NMAP
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
No
Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?
No
If a UDP port doesn't respond to an Nmap scan, what will it be marked as?
Open | Filtered
What networking constructs are used to direct traffic to the right application on a server?
Ports
Which RFC defines the appropriate behaviour for the TCP protocol?
RFC 793 https://tools.ietf.org/html/rfc793
If a port is closed, which flag should the server send back to indicate this?
RST (Reset)
When port scanning with Nmap, there are three basic scan types. These are:
TCP Connect Scans (-sT)
SYN "Half Open" Scans (-sS)
UDP Scans (-sU)
Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:
TCP Null Scans (-sN)
TCP FIN Scans (-sF)
TCP Xmas Scans (-sX)
There are, however, a couple of disadvantages to SYN scans, namely:
They require sudo permissions[1] in order to work correctly in Linux. This is because SYN scans require the ability to create raw packets (as opposed to completing the full TCP handshake), which is a privilege only the root user has by default.
Unstable services are sometimes brought down by SYN scans, which could prove problematic if a client has provided a production environment for the test.
Which of the three shown scan types uses the URG flag?
Xmas
What optional argument can the ftp-anon.nse script take?
maxlist https://nmap.org/nsedoc/
How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
nmap -sn 172.16.0.0/16
NSE (Nmap Scripting Engine) Categories
safe: Won't affect the target
intrusive: Not safe; likely to affect the target
vuln: Scan for vulnerabilities
exploit: Attempt to exploit a vulnerability
auth: Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)
brute: Attempt to brute-force credentials for running services
discovery: Attempt to query running services for further information about the network (e.g. query an SNMP server)
(More in-depth list: https://nmap.org/book/nse-usage.html)
Read through this script (smb-os-discovery.nse). What does it depend on?
smb-brute
Search for "smb" scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods. What is the filename of the script which determines the underlying OS of the SMB server?
smb-os-discovery.nse
Due to this difficulty in identifying whether a UDP port is actually open, UDP scans tend to be incredibly slow in comparison to the various TCP scans (in the region of 20 minutes to scan the first 1000 ports, with a good connection). For this reason, it's usually good practice to run an Nmap scan with --top-ports <number> enabled, which restricts the scan to the most commonly used ports.
An example of this being used is: nmap -sU --top-ports 20 <target>
There is a reason given for this -- what is it? Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!
Hint: run the scan using -vv.
Answer: No response
How would you activate a script from the nmap scripting library (lots more on this later!)?
--script
How would you activate all of the scripts in the "vuln" category?
--script=vuln
Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting?
-A
If you wanted to detect which operating system the target is running on, which switch would you use?
-O
What nmap switch will make sure to treat all scan hosts as if they were alive? (We need this because Nmap automatically pings a target before scanning it, and so it will otherwise skip anything that blocks ICMP packets.)
-Pn
Nmap offers five levels of "timing" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5?
-T5
[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
--data-length (To find this, type man nmap and go to the Firewall/IDS Evasion and Spoofing section, where you can see it for yourself.)
The following switches are of particular note:
-f: Used to fragment the packets (i.e. split them into smaller pieces), making it less likely that the packets will be detected by a firewall or IDS.
--mtu <number>: An alternative to -f, but providing more control over the size of the packets; accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay <time>ms: Used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
--badsum: Used to generate an invalid checksum for packets. Any real TCP/IP stack would drop this packet; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.
What switch would you use to save the nmap results in three major formats?
-oA
A very useful output format: how would you save results in a "grepable" format?
-oG
What switch would you use to save the nmap results in a "normal" format?
-oN
How would you tell nmap to scan ports 1000-1500?
-p 1000-1500
We can also choose which port(s) to scan. How would you tell nmap to only scan port 80?
-p 80
A very useful option that should not be ignored: How would you tell nmap to scan all ports?
-p-
As with TCP scans, SYN scans _______ are used to scan the TCP port-range of a target or targets; however, the two scan types work slightly differently. SYN scans are sometimes referred to as "Half-open" scans, or "Stealth" scans.
-sS
What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?
-sS
Which switch would you use for a "UDP scan"?
-sU
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV
Ping sweep switch for Nmap?
-sn (example: nmap -sn 192.168.0.x)
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it's highly advisable to always use at least this option)
-vv
The CIDR notation for a Class B network with a default netmask is ____
/16
[Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)
1024
Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
5
How many ports exist?
65,535
Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
999
Why are NULL, FIN and Xmas scans generally used?
Firewall evasion
There are two other names for a SYN scan, what are they?
Half-Open and Stealth
When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?
ICMP
Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
ICMP
When a packet is sent to a closed UDP port, the target should respond with an __________ packet containing a message that the port is unreachable. This clearly identifies closed ports, which Nmap marks as such and moves on.
ICMP (ping)
Which category of scripts would be a very bad idea to run in a production environment?
Intrusive
What language are NSE scripts written in?
Lua
Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Microsoft Windows
NSE (What does it stand for, and what language is it written in?)
Nmap Scripting Engine --- Lua Programming Language