Questions List
Task 1 : Deploy VM
No Questions Here

Task 2 : Intro
Q: What networking constructs are used to direct traffic to the right application on a server?
A: ports
Q: How many of these are available on any network-enabled computer?
A: 65535
Q: How many of these are considered "well-known"?
A: 1024

Task 3 : Nmap Switches
Q: What is the first switch listed in the help menu for a 'Syn Scan'?
A: -sS
Hint: man nmap | grep -i syn
Q: Which switch would you use for a "UDP scan"?
A: -sU
Hint: man nmap | grep -i udp
Q: If you wanted to detect which operating system the target is running on, which switch would you use?
A: -O
Hint: man nmap | grep -i os
Q: switch to detect the version of the services running on the target. What is this switch?
A: -sV
Hint: man nmap | grep -i version
Q: How would you increase the verbosity?
A: -v
Hint: man nmap | grep -i verbosity
Q: How would you set the verbosity level to two?
Hint: man nmap | grep -i verbosity
Q: What switch would you use to save the nmap results in three major formats?
Hint: man nmap | grep -i format
Q: What switch would you use to save the nmap results in a "normal" format?
A: -oN
Hint: man nmap | grep -i format
Q: How would you save results in a "grepable" format?
A: -oG
Hint: man nmap | grep -i grepable
Q: How would you activate this aggressive mode?
A: -A
Hint: man nmap | grep -i aggressive
Q: How would you set the timing template to level 5?
A: -T5
Hint: man nmap | grep -i timing
Q: How would you tell nmap to only scan port 80?
A: -p 80
Hint: man nmap | grep -i port | grep -i scan
Q: How would you tell nmap to scan ports 1000-1500?
A: -p 1000-1500
Hint: man nmap | grep -i port | grep -i range
Q: How would you tell nmap to scan all ports?
A: -p-
Hint: man nmap | grep -i port | grep -i scan
Q: How would you activate a script from the nmap scripting library?
A: --script
Hint: man nmap | grep -i script
Q: How would you activate all of the scripts in the "vuln" category?
A: --script=vuln
Hint: man nmap | grep -i script

Task 4 : Scan Types Overview
No Questions Here

Task 5 : Scan Types TCP Connect Scans
Q: Which RFC defines the appropriate behaviour for the TCP protocol?
A: RFC 793
Q: If a port is closed, which flag should the server send back to indicate this?
A: rst

Task 6 : Scan Types SYN Scans
Q: There are two other names for a SYN scan, what are they?
A: half-open stealth
Q: Can Nmap use a SYN scan without Sudo permissions (Y/N)?
A: n

Task 7 : Scan Types UDP Scans
Q: If a UDP port doesn't respond to an Nmap scan, what will it be marked as?
A: open|filtered
Q: When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?
A: ICMP

Task 8 : Scan Types NULL, FIN and Xmas
Q: Which of the three shown scan types uses the URG flag?
A: xmas
Q: Why are NULL, FIN and Xmas scans generally used?
A: firewall evasion
Q: Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
A: microsoft windows

Task 9 : Scan Types ICMP Network Scanning
Q: How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
Ref: Target Specification (Nmap Network Scanning)
Ref: CIDR notation (Nmap)
A: nmap -sn 172.16.0.0/16

Task 10 : NSE Scripts Overview
Q: What language are NSE scripts written in?
A: lua
Q: Which category of scripts would be a very bad idea to run in a production environment?
A: intrusive

Task 11 : NSE Scripts Working with the NSE
Q: What optional argument can the ftp-anon.nse script take?
Ref: ftp-anon NSE Script
A: maxlist

Task 12 : NSE Scripts Searching for Scripts
Q: What is the filename of the script which determines the underlying OS of the SMB server?
A: smb-os-discovery.nse
Hint: grep "smb" /usr/share/nmap/scripts/script.db | grep -i os
Q: What does it depend on?
A: smb-brute
Hint: cat smb-os-discovery.nse | grep -i depend

Task 13 : Firewall Evasion
Q: Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
A: ICMP
Q: Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
A: --data-length
Hint: man nmap | grep -i append | grep -i random

Task 14 : Practical
Q: Does the target (IP_Address) respond to ICMP (ping) requests (Y/N)?
Hint: ping IP_Address
Hint: Wait for response
Q: Perform an Xmas scan on the first 999 ports of the target - how many ports are shown to be open or filtered?
Hint: nmap -sX IP_Address -p 1-999
Hint: nmap -sX IP_Address -p 1-999 -vv
Q: There is a reason given for this - what is it?
A: no response
Q: A TCP SYN scan on the first 5000 ports of the target - how many ports are shown to be open?
Hint: nmap -sS IP_Address -p 1-5000 -vv
Q: Perform a TCP Connect scan against port 80 on the target, monitoring the results
Hint: nmap -sT IP_Address -p 80
Q: Deploy the ftp-anon script against the box. Can Nmap log in successfully to the FTP server on port 21? (Y/N)
Hint: nmap --script=ftp-anon IP_Address

Task 15 : Conclusion
No Questions Here