2024-06-10T10:20:40+03:00[Europe/Moscow]
How to use Nmap?

  • how to check if the host is running
    ping <IP address> (sends ICMP echo requests; a reply means the host is up, no reply is inconclusive because ICMP is often filtered)
  • what does /24 mean?
    a CIDR prefix length: the first 24 bits of the address identify the network and the remaining 8 bits identify hosts, which gives 256 addresses. The network address and the broadcast address cannot be assigned to a device, so a /24 can hold up to 254 hosts.
  • what does a host refer to?
    any device that can connect to a network and communicate with other devices on it. A host is any computer or device with an IP address that lets it send and receive data: desktops, laptops, servers and workstations; smartphones and tablets; routers, switches and firewalls; smart home devices, sensors and other Internet of Things gadgets; network-connected printers and scanners.
  • how to check all hosts in network with a ping sweep (not a port scan)
    nmap -sn <network address>/24 (-sn means "no port scan": nmap only does host discovery, which on the local subnet is ARP requests and elsewhere, when run as root, is an ICMP echo plus a TCP SYN to port 443 and a TCP ACK to port 80)
  • what would you be able to see from a ping sweep
    which hosts are up (with hostnames where reverse DNS resolves) and, on the local subnet only, their MAC addresses with the manufacturer looked up from the OUI.
  • What are Mac addresses made up of?
    48 bits, usually written as six hex bytes. The first three bytes are the Organizationally Unique Identifier (OUI) assigned to the manufacturer; the last three bytes are assigned by that manufacturer to the individual interface.
  • can you see the mac address when using Nmap?
    only when you are on the same subnet (layer 2 segment) as the target, because MAC addresses are carried only in the local Ethernet frames and are replaced at every router hop. From outside the network nmap cannot show them.
  • do systems usually filter out pings?
    many do: Windows hosts block ICMP echo by default and most perimeter firewalls drop it, so a host that does not answer a ping is not necessarily down. nmap's host discovery therefore also uses TCP probes, and -Pn skips discovery entirely and treats every address as up.
  • What is a nmap -sT scan
    a TCP connect scan, also called a full-open scan. It is what nmap falls back to when it lacks raw-socket privileges (i.e. when not run as root).
  • what will a TCP connect scan show?
    every port that accepted a connection (open), answered with a RST (closed) or gave no answer (filtered), together with the service name nmap associates with that port number (http, smb, ipp and so on). Those names come from nmap's services table, not from talking to the service; identifying what is really listening needs -sV.
  • how does a TCP connect scan work?
    it completes a full TCP 3-way handshake with each port, exactly as a normal client application would, then closes the connection; a completed handshake means the port is open.
  • what is a 3 way handshake
    Alex wants to communicate with Bob. Alex sends a message saying "I want to connect with you, Bob" (SYN); Bob replies "okay, I want to talk to you as well, and this is how I am going to talk back" (SYN/ACK); Alex answers "okay, I accept how you want to communicate" (ACK). SYN, then SYN/ACK, then ACK.
  • what is TCP
    a connection-oriented protocol: a connection has to be set up with the 3-way handshake before any data is sent, and every segment sent is acknowledged by the other side.
  • how to specifically scan just a couple of ports with nmap?
    nmap -sT -p 22,80,443 <target> (the port list follows -p, separated by commas and without spaces)
  • how to do a SYN scan using nmap
    nmap -sS <target> (needs root or raw-socket privileges because nmap builds the SYN packets itself)
  • what kind of scan is SYN scan considered
    a half-open scan: instead of finishing the 3-way handshake it sends only the SYN, and when a SYN/ACK comes back (port open) it replies with a RST instead of an ACK, so no connection is ever established. A RST in reply to the SYN means the port is closed; no reply means filtered.
  • why is a SYN scan faster?
    because no connection is set up and torn down per port, nmap never waits on the OS socket layer and can keep many probes in flight. It is also quieter than a connect scan because the target application never sees a completed connection to log.
  • -sS (TCP SYN scan)
    a SYN scan, also known as a stealth scan, also known as a half-open scan, also known as a TCP SYN scan
  • are Stealth Scan really stealthy?
    not really: a finely tuned IDS (or even a firewall's default logging) will immediately detect the burst of SYNs. "Stealth" only means the target's services do not log a completed connection. NOT REALLY STEALTHY
  • if you do nmap network address what scan is it going to do by default
    a SYN (stealth) scan if you are root, a TCP connect scan otherwise, against the 1000 most commonly used TCP ports (not ports 1 to 1000)
  • How to control the speed of the Nmap Scan
    the -T timing templates, a scale from -T0 (paranoid) to -T5 (insane); the higher the number, the faster. -T3 (normal) is the default.
  • How can you do a low and slow scan
    add -T0 (paranoid: one probe every 5 minutes) or -T1 (sneaky: one probe every 15 seconds) to the scan; --scan-delay gives the same control with an explicit interval.
  • benefit of of doing a low and slow scan
    a chance of evading an IDS policy that would otherwise detect the scan: probes spread over hours do not look like one scanning process, so a threshold such as "N ports from one source within M seconds" never fires.
  • TCP null scan (-sN)
    sends TCP packets with no flags set at all and watches how the target and any firewall react: per RFC 793 a closed port answers a flagless packet with a RST while an open port stays silent, so "no reply" is reported as open|filtered. Windows and some other stacks send a RST either way, which makes the scan useless against them.
  • FIN scan (-sF)
    sends packets with only the FIN flag, the flag that normally closes an established TCP session, but here with no session behind it. Same logic as the null scan: RST back means closed, silence means open|filtered; it sometimes slips past stateless packet filters that only block SYNs.
  • Xmas scan (-sX)
    sets the FIN, PSH and URG flags together, "lighting up" the TCP header like a Christmas tree. Same closed-means-RST rule as the null and FIN scans.
  • Fast Mode (-F)
    scans the 100 most common ports instead of the default 1000
  • how to specify specific port ranges (-p)
    scans only the ports you name: a single port (-p 443), a range (-p 1-1024), a comma-separated list (-p 22,80,443), -p- for all 65535 ports, or a protocol prefix such as -p U:53,T:22 when mixing UDP and TCP
  • traceroute
    --traceroute can be added to an nmap scan to display the layer 3 hops (routers) between you and each target; nmap runs it after the scan using the probe type that worked best against that host.
  • Nmap scans are TCP, but can it also do UDP
    yes, with -sU (UDP scan). It can take a long time because UDP has no handshake and no acknowledgement: an open port usually does not answer at all, a closed port answers with an ICMP port-unreachable, so nmap reports silence as open|filtered and must wait for a timeout on every silent port. Most hosts also rate-limit those ICMP errors (Linux to about one per second), which stretches a full UDP scan to hours.
  • Decoy scan
    -D <decoy1,decoy2,ME,...> or -D RND:<n>: nmap sends the same probes from several spoofed source addresses as well as your own, so the target's logs show the scan coming from all of them and cannot tell which one is real. The decoys should be hosts that are up, otherwise the real scanner is easy to pick out.
  • Zombie scan
    -sI <zombie host>, also known as an idle scan. Unlike a decoy scan, your own address never appears in the scan traffic at all.
  • purpose of a Zombie scan
    a stealthy scan in which another host, the zombie, appears to be doing the scanning. nmap sends the SYN to the target with the zombie's address as the spoofed source and then infers the port state from the zombie's IP ID counter: it probes the zombie before and after, and if the counter advanced by two the target sent the zombie a SYN/ACK (port open), if by one the target sent a RST or nothing (closed or filtered). The zombie must be truly idle and must use a predictable, incrementing global IP ID. Your true IP never reaches the target; very important for an exam.
  • -S
    sends the scan packets with a spoofed source IP address of your choosing. Replies then go to that address rather than to you, so it is only useful when you can sniff them (usually combined with -e to choose the interface and -Pn) or when the goal is simply to make the target log someone else.
  • -f
    scans using fragmented packets: the TCP header is split across several small IP fragments
  • fragment attacks
    historically fragments were either passed unchecked by packet filters that only inspected the first fragment (bypassing the firewall) or used for denial of service, because reassembling the original packet from many fragments consumes router or firewall memory. Not very useful nowadays: modern firewalls and IDS reassemble fragments before inspecting them and are not fooled.
  • -O
    OS detection: nmap fingerprints the target's TCP/IP stack (its responses to specially crafted probes) and compares it with its fingerprint database to guess the operating system (Linux, Windows, Android and so on) and, where the fingerprint is specific enough, its version, reported with an accuracy percentage
  • -sV
    version detection: nmap sends protocol-specific probes to each open port and reports the protocol and the actual application running there with its version, plus a CPE (Common Platform Enumeration) identifier and, where it can tell, a device type (printer, phone, smart home device, game console and so on)
  • what is nginx a sign of
    a web server (or reverse proxy) is running on that port
  • Nmap Scripting Engine
    NSE lets nmap run Lua scripts against the hosts and ports it found, so more complex tasks (service enumeration, brute forcing, vulnerability checks) can be combined with the scan; scripts are selected with --script by name or by category
  • --script vuln
    runs every script in the "vuln" category against the discovered services to check for known vulnerabilities and report what it finds
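Added example for the /24, ping-sweep and TCP connect scan (-sT) cards above. This is not code from the original flashcards or from the nmap project: it reimplements, with only the Python standard library, what those cards describe, so the 254-host limit and the full handshake become visible. The Listener class and free_port() are test fixtures so the scanner can be exercised against 127.0.0.1; the services table used for naming ports is the OS /etc/services, standing in for nmap's own nmap-services file.

```python
"""Added example, not part of the original flashcards: what the /24 in a ping
sweep and a TCP connect scan (nmap -sT) do under the hood, using only the
Python standard library. Only scan hosts you are authorised to test; Listener
and free_port() are fixtures so the example can run against 127.0.0.1."""
import ipaddress
import socket
import threading


def usable_hosts(cidr: str) -> list[str]:
    """Usable host addresses of a prefix. A /24 leaves 8 host bits, i.e. 256
    addresses; ipaddress.hosts() drops the network and broadcast address,
    which is why nmap -sn on a /24 can report at most 254 hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def service_name(port: int, proto: str = "tcp") -> str:
    """Name a port the way nmap's default output does: by looking the number
    up in a services table (here the OS /etc/services), not by probing it.
    Finding out what really listens there is the job of version detection (-sV)."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict[int, str]:
    """TCP connect scan of `ports`. The OS completes the full SYN, SYN/ACK,
    ACK handshake for us, which is why this scan needs no raw sockets and why
    the target's application log shows a completed connection for every open
    port. States follow nmap: refused = closed, silence/unreachable = filtered."""
    results: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # handshake completed
                results[port] = "open"
            except ConnectionRefusedError:       # RST came back
                results[port] = "closed"
            except OSError:                      # timeout or unreachable
                results[port] = "filtered"
    return results


def free_port(host: str = "127.0.0.1") -> int:
    """Test fixture: an ephemeral port nobody is listening on, so a connect
    to it is refused (the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


class Listener:
    """Test fixture: a background TCP listener on an ephemeral port (the 'open' case)."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.5)                # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)
        self.thread.start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
                conn.close()                     # the scanner only needs the handshake
            except socket.timeout:
                continue
            except OSError:                      # socket closed: stop
                break

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wake a blocked accept()
        except OSError:
            pass
        self.sock.close()
        self.thread.join(timeout=2)


if __name__ == "__main__":
    print(len(usable_hosts("192.0.2.0/24")), "usable hosts in a /24")
    lst = Listener()
    for port, state in connect_scan("127.0.0.1", [lst.port, free_port()]).items():
        print(f"{port}/tcp {state} {service_name(port)}")
    lst.close()
```

Run it as root or not, it behaves the same: connect() never needs raw sockets, which is exactly why nmap falls back to -sT without privileges, and why every "open" result here also shows up in the listener's accept log.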
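Added example for the ping-sweep, MAC address, -sV, -O and --script cards above: a parser for nmap's XML output (-oX) that pulls out what those cards say a scan shows. This is not code from the flashcards or from nmap; the element and attribute names are nmap's documented XML layout, but SAMPLE_XML is a constructed sample, not the output of a real scan, and the vendor, version and script values in it are illustrative.

```python
"""Added example, not from the original flashcards: parse nmap -oX output to
list hosts that are up, MAC/vendor (present only when scanning the local
subnet), port states, service names and whether each name came from the
services table or from a -sV probe, version, CPE, OS guess and script output.
SAMPLE_XML is a constructed sample in nmap's real element layout."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O --script vuln -oX out.xml 192.0.2.0/24">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <address addr="B8:27:EB:12:34:56" addrtype="mac" vendor="Raspberry Pi Foundation"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.4p1" method="probed" conf="10">
     <cpe>cpe:/a:openbsd:openssh:8.4p1</cpe></service></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="nginx" version="1.18.0" method="probed" conf="10">
     <cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe></service>
    <script id="http-server-header" output="nginx/1.18.0"/></port>
   <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
    <service name="https" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
 </host>
 <host><status state="down" reason="no-response"/>
  <address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """One dict per <host>: ip, mac, vendor, status, os guess and a port list."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        rec = {"ip": None, "mac": None, "vendor": None,
               "status": h.find("status").get("state"), "os": None, "ports": []}
        for a in h.findall("address"):
            if a.get("addrtype") == "mac":        # only present on the local subnet
                rec["mac"], rec["vendor"] = a.get("addr"), a.get("vendor")
            else:
                rec["ip"] = a.get("addr")
        m = h.find("os/osmatch")
        if m is not None:
            rec["os"] = (m.get("name"), int(m.get("accuracy")))
        for p in h.findall("ports/port"):
            svc = p.find("service")
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rec["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "reason": p.find("state").get("reason"),
                "service": svc.get("name") if svc is not None else None,
                # "table": name guessed from the port number; "probed": -sV talked to it
                "method": svc.get("method") if svc is not None else None,
                "version": version,
                "cpe": [c.text for c in svc.findall("cpe")] if svc is not None else [],
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        hosts.append(rec)
    return hosts


def open_ports(hosts: list[dict]) -> dict[str, list[int]]:
    """ip -> open port numbers, for hosts that were up."""
    return {h["ip"]: [p["port"] for p in h["ports"] if p["state"] == "open"]
            for h in hosts if h["status"] == "up"}


def report(hosts: list[dict]) -> list[str]:
    """Human-readable lines, one per host plus one per port."""
    lines = []
    for h in hosts:
        if h["status"] != "up":
            continue
        who = f"{h['ip']} ({h['mac']} {h['vendor']})" if h["mac"] else h["ip"]
        os_note = f", OS {h['os'][0]} ({h['os'][1]}%)" if h["os"] else ""
        lines.append(f"{who} is up{os_note}")
        for p in h["ports"]:
            line = (f"  {p['port']}/{p['proto']} {p['state']:<8} "
                    f"{p['service'] or '?':<6} {p['version']} [{p['method']}]")
            lines.append(line.rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_nmap_xml(SAMPLE_XML))))
```

The method attribute is the detail worth noticing: port 443 is named "https" from the table with a low confidence because nothing answered, while 22 and 80 were actually probed and carry a product, version and CPE.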
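Added example for the zombie/idle scan cards above: a pure-Python model of the IP ID side channel that -sI relies on. This is not nmap's code and sends nothing on the wire; packets are dicts, the attacker, zombie and target are objects, and the addresses come from the documentation ranges. The Zombie models the assumption idle scan needs: an otherwise silent host whose IP stack numbers every packet it sends from one global counter that increases by one.

```python
"""Added example, not from the original flashcards: a pure-Python model of the
IP ID side channel behind nmap's idle/zombie scan (-sI). Nothing is sent on
the wire; packets are dicts and the three parties are objects. The Zombie
models what idle scan needs: an otherwise silent host whose IP stack numbers
every packet it sends from one global counter that goes up by one."""


class Network:
    """Routes packets by destination and keeps delivering replies until a host
    stays silent. The target answers whatever source address the SYN carried."""

    def __init__(self):
        self.hosts = {}

    def add(self, host):
        self.hosts[host.ip] = host
        host.net = self

    def send(self, pkt):
        while pkt is not None and pkt["dst"] in self.hosts:
            pkt = self.hosts[pkt["dst"]].receive(pkt)


class Zombie:
    def __init__(self, ip, ip_id=1000):
        self.ip, self.ip_id = ip, ip_id

    def _emit(self, pkt):
        self.ip_id += 1                 # every packet sent consumes one IP ID
        pkt["ip_id"] = self.ip_id
        return pkt

    def receive(self, pkt):
        if pkt["flags"] == "SYN/ACK":   # unsolicited SYN/ACK: the stack answers RST
            return self._emit({"src": self.ip, "dst": pkt["src"], "flags": "RST"})
        return None                     # unsolicited RST: dropped, nothing sent


class Target:
    def __init__(self, ip, open_ports=(), filtered_ports=()):
        self.ip = ip
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)
        self.seen_sources = set()       # shows that the scanner's IP never appears

    def receive(self, pkt):
        self.seen_sources.add(pkt["src"])
        if pkt["flags"] != "SYN" or pkt["dport"] in self.filtered_ports:
            return None                 # a bare RST, or the firewall drops it
        flags = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


class Attacker:
    def __init__(self, ip):
        self.ip, self.inbox = ip, []

    def receive(self, pkt):
        self.inbox.append(pkt)
        return None

    def probe_zombie(self, zombie_ip):
        """Steps 1 and 3: SYN/ACK to the zombie, read the IP ID off its RST."""
        self.net.send({"src": self.ip, "dst": zombie_ip, "flags": "SYN/ACK", "dport": 80})
        return self.inbox[-1]["ip_id"]

    def idle_scan_port(self, zombie_ip, target_ip, port):
        before = self.probe_zombie(zombie_ip)
        # Step 2: SYN to the target with the source spoofed to the zombie.
        # The target replies to the zombie, never to us.
        self.net.send({"src": zombie_ip, "dst": target_ip, "flags": "SYN", "dport": port})
        after = self.probe_zombie(zombie_ip)
        delta = after - before
        # +1: only our own probe made the zombie send (target sent RST or nothing)
        # +2: the zombie also had to RST a SYN/ACK from the target, so the port is open
        return ("open" if delta == 2 else "closed|filtered"), delta


def run_idle_scan(attacker, zombie_ip, target_ip, ports):
    return {p: attacker.idle_scan_port(zombie_ip, target_ip, p) for p in ports}


def build_lab():
    """Constructed lab: attacker, zombie and a target with one open, one closed
    and one firewalled port."""
    net = Network()
    attacker, zombie = Attacker("203.0.113.5"), Zombie("192.0.2.20")
    target = Target("192.0.2.30", open_ports={22}, filtered_ports={443})
    for h in (attacker, zombie, target):
        net.add(h)
    return attacker, zombie, target


if __name__ == "__main__":
    attacker, zombie, target = build_lab()
    for port, (state, delta) in run_idle_scan(attacker, zombie.ip, target.ip, [22, 80, 443]).items():
        print(f"{port}/tcp {state} (zombie IP ID advanced by {delta})")
    print("target saw sources:", sorted(target.seen_sources))
```

The model also shows why the scan breaks in practice: if the zombie sends any traffic of its own between the two probes, or randomises its IP IDs, the delta no longer distinguishes open from closed, which is why nmap tests a candidate zombie's IP ID behaviour before using it and why closed and filtered cannot be told apart.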