Nmap Development mailing list archives
NMAP "curriculum" for LPI
From: mark () lachniet com
Date: Mon, 8 Mar 2004 19:05:16 -0500 (EST)
Following on my last mega-list of training points on Nessus for the LPI L3-Security track, and with a little bit of prompting, I've taken the time to do a similar list for NMAP. (It didn't hurt that I'm training a bunch of folks on doing vulnerability assessments in two days and was in the process of writing my lessons.) A firm understanding of TCP, UDP and the types of features that modern portscanners have (as exemplified by NMAP) is probably worth a topic area all its own. It will also segue very well into advanced NAT / ipchains / iptables curriculum.

For those of you on the nmap-dev list who have no idea what I'm talking about, check out http://www.lpi.org, or more specifically https://www.lpi.org/en/examdev/index.html to contribute to the development of this open Linux certification. The L3 Security track is nascent, and may never make it, but some development has been done. Let's keep the ball rolling folks!

Please feel free to comment, criticize, correct or add to the following NMAP training objectives. Please note that I left a few items out, as there are just a lot of NMAP features. No doubt the job task analysis will cut this list down quite a bit.

NMAP Curriculum (version 3.5)
http://www.insecure.org/nmap/data/nmap_manpage.html

General Items

1. Understand what an ICMP ping is (icmp_echo, icmp_echo_reply)
2. Perform an ICMP ping sweep with nmap (-sP, -PE)
3. Understand advanced ICMP sweep features including ICMP Timestamp Request and ICMP Netmask Request (-PP, -PM)
4. Understand the TCP 3-way handshake and TCP port scanning (-sT)
5. Understand how to perform a TCP Ping with ACK or SYN flags and specify specific ports to ping (-PT<portlist>, -PS<portlist>)
6. Understand why you would specify a specific source port such as UDP/53 or TCP/20 for your scans, and how to use these with NMAP (-g <port>)
7. Understand why you would not want to randomize the port sequence of a scan, and how to configure it in NMAP (-r)
8. Configure NMAP to scan random IP addresses (-iR <numhosts>)
9. Understand UDP messages and ICMP responses such as ICMP Port Unreachable and ICMP Host Unreachable
10. Understand why firewalls may give unreliable UDP scan results (by blocking ICMP messages)
11. Perform a UDP scan (-sU)
12. Understand how Version Scans work (http://www.insecure.org/nmap/versionscan.html)
13. Perform scanning with version fingerprinting (-sV, -A)
14. Understand and run a TCP SYN Scan (-sS)
15. Understand how non-standard packet header (Stealth FIN, Xmas, or Null) scans work, and why you would want them (-sF, -sX, -sN)
16. Understand and use RPC scanning features (-sR)
17. Understand and use IDENT scanning features (-I)
18. Understand how OS fingerprinting works, and how to enable it (-O)
19. Understand how to specify specific port ranges and sequences at the command line (-p)
20. Understand how to customize a services file and use it to specify port ranges (-F)
21. Understand how ICMP blocking affects NMAP, how to turn off ping sweeps prior to a port scan, and how this can affect scan speed on large networks (-P0)
22. Understand how source IP decoys work, and why you would want them (-Dip)
23. Understand the difference between IP v4 and v6 networks and how to force nessus to scan them (-6)
24. Understand the various timing schemes, how they affect scan speed, the effect they may have on the target host, and how to configure this setting (-T setting)
25. Understand how DNS works, how forward and reverse DNS resolution work, and how to enable or disable this behavior in NMAP (-n / -R)
26. Understand the different NMAP logging options, and how to select them (-oN, -oX, -oG, -oA)
27. Understand how to select a source interface and IP address in multi-homed machines (-S, -e)
28. Understand how to specify a target IP address, DNS name, subnet or range at the command line
29. Understand how IDS evasion techniques such as packet fragmentation work and how to configure a NMAP scan to use them (-f)
30. Understand how to use NMAP to generate a list of target IP addresses for inclusion in a target text file (-sL)
31. Understand how to create a list of target IP addresses or DNS names in a file, and use this file to specify targets (http://www.insecure.org/nmap/idlescan.html) and how to perform it (-sI host[:probeport])
32. Understand what an FTP bounce scan is, and how to configure it (-b <host>)
33. Understand how to pass FTP server credentials to a FTP bounce scan
34. Understand why you would want to pad scan packets with random data, how it will affect scan time, and how to configure NMAP to do this (--data_length <val>)
35. Understand NMAP output, including different port states (open, closed, filtered) and how these states are derived (RST response, etc.)

External Interfaces

36. Understand how vulnerability assessment tools (e.g. Nessus) use NMAP for discovery
37. Understand how to compare multiple NMAP scans by hand or using available scripts and utilities

Windows Items

38. Use the "regedt32 nmap_performance.reg" fix for better TCP scanning
39. Use the --win_norawsock switch if you have trouble in Windows 2000
40. Understand Windows-specific options, and when and why they might be used (especially --win_list_interfaces, --win_nopcap)
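Items 26, 35 and 37 above touch on the grepable log format (-oG), port states and comparing scans. As an added example (not part of the original post), the following parses two -oG outputs and reports, per host, which open ports appeared or disappeared between a baseline and a rescan; the scan data is constructed sample text in the -oG layout, not real output.

```python
# Added example (not from the original post): parse two nmap grepable (-oG)
# outputs and report which open ports appeared or disappeared per host.
import re

# Constructed sample data in -oG layout: Host: IP (name) <TAB> Ports: port/state/proto/owner/service/rpc/version/, ...
BASELINE_OG = """\
# Nmap 3.50 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (1656)
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (1657)
"""
RESCAN_OG = """\
# Nmap 3.50 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (1655)
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (1657)
Host: 192.0.2.12 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (1000)
"""
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for ports reported open; comment and Status-only lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        # Remaining tab-separated fields ("Ports: ...", "Ignored State: ...") become a dict;
        # the Ignored State summary is a count, not a per-port result, so it is never counted.
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        hosts.setdefault(ip, set())
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                hosts[ip].add((int(port), proto))
    return hosts

def diff_scans(old, new):
    """Return {ip: (newly_open, no_longer_open)}; a host seen in only one scan has no open ports in the other."""
    changes = {}
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, set()), new.get(ip, set())
        if before != after:
            changes[ip] = (sorted(after - before), sorted(before - after))
    return changes
```

A port that moves from open to filtered (3306 on the second host) shows up as "no longer open", which is exactly the kind of change a recurring assessment wants flagged rather than hidden in a pair of long listings.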