Nmap switches

Question 1

‘nmap 192.168.1.1’

Answer 1

Scans a single IP

Question 2

‘nmap 192.168.1.1 192.168.2.1’

Answer 2

Scans specified IPs

Question 3

‘nmap 192.168.1.1-254’

Answer 3

Scans the range

Question 4

‘nmap scanme.nmap.org’

Answer 4

Scans the scanme.nmap.org domain

Question 5

‘nmap 192.168.1.0/24’

Answer 5

Scans using the CIDR notation

Question 6

‘nmap -iL targets.txt’

Answer 6

Scans targets from the targets.txt file

-iL switch is ‘Input List’

Question 7

‘nmap -iR 100’

Answer 7

Scans 100 random targets

-iR switch chooses a certain number of random targets

Question 8

‘nmap –exclude 192.168.1.1’

Answer 8

Excludes listed hosts

Question 9

‘nmap 192.168.1.1 -sS’

Answer 9

TCP SYN port scan (Default)

Question 10

‘nmap 192.168.1.1 -sT’

Answer 10

TCP connect port scan

Question 11

‘nmap 192.168.1.1 -sU’

Answer 11

UDP Port Scan

Question 12

‘nmap 192.168.1.1 -sA’

Answer 12

TCP ACK Port Scan

Question 13

‘nmap 192.168.1.1 -sW’

Answer 13

TCP Window port scan

Question 14

‘nmap 192.168.1.1 -sM’

Answer 14

TCP Maimon Port Scan

Question 15

‘nmap 192.168.1.1 -p 21’

Answer 15

Port scan for port 21

Question 16

‘nmap 192.168.1.1 -p 21-100’

Answer 16

Scans port range 21-100

Question 17

nmap 192.168.1.1 -p U:53,T:21,80’

Answer 17

Scans UDP port 53 and TCP Port 21 and 80

Question 18

‘nmap 192.168.1.1 192.168.1.1 -p-‘

Answer 18

Port scans all ports

Question 19

‘nmap 192.168.1.1 -p http,https’

Answer 19

Port scan for service names

Question 20

‘nmap 192.168.1.1 -F’

Answer 20

Fast port scan (100 ports)

Question 21

‘nmap 192.168.1.1 –top-ports 2000’

Answer 21

Port scan the top x ports

Question 22

‘nmap 192.168.1.1 -p-65535’

Answer 22

Leaving off initial port in range makes the scan start at port 1

Question 23

‘nmap 192.168.1.1 -p0-‘

Answer 23

Leaving off end port in rage makes the scan through to port 65535

Question 24

‘nmap 192.168.1.1 -sV’

Answer 24

Attempts to determine the version of the service running on the port

Question 25

‘nmap 192.168.1.1 -sV –version-intensity 8’

Answer 25

Intensity level 0 to 9.

Higher number increases possibility of correctness

Question 26

‘nmap 192.168.1.1 -sV –version-light’

Answer 26

Enables light mode. Lower possibility of correctness. Faster

Question 27

‘nmap 192.168.1.1 –version-all’

Answer 27

Enable intensity level 9.
Higher possibility of correctness.
Slower

Question 28

‘nmap 192.168.1.1 -A’

Answer 28

Enables OS detection, version detection, script scanning and traceroute

Question 29

‘nmap 192.168.1.1 -O’

Answer 29

Remote OS detection using TCP/IP stack fingerprinting

Question 30

‘nmap 192.168.1.1 -O –osscan-limit’

Answer 30

If at least one open and one closed TCP port are not found it will not try to detect OS against the host

Question 31

‘nmap 192.168.1.1 -O –sscan-guess’

Answer 31

Makes Nmap guess more aggressively

Question 32

‘nmap 192.168.1.1 -O –max-os-tries 1’

Answer 32

Set the maximum number x of OS detection tries against a target

Question 33

‘nmap 192.168.1.1 -A’

Answer 33

Enables oS detection, version detection, script scanning and traceroute

Question 34

‘nmap 192.168.1.1 -T0’

Answer 34

Paranoid (P) Intrusion detection system evasion

Question 35

‘nmap 192.168.1.1 -T1’

Answer 35

Sneaky (1) Intrusion Detection System evasion

Question 36

‘nmap 192.168.1.1 -T2’

Answer 36

Polite (2) slows down the scan to use less bandwidth and use less target machine resources

Question 37

‘nmap 192.168.1.1 -T3’

Answer 37

Normal (3) which is default spped

Question 38

‘nmap 192.168.1.1 -T4’

Answer 38

Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network

Question 39

‘nmap 192.168.1.1 -T5’

Answer 39

Insane (5) speeds scan; assumes you are on an extraordinary fast network

Question 40

‘nmap –host-timeout

Answer 40

Give up on target after this long

Acceptable input examples:
1s;4m;2h

Question 41

–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout

Answer 41

Specifies probe round trip time
Acceptable input examples:
1s;4m;2h

Question 42

–min-hostgroup/max-hostgroup

Answer 42

Parallel host scan group sizes
Input examples:
50;1024

Question 43

–min-parallelism/max-parraellelism

Answer 43

Probe parallelization
Input examples:
10;1

Question 44

–scan-delay/–max-scan-delay (time)

Answer 44

Adjust delay between probes
Input examples:
20ms;2s;4m;5h

Question 45

–max-retries

Answer 45

Specify the maximum number of port scans probe retransmission’s
Input examples:
1-100

Question 46

–min-rate

Answer 46

Send packets no slower than per second

Question 47

–max-rate

Answer 47

Send packets no faster than < number> per second

Question 48

‘nmap 192.168.1.1 -sC’

Answer 48

Scan with default NSE scripts

Considered useful for discovery and safe

Question 49

‘nmap 192.168.1.1 –script default’

Answer 49

Scan with default NSE scripts.

Considered useful for discovery and safe

Question 50

‘nmap 192.168.1.1 –script=banner’

Answer 50

Scan with a single script.

Example banner

Question 51

‘nmap 192.168.1.1 –script=http*’

Answer 51

Scan with a wildcard

Example http

Question 52

‘nmap 192.168.1.1 –script=http,banner’

Answer 52

Scan with two scripts. Example http and banner

Question 53

‘nmap 192.168.1.1 –script “not intrusive”

Answer 53

Scan default, but remove intrusive scripts

Question 54

‘nmap –script snmp-sysdescr –script-args snmpcommunity=admin 192.168.1.1’

Answer 54

NSE script with arguments

Question 55

‘nmap -Pn –script=http-sitemap-generator scanme.nmap.org’

Answer 55

http site map generator

Question 56

‘nmap -n -Pn -p 80 –open -sV -vvv –script banner, http-title -iR 1000’

Answer 56

Fast search for random web servers

Question 57

nmap -Pn –script=dns-brute domain.com

Answer 57

Brute forces DNS hostname guessing subdomains

Question 58

nmap -n -Pn -vv -O -sV –script smb-enum,smb-ls,smb-mbenum,smb-os-discovery,smb-s,smb-vuln,smbv2 -vv 192.168.1.1

Answer 58

Safe SMB scripts to run

Question 59

nmap –script whois* domain.com

Answer 59

Whois query

Question 60

nmap -p80 –script http-unsafe-output-escaping scanme.nmap.org

Answer 60

Detect cross site scripting vulnerabiltiies

Question 61

nmap -p80 –script http-sql-injection scanme.nmap.org

Answer 61

Check for SQL injections

Question 62

nmap 192.168.1.1 -f

Answer 62

Requested scan (including ping scans) use tiny fragmented IP packets.
Harder for packet filters

Question 63

nmap 192.168.1.1 –mtu 32

Answer 63

Set your own offset size

Question 64

nmap -D 192.168.1.101,192.168.1.102,

192.168.1.103,192.168.1.23 192.168.1.1

Answer 64

Send scans from spoofed IPs

Question 65

nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip

Answer 65

Above example explained

Question 66

nmap -S www.microsoft.com www.facebook.com

Answer 66

Scan Facebook from Microsoft (-e eth0 -Pn may be required)

Question 67

nmap –proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1

Answer 67

Relay connections through HTTP/SOCKS4 proxies

Question 68

nmap –data-length 200 192.168.1.1

Answer 68

Appends random data to sent packets

Question 69

nmap 192.168.1.1 -oN normal.file

Answer 69

Normal output to the file normal.file

Question 70

nmap 192.168.1.1 -oX xml.file

Answer 70

XML output to the file xml.file

Question 71

nmap 192.168.1.1 -oG grep.file

Answer 71

Grepable output to the file grep.file

Question 72

nmap 192.168.1.1 -oA results

Answer 72

Output in the three major formats at once

Question 73

nmap 192.168.1.1 -oG -

Answer 73

Grepable output to screen. -oN -, -oX - also usable

Question 74

nmap 192.168.1.1 -oN file.file –append-output

Answer 74

Append a scan to a previous scan file

Question 75

nmap 192.168.1.1 -v

Answer 75

Increase the verbosity level (use -vv or more for greater effect)

Question 76

nmap 192.168.1.1 -d

Answer 76

Increase debugging level (use -dd or more for greater effect)

Question 77

nmap 192.168.1.1 –reason

Answer 77

Display the reason a port is in a particular state, same output as -vv

Question 78

nmap 192.168.1.1 –open

Answer 78

Only show open (or possibly open) ports

Question 79

nmap 192.168.1.1 -T4 –packet-trace

Answer 79

Show all packets sent and received

Question 80

nmap –iflist

Answer 80

Shows the host interfaces and routes

Question 81

nmap –resume results.file

Answer 81

Resume a scan

Question 82

nmap -p80 -sV -oG - –open 192.168.1.1/24 | grep open

Answer 82

Scan for web servers and grep to show which IPs are running web servers

Question 83

nmap -iR 10 -n -oX out.xml | grep “Nmap” | cut -d “ “ -f5 > live-hosts.txt

Answer 83

Generate a list of the IPs of live hosts

Question 84

nmap -iR 10 -n -oX out2.xml | grep “Nmap” | cut -d “ “ -f5&raquo_space; live-hosts.txt

Answer 84

Append IP to the list of live hosts

Question 85

ndiff scanl.xml scan2.xml

Answer 85

Compare output from nmap using the ndif

Question 86

xsltproc nmap.xml -o nmap.html

Answer 86

Convert nmap xml files to html files

Question 87

grep “ open “ results.nmap | sed -r ‘s/ +/ /g’ | sort | uniq -c | sort -rn | less

Answer 87

Reverse sorted list of how often ports turn up

Question 88

nmap -6 2607:f0d0:1002:51::4

Answer 88

Enable IPv6 scanning

Question 89

nmap -h

Answer 89

nmap help screen

Question 90

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn

Answer 90

Discovery only on ports x, no port scan

Question 91

nmap 192.168.1.1-1/24 -PR -sn -vv

Answer 91

Arp discovery only on local network, no port scan

Question 92

nmap -iR 10 -sn -traceroute

Answer 92

Traceroute to random targets, no port scan

Question 93

nmap 192.168.1.1-50 -sL –dns-server 192.168.1.1

Answer 93

Query the Internal DNS for hosts, list targets only