NMAP

Question 1

Port Scan Type: Full Connect

Answer 1

AKA Tcp Connect or Full Open Scan. complete 3-way handshake torn down with RST. Easist to detect but most reliable. Open port respond with SYN\ACK– closed with RST

Question 2

Port Scan Type: Stealth

Answer 2

AKA SYN scan or Half-open scan. Only SYN are sent. Open gets a syn/ack closed gets rst. Better at hiding scan and bypassing firewalls

Question 3

Port Scan Type: Inverse TCP Flag

Answer 3

AKA Null or FIN scan Uses FIN URG or PSH flag or none at all. Open port gets no response. Closed gets RST/ACK

Question 4

Port Scan Type: XMAS

Answer 4

XMAS URG, PSH FIN, flags are on. Open gets no response. closed gets RST/Ack

Question 5

Port Scan Type: ACK Flag Probe

Answer 5

Probe with ACK. Look at return RST packet if TTL is less than 64 or the WINDOW size has anything other than 0 in it it is open. Also can be used to check filtering if there is no response there is a stateful firewall between attacker and host if a RST comes back there is not

Question 6

Nmap switch: -sA

Answer 6

ACK scan

Question 7

Nmap switch: -sF

Answer 7

FIN Scan

Question 8

Nmap switch: -sI

Answer 8

IDLE Scan

Question 9

Nmap switch: -sL

Answer 9

DNS or list scan.

Question 10

Nmap switch: -sN

Answer 10

Null scan

Question 11

Nmap switch: -sO

Answer 11

Protocol Scan

Question 12

Nmap switch: -sP

Answer 12

Ping scan

Question 13

Nmap switch: -sR

Answer 13

RPC Scan

Question 14

Nmap switch: -sS

Answer 14

Syn scan

Question 15

Nmap switch: -sT

Answer 15

TCP full connect

Question 16

Nmap switch: -sW

Answer 16

Window scan

Question 17

Nmap switch: -sX

Answer 17

Xmas Scan

Question 18

Nmap switch: -PI -PE -PM -PP

Answer 18

ICMP ping

Question 19

Nmap switch: -Po -PN

Answer 19

no ping

Question 20

Nmap switch: -PS

Answer 20

Syn Ping

Question 21

Nmap switch: -PT

Answer 21

TCP ping

Question 22

Nmap switch: -oN

Answer 22

Normal output

Question 23

Nmap switch: -oX

Answer 23

XML output

Question 24

Nmap switch: -oG

Answer 24

GREPable output

Question 25

Nmap switch: -oA

Answer 25

All formats including script kiddie

Question 26

Nmap switch: -O

Answer 26

OS finger printing

Question 27

Nmap switch: -A

Answer 27

aggressive scan includes version scan, script, protocol, and traceroute

Question 28

Nmap switch: -F

Answer 28

Fast limited ports only 100

Question 29

Nmap switch: -P

Answer 29

port range

Question 30

Nmap switch: -iL

Answer 30

input from list

Question 31

Nmap switch: -PR

Answer 31

ARP ping

Question 32

Nmap switch: -f

Answer 32

Fragment package

Question 33

Nmap switch: -T0

Answer 33

Serial slowest Paranoid 5 min between probes

Question 34

Nmap switch: -T1

Answer 34

serial slowest Sneaky 15 seconds between probes

Question 35

Nmap switch: -T2

Answer 35

Serial slow normal speed Polite .4 sec (400 mil seconds) between probes

Question 36

Nmap switch:-T3

Answer 36

Parallel normal speed default (max delay of 1 sec )

Question 37

Nmap switch:-T4

Answer 37

parallel fast scan aggressive max delay of 10 milsec)

Question 38

nmap: -T5

Answer 38

insane mode caps and delay at 5ms

Question 39

Nmap switch: -R -n

Answer 39

Dns resolution for everything and no DNS resolution for anything

Question 40

Nmap switch: -D RND:10.0.0.0

Answer 40

creates decoy random ips with attackers ip interspersed as well

Question 41

nmap --script http-trace -p80 localhost

Answer 41

detects server that uses trace

Question 42

nmap --script http-google-email

Answer 42

lists email accounts

Question 43

nmap --script hostmap-*

Answer 43

discovers virtual host the * is replaced with DB you are querying.

Question 44

nmap --script http-enum -p80

Answer 44

enumerates common web applications

Question 45

nmap -p 80 -- script http-robots.txt

Answer 45

grabs robots.txt file

Question 46

Full Open Scan. complete 3-way handshake torn down with RST. Easist to detect but most reliable. Open port respond with SYN\ACK-- closed with RST

Answer 46

Port Scan Type: Full Connect

Question 47

AKA SYN scan or Half-open scan. Only SYN are sent. Open gets a syn/ack closed gets rst. Better at hiding scan and bypassing firewalls

Answer 47

Port Scan Type: Stealth

Question 48

AKA Null or FIN scan Uses FIN URG or PSH flag or none at all. Open port gets no response. Closed gets RST/ACK

Answer 48

Port Scan Type: Inverse TCP Flag

Question 49

URG, PSH FIN, flags are on. Open gets no response. closed gets RST/Ack

Answer 49

Port Scan Type: XMAS

Question 50

Look at return RST packet if TTL is less than 64 or the WINDOW size has anything other than 0 in it it is open. Also can be used to check filtering if there is no response there is a stateful firewall between attacker and host if a RST comes back there is not

Answer 50

Port Scan Type: ACK Flag Probe

Question 51

ACK scan

Answer 51

Nmap switch: -sA

Question 52

FIN Scan

Answer 52

Nmap switch: -sF

Question 53

IDLE Scan

Answer 53

Nmap switch: -sI

Question 54

DNS or list scan.

Answer 54

Nmap switch: -sL

Question 55

Null scan

Answer 55

Nmap switch: -sN

Question 56

Protocol Scan

Answer 56

Nmap switch: -sO

Question 57

Ping scan

Answer 57

Nmap switch: -sP

Question 58

RPC Scan

Answer 58

Nmap switch: -sR

Question 59

Syn scan

Answer 59

Nmap switch: -sS

Question 60

TCP full connect

Answer 60

Nmap switch: -sT

Question 61

Window scan

Answer 61

Nmap switch: -sW

Question 62

Xmas Scan

Answer 62

Nmap switch: -sX

Question 63

ICMP ping

Answer 63

Nmap switch: -PI -PE -PM -PP

Question 64

no ping

Answer 64

Nmap switch: -Po -PN

Question 65

Syn Ping

Answer 65

Nmap switch: -PS

Question 66

TCP ping

Answer 66

Nmap switch: -PT

Question 67

Normal output

Answer 67

Nmap switch: -oN

Question 68

XML output

Answer 68

Nmap switch: -oX

Question 69

GREPable output

Answer 69

Nmap switch: -oG

Question 70

All formats including script kiddie

Answer 70

Nmap switch: -oA

Question 71

OS finger printing

Answer 71

Nmap switch: -O

Question 72

scan includes version scan, script, protocol, and traceroute

Answer 72

Nmap switch: -A

Question 73

Fast limited ports only 100

Answer 73

Nmap switch: -F

Question 74

port range

Answer 74

Nmap switch: -P

Question 75

input from list

Answer 75

Nmap switch: -iL

Question 76

ARP ping

Answer 76

Nmap switch: -PR

Question 77

Fragment package

Answer 77

Nmap switch: -f

Question 78

Serial slowest Paranoid 5 min between probes

Answer 78

Nmap switch: -T0

Question 79

serial slowest Sneaky 15 seconds between probes

Answer 79

Nmap switch: -T1

Question 80

Serial slow normal speed Polite .4 sec (400 mil seconds) between probes

Answer 80

Nmap switch: -T2

Question 81

Parallel normal speed default (max delay of 1 sec )

Answer 81

Nmap switch:-T3

Question 82

parallel fast scan aggressive max delay of 10 milsec

Answer 82

Nmap switch:-T4

Question 83

insane mode caps and delay at 5ms

Answer 83

nmap: -T5

Question 84

Dns resolution for everything and no DNS resolution for anything

Answer 84

Nmap switch: -R -n

Question 85

creates decoy random ips with attackers ip interspersed as well

Answer 85

Nmap switch: -D RND:10.0.0.0

Question 86

detects server that uses trace

Answer 86

nmap --script http-trace -p80 localhost

Question 87

lists email accounts

Answer 87

nmap --script http-google-email

Question 88

discovers virtual host the * is replaced with DB you are querying.

Answer 88

nmap --script hostmap-*

Question 89

enumerates common web applications

Answer 89

nmap --script http-enum -p80

Question 90

grabs robots.txt file

Answer 90

nmap --script http-robots.txt

Question 91

Nmap switch: -sC

Answer 91

Script Scan