Task 3 - Nmap Switches

What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)?

https://nmap.org/book/synscan.html
Reveal Flag đŸš©

đŸš©-sS

Which switch would you use for a "UDP scan"?

https://nmap.org/book/scan-methods-udp-scan.html
Reveal Flag đŸš©

đŸš©-sU

If you wanted to detect which operating system the target is running on, which switch would you use?

https://nmap.org/book/osdetect-usage.html#osdetect-ex-scanme1
Reveal Flag đŸš©

đŸš©-O

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

https://nmap.org/book/man-version-detection.html
Reveal Flag đŸš©

đŸš©-sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

https://nmap.org/book/man-output.html
Reveal Flag đŸš©

đŸš©-v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it's highly advisable to always use at least this option)

https://nmap.org/book/output-formats-commandline-flags.html#output-formats-flags-verbosity

Verbosity and debugging options

-v (Increase verbosity level) , -v (Set verbosity level)

Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.

Reveal Flag đŸš©

đŸš©-vv

We should always save the output of our scans -- this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.

What switch would you use to save the nmap results in three major formats?

https://nmap.org/book/output-formats-commandline-flags.html#output-formats-flags-verbosity

As a convenience, you may specify -oA to store scan results in normal, XML, and grepable formats at once. They are stored in .nmap, .xml, and .gnmap, respectively.

Reveal Flag đŸš©

đŸš©-oA

What switch would you use to save the nmap results in a "normal" format?

https://nmap.org/book/output-formats-normal-output.html
Reveal Flag đŸš©

đŸš©-oN

A very useful output format: how would you save results in a "grepable" format?

https://nmap.org/book/output-formats-grepable-output.html
Reveal Flag đŸš©

đŸš©-oG

Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

How would you activate this setting?

https://linux.die.net/man/1/nmap

-A: Enable OS detection, version detection, script scanning, and traceroute

Reveal Flag đŸš©

đŸš©-A

Nmap offers five levels of "timing" template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

https://nmap.org/book/performance-timing-templates.html
Reveal Flag đŸš©

đŸš©-T5

We can also choose which port(s) to scan.

How would you tell nmap to only scan port 80?

https://nmap.org/book/man-port-specification.html
Reveal Flag đŸš©

đŸš©-p 80

How would you tell nmap to scan ports 1000-1500?

Reveal Flag đŸš©

đŸš©-p 1000-1500

A very useful option that should not be ignored:

How would you tell nmap to scan all ports?

https://nmap.org/book/man-port-specification.html

So you can specify -p- to scan ports from 1 through 65535.

Reveal Flag đŸš©

đŸš©-p-

How would you activate a script from the nmap scripting library (lots more on this later!)?

https://nmap.org/book/man-nse.html
Reveal Flag đŸš©

đŸš©--script

How would you activate all of the scripts in the "vuln" category?

https://nmap.org/book/nse-usage.html#nse-category-vuln

These scripts check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln.

Reveal Flag đŸš©

đŸš©--script=vuln

Last updated