Nmap for Network Security

Q.1 What is Nmap, and what is it used for?
Nmap (Network Mapper) is an open-source tool for network discovery and security auditing; through its scripting engine (NSE) it also performs version-based vulnerability checks. It identifies live hosts, open ports, the services and versions behind them, operating systems, and filtering devices in the path.
Q.2 How do you install Nmap on Windows/Linux?
Windows: Download the installer from nmap.org and follow the setup instructions.
Linux: Use the package manager, e.g. sudo apt install nmap on Debian/Ubuntu or sudo dnf install nmap (sudo yum install nmap on older releases) on Red Hat-based systems. Distribution packages can lag behind the release on nmap.org, which matters for newer NSE scripts and service fingerprints.
Q.3 What is the difference between SYN scan and TCP connect scan?
SYN Scan (-sS): Sends a SYN and classifies the port from the reply: SYN/ACK means open, RST means closed, and no reply (or an ICMP unreachable error) means filtered. Nmap then answers the SYN/ACK with a RST instead of the final ACK, so the handshake is never completed and the listening application never receives a connection it could log. Raw packets are needed, so this requires root/Administrator; it is the default scan type for privileged users.
TCP Connect Scan (-sT): Uses the operating system's connect() call, so every probe to an open port completes the full three-way handshake and is visible to the application (and its logs) as a real connection. It needs no special privileges and is the default for unprivileged users, but it is slower and noisier, and its results depend on the OS's error reporting rather than on the raw replies Nmap saw.
Q.4 What is the difference between a normal scan and a stealth scan?
Normal Scan (-sT): Completes the full three-way handshake, so the target service sees and can log a connection from the scanner's address.
Stealth Scan (-sS): Sends SYN probes and tears each half-open connection down with a RST, so the application never gets a connection to log. The "stealth" is relative: a stateful firewall or IDS sees the SYNs either way and detects SYN scans trivially.
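The difference between the two scans is easiest to see from the target's side. The following is an added example, not code from this page or from the Nmap project: a connect scan written with Python's socket module, run against a constructed listener on 127.0.0.1 (the listener, the held closed port and the port list are all constructed so it runs offline). The listener never calls accept() while the scan runs, yet the kernel completes the handshake and the connection sits in its accept queue, which is exactly what a daemon's access log would record; a -sS probe would leave nothing there.

```python
"""TCP connect scan against a local listener, to show what -sT does on the wire.

Added example for this page, not Nmap's own code. The listener, the held
closed port and the port list are constructed so it runs offline on 127.0.0.1.
"""
import socket

HOST = "127.0.0.1"


class FakeService:
    """Constructed TCP service. It does not accept() during the scan, which
    makes the point: the kernel completes the three-way handshake anyway, so
    each probe to an open port lands in the accept queue where a real daemon
    would pick it up and log the client address."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((HOST, 0))            # port 0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def connections_seen(self):
        """Drain the accept queue: every entry is a client whose handshake
        completed, i.e. a connection the service could have logged."""
        self.sock.setblocking(False)
        peers = []
        while True:
            try:
                conn, peer = self.sock.accept()
            except BlockingIOError:
                break
            peers.append(peer)
            conn.close()
        return peers

    def close(self):
        self.sock.close()


def connect_scan(host, ports, timeout=1.0):
    """Classify ports the way nmap -sT does, via the OS connect() call.

    open      connect() returned: SYN sent, SYN/ACK received, ACK sent
    closed    the kernel received a RST (ConnectionRefusedError)
    filtered  nothing came back before the timeout, or an ICMP error
    No raw-socket privilege is needed, and the handshake completes, which
    is exactly why the target can log the scan.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                      # includes socket.timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results


def demo():
    """Scan one listening port and one closed port on localhost.

    The closed port is held by a socket that is bound but never listen()ed
    on: the OS cannot hand the number out again, yet a SYN to it is refused
    with a RST. Returns (results, open port, closed port, connections the
    service saw); the service sees exactly one, from the probe of the open port.
    """
    svc = FakeService()
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((HOST, 0))
    closed_port = holder.getsockname()[1]
    try:
        results = connect_scan(HOST, [svc.port, closed_port])
        seen = len(svc.connections_seen())
    finally:
        holder.close()
        svc.close()
    return results, svc.port, closed_port, seen


if __name__ == "__main__":
    results, open_port, closed_port, seen = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print(f"service saw {seen} completed connection(s)")
```

Run it as an ordinary user; no raw sockets are involved, which is also why -sT is what Nmap falls back to when it is not run as root. Reproducing the -sS side would mean sending the SYN and reading the SYN/ACK through a raw socket yourself, and root to open that socket.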
Q.5 What is the difference between -p- and -p1-65535 in Nmap?
Both scan ports 1 through 65535; -p- is simply shorthand for -p1-65535. Neither form includes port 0, which must be requested explicitly (for example -p0-).
Q.6 How can you evade firewalls while using Nmap?
Some techniques include (none of them defeats a stateful firewall or an IDS that reassembles fragments and counts probes per source; they mainly confuse simple packet filters and signature matches):
Fragmenting probe packets: nmap -f <target> (use -ff or --mtu <multiple of 8> for even smaller fragments; this needs raw packets, so it works with -sS but not with -sT)
Hiding among decoys: nmap -D RND:5 <target> sends the same probes from five random spoofed addresses as well as your own, so the real source is one of six candidates in the target's logs
Choosing a trusted source port: nmap --source-port 53 <target> (or -g 53) to pass filters that allow traffic that looks like DNS replies
Randomizing target order: nmap --randomize-hosts <range> (port order is already randomized by default)
Slowing down: nmap -T2 <target> ("polite" timing: serialized probes with a 0.4 s delay), or an explicit --scan-delay, to stay below rate-based alert thresholds
Q.7 How can you detect a firewall using Nmap?
Nmap has no single "detect firewall" switch, but several options reveal filtering:
nmap -sA <target> (ACK scan): an unsolicited ACK that reaches a host draws a RST whether the port is open or closed, so such ports are reported unfiltered; no reply or an ICMP unreachable error means filtered, i.e. a stateful firewall (or a filter that tracks connections) dropped the probe. -sA therefore tells you about filtering, not about which ports are open; compare it with -sS output to see which services the firewall is protecting.
nmap --packet-trace <target>: prints every packet sent and received, so you can see which probes draw RSTs, which draw ICMP errors (and from which address; an admin-prohibited error from an intermediate hop is a filter announcing itself), and which get nothing.
nmap --traceroute <target>: maps the hops to the target; the hop after which probes stop being answered is often the filtering device.
Q.8 How can you limit the number of concurrent Nmap scans to avoid detection?
Nmap runs one scan per invocation but keeps many probes in flight, and throttling those probes is what keeps a scan below rate-based alerts:
--max-rate <packets per second> caps the sending rate. Note that --min-rate sets a floor and exists to speed scans up, so --min-rate 10 --max-rate 50 only promises to stay between 10 and 50 packets per second.
--max-parallelism <n> caps how many probes may be outstanding at once, and --scan-delay <time> forces a pause between probes to one host.
Example: nmap -sS -p- --max-rate 50 --max-parallelism 1 --scan-delay 200ms <target>
The -T2 (polite) template applies similar limits for you. A full-port scan at these rates takes a long time; that is the trade-off.
Q.9 What is the purpose of the --script-trace option in Nmap?
The --script-trace option prints all data that NSE scripts send and receive (the application-layer counterpart of --packet-trace), so you can see the exact requests a script made and the responses it based its output on. It is the first thing to turn on when a script returns nothing or something surprising:
nmap -p 80 --script=http-title --script-trace <target>
Q.10 What is a zombie host in an Idle Scan, and how do you use it?
In an idle scan (-sI) Nmap never sends a packet to the target from its own address. It spoofs SYN probes so they appear to come from a third host, the zombie, and reads the target's answer indirectly from the zombie's IP ID counter: Nmap probes the zombie to learn its current IP ID, sends the spoofed SYN to the target, then probes the zombie again. If the port is open, the target sends the zombie a SYN/ACK and the zombie answers it with a RST, so its IP ID advances by two between the probes; if the port is closed or filtered it advances by one. The zombie must genuinely be idle and use a simple incremental IP ID sequence (the ipidseq NSE script rates candidates), and spoofing requires raw packet privileges. Target logs and firewalls see the zombie's address, not yours. Example:
nmap -Pn -sI <zombie>[:<probe-port>] -p 22,80,443 <target>
Use -Pn so that host discovery does not contact the target from your real address; the optional probe port is the zombie port Nmap queries (default 80).
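The IP ID arithmetic is easier to trust once you have watched the exchange. The following is an added example, not Nmap's code or the page's: a small Python model with a zombie, a target and an unmodelled scanner exchanging dict "packets". The host names, the ports and the starting IP ID of 1000 are constructed. It shows the +2/+1 rule, why a filtered port is indistinguishable from a closed one in an idle scan, and what a zombie that is not idle does to the result.

```python
"""Idle scan (nmap -sI) modelled offline: zombie, target and the IP ID arithmetic.

Added example for this page, not Nmap's own code. Hosts and packets (plain
dicts) are constructed; the point is the sequence of exchanges and why the
zombie's IP ID moves by 2 for an open port and by 1 otherwise.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    """Minimal TCP/IP stack: answers SYN and SYN/ACK, and stamps every packet
    it sends with an incrementing IP ID (the property idle scan depends on)."""
    name: str
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)   # SYNs silently dropped
    ip_id: int = 1000                                   # constructed start value

    def _send(self, to, flags):
        self.ip_id = (self.ip_id + 1) & 0xFFFF          # one datagram, one increment
        return {"src": self.name, "dst": to["src"], "sport": to["dport"],
                "dport": to["sport"], "flags": flags, "ip_id": self.ip_id}

    def receive(self, pkt):
        """Return the reply a real stack would send, or None."""
        if pkt["flags"] == "SYN":
            if pkt["dport"] in self.filtered_ports:
                return None                             # dropped: no reply at all
            if pkt["dport"] in self.open_ports:
                return self._send(pkt, "SYN/ACK")
            return self._send(pkt, "RST")
        if pkt["flags"] == "SYN/ACK":
            return self._send(pkt, "RST")   # unsolicited SYN/ACK: RFC 793 says reset it
        return None                         # RST and anything else: never answered

    def background_traffic(self, n):
        """Constructed: the host sends n unrelated packets, as a non-idle zombie would."""
        for _ in range(n):
            self.ip_id = (self.ip_id + 1) & 0xFFFF


class Network:
    def __init__(self, *hosts):
        self.hosts = {h.name: h for h in hosts}

    def deliver(self, pkt):
        """Hand pkt to its destination, follow any reply chain, return the
        direct reply. Packets to an unmodelled name (the scanner) just land."""
        dst = self.hosts.get(pkt["dst"])
        if dst is None:
            return None
        reply = dst.receive(pkt)
        if reply is not None:
            self.deliver(reply)             # e.g. the zombie's RST back to the target
        return reply


SCANNER = "scanner"   # our real address, which the target never sees


def probe_zombie(net, zombie):
    """SYN/ACK the zombie from our real address; its RST carries its current IP ID."""
    reply = net.deliver({"src": SCANNER, "dst": zombie, "sport": 40000,
                         "dport": 80, "flags": "SYN/ACK"})
    return reply["ip_id"]


def idle_scan_port(net, zombie, target, port, zombie_noise=0):
    before = probe_zombie(net, zombie)
    # Spoofed SYN: the source is the zombie, so the target's reply goes there.
    net.deliver({"src": zombie, "dst": target, "sport": 40001,
                 "dport": port, "flags": "SYN"})
    net.hosts[zombie].background_traffic(zombie_noise)   # 0 for a truly idle zombie
    after = probe_zombie(net, zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"              # zombie RST'd the target's SYN/ACK, then RST'd our probe
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing; zombie only answered our probe
    return "unreliable"            # zombie not idle, or its IP ID is not incremental


def build_demo_network():
    """Constructed lab: one idle zombie, one target with 22 open and 135 filtered."""
    return Network(Host("zombie"), Host("target", open_ports={22}, filtered_ports={135}))


if __name__ == "__main__":
    net = build_demo_network()
    for p in (22, 80, 135):
        print(f"{p}/tcp {idle_scan_port(net, 'zombie', 'target', p)}")
    print("busy zombie:", idle_scan_port(net, "zombie", "target", 22, zombie_noise=5))
```

Real stacks complicate this: Nmap probes the zombie several times to measure its baseline rate, sends multiple spoofed SYNs per port, and gives up on zombies whose IP IDs are randomized or per-destination, which is what the ipidseq script screens for.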
Q.11 How can you find vulnerable services using Nmap?
Use the Nmap Scripting Engine (NSE) vuln category together with version detection, because most of these scripts key off the service and version that -sV identifies:
nmap -sV --script=vuln <target>
The scripts report known vulnerabilities (with CVE identifiers where they exist) in the detected software, plus common misconfigurations. They only check, they do not exploit, and several are version-based, so confirm findings before acting on them. Some scripts in the category are intrusive; review what a script does (nmap --script-help <name>) before running it against production systems.
Q.12 How do you perform a scan to detect live hosts on a network?
Use -sn, which performs host discovery and skips the port scan:
nmap -sn 192.168.1.0/24
As a privileged user, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to each address; on a directly connected Ethernet segment it sends ARP requests instead, which are faster and much harder for host firewalls to block. Unprivileged, it falls back to TCP connect attempts to ports 80 and 443. Add -PE, -PS<ports>, -PA<ports> or -PU<ports> to tailor the probes when the defaults are filtered.
Q.13 How do you use Nmap to detect a website's HTTP security headers?
Use the NSE script http-headers against the web ports:
nmap -p 80,443 --script=http-headers <target>
It prints whatever headers the server returns for a HEAD request to /, so you can see Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options and the like, or notice that they are absent. The script only lists headers; judging whether the values are adequate is up to you.
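The script shows the headers but does not evaluate them; the following added Python example (not Nmap's code and not the page's) does that for the three headers named above. The two HTTP responses in it are constructed, and the baselines it applies (a one-year HSTS max-age, DENY or SAMEORIGIN framing, no 'unsafe-inline' or 'unsafe-eval' in the CSP) are common audit thresholds rather than anything Nmap reports.

```python
"""Judge the HTTP security headers that nmap --script=http-headers prints.

Added example for this page, not Nmap's own code. Both responses below are
constructed; the baselines (one-year HSTS max-age, DENY/SAMEORIGIN framing,
no 'unsafe-inline' or 'unsafe-eval' in the CSP) are common audit thresholds,
not anything Nmap itself reports.
"""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age

# Constructed: HSTS far too short, a framing value browsers no longer honor, no CSP.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: all three headers present with acceptable values.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response into {lowercased header name: [values]}.
    Header names are case-insensitive; the first ':' separates name from value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_security_headers(headers):
    """Return {header: problem} for the three headers the page names.
    An empty dict means all three are present with acceptable values."""
    findings = {}

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings["Strict-Transport-Security"] = "max-age below one year"

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings["X-Frame-Options"] = "missing"
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM was dropped by browsers; CSP frame-ancestors replaces it.
        findings["X-Frame-Options"] = f"value {xfo[0]!r} not enforced by browsers"

    csp = headers.get("content-security-policy")
    if not csp:
        findings["Content-Security-Policy"] = "missing"
    elif re.search(r"'unsafe-(inline|eval)'", csp[0], re.IGNORECASE):
        findings["Content-Security-Policy"] = "allows unsafe-inline or unsafe-eval"

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_security_headers(parse_response_head(raw))
        print(label, findings or "no findings")
```

To use it on real output, paste the header block the script prints into parse_response_head (the script's output is the response head, so the status line and CRLF framing carry over). Checking only the presence of a header is not enough; the weak response above has two of the three and would still pass a presence-only test.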
Q.14 How can you find out if a system is vulnerable to SMB-based exploits (e.g., EternalBlue)?
Use the smb-vuln-ms17-010 script against the SMB port:
nmap -p 445 --script=smb-vuln-ms17-010 <target>
It checks whether the SMBv1 service is missing the MS17-010 patch, the flaw the EternalBlue exploit targets and WannaCry used to spread. The script is a check, not an exploit, but a VULNERABLE result should be treated as a critical, remotely exploitable finding.
Q.15 What is the purpose of the --reason option in Nmap?
The --reason option adds the evidence behind each port state: syn-ack or reset for TCP replies, no-response for timeouts, or the ICMP type that caused a filtered verdict (for example port-unreach or admin-prohibited):
nmap --reason <target>
It is the quickest way to tell a port that is filtered because nothing came back from one that is filtered because a firewall actively rejected the probe.
Q.16 How do you scan a network without sending ARP requests?
Use the --disable-arp-ping option, which stops Nmap from using ARP (or IPv6 neighbor discovery) for hosts on the local segment and makes it send its normal IP-based discovery probes instead:
nmap -sn --disable-arp-ping 192.168.1.0/24
ARP is the most reliable discovery method on a local network, so expect to miss hosts whose firewalls drop ICMP and the default TCP probes. Use this mainly to see what a remote scanner would see, or when ARP replies are not trustworthy (for example behind a proxy ARP device).
Q.17 What does --open do in an Nmap scan?
The --open option restricts the report to ports that are open or possibly open (open|filtered and unfiltered states are kept, since they may hide a reachable service), leaving out closed and filtered ones:
nmap -p 1-1000 --open <target>
It changes only the output, not the probes sent, so it is a convenience for reading results and for feeding them to other tools, not a faster or quieter scan.
Q.18 How do you use Nmap to identify DNS servers on a network?
Use a UDP scan on port 53 and keep only the hosts that may be listening:
nmap -sU -p 53 --open 192.168.1.0/24
UDP scanning is ambiguous: a closed port answers with an ICMP port unreachable, but an open port only answers if the service responds to the probe; otherwise Nmap reports open|filtered. For port 53 Nmap's probe is a real DNS query, so working servers usually answer and show as open, while open|filtered hosts may be servers behind a filter or may have nothing listening at all. Add -sV, or a DNS script such as dns-recursion, to turn open|filtered into a definite answer:
nmap -sU -sV -p 53 --script=dns-recursion --open 192.168.1.0/24
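Both Q.17 and Q.18 come down to reading Nmap's port states correctly, which is simplest from its machine-readable output. The following added Python example (not Nmap's code and not the page's) parses grepable output (-oG) and separates hosts that answered the DNS probe (state open) from those that merely did not refuse it (open|filtered). The scan output embedded in it is a constructed sample in Nmap's grepable layout, not a real scan.

```python
"""Parse Nmap grepable output (-oG) and separate confirmed from possible DNS servers.

Added example for this page, not Nmap's own code. The scan output below is a
constructed sample in Nmap's grepable layout; the addresses, hostnames and
version string are made up.
"""

# Constructed -oG output for: nmap -sU -sV -p 53 -oG - 192.168.1.0/24
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sU -sV -p 53 -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 53/open/udp//domain//ISC BIND 9.16.1/
Host: 192.168.1.5 ()\tPorts: 53/open|filtered/udp//domain///
Host: 192.168.1.9 ()\tPorts: 53/closed/udp//domain///
Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain///, 123/open|filtered/udp//ntp///
# Nmap done at Mon Jan  1 10:00:30 2024 -- 256 IP addresses (4 hosts up) scanned in 30.12 seconds
"""

# The seven '/'-separated fields of each Ports: entry, in Nmap's order.
FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")


def parse_grepable(text):
    """Return one record (dict) per host/port pair found in -oG output.
    Comment lines and 'Status: Up' lines carry no port data and are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        columns = line.split("\t")
        host = columns[0].split()[1]                 # "Host: <ip> (<name>)"
        for col in columns[1:]:
            if not col.startswith("Ports:"):
                continue
            for entry in col[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < len(FIELDS):
                    continue                         # malformed entry, ignore
                rec = dict(zip(FIELDS, parts))
                rec["host"] = host
                rec["port"] = int(rec["port"])
                records.append(rec)
    return records


def classify_dns(records):
    """Split hosts with 53/udp into confirmed (state 'open': the host answered
    the DNS probe) and possible (state 'open|filtered': no answer, which --open
    also lists). Closed ports are dropped."""
    out = {"confirmed": [], "possible": []}
    for r in records:
        if r["proto"] != "udp" or r["port"] != 53:
            continue
        if r["state"] == "open":
            out["confirmed"].append(r["host"])
        elif r["state"] == "open|filtered":
            out["possible"].append(r["host"])
    return out


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_GREPABLE)
    for r in recs:
        print(f"{r['host']:15} {r['port']}/{r['proto']} {r['state']} {r['version']}")
    print(classify_dns(recs))
```

Feed it a real file with nmap -sU -sV -p 53 -oG scan.gnmap 192.168.1.0/24 and open("scan.gnmap").read(). The "possible" list is where the follow-up work is: rescan those hosts with -sV or dns-recursion before calling them DNS servers, since open|filtered only means nothing came back.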