nmap Essentials

Question 1

What is the basic nmap scan type & what type of scan is this ?

Answer 1

nmap 172.18.1.5

here basic scan type is SYN TCP scan, it scans Top 1000 TCP ports by default

Question 2

What is three way HANDSHAKE ?

Answer 2

Three way hand shake is a communication process in TCP / IP Protocol , SYN - SYN-ACK, ACK

Question 3

What is TCP half scan ?

Answer 3

SYN only scan is TCP Half scan

Question 4

How many types of ports are in Networking ?

Answer 4

Ports are of two types , TCP & UDP.

Question 5

How many ports are in TCP/IP Based Network ?

Answer 5

Total ports are TCP-65,536 + UDP-65536 = 131,072
each for TCP & UDP.

0 to 65535 each for TCP & UDP

Question 6

What is the range of Standardized Ports ?

Answer 6

Port Zero to 1023 or First 1023 ports are standardized.

Question 7

By which organization ports are Standardized ?

Answer 7

IANA - Internet Assigned Numbers Authority

Question 8

What is the range of Semi Reserved Ports ?

Answer 8

Port 1024 to Port 49151

These ports are reserved for custom registration , considered as semi-reserved ports

Question 9

What is the range of free Ports ?

Answer 9

Port 49152 & higher are free to use, or upto 65535

Question 10

How port scanner scan ports ?

Answer 10

Port scanner sends TCP or UDP packet to know the status of port & host

Question 11

What is the different type of status of ports ?

Answer 11

Port state would be ,

open , close , filtered

Question 12

How UDP works ?

Answer 12

UDP is connection less protocol , no error checking ,

used in live streaming , online video conferencing etc.

Question 13

How to do TCP connect scan ?

Answer 13

nmap -sT host

Question 14

How to do UDP connect scan ?

Answer 14

nmap -sU host

Question 15

How to scan single host ?

Answer 15

nmap ip addr of host

nmap 172.18.1.5

Question 16

How to scan hosts in series ?

Answer 16

nmap ip addr,last quad ip seperated by comma

nmap 172.18.1.5,31,32,33

Question 17

How to scan two or more hosts at once which are on different subnet?

Answer 17

nmap options hosts separated by space

nmap 172.18.1.5 10.10.10.2 172.22.1.254

Question 18

How to scan subnet ?

Answer 18

nmap CIDR notation of subnet

nmap 172.18.0.0/22

Question 19

How to scan specific single port ?

Answer 19

nmap -p 80 172.18.1.5

Question 20

How to scan 2 or more than 2 specific ports ?

Answer 20

nmap -p port numbers seperated by comma

nmap -p 80,21, 172.18.1.5

Question 21

How to scan Top 20 or Top 100 0r 1000 ports ?

Answer 21

nmap –top-ports numberOfPorts host

nmap –top-ports 100 172.18.1.5

Question 22

How to scan range of ports ?

Answer 22

nmap -p port-range host

nmap -p 1-20 172.18.1.5

Question 23

What is Service Version Scan & how to do it ?

Answer 23

Service version scan is useful when someone is running a service on a non-default port.

nmap -sV 172.18.1.5

Question 24

How to save output of nmap in file ?

Answer 24

nmap -oA filename host

nmap -p 1-100 -sV -oA filename 172.18.1.5

here nmap saves output to three different files , .gnmap .nmap or .xml

here -p for ports, -sV for service version scan

Question 25

How to do fast scan , disable port scan ?

Answer 25

nmap -sP 172.18.1.5 or

nmap -sn 172.18.1.5

Question 26

How to scan all ports ?

Answer 26

nmap -p- host

nmap -p- 172.18.1.5

Question 27

How to skip host discovery while scan or assume host is already live ?

Answer 27

nmap -p 1-100 -Pn 172.18.1.5

Question 28

How to do ARP scan ?

Answer 28

nmap -sn –packet-trace -v 172.18.1.5

this is ARP ping scan

Question 29

How to do SYN scan ?

Answer 29

nmaP -sS 172.18.1.5

This is half tcp scan

Question 30

How many ports are scanned by nmap , if no option is given & what type of scan is this ?

Answer 30

without any option nmap will scan first 1000 TCP ports , & this type of scan is TCP SYN or half TCP scan.

Question 31

How many different types of files can we save the output of nmap?

Answer 31

We can save output in four types of files by using option -oA & -oN

Four Types - .gnmap , .nmap , .xml & .txt

Question 32

How to perfotm half TCP scan ?

Answer 32

nmap -sS host

Question 33

How to Perform TCP scan ?

Answer 33

nmap -sT host

Question 34

How to Perform UDP Scan ?

Answer 34

nmap -sU host

Question 35

How to Perform ACK scan ?

Answer 35

nmap -sA host

Used to check filtered ports or Firewalled Ports

Question 36

What are the benefits of ACK scan ?

Answer 36

ACK scan is helpful in detecting filtered ports , or to Detect Firewall

Question 37

How to Perform Service version scan ?

Answer 37

nmap -sV host

Question 38

How to Perform scan on Top 100 ports by using single switch ?

Answer 38

nmap -F host

Question 39

How to Perform version trace of service ?

Answer 39

version trace is used with service version scan

nmap -sV –version-trace host

Question 40

How to save nmap output to test file ?

Answer 40

nmap -oN output.txt host

Question 41

How to detect filtered ports ?

Answer 41

We have to perform ACK Scan ?

nmap -sA host

Question 42

How to Perform fast host Discovery ?

Answer 42

nmap -sn host

Question 43

How to Perform host Discovery & disable port scan ?

Answer 43

nmap -sn host or

nmap -Pn host

Question 44

How to find name server by URL from Linux command line ?

Answer 44

host -t ns 14.139.225.232

Question 45

How to tracerout with nmap ?

Answer 45

Scan Port 80
Assume Host is alive
Use Time Template 4
Use verbose mode

nmap -p80 -Pn -T4 –traceroute dopses.aries.res.in -v

Question 46

How to perform ARP Scan ?

Answer 46

nmap -sP host o3r

nmap -sn -v –packet-trace host

Question 47

Which Web Database URL can be used to search sub-domains & hostnames ?

Answer 47

netcraft

http://searchdns.netcraft.com/?host

Question 48

How to get Domain details from linux Terminal ?

Answer 48

whois 14.139.225.232

Question 49

How to save nmap output to three different files ?

Answer 49

nmao -oA logbase host

Question 50

How to Scan all TCP or UDP Ports ?

Answer 50

Scan all TCP Ports
nmap -sT -p- host

Scan all UDP
nmap -sU -p- host

Question 51

How to scan Selected Ports with the notation of TCP ports only ?

Answer 51

nmap -p- T:80,443,9100

Question 52

How to Perform nmap scan which only show open ports

Answer 52

nmap -sT -F –open 172.18.1.5 -v

Question 53

Which ports works on printer ?

Answer 53

Both TCP & UDP Ports

515 - Printer Port ,
631 - ipp Apple Talk
9100 - jetdirect

Question 54

How to perform Specific port scan ?

Answer 54

nmap -p 80,443 host

Question 55

How to scan port range ?

Answer 55

nmap -p 1-100 host

Question 56

How to scan Top 100 Ports only ?

Answer 56

nmap –top-ports 100 host

Question 57

Where is Service probes of nmap are stored on system ?

Answer 57

less /usr/share/nmap/nmap-service-probes

Question 58

How to perform Service version scan with Top 100 ports ?

Answer 58

nmap -sV -F host

Question 59

How to Display live network trace while scanning top 1000 ports ?

Answer 59

nmap –top-ports 1000 :–packet-trace -v host

Question 60

How to assume host is alive while scanning top ports ?

Answer 60

nmap -Pn –top-ports 1000 host

Question 61

How to skip host discovery while scanning ports ?

Answer 61

nmap -Pn –top-ports host

Question 62

How to enable verbose mode while scanning ?

Answer 62

nmap -v host

Question 63

How to use Timing Template to increase scan speed ?

Answer 63

nmap -p- -T5 -Pn –packet-trace host

-T value is 0 to 5

Question 64

How to show interface & Routes using nmap ?

Answer 64

nmap –iflist

Question 65

How to Perform ultra fast scan , Ping sweep , scan 2000 random ip addresses ?

Answer 65

nmap -iR 2000 -n -sP –min-rate 1000 –max-retries 0 –max-rtt-timeout 100ms –max-scan-delay 0 -T5

Question 66

How to grep one above & one below line of every match ?

Answer 66

nmap -sn 172.18.0.0/22 | grep -A1 -B1 “Host is up”

Question 67

How to multiple string match with grep ?

Answer 67

nmap -sn 172.18.1.5 | grep -A 1 -B 1 -E “Host is up|Nmap done:”

Question 68

How to add some string line after each match in grep to seperate each match while using ?

Answer 68

nmap -sn host | grep –group-seprator —- -A1 -B1 -E “Host is up|Nmap done:”

Question 69

How to disable DNS Resolution ?

Answer 69

nmap -n -sn host

Question 70

How to ignore closed ports scan time to inhance scanning ?

Answer 70

nmap -sS defeat-rst-ratelimit -T4 172.18.1.5

Question 71

How to increase UDP port scanning ?

Answer 71

nmap -sU -T4 defeat-icmp-ratelimit host

Question 72

How to detect OS by nmap scanning ?

Answer 72

nmap -O host

Question 73

How to detect OS by guess ?

Answer 73

nmap -O -fuzzy

Question 74

How to detect OS by scanning Top 100 Ports ?

Answer 74

nmap -O -F 172.18.1.5

Question 75

How to enable OS detection in nmap scanning ?

Answer 75

nmap -F -A -v 172.18.1.5

Question 76

How to guess os Detect ?

Answer 76

nmap -O –osscan-guess 172.18.1.5

Question 77

How to detect OS by service version scan ?

Answer 77

nmap -p80 -sV –verson-trace 172.18.1.5 -reason

Question 78

How to display reason with scan ?

Answer 78

nmap -F -reason 172.18.1.5

Question 79

How to scan hosts from file ?

Answer 79

nmap -F -iL hosts.txt -v -n -Pn host

Question 80

How to scan hosts from file with more speed ?

Answer 80

nmap -F -iL hosts.txt -v -n -Pn host –max-retries 0 host

Question 81

How to Perform Null Fin Xmas scans ?

Answer 81

nmap -sN host

Question 82

How to scan with Timr Template ?

Answer 82

nmap -F -reason -Pn T4 -v 172.18.1.5

Question 83

How to scan with time template with more speed ?

Answer 83

nmap -F -reason -Pn T4 –max-rtt-timeout 20ms -v 172.18.1.5

Question 84

How to scan with time template with more speed by setting up round trip time?

Answer 84

Scan Top 100 ports
show return output 
Assume Host is Alive 
Show each packet 
Enable verbose 
Set round trip time
Set Time Template to 4

nmap -F -Pn –packet-trace -v -reason –max-rtt-timeout 20ms 172.18.1.5

Question 85

How to check port connectivity from Linux ?

Answer 85

ncat 172.18.1.5 80 -v

Question 86

How to know port associated with which service & process ID ?

Answer 86

netstat -lntp | grep -w ‘:22’

Question 87

How to know which process / service listening on a port ?

Answer 87

lsof -i ;22

Question 88

How to show PIDs listening on port ?

Answer 88

fuser 22/tcp

Question 89

How to find process name by program ID ?

Answer 89

ps -p PID

ps -p 1692

Question 90

How to Find All running processes on system ?

Answer 90

ps -aux

Question 91

How to find nameserver of domain from linux Terminal ?

Answer 91

host -t ns aries.res.in

Question 92

How to find IP Address of host from Linux Terminal ?

Answer 92

host google.com

Question 93

How to find mx record of domain ?

Answer 93

host -n -t google.com

Question 94

What is Null Scan probe ?

Answer 94

Establishing a TCP Connection & then waiting for 5 seconds to get any kind of data from the server ?