Tryhackme | Nmap

Nehru G
5 min read · Jan 6, 2022

# Task 1 - Deploy

1. Deploy the attached VM

Answer: No answer needed

# Task 2 - Introduction

2.1 - What networking constructs are used to direct traffic to the right application on a server?

Answer: ports

2.2 - How many of these are available on any network-enabled computer?

Answer: 65535

2.3 - [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

Answer: 1024

# Task 3 - Nmap Switches

3.1 - What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?

Answer: -sS

3.2 - Which switch would you use for a “UDP scan”?

Answer: -sU

3.3 - If you wanted to detect which operating system the target is running on, which switch would you use?

Answer: -O

3.4 - Nmap provides a switch to detect the version of the services running on the target. What is this switch?

Answer: -sV

3.5 - The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

Answer: -v

3.6 - Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)

Answer: -vv

3.7 - We should always save the output of our scans — this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.

What switch would you use to save the nmap results in three major formats?

Answer: -oA

3.8 - What switch would you use to save the nmap results in a “normal” format?

Answer: -oN

3.9 - A very useful output format: how would you save results in a “grepable” format?

Answer: -oG

3.10 - Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

How would you activate this setting?

Answer: -A

3.11 - Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

Answer: -T5

3.12 - We can also choose which port(s) to scan.

How would you tell nmap to only scan port 80?

Answer: -p 80

3.13 - How would you tell nmap to scan ports 1000-1500?

Answer: -p 1000-1500

3.14 - A very useful option that should not be ignored:

How would you tell nmap to scan all ports?

Answer: -p-

3.15 - How would you activate a script from the nmap scripting library (lots more on this later!)?

Answer: --script

3.16 - How would you activate all of the scripts in the “vuln” category?

Answer: --script=vuln

# Task 4 - Scan Types Overview

4.1 - Read the Scan Types Introduction.

Answer: No answer needed

# Task 5 - Scan Types: TCP Connect Scans

5.1 - Which RFC defines the appropriate behaviour for the TCP protocol?

Answer: RFC 793

5.2 - If a port is closed, which flag should the server send back to indicate this?

Answer: RST

# Task 6 - Scan Types: SYN Scans

6.1 - There are two other names for a SYN scan, what are they?

Answer: Half-Open, Stealth

6.2 - Can Nmap use a SYN scan without Sudo permissions (Y/N)?

Answer: N

# Task 7 - Scan Types: UDP Scans

7.1 - If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

Answer: open|filtered

7.2 - When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Answer: ICMP

# Task 8 - Scan Types: NULL, FIN and Xmas

8.1 - Which of the three shown scan types uses the URG flag?

Answer: ICMP

8.2 - Why are NULL, FIN and Xmas scans generally used?

Answer: Firewall Evasion

8.3 - Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

Answer: Microsoft Windows

# Task 9 - Scan Types: ICMP Network Scanning

9.1 - How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)

Answer: nmap -sn 172.16.0.0/16

# Task 10 - NSE Scripts: Overview

10.1 - What language are NSE scripts written in?

Answer: Lua

10.2 - Which category of scripts would be a very bad idea to run in a production environment?

Answer: intrusive

# Task 11 - NSE Scripts: Working with the NSE

11.1 - What optional argument can the ftp-anon.nse script take?

Answer: maxlist

# Task 12 - NSE Scripts: Searching for Scripts

12.1 - Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?

Answer: smb-os-discovery.nse

12.2 - Read through this script. What does it depend on?

Answer: smb-brute

# Task 13 - Firewall Evasion

13.1 - Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

Answer: ICMP

13.2 - [Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

Answer: --data-length

# Task 14 - Practical

14.1 - Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?

Answer: N

14.2 - Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

Answer: 999

14.3 - There is a reason given for this — what is it?

Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!

Answer: No Response

14.4 - Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

Answer: 5

14.5 - Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

Answer: No answer needed

14.6 - Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Answer: Y

# Task 15 - Conclusion

15.1 - Read the conclusion.

Answer: Done!
