NMAP Switches

Question 1

What is this NMAP switch: -sV

Answer 1

Detect version of service running on port –> scans every open port.

Question 2

-Pn

Answer 2

nmap 192.168.1.1-5 -Pn

No ping.
This option skips the host discovery stage altogether.
Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified

Question 3

What is this NMAP switch: -T0 -T1 -T2 -T3…T5

Answer 3

timing & performance. T0 = paranoid, T1 = sneeky (slow), T2 = polite, T3 = normal, T4 = aggressive, T5 = insane

-T0

nmap 192.168.1.1 -T0

Paranoid (0) Intrusion Detection
System evasion

-T1

nmap 192.168.1.1 -T1

Sneaky (1) Intrusion Detection System
evasion

-T2

nmap 192.168.1.1 -T2

Polite (2) slows down the scan to use
less bandwidth and use less target
machine resources

-T3

nmap 192.168.1.1 -T3

Normal (3) which is default speed

-T4

nmap 192.168.1.1 -T4

Aggressive (4) speeds scans; assumes
you are on a reasonably fast and
reliable network

-T5

nmap 192.168.1.1 -T5

Insane (5) speeds scan; assumes you
are on an extraordinarily fast network

Question 4

What is this NMAP switch: -sU

Answer 4

scan UDP

Question 5

What is this NMAP switch: -O

Answer 5

Remote OS detection using TCP/IP

stack fingerprinting

Question 6

What is this NMAP switch: -sS

Answer 6

TCP Syn port scan (aka stealth scan)

Question 7

What is this NMAP switch: -sn

Answer 7

ping scan only

-sn tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”

Question 8

What is this NMAP switch: -Pn

Answer 8

nmap 192.168.1.1-5 -Pn

port scan only - no ping

Question 9

What is this NMAP switch: -O

Answer 9

O/S scan

Question 10

What is this NMAP switch: -iL

Answer 10

scan each server in file

Question 11

What is this NMAP switch: -sL

Answer 11

list servers, but does not scan them

Question 12

What is this NMAP switch: -oX

Answer 12

save output in XML file

Question 13

What is this NMAP switch: -oG

Answer 13

save scan in greppable format

Question 14

What is this NMAP switch: -sn

Answer 14

PING only
nmap 192.168.1.1/24 -sn

Disable port scanning. Host discovery only (ping).

Question 15

What is this NMAP switch: -sT

Answer 15

-sT

nmap 192.168.1.1 -sT

Full 3-way TCP connect port scan

Question 16

-sx

Answer 16

xmas tree

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Question 17

-sF

Answer 17

Sets just the TCP FIN bit.

sneaky through firewalls

Question 18

-PS

Answer 18

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80

Question 19

-PA

Answer 19

The TCP ACK ping is quite similar to the -PS.

The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag.

Port 80 by default

Question 20

-PU

Answer 20

UDP discovery on port x.

Port 40125 by default

Question 21

-PR

Answer 21

ARP discovery on local network

Question 22

-n

Answer 22

Never do DNS resolution

Question 23

-D

Answer 23

send scans from spoofed IPs

Question 24

Full Open Scanning

Answer 24

ensures the response that the targeted host is live and the connection is complete

Question 25

Discovery Scan

Answer 25

identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems.

Question 26

-A

Answer 26

Enables OS detection, version detection, script scanning, and traceroute

Question 27

-p

Answer 27

specific ports to be used

-p22,25

Question 27

-p

Answer 27

specific ports to be used

-p22,25

Question 27

-p

Answer 27

specific ports to be used

• p22,25
• p U:53,T:22