NMap Info

Question 1

What is NMap?

Answer 1

Nmap (Network Mapper) is a powerful network scanning tool used for discovering hosts, services, and vulnerabilities in a network.

Question 2

What are the key functions of Nmap?

Answer 2

• Host discovery
• Port scanning
• OS detection
• Version detection
• Scriptable interaction with targets

Question 3

What is the basic command to perform a default Nmap scan?

Answer 3

nmap [target]
(Default scan checks the 1,000 most common TCP ports.)

Question 4

What does the default nmap scan cover?

Answer 4

Default scan checks the 1,000 most common TCP ports

Question 5

Using NMap, how do you scan all 65,535 ports?

Answer 5

nmap -p- [target]

Question 6

What does the -sS argument in Nmap do?

Answer 6

Performs a stealth (SYN) scan, which sends SYN packets and analyzes responses without completing the TCP handshake.

Question 7

What does the -sT argument in Nmap do?

Answer 7

Performs a TCP connect scan, establishing a full connection to the target.

Question 8

What does the -A argument in Nmap do?

Answer 8

Enables agreesive scan:

• -O OS detection:
• -sV version detection
• -sC or –script=default: script scanning
• –traceroute: traceroute

Question 9

What is the purpose of the -p argument in Nmap?

Answer 9

Specifies the port(s) to scan. For example: -p 80 scans port 80; -p 1-100 scans ports 1–100.

Question 10

What is the purpose of the -p- argument in Nmap?

Answer 10

Scans all scan all 65,535 ports of the target

Question 11

In nmap, what is the -Pn argument used for?

Answer 11

Disables host discovery, treating all hosts as “up” and scanning them.

Question 12

What does the -sU argument do in Nmap?

Answer 12

Performs a UDP scan, which sends UDP packets to detect open ports.

Question 13

What does -T in Nmap control?

Answer 13

The scan timing. For example:

-T0 (paranoid)
-T4 (aggressive, faster scans).

Question 14

What is and why is -T0 used in Nmap?

Answer 14

1. Slowest and most cautious level, referred to as “paranoid.” It results in a significantly slower scan speed
2. This is designed to minimize the risk of detection by Intrusion Detection Systems (IDS) and other monitoring tools

Question 15

How do you use Nmap to scan a specific IP range?

Answer 15

Use a CIDR notation or IP range:

Example: nmap 192.168.1.0/24

Question 16

What does the -sV argument do in Nmap

Answer 16

Enables version detection to identify the services running on open ports.

Question 17

What does –script do in Nmap?

Answer 17

Runs Nmap Scripting Engine (NSE) scripts, which are used for tasks like vulnerability detection and network discovery. Example:

nmap –script vuln 192.168.1.1

Question 18

What does the nmap -oN argument do?

Answer 18

Outputs scan results in a normal format to a file. Example: nmap -oN results.txt 192.168.1.1

Question 19

What does -oX do in Nmap?

Answer 19

Outputs scan results in XML format. Example: nmap -oX results.xml 192.168.1.1

Question 20

How does Nmap perform OS detection?

Answer 20

By using the -O option, which analyzes responses to determine the operating system.

note: requires root privileges in Linux

Question 21

What does the –reason argument do in Nmap?

Answer 21

Displays the reason why a port is marked as open, closed, or filtered.

Question 22

How do you use Nmap to find live hosts on a network?

Answer 22

Use the ping scan option: nmap -sn 192.168.1.0/24

Question 23

What does the –top-ports argument do in Nmap do?

Answer 23

Scans the most common ports. Example: –top-ports 20 scans the top 20 ports.

Question 24

How can you perform a scan while avoiding detection in Nmap?

Answer 24

Use options like -sS (stealth scan) and adjust timing with -T0 (paranoid mode).

Question 25

How can Nmap perform banner grabbing?

Answer 25

nmap -sV [target] (retrieves service banners during version detection).

Question 26

How do you scan the top N most common ports in Nmap?

Answer 26

–top-ports [N]
Example: nmap –top-ports 10 [target]

Question 27

Service Banner

Answer 27

metadata sent by a service running on a networked system, often when a client connects to it. This banner typically provides information about the service, such as its name, version, or other identifying details.

For example:

• A web server may display a banner showing Apache/2.4.41 (Ubuntu).
• An SSH server might show OpenSSH_8.4.

Question 28

How do you increase the verbosity of Nmap scans?

Answer 28

-v or -vv (for more detailed output)

Levels:
* Default (no -v): Only the essential results are displayed, such as open ports and a summary at the end of the scan.
* -v: Increases verbosity level to show additional details, such as host discovery, progress updates, and timing information. For example, Nmap will display messages when hosts are found to be alive.
* -vv: Provides even more detailed output, including additional information on scan progress, responses received during the scan, and debugging-like details.
* You can combine verbosity with the debugging flag -d for even deeper insights (e.g., -v -d). This is useful for troubleshooting or understanding scan behavior.

Question 29

In Nmap, what options can help evade firewalls and IDS/IPS?

Answer 29

• Fragment packets: -f
• Randomize hosts: –randomize-hosts
• Change scan delay: –scan-delay [time]
• Paranoid mode: -T0

Question 30

What does nmap -F do?

Answer 30

Performs a fast scan, checking the top 100 ports instead of 1,000.

Question 31

How can Nmap interact with DNS for reconnaissance?

Answer 31

nmap –script dns-brute [domain]

Question 32

What does nmap –script dns-brute [domain] do?

Answer 32

performs DNS brute-forcing on the specified domain. The dns-brute script tries to discover subdomains of the target domain by attempting to resolve common or user-defined subdomain names.

How It Works: The script uses a predefined wordlist of subdomains (e.g., www, mail, ftp) to query the DNS server. If a subdomain resolves to an IP address, it is reported as a valid subdomain.

may return:
www.example.com -> 192.168.1.1
mail.example.com -> 192.168.1.2
ftp.example.com -> 192.168.1.3

Question 33

What Nmap scan helps detect firewalls?

Answer 33

nmap -sA [target] (ACK scan)

Why?

• ACK packets are used in TCP to acknowledge data receipt. Normally, they don’t initiate new connections, so a server doesn’t expect them if no connection exists.
• Stateful Firewalls: These firewalls maintain a state table of active connections. If an ACK packet arrives without a corresponding connection in the table, the firewall blocks it.
• Stateless Firewalls: These firewalls may simply forward ACK packets, assuming they’re part of legitimate traffic.
• If the target system replies with a RST (Reset), it means the packet reached the host, indicating no firewall or a stateless firewall exists.
• If there’s no response, it suggests the packet was dropped by a firewall.
• ACK scans don’t reveal open ports but instead help map the presence of firewalls and identify whether they are stateful or stateless.
• This technique is stealthier than a full SYN scan because ACK packets often blend with normal network traffic.

Question 34

How do you disable ping in Nmap scans?

Answer 34

-Pn
Example: nmap -Pn [target]

this disables host discover and treats all hosts as online

Question 35

How do you run Nmap scripts for vulnerability detection?

Answer 35

nmap –script=[script name] [target]
Example: nmap –script=vuln [target]

Question 36

What options save Nmap scan results?

Answer 36

• Normal: -oN [filename]
• XML: -oX [filename]
• Grepable: -oG [filename]
• All formats: -oA [filename]
• Script kiddie: -oS [filename] - randomly capitalizes letters

Question 37

List three common Nmap scan types and their flags.

Answer 37

• TCP Connect: -sT
• SYN Scan (default): -sS
• UDP Scan: -sU

Question 38

How do you combine OS and version detection in Nmap?

Answer 38

nmap -O -sV [target]

Question 39

Given that you are conducting an internal penetration test and need to enumerate assets within the organization’s network, which Nmap command or script would you use to produce the most comprehensive list of live hosts, open ports, and services?

• -sV -O –script=all
• -Pn
• –top-ports 100
• -sn

Answer 39

-sV -O –script=all

The correct answer is -sV -O –script=all. The -sV option enables version detection, probing open ports to determine service/version info, while the -O option triggers OS detection. Combining these with –script=all applies a variety of scripts for further enumeration, including default and non-default scripts that check for a wide range of vulnerabilities and configurations, making it the most comprehensive choice for asset enumeration. -sn only performs host discovery, which would not enumerate open ports or services. –top-ports only scans the most common ports, which might miss out on less common but potentially critical ports. -Pn disables host discovery and should only be used when ensuring all ports are scanned regardless of the host being up.

Question 40

What does nmap -sn do?

Answer 40

used to perform a “ping scan,” which identifies active hosts on a network without performing a full port scan. It sends ICMP echo requests or ARP requests to check if hosts are up.