Nmap Commands Flashcards

Basic Scans, Service and Version Detection, Stealth and Evasion Scans, Timing and Performance, Output Options, Advanced Scanning, Vulnerability and Script Scanning, Firewall Detection and Bypass

1
Q

Ping Scan

A

Check which hosts are online.

nmap -sP 192.168.1.0/24
This sends ICMP echo requests to determine if hosts are online within the 192.168.1.0/24 subnet.

2
Q

Scan a Range of IPs

A

nmap 192.168.1.1-20
This scans the IP range from 192.168.1.1 to 192.168.1.20.

3
Q

Scan an Entire Subnet

A

nmap 192.168.1.0/24
Scans all hosts in the subnet.

4
Q

Scan Multiple IP Addresses or Hostnames

A

nmap 192.168.1.1 192.168.1.2 google.com

5
Q

Scan Specific Ports

A

nmap -p 22 192.168.1.1
This scans only port 22 (SSH) on the target.

6
Q

Scan a Range of Ports

A

nmap -p 1-100 192.168.1.1
This scans ports 1 through 100 on the target.

7
Q

Scan All Ports

A

nmap -p- 192.168.1.1
Scans all 65535 ports on the target host.

8
Q

Detect Service Versions

A

nmap -sV 192.168.1.1
This attempts to determine the version of services running on open ports.

9
Q

Aggressive Scan (Includes Service Detection, OS Detection, and More)

A

nmap -A 192.168.1.1
This performs an aggressive scan that includes service version detection, OS detection, and traceroute.

10
Q

Operating System Detection

A

nmap -O 192.168.1.1
This attempts to identify the operating system running on the target machine.

11
Q

Script Scan (Using NSE Scripts)

A

nmap -sC 192.168.1.1
This uses default NSE (Nmap Scripting Engine) scripts to scan for vulnerabilities or gather additional information.

12
Q

TCP SYN Scan (Stealth Scan)

A

nmap -sS 192.168.1.1
This performs a TCP SYN scan, often referred to as a “half-open” scan, which can avoid detection by some firewalls or IDS systems.

13
Q

TCP Connect Scan

A

nmap -sT 192.168.1.1
This scan completes the full TCP connection and is less stealthy than the SYN scan.

14
Q

UDP Scan

A

nmap -sU 192.168.1.1
This scans UDP ports, which is useful for discovering services like DNS (port 53) and SNMP (port 161).

15
Q

Fragmented Packets Scan

A

nmap -f 192.168.1.1
Sends fragmented packets, which might help evade firewalls or intrusion detection systems.

16
Q

Spoofed IP Address Scan

A

nmap -S 192.168.1.100 192.168.1.1
Spoofs the source IP address (use with caution, as it may cause network issues).

17
Q

Scan Through a Proxy

A

nmap -sT -p 80 --proxies http://proxy.server.com:8080 192.168.1.1

18
Q

Set Timing Templates (0-5)

A

Control the speed and stealthiness of scans.

nmap -T4 192.168.1.1
T0 is the slowest (for stealth), and T5 is the fastest (less stealthy, but quicker results).

19
Q

Set Maximum Parallel Scans

A

nmap --min-parallelism 10 192.168.1.1
This controls the number of parallel scans Nmap can run.

20
Q

Set Scan Delay Between Probes

A

nmap --scan-delay 1s 192.168.1.1
This inserts a 1-second delay between scan probes, making it slower but possibly stealthier.

21
Q

Normal Output

A

nmap 192.168.1.1 -oN output.txt
Saves the normal output of the scan to output.txt.

22
Q

Scan Specific IP Protocols

A

nmap -sO 192.168.1.1
This scans for the IP protocols the target supports (like ICMP, TCP, and UDP).

23
Q

Scan Hosts with Decoy IPs

A

nmap -D RND:10 192.168.1.1
Launches a decoy scan with 10 random IP addresses, hiding the real source of the scan.

24
Q

Scan Using TCP ACK Scan

A

nmap -sA 192.168.1.1
This helps determine if a firewall is present by sending TCP ACK packets.

25
Q

Scan Using FIN, Xmas, or Null Scan

A

nmap -sF 192.168.1.1 (FIN scan)
nmap -sX 192.168.1.1 (Xmas scan)
nmap -sN 192.168.1.1 (Null scan)
These are stealthy scans that send unusual combinations of flags or no flags, helping bypass some firewalls and detect open ports.

26
Q

Run All Vulnerability Scripts

A

nmap --script vuln 192.168.1.1
Runs all vulnerability detection scripts.

27
Q

Run Specific NSE Scripts

A

nmap --script http-default-accounts 192.168.1.1
Runs a specific NSE script for checking default accounts on HTTP services.

28
Q

Run a Script to Find Known Exploits

A

nmap --script exploit 192.168.1.1
Runs a script to find known exploits on the target.

29
Q

Check for Heartbleed Vulnerability

A

nmap --script ssl-heartbleed 192.168.1.1

30
Q

Check for SMB Vulnerabilities

A

nmap --script "smb-vuln*" 192.168.1.1

31
Q

Firewall Detection

A

nmap -sA 192.168.1.1
Sends ACK packets to determine whether a firewall is present on the network.

32
Q

Scan with Source Port Spoofing

A

nmap -g 53 192.168.1.1
Spoof the source port to trick firewalls (common for DNS queries, which often come from port 53).

33
Q

Scan with Decoy Addresses

A

nmap -D 192.168.1.10,192.168.1.20 192.168.1.1
Scan with decoy addresses to hide the real source of the scan.

34
Q

Polymorphism

A

Polymorphic attacks modify their signature on each attempt to avoid matching known attack patterns.

Example: Malware can change its binary structure with each execution, making it difficult for IDS that rely on static signature matching to detect.

35
Q

Fragmentation

A

Fragmentation involves breaking the payload of network packets into smaller segments, making it harder for an IDS to reassemble and inspect the full content.

36
Q

Obfuscation with Encryption

A

Attackers can encrypt traffic so that an IDS cannot inspect the payload. For example, if communication happens over SSL/TLS, an IDS can't analyze the encrypted traffic unless it performs SSL/TLS decryption, which is rare due to performance and privacy concerns.
Example of encrypted traffic: using SSL/TLS with a tool like ncat:
ncat --ssl victim.com 443
Countermeasure: Intrusion Prevention Systems (IPS) or Deep Packet Inspection (DPI) techniques that can decrypt and analyze SSL traffic may be needed to detect such activities.

37
Q

Using Spoofed IP Addresses

A

Spoofing the source IP address in your traffic can make it harder for the IDS to track the actual source of the attack.

How to use in nmap:
nmap -S 192.168.1.100 192.168.1.1
This command spoofs the source IP address as 192.168.1.100.
Note: Spoofing can confuse IDS systems, but it also limits the attacker’s ability to receive responses, as the responses will go to the spoofed IP.

37
Q

Decoys

A

Sending traffic from decoy IP addresses can obscure the true source of the scan or attack, making it harder for an IDS to pinpoint the attacker.

38
Q

Packet Crafting

A

Crafting custom packets allows attackers to manipulate packet flags, headers, or payloads in ways that can evade detection by some IDS solutions.

Tools like hping3 and Scapy allow crafting custom packets. For example, you can set various TCP flags (e.g., SYN, ACK, FIN) to avoid detection:
hping3 -S 192.168.1.1 -p 80
Explanation: By using non-standard combinations of flags or malformed packets, attackers can bypass signature-based IDS systems that expect normal packet patterns.