Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

NMAP Trivia: Mastering Network Mapping and Scanning

Published: 2008-12-28
Last Updated: 2008-12-28 09:35:25 UTC
by Raul Siles (Version: 1)
0 comment(s)

Recently the official (and highly recommended) NMAP book, "NMAP Network Scanning" by Fyodor, was published. I will post a review on my personal blog in the next few days (plus this challenge), but meanwhile, I thought it would be very productive to challenge you with a NMAP Trivia. The main goal is providing some entertainment during the holiday season and the early days of 2009, and at the same time, force you to practice and play with the latest stable nmap version, v4.76, trying to increase your technical knowledge, skills, and mastering of the traditional and current features of such an important security tool.

  1.  What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?
  2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
  3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it from the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?
  4. When nmap is run, sometimes it is difficult to know what is going on the backstage. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra detailed information?
  5. What are the preferred (nmap) options to run a stealthy TCP port scan? Particularly, try to avoid detection from someone running a sniffer near the person running nmap and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan are not detected)?
  6. Why port number 49152 is relevant to nmap?
  7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?
  8. When (and it what nmap version) the default state for a non-responsive UDP port was changed on nmap (from "open" to "open|filtered")? Why?
  9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?
  10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?
  11. Nmap's performance has been sometimes criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results?
  12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?
  13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org?
  14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?
  15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?
  16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?
  17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?

Send your answers through our contact page using "NMAP Trivia" as the subject by January, 15. If you have other interesting nmap trick and tips, please, send them too. I will publish the best answers and other nmap usage suggestions on my next shift around mid-end January 2009.

If you want to stay up to date about the major nmap news and events I strongly recommend you to subscribe to the nmap-hackers mailing list (low traffic, with less than 10 messages this year). You can do so at http://cgi.insecure.org/mailman/listinfo/nmap-hackers.

--
Raul Siles
www.raulsiles.com

Keywords: nmap
0 comment(s)
Diary Archives