NMap Info Flashcards
What is NMap?
Nmap (Network Mapper) is a powerful network scanning tool used for discovering hosts, services, and vulnerabilities in a network.
What are the key functions of Nmap?
- Host discovery
- Port scanning
- OS detection
- Version detection
- Scriptable interaction with targets
What is the basic command to perform a default Nmap scan?
nmap [target]
(Default scan checks the 1,000 most common TCP ports.)
What does the default nmap scan cover?
Default scan checks the 1,000 most common TCP ports
Using NMap, how do you scan all 65,535 ports?
nmap -p- [target]
What does the -sS argument in Nmap do?
Performs a stealth (SYN) scan, which sends SYN packets and analyzes responses without completing the TCP handshake.
What does the -sT argument in Nmap do?
Performs a TCP connect scan, establishing a full connection to the target.
What does the -A argument in Nmap do?
Enables agreesive scan:
- -O OS detection:
- -sV version detection
- -sC or –script=default: script scanning
- –traceroute: traceroute
What is the purpose of the -p argument in Nmap?
Specifies the port(s) to scan. For example: -p 80 scans port 80; -p 1-100 scans ports 1–100.
What is the purpose of the -p- argument in Nmap?
Scans all scan all 65,535 ports of the target
In nmap, what is the -Pn argument used for?
Disables host discovery, treating all hosts as “up” and scanning them.
What does the -sU argument do in Nmap?
Performs a UDP scan, which sends UDP packets to detect open ports.
What does -T in Nmap control?
The scan timing. For example:
-T0 (paranoid)
-T4 (aggressive, faster scans).
What is and why is -T0 used in Nmap?
- Slowest and most cautious level, referred to as “paranoid.” It results in a significantly slower scan speed
- This is designed to minimize the risk of detection by Intrusion Detection Systems (IDS) and other monitoring tools
How do you use Nmap to scan a specific IP range?
Use a CIDR notation or IP range:
Example: nmap 192.168.1.0/24
What does the -sV argument do in Nmap
Enables version detection to identify the services running on open ports.
What does –script do in Nmap?
Runs Nmap Scripting Engine (NSE) scripts, which are used for tasks like vulnerability detection and network discovery. Example:
nmap –script vuln 192.168.1.1
What does the nmap -oN argument do?
Outputs scan results in a normal format to a file. Example: nmap -oN results.txt 192.168.1.1
What does -oX do in Nmap?
Outputs scan results in XML format. Example: nmap -oX results.xml 192.168.1.1
How does Nmap perform OS detection?
By using the -O option, which analyzes responses to determine the operating system.
note: requires root privileges in Linux
What does the –reason argument do in Nmap?
Displays the reason why a port is marked as open, closed, or filtered.
How do you use Nmap to find live hosts on a network?
Use the ping scan option: nmap -sn 192.168.1.0/24
What does the –top-ports argument do in Nmap do?
Scans the most common ports. Example: –top-ports 20 scans the top 20 ports.
How can you perform a scan while avoiding detection in Nmap?
Use options like -sS (stealth scan) and adjust timing with -T0 (paranoid mode).
How can Nmap perform banner grabbing?
nmap -sV [target] (retrieves service banners during version detection).
How do you scan the top N most common ports in Nmap?
–top-ports [N]
Example: nmap –top-ports 10 [target]
Service Banner
metadata sent by a service running on a networked system, often when a client connects to it. This banner typically provides information about the service, such as its name, version, or other identifying details.
For example:
- A web server may display a banner showing Apache/2.4.41 (Ubuntu).
- An SSH server might show OpenSSH_8.4.
How do you increase the verbosity of Nmap scans?
-v or -vv (for more detailed output)
Levels:
* Default (no -v): Only the essential results are displayed, such as open ports and a summary at the end of the scan.
* -v: Increases verbosity level to show additional details, such as host discovery, progress updates, and timing information. For example, Nmap will display messages when hosts are found to be alive.
* -vv: Provides even more detailed output, including additional information on scan progress, responses received during the scan, and debugging-like details.
* You can combine verbosity with the debugging flag -d for even deeper insights (e.g., -v -d). This is useful for troubleshooting or understanding scan behavior.
In Nmap, what options can help evade firewalls and IDS/IPS?
- Fragment packets: -f
- Randomize hosts: –randomize-hosts
- Change scan delay: –scan-delay [time]
- Paranoid mode: -T0
What does nmap -F do?
Performs a fast scan, checking the top 100 ports instead of 1,000.
How can Nmap interact with DNS for reconnaissance?
nmap –script dns-brute [domain]
What does nmap –script dns-brute [domain] do?
performs DNS brute-forcing on the specified domain. The dns-brute script tries to discover subdomains of the target domain by attempting to resolve common or user-defined subdomain names.
How It Works: The script uses a predefined wordlist of subdomains (e.g., www, mail, ftp) to query the DNS server. If a subdomain resolves to an IP address, it is reported as a valid subdomain.
may return:
www.example.com -> 192.168.1.1
mail.example.com -> 192.168.1.2
ftp.example.com -> 192.168.1.3
What Nmap scan helps detect firewalls?
nmap -sA [target] (ACK scan)
Why?
- ACK packets are used in TCP to acknowledge data receipt. Normally, they don’t initiate new connections, so a server doesn’t expect them if no connection exists.
- Stateful Firewalls: These firewalls maintain a state table of active connections. If an ACK packet arrives without a corresponding connection in the table, the firewall blocks it.
- Stateless Firewalls: These firewalls may simply forward ACK packets, assuming they’re part of legitimate traffic.
- If the target system replies with a RST (Reset), it means the packet reached the host, indicating no firewall or a stateless firewall exists.
- If there’s no response, it suggests the packet was dropped by a firewall.
- ACK scans don’t reveal open ports but instead help map the presence of firewalls and identify whether they are stateful or stateless.
- This technique is stealthier than a full SYN scan because ACK packets often blend with normal network traffic.
How do you disable ping in Nmap scans?
-Pn
Example: nmap -Pn [target]
this disables host discover and treats all hosts as online
How do you run Nmap scripts for vulnerability detection?
nmap –script=[script name] [target]
Example: nmap –script=vuln [target]
What options save Nmap scan results?
- Normal: -oN [filename]
- XML: -oX [filename]
- Grepable: -oG [filename]
- All formats: -oA [filename]
- Script kiddie: -oS [filename] - randomly capitalizes letters
List three common Nmap scan types and their flags.
- TCP Connect: -sT
- SYN Scan (default): -sS
- UDP Scan: -sU
How do you combine OS and version detection in Nmap?
nmap -O -sV [target]
Given that you are conducting an internal penetration test and need to enumerate assets within the organization’s network, which Nmap command or script would you use to produce the most comprehensive list of live hosts, open ports, and services?
- -sV -O –script=all
- -Pn
- –top-ports 100
- -sn
-sV -O –script=all
The correct answer is -sV -O –script=all. The -sV option enables version detection, probing open ports to determine service/version info, while the -O option triggers OS detection. Combining these with –script=all applies a variety of scripts for further enumeration, including default and non-default scripts that check for a wide range of vulnerabilities and configurations, making it the most comprehensive choice for asset enumeration. -sn only performs host discovery, which would not enumerate open ports or services. –top-ports only scans the most common ports, which might miss out on less common but potentially critical ports. -Pn disables host discovery and should only be used when ensuring all ports are scanned regardless of the host being up.
What does nmap -sn do?
used to perform a “ping scan,” which identifies active hosts on a network without performing a full port scan. It sends ICMP echo requests or ARP requests to check if hosts are up.
