Nmap Interview Questions and Answers - 2024

The Nmap characteristics include: 

• Host discovery

• Scan techniques

• Port specification and scan order

• Service or version detection

• Script scan

• OS detection

• Timing and performance

• Evasion and spoofing

• Output

• Target specification

Nmap, for efficiency reasons, uses larger group sizes for UDP or few-port TCP scans. It starts with a group size as low as 5, so the first results come quickly and then increases the group size to as high as 1024. The exact default numbers depend on the given options.

The discovery phase of Nmap sends out a series of packets to target hosts. It then analyses the responses that come back, allowing Nmap to determine what hosts are up and running, which services they are running, and which operating systems they are using. This information is used to tailor subsequent attacks.

Using the -e option makes using Nmap without root access possible. This allows one to specify an interface for scanning rather than the default interface.

The most common Nmap methods include network exploration, managing service upgrade schedules, monitoring host or service uptime, and security auditing.

NSE stands for Nmap Scripting Engine, a powerful engine that allows users to extend the functionality of Nmap by writing their scripts. These scripts can perform tasks like network discovery, port scanning, and vulnerability analysis.

Nmap collects a variety of information about a target network or system. This information includes the network layout, the types of devices and services running, and the open ports and vulnerabilities. It also performs more sophisticated attacks, like denial of service attacks or password guessing.

• Normal output ( -oN )

• XML output ( -oX )

• Grepable output ( -oG )

• Script kiddie ( -oS )

$nmap -sn <target>

$nmap -iL <target-file>

There are several Nmap commands that can be used for specific ports and services. Here are a few examples:

-p

This command is used to specify the port or range of ports to be scanned. For example, if you want to scan port 80, you can use the command nmap -p 80 .

--top-ports

This command is used to specify the number of top ports to be scanned. For example, if you want to scan the top 100 ports, you can use the command nmap --top-ports 100 .

-sV

This command is used to identify the version and name of the services running on the scanned ports. For example, if you want to scan for the version of the Apache web server running on port 80, you can use the command nmap -sV -p 80 .

-sT

This command is used to perform a TCP connect scan. For example, if you want to scan for open ports using a TCP connect scan, you can use the command nmap -sT .

-sU 

This command is used to perform a UDP scan. For example, if you want to scan for open UDP ports, you can use the command nmap -sU .

Nmap is a powerful tool for various tasks, including network exploration, security auditing, and troubleshooting. It is unique in its ability to scan large networks quickly and efficiently. Moreover, Nmap can identify hosts and services on a network and determine which ports are open on a given host.

We can do it using the following command:

nmap -sC <target>

The command used to scan a target using a TCP SYN scan is -sS. The TCP SYN scan is one of the most commonly used scan types in Nmap, and it works by sending a SYN packet to the target port and waiting for a response. 

If the port is open, the target will respond with a SYN-ACK packet, indicating that the port is open and ready to receive connections. If the port is closed, the target will respond with a RST packet, indicating that the port is closed and not accepting connections.

One of the main advantages of using a TCP SYN scan is that it is stealthy and can help avoid detection by network security systems. 

This is because the scan does not complete the TCP handshake, which can be detected by intrusion detection systems. Additionally, the TCP SYN scan can be faster than other types of scans because it sends fewer packets and only sends a full packet to open ports.

Although the interface selection is automatic, you can forcefully assign a specific interface using the below command-

#nmap -e <interface> <target>

A tool like Nmap is the best way to detect multiple hosts on a single subnet. Nmap can quickly scan a subnet and return a list of all active hosts. This is a handy tool for network administrators who need to keep track of all devices on a network.

Using Nmap, it is possible to detect remote operating systems that are running on remote hosts. Since Nmap is used for network exploration and security auditing, it identifies hosts and services on a network and decides what operating systems those hosts are running. If you run Nmap against a remote host, you can fingerprint the operating system the host is running and choose its type.

OS fingerprinting identifies what operating system is running on a given host based on analysing the host’s responses to various network probes. This can be done manually by looking at the answers and identifying patterns or automatically using a tool like Nmap to compare the responses to a database of known operating systems.

Aggressive Detection command enables OS detection (-O), script scanning (-sC), version detection (-sV),  and traceroute (--traceroute)

$nmap -A <target>

To write an Nmap script for the ping scan using UDP, you can use the following steps:

1. Open a text editor and create a new file with the extension .nse. For example, you can name the file udp-ping-scan.nse.

2. In the first line of the script, add a comment with a description of the script. For example, you can use the following comment:

-- UDP Ping Scan: Performs a ping scan using UDP packets to identify hosts on the network

3. Next, add the categories line to specify the category of the script. For example, you can use the following line:

categories = {"discovery", "safe"}

4. In the next line, add the hostrule function to specify the host selection rule. For example, you can use the following line:

hostrule = function(host) return true end

This will select all hosts for the scan.

5. Next, add the action function to define the script's behavior. For a UDP ping scan, you can use the following code:

action = function(host, port)

   local socket = nmap.new_socket()

   socket:set_timeout(500)

   local status, err = socket:sendto(host, 1, "\0")

   if status == nil then

      return

   end

   local response, err = socket:receive()

   if response then

      nmap.report_host(host, "", "up")

   end

   socket:close()

end

This function creates a new UDP socket and sends a UDP packet to port 1 on the target host. If the host responds with any UDP packet, the script reports the host as "up".

6. Save the script and run it using the following command:

nmap -sU -p 1 -sV -n -Pn --script=udp-ping-scan.nse

This will run a UDP ping scan on the specified target IP address.

Note: Before running any Nmap script, it's important to understand the potential risks and legal implications of using the tool. Always use Nmap responsibly and with permission from the network owner.

#nmap --packet-trace -n -sn

$ nmap -6 -O <target>

$ nmap -6 -sT <target>

You can upload more signatures and fingerprints on the URL https://nmap.org/cgi-bin/submit.cgi?

$nmap -sn --script whois-*

$nmap -sU -sS --host-timeout -p1-100

Advantage-

• The host-timeout option allows skipping slow hosts

$ nmap -O

$nmap -O --osscan-guess  

$nmap -O --osscan-limit

$nmap -O -v

where,

-v option used for verbose mode

--osscan-guess option forces Nmap to guess OS

--osscan-limit option gives results for OS if met by ideal condition

$ nmap -sV <target>

$nmap -sV --version-intensity [0-9] <target>

$nmap --script-updatedb

$ nmap -sn -PR --spoof-mac <mac address> <target>

#nmap --packet-trace -n -sn <target>

Security analysts widely use Nmap as a port scanner. However, many options are available to scan basic vulnerabilities using Nmap.

No, any resource is to be scanned after taking appropriate approvals in written form. If you participate in the bug bounty of any specific program, it is the responsibility of the bug bounty hunter to read all rules before participation.

Nmap tool can scan any IP which is available via the network. Internal or private IP may be monitored by connecting the network via VPN or physically connecting the web.

Any active scanning security tool must be used by taking written permission from the asset owner. Hence, using Nmap by taking appropriate authorisation from the legitimate owner is highly recommended.

Nmap is a port scanner that identifies open ports. At the same time, Wireshark is a protocol analyser that helps security engineers to read the structure of different packets.

A range's beginning and/or end values may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535.

The flags are used for scanning port-related information about target hosts. If you know which ports are open, you can get into the system, so pen-testers rely heavily on this Nmap query.

Hackers use Nmap to gain access to uncontrolled ports on a system. To successfully enter a targeted system, a hacker must run Nmap on that system, look for vulnerabilities, and figure out how to exploit them.

The Nmap command you need to scan all ports is “nmap –p– 192.168. 0.1,” which scans ports 0 through 65,535. To scan a single port, the command is “nmap -p 22 192.168. 1.1.” For scanning a range of ports, use the command “nmap -p 1-100 192.168.

Scan Types in Nmap-

• TCP Connect Scans ( -sT ) In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. ...

• SYN “Half-open” Scans ( -sS ) ...

• UDP Scans ( -sU ) ...

• TCP Null Scans ( -sN ) ...

• TCP FIN Scans ( -sF ) ...

• TCP Xmas Scans ( -sX ) ...

• Limitations.

The attacker sends a packet to the target without any flags set within it. The target will be confused and will not respond. This will indicate the port is open on the target. If the target responds with an RST packet, the port is closed.

• C

• Python

• C++

• Lua

Transport Layer.

The timing template in the Nmap is defined by –T<0-5>, having -T0 as the slowest and –T5 as the fastest.

In Nmap, TCP scans are activated using the -sT option. The Nmap tool completes UDP scans by sending a packet to every targeted port and waits for a response or timeout. In Nmap, UDP port scans are activated using the -sU option.

Nmap works with two protocols that use ports- TCP and UDP. A connection for each protocol is uniquely identified by four elements: source and destination IP addresses and corresponding source and destination ports. These elements are simply numbers placed in the headers of each packet sent between hosts.

By default, Nmap scans the top 1,000 ports for each scan protocol requested. This catches 93% of the TCP and 49% of the UDP ports. With the -F (fast) option, only the top 100 ports are scanned, providing 78% TCP effectiveness and 39% for UDP.