Nmap Development mailing list archives

NMAP "curriculum" for LPI


From: mark () lachniet com
Date: Mon, 8 Mar 2004 19:05:16 -0500 (EST)

Following on my last mega-list of training points on Nessus for the LPI
L3-Security track, and with a little bit of prompting, I've taken the time
to do a similar list for NMAP.  (it didn't hurt that I'm training a bunch
of folks on doing vulnerability assessments in two days and was in the
process of writing my lessons).

A firm understanding of TCP, UDP and the types of features that modern
portscanners have (as exemplified by NMAP) is probably worth a topic area
all its own.  It will also segue very well into advanced NAT / ipchains /
iptables curriculum.

For those of you on the nmap-dev list who have no idea what I'm talking
about, check out http://www.lpi.org, or more specifically
https://www.lpi.org/en/examdev/index.html to contribute to the development
of this open Linux certification.  The L3 Security track is nascent, and
may never make it, but some development has been done.  Let's keep the ball
rolling folks!

Please feel free to comment, criticize, correct or add to the following
NMAP training objectives.  Please note that I left a few items out, as
there are just a lot of NMAP features.  No doubt the job task analysis
will cut this list down quite a bit.

NMAP Curriculum (version 3.5)

http://www.insecure.org/nmap/data/nmap_manpage.html

General Items
1. Understand what an ICMP ping is (icmp_echo, icmp_echo_reply)
2. Perform an ICMP ping sweep with nmap (-sP, -PE)
3. Understand advanced ICMP sweep features including “ICMP Timestamp
Request” and “ICMP Netmask Request” (-PP, -PM)
4. Understand the TCP 3-way handshake and TCP port scanning (-sT)
5. Understand how to perform a “TCP Ping” with ACK or SYN flags and
specify specific ports to ping (-PT<portlist>, -PS<portlist>)
6. Understand why you would specify a specific source port such as UDP/53
or TCP/20 for your scans, and how to use these with NMAP (-g <port>)
7. Understand why you would not want to randomize the port sequence of a
scan, and how to configure it in NMAP (-r)
8. Configure NMAP to scan random IP addresses (-iR <numhosts>)
9. Understand UDP messages and ICMP responses such as “ICMP Port
Unreachable” and “ICMP Host Unreachable”
10. Understand why firewalls may give unreliable UDP scan results (by
blocking ICMP messages)
11. Perform a UDP scan (-sU)
12. Understand how Version Scans work
(http://www.insecure.org/nmap/versionscan.html)
13. Perform scanning with version fingerprinting (-sV, -A)
14. Understand and run a TCP SYN Scan (-sS)
15. Understand how non-standard packet header (Stealth FIN, Xmas, or Null)
scans work, and why you would want them (-sF, -sX, -sN)
16. Understand and use RPC scanning features (-sR)
17. Understand and use IDENT scanning features (-I)
18. Understand how OS fingerprinting works, and how to enable it (-O)
19. Understand how to specify specific port ranges and sequences at the
command line (-p)
20. Understand how to customize a services file and use it to specify port
ranges (-F)
21. Understand how ICMP blocking affects NMAP, how to turn off ping sweeps
prior to a port scan, and how this can affect scan speed on large networks
(-P0)
22. Understand how source IP decoys work, and why you would want them (-Dip)
23. Understand the difference between IPv4 and IPv6 networks and how to
force NMAP to scan them (-6)
24. Understand the various timing schemes, how they affect scan speed, the
effect they may have on the target host, and how to configure this setting
(-T setting)
25. Understand how DNS works, how forward and reverse DNS resolution work,
and how to enable or disable this behavior in NMAP (-n / -R)
26. Understand the different NMAP logging options, and how to select them
(-oN, -oX, -oG, -oA)
27. Understand how to select a source interface and IP address in
multi-homed machines (-S, -e)
28. Understand how to specify a target IP address, DNS name, subnet or
range at the command line
29. Understand how IDS evasion techniques such as packet fragmentation
work and how to configure a NMAP scan to use them (-f)
30. Understand how to use NMAP to generate a list of target IP addresses
for inclusion in a target text file (-sL)
31. Understand how to create a list of target IP addresses or DNS names in
a file, and use this file to specify targets
(http://www.insecure.org/nmap/idlescan.html) and how to perform it (-sI
host[:probeport])
32. Understand what an FTP bounce scan is, and how to configure it (-b
<host>)
33. Understand how to pass FTP server credentials to an FTP bounce scan
34. Understand why you would want to pad scan packets with random data,
how it will affect scan time, and how to configure NMAP to do this
(--data_length <val>)
35. Understand NMAP output, including different port states (open, closed,
filtered) and how these states are derived (RST response, etc.)
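As an added illustration of items 9, 10, 11, 14 and 35 (not code from the original post or from nmap itself), the model below maps the response a probe gets to the port state a SYN scan or UDP scan reports, and shows why a firewall that drops ICMP makes closed UDP ports look open. The `Response` type and the `udp_scan_through_firewall` helper are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """What came back for one probe (constructed model, not nmap's own types)."""
    kind: str            # "syn_ack", "rst", "icmp", "udp_data" or "none"
    icmp_code: int = -1  # for kind == "icmp": ICMP type-3 code (3 = port unreachable)


def syn_scan_state(resp: Response) -> str:
    """State a SYN scan (-sS) reports; a connect scan (-sT) reasons the same way."""
    if resp.kind == "syn_ack":
        return "open"          # something is listening
    if resp.kind == "rst":
        return "closed"        # the host answered, but nothing listens there
    # Silence or an ICMP unreachable (e.g. host unreachable, code 1): a filter is in the way
    return "filtered"


def udp_scan_state(resp: Response) -> str:
    """State a UDP scan (-sU) reports; ICMP port unreachable is the only proof of 'closed'."""
    if resp.kind == "udp_data":
        return "open"          # the service answered the empty probe
    if resp.kind == "icmp":
        return "closed" if resp.icmp_code == 3 else "filtered"
    # No answer at all: an open but quiet service, or a firewall dropped the probe or the ICMP.
    # nmap 3.5 reported this as open; later releases spell the ambiguity out as open|filtered.
    return "open|filtered"


def udp_scan_through_firewall(actual_state: str, firewall_drops_icmp: bool) -> str:
    """What the scanner sees for a port of known true state, with or without ICMP blocked."""
    if actual_state == "open":
        resp = Response("none")   # most UDP services ignore an empty datagram
    elif firewall_drops_icmp:
        resp = Response("none")   # the port-unreachable never reaches the scanner
    else:
        resp = Response("icmp", 3)
    return udp_scan_state(resp)


if __name__ == "__main__":
    for blocked in (False, True):
        seen = {s: udp_scan_through_firewall(s, blocked) for s in ("open", "closed")}
        print(f"ICMP blocked={blocked}: {seen}")
```

With ICMP blocked, the open and closed ports produce the same result, which is the unreliability item 10 warns about.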

External Interfaces

36. Understand how vulnerability assessment tools (e.g. Nessus) use NMAP
for discovery
37. Understand how to compare multiple NMAP scans by hand or using
available scripts and utilities
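One way to do the comparison in item 37 is to parse the grepable output from item 26 (-oG) and diff two runs per host. This is an added example, not a script from the post or from the nmap project; the two scan snippets are constructed in the -oG line layout (Host: ip (name), tab, Ports: port/state/proto/owner/service/rpc/version/), and the parsing of that layout is an assumption about the format rather than nmap's own parser.

```python
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]  # (protocol, port number)


def parse_grepable(text: str) -> Dict[str, Dict[PortKey, str]]:
    """Return {host_ip: {(proto, port): state}} from -oG text; '#' comment lines are skipped."""
    hosts: Dict[str, Dict[PortKey, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG separates Host:/Ports:/Status: with tabs
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
                if len(parts) < 3 or not parts[0].isdigit():
                    continue
                ports[(parts[2], int(parts[0]))] = parts[1]
    return hosts


def diff_scans(old: str, new: str) -> Dict[str, Dict[str, List]]:
    """Per host, list ports that appeared, disappeared or changed state between two scans."""
    before, after = parse_grepable(old), parse_grepable(new)
    report: Dict[str, Dict[str, List]] = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, {}), after.get(ip, {})
        changes = {
            "new": sorted(k for k in a if k not in b),
            "gone": sorted(k for k in b if k not in a),
            "changed": sorted((k, b[k], a[k]) for k in a if k in b and a[k] != b[k]),
        }
        if any(changes.values()):
            report[ip] = changes
    return report


# Constructed sample output in -oG layout: the same host a few days apart, plus a new host
SCAN_MONDAY = (
    "# Nmap 3.50 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\n"
)
SCAN_FRIDAY = (
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 3306/open/tcp//mysql///\n"
    "Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain///\n"
)
```

Calling `diff_scans(SCAN_MONDAY, SCAN_FRIDAY)` flags the new mysql listener, the https port that went from filtered to open, and the host that was not there before.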

Windows Items
38. Use the "regedt32 nmap_performance.reg" fix for better TCP scanning
39. Use the --win_norawsock switch if you have trouble in Windows 2000
40. Understand Windows-specific options, and when and why they might be
used (especially --win_list_interfaces, --win_nopcap)

