#1 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
#2 Which switch would you use for a “UDP scan”?
#3 If you wanted to detect which operating system the target is running on, which switch would you use?
#4 Nmap provides a switch to detect the version of the services running on the target. What is this switch?
#5 The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
#6 Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)
#7 What switch would you use to save the nmap results in three major formats?
-oA <basename> command will store scan results in normal, XML and grepable formats at once in <basename>.nmap, <basename>.xml and <basename>.gnmap.
Tips: -o stands for output while -O stands for operating system (See #3)
#8 What switch would you use to save the nmap results in a “normal” format?
#9 A very useful output format: how would you save results in a “grepable” format?
#10 Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
#11 Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors! How would you set the timing template to level 5?
#12 How would you tell nmap to only scan port 80?
#13 How would you tell nmap to scan ports 1000–1500?
#14 How would you tell nmap to scan all ports?
#15 How would you activate a script from the nmap scripting library?
#16 How would you activate all of the scripts in the “vuln” category?
To understand more about NMAP, check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!