer 4

nmap 192.168.1.1 192.168.1.2 google.com

Question 5

Scan Specific Ports

Answer 5

nmap -p 22 192.168.1.1
This scans only port 22 (SSH) on the target.

Question 6

Scan a Range of Ports

Answer 6

nmap -p 1-100 192.168.1.1
This scans ports 1 through 100 on the target.

Question 7

Scan All Ports

Answer 7

nmap -p- 192.168.1.1
Scans all 65535 ports on the target host.

Question 8

Detect Service Versions

Answer 8

nmap -sV 192.168.1.1
This attempts to determine the version of services running on open ports.

Question 9

Aggressive Scan (Includes Service Detection, OS Detection, and More)

Answer 9

nmap -A 192.168.1.1
This performs an aggressive scan that includes service version detection, OS detection, and traceroute.

Question 10

Operating System Detection

Answer 10

nmap -O 192.168.1.1
This attempts to identify the operating system running on the target machine.

Question 11

Script Scan (Using NSE Scripts

Answer 11

nmap -sC 192.168.1.1
This uses default NSE (Nmap Scripting Engine) scripts to scan for vulnerabilities or gather additional information.

Question 12

TCP SYN Scan (Stealth Scan)

Answer 12

nmap -sS 192.168.1.1
This performs a TCP SYN scan, often referred to as a “half-open” scan, which can avoid detection by some firewalls or IDS systems.

Question 13

TCP Connect Scan

Answer 13

nmap -sT 192.168.1.1
This scan completes the full TCP connection and is less stealthy than the SYN scan.

Question 14

UDP Scan

Answer 14

nmap -sU 192.168.1.1
This scans UDP ports, which is useful for discovering services like DNS (port 53) and SNMP (port 161).

Question 15

Fragmented Packets Scan

Answer 15

nmap -f 192.168.1.1
Sends fragmented packets, which might help evade firewalls or intrusion detection systems.

Question 16

Spoofed IP Address Scan

Answer 16

nmap -S 192.168.1.100 192.168.1.1
Spoofs the source IP address (use with caution, as it may cause network issues).

Question 17

Scan Through a Proxy

Answer 17

nmap -sT -p 80 –proxy http://proxy.server.com:8080 192.168.1.1

Question 18

Set Timing Templates (0-5)

Answer 18

Control the speed and stealthiness of scans.

nmap -T4 192.168.1.1
T0 is the slowest (for stealth), and T5 is the fastest (less stealthy, but quicker results).

Question 19

Set Maximum Parallel Scans

Answer 19

nmap –min-parallelism 10 192.168.1.1
This controls the number of parallel scans Nmap can run.

Question 20

Set Scan Delay Between Probes

Answer 20

nmap –scan-delay 1s 192.168.1.1
This inserts a 1-second delay between scan probes, making it slower but possibly stealthier.

Question 21

Normal Output

Answer 21

nmap 192.168.1.1 -oN output.txt
Saves the normal output of the scan to output.txt.

Question 22

Scan Specific IP Protocols

Answer 22

map -sO 192.168.1.1
This scans for IP protocols (like ICMP, TCP, and UDP

Question 23

Scan Hosts with Decoy IPs

Answer 23

nmap -D RND:10 192.168.1.1
Launches a decoy scan with 10 random IP addresses, hiding the real source of the scan.

Question 24

Scan Using TCP ACK Scan

Answer 24

nmap -sA 192.168.1.1
This helps determine if a firewall is present by sending TCP ACK packets.

Question 25

Scan Using FIN, Xmas, or Null Scan

Answer 25

nmap -sF 192.168.1.1 (FIN scan) nmap -sX 192.168.1.1 (Xmas scan) nmap -sN 192.168.1.1 (Null scan) These are stealthy scans that send unusual combinations of flags or no flags, helping bypass some firewalls and detect open ports.

Question 26

Run All Vulnerability Scripts

Answer 26

nmap --script vuln 192.168.1.1 Runs all vulnerability detection scripts.

Question 27

Run Specific NSE Scripts

Answer 27

nmap --script http-default-accounts 192.168.1.1 Runs a specific NSE script for checking default accounts on HTTP services.

Question 28

Run a Script to Find Known Exploits

Answer 28

nmap --script exploit 192.168.1.1 Runs a script to find known exploits on the target.

Question 29

Check for Heartbleed Vulnerability

Answer 29

nmap --script ssl-heartbleed 192.168.1.1

Question 30

Check for SMB Vulnerabilities

Answer 30

nmap --script smb-vuln* 192.168.1.1

Question 31

Firewall Detection

Answer 31

nmap -sA 192.168.1.1 Sends ACK packets to determine whether a firewall is present on the network.

Question 32

Scan with Source Port Spoofing

Answer 32

nmap -g 53 192.168.1.1 Spoof the source port to trick firewalls (common for DNS queries, which often come from port 53).

Question 33

Scan with Decoy Addresses

Answer 33

nmap -D 192.168.1.10,192.168.1.20 192.168.1.1 Scan with decoy addresses to hide the real source of the scan.

Question 34

Polymorphism

Answer 34

Polymorphic attacks modify their signature on each attempt to avoid matching known attack patterns. Example: Malware can change its binary structure with each execution, making it difficult for IDS that rely on static signature matching to detect.

Question 35

Fragmentation

Answer 35

Fragmentation involves breaking the payload of network packets into smaller segments, making it harder for an IDS to reassemble and inspect the full content.

Question 36

Obfuscation with Encryption

Answer 36

Attackers can encrypt traffic, making it impossible for an IDS to inspect the payload. For example, if communication happens over SSL/TLS, IDS can't analyze encrypted traffic unless it performs SSL decryption, which is rare due to performance and privacy concerns. Example of encrypted traffic: Using SSL/TLS with tools like ncat: bash Copy code ncat --ssl victim.com 443 Countermeasure: Intrusion Prevention Systems (IPS) or Deep Packet Inspection (DPI) techniques that can decrypt and analyze SSL traffic may be needed to detect such activities.

Question 37

Using Spoofed IP Addresse

Answer 37

Spoofing the source IP address in your traffic can make it harder for the IDS to track the actual source of the attack. How to use in nmap: bash Copy code nmap -S 192.168.1.100 192.168.1.1 This command spoofs the source IP address as 192.168.1.100. Note: Spoofing can confuse IDS systems, but it also limits the attacker's ability to receive responses, as the responses will go to the spoofed IP.

Question 37

Decoys

Answer 37

Sending traffic from decoy IP addresses can obscure the true source of the scan or attack, making it harder for an IDS to pinpoint the attacker.

Question 38

Packet Crafting

Answer 38

Crafting custom packets allows attackers to manipulate packet flags, headers, or payloads in ways that can evade detection by some IDS solutions. Tools like hping3 and Scapy allow crafting custom packets. For example, you can set various TCP flags (e.g., SYN, ACK, FIN) to avoid detection: bash Copy code hping3 -S 192.168.1.1 -p 80 Explanation: By using non-standard combinations of flags or malformed packets, attackers can bypass signature-based IDS systems that expect normal packet patterns.