Nmap Flashcards
How do you perform a Nmap Host Discovery Scan?
nmap –sn {ip_range}
What Nmap switch performs a List Scan that lists IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs?
-sL
What Nmap switch performs a TCP SYN ping that probes specific ports from the given list using a TCP SYN packet instead of an ICMP packet to conduct the ping?
-PS <PortList></PortList>
What Nmap switch performs a Sparse Scan which issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS?
–scan-delay <Time></Time>
What Nmap switch performs a Scan Timing that issues probes with using a timing pattern?
-Tn
Best use case for -T0 and -T1?
For evading an IDS, but extremely slow
What is the best use case for -T2 ?
Slows the scan to conserve bandwidth.
What is the best use case for -T3?
The default and most stable scanning timing option
What is the best use case for -T4?
For a faster scan that is still relatively stable.
What is the best use case -T5?
Fastest scanning option but can be unstable if network or the target network’s speed cannot maintain the timing
What Nmap switch performs a TCP Idle Scan stealth method, makes it appear that another machine (a zombie) started the scan to hide the true identity of the scanning machine?
-sI
What Nmap switch performs a Fragmentation technique that splits the TCP header of each probe between multiple IP datagrams to make it hard for an IDS or IPS to detect?
-f or –mtu
What are the four ways Nmap can output results?
1.Interactive (default) to screen
2. Normal (-oN) to file
3. XML (-oX) to file
4. Grepable (-oG) to file
What Nmap switch performs a TCP SYN and conducts a half-open scan by sending a SYN packet to identify the port state without sending an ACK packet afterwards?
-sS
What Nmap switch performs a TCP Connect and conducts a three-way handshake scan by sending a SYN packet to identify the port state and then sending an ACK packet once the SYN-ACK is received?
-sT
