1. Answer: a. Unix
Nmap was originally a command-line application for Unix, but a Windows version has been available since 2000.
To learn about Nmap, read "Nmap in the enterprise: Installing and configuring Nmap on Windows" from our Nmap tip series.
2. Answer: d. SYN
Nmap is a good fit for a simple network inventory or a first-pass vulnerability assessment. When it runs with raw-socket privileges (root on Unix, Administrator on Windows), its default is the SYN scan (-sS): it sends a SYN, records the reply, and never completes the handshake, because the scanning host's kernel tears down any half-open connection with a RST. That is why it is also called a half-open scan. Because it depends only on standard TCP behaviour rather than on idiosyncrasies of specific platforms, it works against any compliant TCP stack, can cover thousands of ports quickly, and gives a clear, reliable distinction between ports in the open, closed and filtered states. Without raw-socket privileges Nmap falls back to the TCP connect scan (-sT), which completes the handshake through the operating system's socket API and is slower and more visible in the target's application logs.
To learn more about scanning services with Nmap, read "Nmap: Scanning ports and services" from our Nmap tip series.
3. Answer: c. TCP ACK
Nmap provides another scan, the TCP ACK scan (option -sA), to help map out firewall rule sets. It sends probes with only the ACK flag set. A host that receives such an unsolicited ACK answers with a RST whether the port is open or closed, so this scan cannot tell those two states apart; Nmap reports a port that returns a RST as unfiltered and a port that produces no reply (or an ICMP unreachable error) as filtered. Comparing the ACK scan with a SYN scan of the same port tells you something about the device filtering it: a stateless packet filter that only blocks SYNs forwards the bare ACK, so the port shows as unfiltered even though new connections to it are blocked, whereas a stateful firewall drops an ACK that belongs to no tracked connection, so the port shows as filtered even when the SYN scan found it open. We will look at firewall evasion in the next tip, but in the meantime you can experiment with probing and analysing your firewalls and network by sending a variety of probe types with different flag settings.
To learn about Nmap's port scanning features, read "Nmap: More port scanning techniques" from our Nmap tip series.
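The state rules behind the SYN scan in answer 2 and the ACK scan in answer 3, written out as code. This is an added example, not code from the Nmap tip series or from Nmap itself: the Reply model, the sample replies and the verdict strings are constructed for this page, while the classification rules (SYN/ACK means open, RST means closed or unfiltered, silence or an ICMP type 3 error with codes 1, 2, 3, 9, 10 or 13 means filtered) follow Nmap's documentation. The infer_filter function combines the two scans' results for one port into a statement about the filter in the path, which is the reasoning a practitioner does by hand when reading the two scans side by side.

```python
"""Added example, not code from the Nmap tip series or from Nmap: how a SYN
scan (-sS) and an ACK scan (-sA) turn the reply to one probe into the port
states Nmap reports, and what comparing the two says about the filter."""
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable (type 3) codes that Nmap reads as filtering:
# host/net/protocol/port unreachable plus the administratively-prohibited codes.
FILTERING_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """What came back for a single probe (constructed summary, not a packet)."""
    tcp_flags: str = ""              # "SA" = SYN/ACK, "RA" = RST/ACK, "" = no TCP reply
    icmp_type: Optional[int] = None  # set when an ICMP error came back instead
    icmp_code: Optional[int] = None


NO_REPLY = Reply()  # the probe timed out after Nmap's retransmissions


def classify_syn(reply: Reply) -> str:
    """-sS: SYN/ACK means a listener (open), RST means nothing listening
    (closed); silence or an ICMP unreachable error means something in the
    path dropped or rejected the probe (filtered)."""
    if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
        return "open"
    if "R" in reply.tcp_flags:
        return "closed"
    # No reply, a filtering ICMP error, or anything else unexpected: no
    # evidence that the probe reached a TCP stack, so filtered.
    return "filtered"


def classify_ack(reply: Reply) -> str:
    """-sA: a host answers an unsolicited ACK with a RST whether the port is
    open or closed, so a RST only proves the probe got through (unfiltered).
    No reply or an ICMP error means a filter ate it (filtered)."""
    if "R" in reply.tcp_flags:
        return "unfiltered"
    return "filtered"


def infer_filter(syn_state: str, ack_state: str) -> str:
    """Combine the two results for one port into a verdict about the filter."""
    if ack_state == "unfiltered" and syn_state in ("open", "closed"):
        return "no filtering observed"
    if ack_state == "unfiltered" and syn_state == "filtered":
        # SYN blocked but a bare ACK passed: an ACL that matches on SYN only.
        return "stateless filter blocking new connections"
    if ack_state == "filtered" and syn_state in ("open", "closed"):
        # SYN reached the host (SYN/ACK or RST came back) but the out-of-state
        # ACK did not: the device tracks connections.
        return "stateful filter"
    return "filtered both ways (stateful or blanket drop; cannot tell)"


# Constructed replies for a handful of ports: (reply to SYN probe, reply to ACK probe).
SAMPLE = {
    22:   (Reply("SA"), Reply("R")),
    25:   (Reply("RA"), Reply("R")),
    80:   (Reply("SA"), NO_REPLY),
    135:  (NO_REPLY, Reply("R")),
    445:  (NO_REPLY, NO_REPLY),
    8080: (Reply(icmp_type=3, icmp_code=13), Reply(icmp_type=3, icmp_code=13)),
}


def analyse(sample=SAMPLE):
    """Return {port: (syn_state, ack_state, filter_verdict)} for each sampled port."""
    out = {}
    for port, (syn_reply, ack_reply) in sample.items():
        s, a = classify_syn(syn_reply), classify_ack(ack_reply)
        out[port] = (s, a, infer_filter(s, a))
    return out


if __name__ == "__main__":
    for port, (s, a, verdict) in analyse().items():
        print(f"{port:>5}/tcp  syn={s:<9} ack={a:<11} {verdict}")
```

Port 80 in the sample is the case answer 3 is about: the SYN scan says open, the ACK scan says filtered, so whatever sits in front of the host is tracking connections. Port 135 is the opposite: SYNs are dropped by an access list, but the list does not match bare ACKs, which is the signature of a stateless filter.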
4. Answer: d. All of the above
When testing the effectiveness of firewalls and intrusion detection systems, keep the default port order, which Nmap already randomises (the -r option switches to sequential order), and also randomise the order in which hosts are scanned with --randomize-hosts (written -rH in older versions), which shuffles targets in groups of up to 16,384 hosts. Combined with the slow timing options, which we will look at next week, this makes any network monitoring device work harder to recognise the scan. The two measures defeat different detectors: randomising the order beats heuristics that look for a sequential sweep of ports or addresses, while slowing the probes down is what keeps the scan under rate-based thresholds that simply count distinct ports or hosts per source in a time window.
To learn more about Nmap's firewall configuration testing capabilities, read "Nmap: Firewall configuration testing" from our Nmap tip series.
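To see which of the two evasions in answer 4 matters to which kind of detector, here is an added example (not code from the Nmap tip series, and not a real IDS rule) that runs three constructed scans through two toy detectors: one that flags a run of consecutive ascending ports, and one that counts distinct ports per source inside a sliding time window. The probe records, the source addresses, the thresholds and the window size are all made up for the illustration; a fixed stride permutation stands in for Nmap's randomised port order so the run is reproducible, and the 15-second probe spacing in the slow case is the pace of Nmap's -T1 template.

```python
"""Added example, not code from the Nmap tip series or from Nmap: two toy
scan detectors over constructed probe records, showing that port-order
randomisation defeats a sequential-sweep heuristic while only slow timing
defeats a rate counter. Thresholds and addresses are illustrative."""
from collections import defaultdict, deque

PORTS = list(range(20, 40))   # twenty constructed target ports on one host


def make_probes(src, ports, interval, shuffle):
    """(timestamp, src, dst_port) records for one scan, `interval` seconds apart.
    A fixed stride-7 permutation stands in for Nmap's randomised port order so
    the run is reproducible; for this contiguous port list no two successive
    ports differ by exactly one."""
    n = len(ports)
    order = [ports[(i * 7) % n] for i in range(n)] if shuffle else list(ports)
    return [(i * interval, src, p) for i, p in enumerate(order)]


def sequential_port_detector(probes, run_length=5):
    """Flag a source that hits `run_length` consecutive ascending ports in a
    row. Randomising the port order alone is enough to slip past this."""
    flagged, last_port, run = set(), {}, defaultdict(int)
    for _, src, port in sorted(probes):
        run[src] = run[src] + 1 if last_port.get(src) == port - 1 else 1
        last_port[src] = port
        if run[src] >= run_length:
            flagged.add(src)
    return flagged


def window_detector(probes, window=60.0, threshold=10):
    """Flag a source that touches `threshold` distinct ports inside any
    `window` seconds. Order is irrelevant here, only probe density, so
    slowing the scan down (not shuffling it) is what stays under the line."""
    flagged, recent = set(), defaultdict(deque)   # src -> (ts, port), oldest first
    for ts, src, port in sorted(probes):
        q = recent[src]
        q.append((ts, port))
        while q[0][0] <= ts - window:        # expire records older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged


def scenarios():
    """{scan name: (caught by sequential heuristic, caught by window counter)}."""
    cases = {
        "sequential_fast": make_probes("10.0.0.5", PORTS, 0.1, shuffle=False),
        "random_fast":     make_probes("10.0.0.6", PORTS, 0.1, shuffle=True),
        # 15 s between probes is the pace of Nmap's -T1 ("sneaky") template.
        "random_slow":     make_probes("10.0.0.7", PORTS, 15.0, shuffle=True),
    }
    return {name: (p[0][1] in sequential_port_detector(p), p[0][1] in window_detector(p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (seq, win) in scenarios().items():
        print(f"{name:<16} sequential-heuristic={seq!s:<5} window-counter={win}")
```

The fast randomised scan still trips the window counter because twenty probes land inside two seconds; the slow one never has more than four ports inside any sixty-second window, so it passes both detectors, which is the effect the tip is describing when it pairs randomisation with slow timing.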
5. Answer: b. Relay
By default, Nmap never abandons a host because of elapsed time, no matter how long the scan takes. The host timeout option (--host-timeout; older documentation spells it --host_timeout) sets the maximum time Nmap will spend on a single IP address before giving up on it. A host that hits the timeout is skipped entirely: whatever Nmap had learned about it so far is discarded rather than reported as a partial result, so set the value generously. The option is useful when scanning network devices over a slow connection or when the scan runs into a device that responds very slowly.
Nmap's other timing options fall into four broad categories: round-trip time, scan delay, host parallelism and port (probe) parallelism. Round-trip time is how long a probe takes to get a response, measured in milliseconds. Nmap adjusts its round-trip timeout continuously during a scan from the responses it sees, and two options bound that estimate. The minimum round-trip timeout (--min-rtt-timeout) sets a floor, so you can force Nmap to wait longer than its estimate would otherwise allow if, for example, your network is dropping packets or replies are arriving late. The maximum round-trip timeout (--max-rtt-timeout) sets a ceiling: raising it improves accuracy across slow or problematic networks at the cost of speed, while lowering it speeds the scan up at the risk of treating late replies as no reply, which makes ports wrongly appear filtered. Older documentation spells these --min_rtt_timeout and --max_rtt_timeout; current Nmap accepts time values with units (ms, s, m, h) and treats a bare number as seconds, so write milliseconds explicitly, as in --max-rtt-timeout 500ms.
To learn how these timing options operate, read "Nmap: Techniques for improving scan times" from our Nmap tip series.
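The adaptive round-trip timeout and the floor and ceiling that answer 5 describes, as an added example that is not Nmap's code. It models the estimator on the TCP retransmission-timer algorithm from RFC 6298 (smoothed RTT plus four times the smoothed deviation, first sample seeding both); Nmap keeps a smoothed RTT and variance in the same spirit but with its own constants and its own retry policy, so this is a model of the behaviour the text describes rather than a reimplementation. The class name, the event sequences and the default values are assumptions made for the example.

```python
"""Added example, not Nmap's code: an adaptive round-trip-time timeout in the
style of the TCP RTO estimator (RFC 6298), bounded by the floor and ceiling
that --min-rtt-timeout and --max-rtt-timeout impose. Defaults and event
sequences are constructed for the example, not taken from Nmap."""


class RttTimeout:
    def __init__(self, initial_ms=1000.0, min_ms=100.0, max_ms=10000.0):
        if not 0 < min_ms <= max_ms:
            raise ValueError("need 0 < min_ms <= max_ms")
        self.min_ms, self.max_ms = min_ms, max_ms
        self.srtt = None      # smoothed round-trip time
        self.rttvar = None    # smoothed RTT deviation
        self.timeout_ms = self._clamp(initial_ms)

    def _clamp(self, value):
        """Apply the --min-rtt-timeout floor and --max-rtt-timeout ceiling."""
        return max(self.min_ms, min(self.max_ms, value))

    def observe(self, rtt_ms):
        """A probe was answered after rtt_ms: update the estimate and the timeout."""
        if self.srtt is None:                       # first sample seeds both terms
            self.srtt, self.rttvar = rtt_ms, rtt_ms / 2
        else:                                       # RFC 6298 weights: 1/8 and 1/4
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt_ms)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt_ms
        self.timeout_ms = self._clamp(self.srtt + 4 * self.rttvar)
        return self.timeout_ms

    def dropped(self):
        """No answer before the timeout: back off, up to the ceiling.
        (TCP-style doubling; Nmap's own retry policy is governed by --max-retries.)"""
        self.timeout_ms = self._clamp(self.timeout_ms * 2)
        return self.timeout_ms


def replay(events, min_ms=100.0, max_ms=10000.0):
    """Feed a constructed sequence of ("rtt", ms) / ("drop",) events and return
    the timeout in effect after each one."""
    est = RttTimeout(min_ms=min_ms, max_ms=max_ms)
    return [est.observe(ev[1]) if ev[0] == "rtt" else est.dropped() for ev in events]


def scenarios():
    """Three constructed situations from the text, each as a list of timeouts."""
    return {
        # Quiet LAN: 2 ms replies would give a 6 ms timeout; the floor holds it at 100 ms.
        "lan_floor":   replay([("rtt", 2.0)] * 3),
        # Lossy WAN: a 200 ms reply, two drops that double the timeout, then a reply.
        "lossy_wan":   replay([("rtt", 200.0), ("drop",), ("drop",), ("rtt", 250.0)]),
        # Forcing a larger floor with --min-rtt-timeout 2000ms on the same first reply.
        "forced_floor": replay([("rtt", 200.0)], min_ms=2000.0),
        # Repeated drops hit the --max-rtt-timeout ceiling and stay there.
        "ceiling":     replay([("drop",)] * 5),
    }


if __name__ == "__main__":
    for name, timeouts in scenarios().items():
        print(f"{name:<13} {[round(t, 2) for t in timeouts]}")
```

The lossy_wan sequence is the point of --min-rtt-timeout: two unanswered probes push the timeout from 600 ms to 2400 ms, and a single 250 ms reply afterwards pulls it straight back down to about 556 ms, so on a network that drops packets intermittently the estimate keeps collapsing and a floor set by hand is what stops late replies being counted as no reply.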