Job Interview Questions
Vskills Certifications
Why Vskills
Search
Nmap for Network Security
Nmap for Network Security
Q.1
What is Nmap, and what is it used for?
Nmap (Network Mapper) is an open-source tool used for network discovery, security auditing, and vulnerability scanning. It helps identify active hosts, open ports, services, and potential security risks.
Report This Question
Q.2
How do you install Nmap on Windows/Linux?
Windows: Download the installer from nmap.org and follow the setup instructions.
Linux: Use the package manager (e.g., sudo apt install nmap for Debian-based systems or sudo yum install nmap for Red Hat-based systems).
Report This Question
Q.3
What is the difference between SYN scan and TCP connect scan?
SYN Scan (-sS): Sends a SYN packet and waits for a response. If SYN-ACK is received, the port is open, but the handshake is never completed, making it stealthier.
TCP Connect Scan (-sT): Establishes a full TCP connection, making it easier to detect but more reliable.
Report This Question
Q.4
What is the difference between a normal scan and a stealth scan?
Normal Scan (-sT) – Completes a full three-way handshake, making it easy to detect.
Stealth Scan (-sS) – Sends SYN packets without completing the handshake, making it harder for firewalls to detect.
Report This Question
Q.5
What is the difference between -p- and -p1-65535 in Nmap?
Both scan all 65,535 ports, but -p- is a shorthand for -p1-65535.
Report This Question
Q.6
How can you evade firewalls while using Nmap?
Some techniques include:
Using fragmented packets: nmap -f
Randomizing scan order: nmap --randomize-hosts
Changing scan timing: nmap -T2
for slower, less detectable scans.
Report This Question
Q.7
How can you detect a firewall using Nmap?
You can use Nmap’s firewall detection techniques, such as:
nmap -sA
(ACK scan) – If all ports are unfiltered, there’s likely no firewall; if they are filtered, a firewall is blocking them.
nmap --packet-trace
– Shows packet responses to analyze firewall behavior.
nmap --traceroute
– Identifies firewall/router hops.
Report This Question
Q.8
How can you limit the number of concurrent Nmap scans to avoid detection?
Use the --min-rate or --max-rate options to control scan speed:
nmap --min-rate 10 --max-rate 50
Report This Question
Q.9
What is the purpose of the --script-trace option in Nmap?
The --script-trace option shows detailed debugging information when running Nmap scripts (NSE). It helps analyze how scripts interact with the target:
nmap --script=http-title --script-trace
Report This Question
Q.10
What is a zombie host in an Idle Scan, and how do you use it?
A zombie host is a passive system used in an Idle Scan (-sI) to perform stealthy scans. It helps hide the attacker’s IP address. Example:
nmap -sI
Report This Question
Q.11
How can you find vulnerable services using Nmap?
Use the Nmap Scripting Engine (NSE) with the vuln script: nmap --script=vuln
This detects common vulnerabilities such as outdated software, misconfigurations, and CVE-listed exploits.
Report This Question
Q.12
How do you perform a scan to detect live hosts on a network?
Use the -sn (ping scan) option to identify active hosts without scanning ports:
nmap -sn 192.168.1.0/24
This sends ICMP echo requests, TCP SYN to port 443, and ARP requests (on local networks) to detect active devices.
Report This Question
Q.13
How do you use Nmap to detect a website's HTTP security headers?
Use the NSE script http-headers:
nmap --script=http-headers
This reveals headers like X-Frame-Options, Content-Security-Policy, and HSTS.
Report This Question
Q.14
How can you find out if a system is vulnerable to SMB-based exploits (e.g., EternalBlue)?
Use the smb-vuln-ms17-010 script:
nmap --script=smb-vuln-ms17-010 -p 445
This checks if the system is vulnerable to the EternalBlue exploit (MS17-010) used in WannaCry ransomware attacks.
Report This Question
Q.15
What is the purpose of the --reason option in Nmap?
The --reason option explains why a port is marked as open, closed, or filtered by showing responses from the target:
nmap --reason
Report This Question
Q.16
How do you scan a network without sending ARP requests?
Use the --disable-arp-ping option to prevent Nmap from using ARP for host discovery:
nmap -sn --disable-arp-ping 192.168.1.0/24
Report This Question
Q.17
What does --open do in an Nmap scan?
The --open option only shows ports that are open, filtering out closed or filtered ones:
nmap -p 1-1000 --open
This helps focus on only reachable services, reducing scan noise.
Report This Question
Q.18
How do you use Nmap to identify DNS servers on a network?
Use a UDP scan on port 53:
nmap -sU -p 53 --open 192.168.1.0/24
If the port is open, the system is likely a DNS server.
Report This Question
Get industry recognized certification
Submit
Get Govt. Certified
Know More
Are you an expert ?
Take a Quiz
Get Govt. Certified
Take Test
Report This Question
×
Name
Email
Message
For Support