Section 6: NMAP

Question 1

NMAP: -sL

Answer 1

List Scan (-sL)
o Lists the IP addresses from the supplied target range(s)
and performs a reverse-DNS query to discover any host
names associated with those IPs

Question 2

NMAP: -PS

Answer 2

TCP SYN ping (-PS <PortList>)
o Probes specific ports from the given list using a TCP SYN
packet instead of an ICMP packet to conduct the ping</PortList>

Question 3

NMAP: -Tn

Answer 3

Issues probes with using a timing pattern with n being the
pattern to utilize (0 is slowest and 5 is fastest

Question 4

NMAP: -sl

Answer 4

Another stealth method, this scan makes it appear that
another machine (a zombie) started the scan to hide the
true identity of the scanning machine

Question 5

NMAP: f or –mtu

Answer 5

Fragmentation (-f or –mtu)
o A technique that splits the TCP header of each probe
between multiple IP datagrams to make it hard for an IDS
or IPS to detect

Question 6

Nmap Output

Answer 6

▪ Interactive (default) to screen
▪ Normal (-oN) to file
▪ XML (-oX) to file
▪ Grepable (-oG) to file

Question 7

NMAP: -sS

Answer 7

TCP SYN (-sS)
▪ Conducts a half-open scan by sending a SYN packet to identify the port
state without sending an ACK packet afterwards

Question 8

NMAP: -sT

Answer 8

o TCP Connect (-sT)
▪ Conducts a three-way handshake scan by sending a SYN packet to
identify the port state and then sending an ACK packet once the SYN-ACK
is received

Question 9

NMAP: -sN

Answer 9

Null Scan (-sN)
▪ Conducts a scan by sending a packet with the header bit set to zero

Question 10

NMAP: -sF

Answer 10

FIN Scan (-sF)
▪ Conducts a scan by sending an unexpected FIN packet

Question 11

NMAP: -sX

Answer 11

Xmas Scan (-sX)
▪ Conducts a scan by sending a packet with the FIN, PSH, and URG flags set
to one

Question 12

NMAP: -sU

Answer 12

UDP Scan (-sU)
▪ Conducts a scan by sending a UDP packet to the target and waiting for a
response or timeout

Question 13

Which Nmap scan requires root access?

Answer 13

-sS - Half Scan, SYN Scan