Nmap

Aman
5 min read · Aug 5, 2023


Task 2 Introduction

1) What networking constructs are used to direct traffic to the right application on a server?

Ans :- Ports

2) How many of these are available on any network-enabled computer?

Ans :- 65535

3) [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

Ans :- 1024

Task 3 Nmap Switches

1) What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

Ans :- -sS

2) Which switch would you use for a “UDP scan”?

Ans :- -sU

3) If you wanted to detect which operating system the target is running on, which switch would you use?

Ans :- -O

4) Nmap provides a switch to detect the version of the services running on the target. What is this switch?

Ans :- -sV

5) The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

Ans :- -v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)

We should always save the output of our scans — this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.

6) What switch would you use to save the nmap results in three major formats?

Ans :- -oA

7) What switch would you use to save the nmap results in a “normal” format?

Ans :- -oN

8) A very useful output format: how would you save results in a “grepable” format?

Ans :- -oG

Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

9) How would you activate this setting?

Ans :- -A

Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

10) How would you set the timing template to level 5?

Ans :- -T5

We can also choose which port(s) to scan.

11) How would you tell nmap to only scan port 80?

Ans :- -p 80

12) How would you tell nmap to scan ports 1000–1500?

Ans :- -p 1000-1500

A very useful option that should not be ignored:

13) How would you tell nmap to scan all ports?

Ans :- -p-

14) How would you activate a script from the nmap scripting library (lots more on this later!)?

Ans :- --script

15) How would you activate all of the scripts in the “vuln” category?

Ans :- --script=vuln
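Saving output (questions 6 to 8) is only useful if you actually read it back instead of re-running the scan. The grepable (-oG) format is the easiest to post-process with standard tools. The script below is an added example, not part of the original post or of the Nmap project: it parses a constructed -oG sample (the host, ports and service names are made up, not results from the room's target) and lists the ports recorded as open, which is the kind of check you would run over a saved scan before writing it up.

```shell
#!/bin/sh
# Added example (not from the original post): read nmap "grepable" (-oG) output
# back and list open ports per host. SAMPLE_GREPABLE is CONSTRUCTED sample data
# shaped like a real .gnmap file; the services and versions are made up.
# Fields on a "Host:" line are tab-separated; each entry in the "Ports:" field is
#   port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GREPABLE=$(printf '# Nmap scan initiated (constructed sample): nmap -sS -sV -p- -oG scan.gnmap 10.10.99.0\nHost: 10.10.99.0 ()\tStatus: Up\nHost: 10.10.99.0 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (65531)\n# Nmap done (constructed sample): 1 IP address (1 host up) scanned\n')

# Print "host port/proto service" for every port whose state is "open".
# Comment lines (starting with #) and Host lines without a Ports: field are skipped.
list_open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host)      # drop the "Host: " prefix
            sub(/ .*/, "", host)          # keep only the address, drop " (hostname)"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    ports = $i
                    sub(/^Ports: /, "", ports)
                    n = split(ports, entry, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        # f[1] = port, f[2] = state, f[3] = protocol, f[5] = service
                        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                    }
                }
            }
        }'
}

# Number of open ports in the saved scan, for a one-line summary.
count_open_ports() {
    list_open_ports "$1" | wc -l | tr -d ' '
}

list_open_ports "$SAMPLE_GREPABLE"
echo "open ports: $(count_open_ports "$SAMPLE_GREPABLE")"
```

To use it on a real saved scan, replace the constructed sample with `"$(cat scan.gnmap)"`; the parser only relies on the documented field layout of the grepable format, so ports reported as closed or filtered are left out of the list.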

Task 5 [Scan Types] TCP Connect Scans

1) Which RFC defines the appropriate behaviour for the TCP protocol?

Ans :- RFC 793

2) If a port is closed, which flag should the server send back to indicate this?

Ans :- RST

Task 6 [Scan Types] SYN Scans

1) There are two other names for a SYN scan, what are they?

Ans :- Half-Open, stealth

2) Can Nmap use a SYN scan without Sudo permissions (Y/N)?

Ans :- N

Task 7 [Scan Types] UDP Scans

1) If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Ans :- open|filtered

2) When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Ans :- ICMP

Task 8 [Scan Types] NULL, FIN And Xmas

1) Which of the three shown scan types uses the URG flag?

Ans :- xmas

2) Why are NULL, FIN and Xmas scans generally used?

Ans :- Firewall Evasion

3) Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Ans :- Microsoft Windows

Task 9 [Scan Types] ICMP Network Scanning

1) How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Ans :- nmap -sn 172.16.0.0/16

Task 10 [NSE Scripts] Overview

1) What language are NSE scripts written in?

Ans :- lua

2) Which category of scripts would be a very bad idea to run in a production environment?

Ans :- intrusive

Task 11 [NSE Scripts] Working with the NSE

1) What optional argument can the ftp-anon.nse script take?

Ans :- maxlist

Task 12 [NSE Scripts] Searching For Scripts

1) What is the filename of the script which determines the underlying OS of the SMB server?

Ans :- smb-os-discovery.nse

2) Read through this script. What does it depend on?

Ans :- smb-brute

Task 13 Firewall Evasion

1) Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

Ans :- ICMP

2) [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

Ans :- --data-length

Task 14 Practical

1) Does the target (10.10.99.0) respond to ICMP (ping) requests (Y/N)?

Ans :- N

2) Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

Ans :- 999

3) There is a reason given for this — what is it?

Ans :- No Response

4) Perform a TCP SYN scan on the first 10000 ports of the target — how many ports are shown to be open?

Ans :- 5

5) Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

Ans :- No answer needed

6) Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Ans :- Y

Task 15 Conclusion

I have now completed the Further Nmap room — enjoyed it, and learnt something new!
