Re: NMAP Trivia on SANS Internet Storm Center

[Joel Esler <eslerj () gmail com>]

Hello, I'm a Handler with the ISC, and lurk here as well :)

We received overwhelming response to this diary.  I think it's great  
how one tool can generate such great publicity/noise/reaction.

I work for Sourcefire, and we see the same thing with Snort.  I think  
it's really great when a community gets behind a project such as Nmap.

J

On Dec 30, 2008, at 3:44 PM, DePriest, Jason R. allegedly wrote:

> http://isc.sans.org/diary.html?storyid=5566
>
> More publicity for Fyodor's book and for Nmap in general.  Always  
> good.
>
> Visit the site or just read below.
>
> NMAP Trivia: Mastering Network Mapping and Scanning
> Published: 2008-12-28,
> Last Updated: 2008-12-28 09:35:25 UTC
> by Raul Siles (Version: 1)
> 0 comment(s)
>
> Recently the official (and highly recommended) NMAP book, "NMAP
> Network Scanning" by Fyodor, was published. I will post a review on my
> personal blog in the next few days (plus this challenge), but
> meanwhile, I thought it would be very productive to challenge you with
> a NMAP Trivia. The main goal is providing some entertainment during
> the holiday season and the early days of 2009, and at the same time,
> force you to practice and play with the latest stable nmap version,
> v4.76, trying to increase your technical knowledge, skills, and
> mastering of the traditional and current features of such an important
> security tool.
>
>   1.  What are the default target ports used by the current nmap
> version (4.76)? How can you change the target ports list? What (nmap)
> options can be used to speed up scans by reducing the number of target
> ports and still check (potentially) the most relevant ones? How can
> you force nmap to check all target ports?
>   2. How can you force nmap to scan a specific list of 200 target
> ports, only relevant to you?
>   3. What is the default port used by nmap for UDP ping discovery
> (-PU)? Why? If you don't know it from the top of your head ;), how can
> you easily identify this port without using other tools (such as a
> sniffer) or inspecting nmap's source code?
>   4. When nmap is run, sometimes it is difficult to know what is
> going on the backstage. What two (nmap) options allow you to gather
> detailed but not overwhelming information about nmap's port scanning
> operations? What other extra (nmap) options are available for ultra
> detailed information?
>   5. What are the preferred (nmap) options to run a stealthy TCP port
> scan? Particularly, try to avoid detection from someone running a
> sniffer near the person running nmap and focus on the extra actions
> performed by the tool (assuming the packets required to complete the
> port scan are not detected)?
>   6. Why port number 49152 is relevant to nmap?
>   7. What is the only nmap TCP scan type that classifies the target
> ports as "unfiltered"? Why? What additional nmap scan type can be used
> to discern if those ports (previously identified as "unfiltered") are
> in an open or closed state?
>   8. When (and it what nmap version) the default state for a
> non-responsive UDP port was changed on nmap (from "open" to
> "open|filtered")? Why?
>   9. What is the default scan type used by nmap when none is
> specified, as in "nmap -T4 scanme.nmap.org"? Is this always the
> default scan method? If not, what other scan method does nmap default
> to, under what conditions, and why?
>  10. What nmap features (can make or) make use of nmap's raw packet
> capabilities? What nmap features rely on the OS TCP/IP stack instead?
>  11. Nmap's performance has been sometimes criticized versus other
> network scanners. What (nmap) options can you use to convert nmap into
> a faster, stateless scanner for high performance but less accurate
> results?
>  12. What relevant nmap feature does not allow an attacker to use the
> decoy functionality (-D) and might reveal his real IP address?
>  13. What are the (nmap) options you can use to identify all the
> steps followed by nmap to fingerprint and identify the Web server
> version running on scanme.nmap.org?
>  14. As an attacker, what port number would you select to hide a
> listening service backdoor trying to avoid an accurate detection by
> nmap's default aggressive fingerprinting tests? Would it be TCP or
> UDP? Why? What additional (nmap) options do you need to specify as a
> defender to fingerprint the hidden service backdoor?
>  15. What is the language used to write NSE scripts, and what two
> other famous open-source security tools/projects currently use the
> same language?
>  16. What Linux/Windows command can you use to identify the list of
> NSE scripts that belong to the "discovery" category and will execute
> when this set of scripts is selected with the "--script discovery"
> nmap option?
>  17. How can you know the specific arguments accepted by a specific
> NSE script, such as those accepted by the whois.nse script?
>
> Send your answers through our contact page using "NMAP Trivia" as the
> subject by January, 15. If you have other interesting nmap trick and
> tips, please, send them too. I will publish the best answers and other
> nmap usage suggestions on my next shift around mid-end January 2009.
>
> If you want to stay up to date about the major nmap news and events I
> strongly recommend you to subscribe to the nmap-hackers mailing list
> (low traffic, with less than 10 messages this year). You can do so at
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers.
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org


--
Joel Esler
  http://www.joelesler.net
[m]


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org