# Task 3 - Nmap Switches ### What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-sS`
### Which switch would you use for a "UDP scan"? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-sU`
### If you wanted to detect which operating system the target is running on, which switch would you use? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-O`
### Nmap provides a switch to detect the version of the services running on the target. What is this switch? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-sV`
### The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-v`
### Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it's highly advisable to always use at least this option) {% embed url="" %} {% endembed %} #### Verbosity and debugging options -v (Increase verbosity level) , -v (Set verbosity level) > Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-vv`
**We should always save the output of our scans -- this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.** ### What switch would you use to save the nmap results in three major formats? {% embed url="" %} {% endembed %} > As a convenience, you may specify -oA to store scan results in normal, XML, and grepable formats at once. They are stored in .nmap, .xml, and .gnmap, respectively.
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-oA`
### What switch would you use to save the nmap results in a "normal" format? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-oN`
### A very useful output format: how would you save results in a "grepable" format? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-oG`
**Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.** ### How would you activate this setting? {% embed url="" %} {% endembed %} > -A: Enable OS detection, version detection, script scanning, and traceroute
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-A`
**Nmap offers five levels of "timing" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!** ### How would you set the timing template to level 5? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-T5`
**We can also choose which port(s) to scan.** ### How would you tell nmap to only scan port 80? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-p 80`
### How would you tell nmap to scan ports 1000-1500?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-p 1000-1500`
**A very useful option that should not be ignored:** ### How would you tell nmap to scan all ports? {% embed url="" %} {% endembed %} > So you can specify -p- to scan ports from 1 through 65535.
Reveal Flag 🚩 :triangular\_flag\_on\_post:`-p-`
### How would you activate a script from the nmap scripting library (lots more on this later!)? {% embed url="" %} {% endembed %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`--script`
### How would you activate all of the scripts in the "vuln" category? {% embed url="" %} {% endembed %} > These scripts check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln. {% hint style="warning" %} **HINT:** There are two variants of this switch. One with a space, one with the equals sign. Look at the asterisks in the answer field to see which one it is. {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`--script=vuln`
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thmflags.gitbook.io/thm-walkthroughs/difficulty-easy/nmap/task-3-nmap-switches.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.