Network Security: iptables, Nmap, Snort & Crypto Reference

Posted on Apr 27, 2025 in Computers

Midterm 1 Review

  1. Find problems with the following rules and correct them:

    • a) iptables -A -S 192.168.0.0/16 -j DROP

      Correction: The rule is syntactically incorrect. -S is used to list rules, not specify a source. Assuming the intent was to block traffic *from* the source network, it should be: iptables -A INPUT -s 192.168.0.0/16 -j DROP (or specify the correct chain like FORWARD/OUTPUT).

    • b) nmap -sS -f -mtu -p 80 192.168.56.103

      Correction: The --mtu option requires a value (a multiple of 8). Example correction: nmap -sS -f --mtu 8 -p 80 192.168.56.103.

    • c) iptables -A INPUT -p icmpecho-request -j DROP

      Correction: The protocol type icmpecho-request is invalid. Use -p icmp --icmp-type echo-request. Correct rule: iptables -A INPUT -p icmp --icmp-type echo-request -j DROP.

    • d) iptables -A INPUT --s 213.10.10.13 --d 192.168.1.4 -p tcp --dport 21

      Correction: Options need single dashes (-s, -d), and a target action (like -j DROP) is missing. Correct rule: iptables -A INPUT -s 213.10.10.13 -d 192.168.1.4 -p tcp --dport 21 -j DROP.

    • e) SCAPY Command: p1=TCP(flags='S')/IP(dst="192.168.56.103",src="192.168.56.101")

      Correction: The order is wrong in Scapy; the lower layer (IP) should come first. Correct command: p1=IP(dst="192.168.56.103",src="192.168.56.101")/TCP(flags='S').

  2. Configure your own iptables firewall according to this setup:

    • a) Create a user-defined chain called ‘ICMP’.

      Command: iptables -N ICMP

    • b) Add a rule to your ‘INPUT’ chain to have all ICMP traffic ‘jump’ to your newly created ‘ICMP’ chain.

      Command: iptables -A INPUT -p icmp -j ICMP

    • c) Add a rule to your ‘ICMP’ chain that denies ICMP traffic from 157.32.23.12.

      Command: iptables -A ICMP -s 157.32.23.12 -j DROP

    • d) Add a rule to your ‘ICMP’ chain to rate limit the number of ICMP packets coming from anywhere else to 30 packets per minute.

      Commands:

      iptables -A ICMP -m limit --limit 30/minute -j ACCEPT
      iptables -A ICMP -j DROP

  3. What are ingress filtering and egress filtering? Why used?

    Ingress filtering: Filters traffic entering a network. It typically checks if incoming packets have source IP addresses that are valid for the network they are coming from, preventing spoofed packets from entering.

    Egress filtering: Filters traffic leaving a network. It typically checks if outgoing packets have source IP addresses that belong to the internal network, preventing internal users from launching spoofed attacks.

    Purpose: Both are used to enhance network security by controlling traffic flow at network boundaries and preventing various types of attacks, including IP spoofing and DoS.

  4. What are the design goals for a firewall?

    Firewall design goals include:

    • Accuracy: Enforce the security policy correctly, blocking unauthorized traffic while allowing legitimate traffic.
    • Dependability/Reliability: Operate continuously without failure.
    • Efficiency/Performance: Handle network traffic without introducing significant latency or becoming a bottleneck.
    • Cost-effectiveness: Provide adequate security within budget constraints.
    • Manageability: Easy to configure, monitor, and update.

    Can you use iptables for traffic monitoring like an IDS/sniffer?

    Yes, iptables can be used for basic traffic monitoring, although it’s not a full replacement for a dedicated IDS or sniffer. This can be done using the LOG target. Rules can be created to log specific types of packets that match certain criteria (e.g., suspected malicious traffic). The logged information typically includes packet headers and can be sent to the system log (syslog) for analysis.

    Example: iptables -A INPUT -s 1.2.3.4 -j LOG --log-prefix "Suspicious traffic from 1.2.3.4: "

  5. What is a Decoy scan? Why is it used? Write an nmap command.

    A Decoy scan is an Nmap technique where scan packets are sent seemingly from other IP addresses (decoys) in addition to the attacker’s real IP address. The target system sees scan attempts from multiple sources.

    Purpose: It’s used to obfuscate the true source of the scan, making it harder for the target system’s administrator to determine the actual attacker’s IP address among the decoys. It can also overwhelm logging systems.

    Nmap Command Example: nmap -sS -D 192.168.56.1,192.168.56.2,ME 192.168.56.104 (Here, ME represents the attacker’s real IP, or it can be omitted and placed randomly).

  6. Define DoS attack. Explain node sampling in IP Traceback.

    A Denial of Service (DoS) attack aims to make a machine or network resource unavailable to its intended users by overwhelming it with traffic or exploiting a vulnerability, thus exhausting its resources (like bandwidth, CPU, or memory).

    Node Sampling (for IP Traceback): This is a probabilistic packet marking technique used to trace the path of attack traffic back towards the source. Routers along the path probabilistically sample packets passing through them. When a packet is sampled, the router adds information (like its own IP address or parts of it) to the packet’s header or sends a separate message to a collector. By collecting enough marked packets at the victim’s end, the path taken by the attack traffic can be reconstructed by analyzing the router information embedded in the packets. The routers appearing most frequently in the samples likely form the attack path.

Midterm 2 Review

  1. What is a honeypot?

    A honeypot is a security resource (e.g., a system, network, or data) whose value lies in being probed, attacked, or compromised. It acts as a decoy to attract and trap attackers, diverting them from legitimate targets.

  2. What different services can a honeypot provide?

    Honeypots provide services such as:

    • Attack Detection: Identifying unauthorized access attempts or malicious activity.
    • Monitoring & Logging: Recording attacker methods, tools, and keystrokes.
    • Analysis: Understanding attack vectors, malware behavior, and attacker motives.
    • Threat Intelligence Gathering: Collecting information about new threats and vulnerabilities.
    • Deterrence/Deception: Misleading attackers and wasting their time and resources.

  3. Differences between stream cipher and block cipher?

    • Stream Cipher: Encrypts data one bit or byte at a time. It uses a keystream generated from the key, which is XORed with the plaintext. Typically faster and requires less memory than block ciphers. Examples: RC4, ChaCha20.
    • Block Cipher: Encrypts data in fixed-size blocks (e.g., 64 or 128 bits). The same key is used to encrypt each block. Modes of operation (like CBC, ECB, GCM) are needed to handle messages larger than one block. Examples: DES, AES.

  4. What is a meet-in-the-middle attack on Double-DES?

    A Meet-in-the-Middle (MitM) attack is a cryptographic attack that tries to break a composition of two functions (like Double DES encryption) more efficiently than a brute-force attack. For Double DES (Encrypt-Encrypt with keys K1, K2), the attacker encrypts a known plaintext (P) with all possible K1 values and stores the intermediate results (C1 = E(K1, P)). Simultaneously, they decrypt the corresponding ciphertext (C) with all possible K2 values (P1 = D(K2, C)). They look for a match where C1 equals P1. If a match is found, the pair (K1, K2) is likely the correct key pair. This reduces the complexity from 2^(56+56) = 2^112 (brute force) to roughly 2*2^56 = 2^57 operations, making Double DES vulnerable.

  5. What is the mechanism of Triple-DES (3DES)?

    Triple DES (3DES) applies the Data Encryption Standard (DES) algorithm three times to each data block. Common variants are:

    • EDE with 3 keys (Keying Option 1): Encrypt(K1) -> Decrypt(K2) -> Encrypt(K3). Uses three independent 56-bit keys (total 168 bits). Most secure variant.
    • EDE with 2 keys (Keying Option 2): Encrypt(K1) -> Decrypt(K2) -> Encrypt(K1). Uses two keys (K1 and K2), where K3=K1 (total 112 bits).

    The Encrypt-Decrypt-Encrypt (EDE) sequence is used specifically to provide backward compatibility with single DES (if K1=K2=K3) and to defend against the meet-in-the-middle attack that weakens Double DES.

  6. Write Snort rules for the following cases:

    • (a) Alert on TCP packets from a client to a web server (port 80) containing “serverattack” or “rootattack” in the payload.

      Rule: alert tcp any any -> any 80 (msg:"Server or Root Attack Detected"; content:"serverattack"; nocase; sid:1000001; rev:1;)
      alert tcp any any -> any 80 (msg:"Server or Root Attack Detected"; content:"rootattack"; nocase; sid:1000002; rev:1;)
      (Alternatively, using pcre):
      alert tcp any any -> any 80 (msg:"Server or Root Attack Detected"; pcre:"/serverattack|rootattack/i"; sid:1000003; rev:1;)

      Note: Using specific client/server IPs/variables ($HOME_NET, $EXTERNAL_NET) is recommended over ‘any any’.

    • (b) Alert on a worm targeting TCP port 8008 or UDP port 4004, containing the signature 03 0E FE CC A0 followed by “PASS” within the first 50 bytes.

      Rules:

      alert tcp any any -> any 8008 (msg:"Worm Attack Detected"; content:"|03 0e fe cc a0|PASS"; depth:50; sid:1000004; rev:1;)
      alert udp any any -> any 4004 (msg:"Worm Attack Detected"; content:"|03 0e fe cc a0|PASS"; depth:50; sid:1000005; rev:1;)

      Note: Corrected UDP port to 4004 as per description. `offset` checks *at* that position, `depth` checks *within* the first N bytes.

  7. Router/Firewall Rule: Redirect traffic from attacker (192.168.56.102) destined for Assets (192.168.140.101) to DMZ machine (192.168.22.139).

    iptables Command (on the router/firewall):

    iptables -t nat -A PREROUTING -s 192.168.56.102 -d 192.168.140.101 -j DNAT --to-destination 192.168.22.139

  8. Where should Intrusion Detection Systems (IDS) be placed? Why?

    Effective IDS placement depends on monitoring goals, but common locations include:

    • Behind the Firewall (Inside the Network): Monitors traffic that has already passed firewall filters. Useful for detecting attacks that bypass the firewall or originate internally. Can see traffic destined for internal servers.
    • In the DMZ (Demilitarized Zone): Monitors traffic to and from publicly accessible servers (web, email), a common target area.
    • Between Firewall and Internet Router (Outside): Monitors all traffic attempting to enter the network, including attacks blocked by the firewall. Can generate many alerts.
    • On Critical Subnets or Hosts (Host-based IDS): Monitors activity specific to important servers or network segments.

    Justification for placing *within* the firewall (or just behind it): This placement allows the IDS to analyze traffic that the firewall has permitted, focusing on potentially malicious activity targeting internal resources. It reduces noise from attacks already blocked by the firewall and provides visibility into threats that have penetrated the first line of defense.

  9. Why is the Diffie-Hellman algorithm used?

    The Diffie-Hellman (DH) algorithm is used for key exchange. Its primary purpose is to allow two parties, who have not previously met, to securely establish a shared secret key over an insecure communication channel (like the internet). This shared secret key can then be used with a symmetric encryption algorithm (like AES) to encrypt subsequent communications between them, ensuring confidentiality.

Quiz 1 Review

  1. Major difference between Direct DoS and Reflector DoS attack?

    Direct DoS: The attacker sends attack traffic directly from their system(s) to the victim.

    Reflector DoS: The attacker spoofs the victim’s IP address and sends requests to legitimate third-party servers (reflectors, e.g., DNS, NTP servers). These servers then send responses (often amplified) to the victim’s spoofed IP address, overwhelming the victim. The attacker’s IP is hidden.

  2. Which command checks TCP states to see if a machine is under DoS?

    Answer: b) netstat -n (or netstat -an). This command shows network connections, listening ports, Ethernet statistics, the IP routing table, IPv4 statistics (for IP, ICMP, TCP, and UDP protocols), IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols), and network adapter statistics. A large number of connections in states like SYN_RECV can indicate a SYN flood DoS attack.

  3. Major difference between Ingress and Egress filtering?

    Ingress Filtering: Checks incoming traffic (entering the network), often verifying source IP addresses to prevent spoofing from outside.

    Egress Filtering: Checks outgoing traffic (leaving the network), often verifying source IP addresses to ensure they belong to the internal network, preventing internal users from launching spoofed attacks.

  4. How will an unfiltered open port react to direct/stealth scan?

    Direct Port Scan (e.g., TCP Connect Scan – nmap -sT): An unfiltered open port will complete the TCP three-way handshake. The scanner sends SYN, the target responds with SYN/ACK, and the scanner completes with ACK.

    Stealth Port Scan (e.g., TCP SYN Scan – nmap -sS): An unfiltered open port will respond with a SYN/ACK packet to the scanner’s initial SYN packet. The scanner then sends an RST packet instead of an ACK to tear down the connection before it’s fully established, making it ‘stealthier’.

    (Note: The original answer ‘Stealth port, no response’ is incorrect for an open port during a SYN scan. No response typically indicates a filtered port. A FIN scan might get no response on an open port.)

  5. A computer receiving a SYN packet responds with ___ if port closed?

    Answer: b) RST (Reset). If a TCP port is closed, the receiving system typically responds with a TCP packet having the RST flag set.

Quiz 2 Review

  1. Craft a Scapy SYN packet: 192.168.56.101:50001 -> 192.168.56.103:80

    Scapy Command: IP(src="192.168.56.101", dst="192.168.56.103")/TCP(sport=50001, dport=80, flags='S')

    (Note: Corrected destination IP and source/destination ports based on question.)

  2. Craft Scapy stealth scan packet: 192.168.56.101:50001 -> 192.168.56.103:25. Expected reply if port 25 is open?

    Scapy Command (assuming SYN scan for stealth): IP(src="192.168.56.101", dst="192.168.56.103")/TCP(sport=50001, dport=25, flags='S')

    Expected Reply (if port 25 is open): A TCP packet with SYN/ACK flags set, originating from 192.168.56.103:25 and destined for 192.168.56.101:50001.

    (Note: The original answer mentioned flags=’f’ which is likely a typo for ‘F’ (FIN scan). A FIN scan to an open port typically yields no response. A SYN scan is the most common ‘stealth’ scan.)

  3. Ideally, where should a firewall be placed for an organization?

    Answer: Typically, a primary network firewall is placed at the network perimeter, between the internal network (e.g., internal switch) and the external network (e.g., gateway router connected to the internet). It can also be placed to segment internal networks.

  4. Write iptables rule to drop all ICMP traffic but allow TCP traffic.

    iptables Commands (applied to INPUT chain):

    iptables -A INPUT -p icmp -j DROP
    iptables -A INPUT -p tcp -j ACCEPT

    Note: This assumes a default policy that might block TCP otherwise, or that other rules might exist. Order can matter depending on the full ruleset. Allowing all TCP might be too permissive; specific ports are usually allowed.

Quiz 3 Review

  1. Difference between Snort actions: alert, log, pass?

    alert: Generates an alert notification (using the method configured in snort.conf) and then logs the packet.

    log: Logs the packet information to the configured log file(s) without generating an explicit alert.

    pass: Ignores the packet. The packet will not be checked against subsequent rules (unless specific flow configurations apply).

  2. Write Snort rule: alert ICMP from any to 102.168.10.1:23?

    Snort Rule: alert icmp any any -> 102.168.10.1 any (msg:"ICMP to port 23 detected"; icmp_id:0; icmp_seq:0; sid:1000006; rev:1;)

    Note: ICMP doesn’t use ports like TCP/UDP. The original rule specified port 23, which is invalid for ICMP. The rule above alerts on any ICMP traffic to that IP. If the intent was related to Telnet (port 23) somehow involving ICMP, the rule needs clarification. Added basic ICMP fields for completeness.

  3. Write Snort rule: alert if “password” detected in payload?

    Snort Rule: alert ip any any -> any any (msg:"Password detected in payload"; content:"password"; nocase; sid:1000007; rev:1;)

    Note: Changed protocol to ‘ip’ to check any packet type, or could use ‘tcp’/’udp’ if specific protocols are targeted. Added ‘nocase’ for case-insensitivity.

  4. What is wrong with the following Snort rules?

    • alert udp any 80 <> any any (msg:”UDP Attack!”;)
      Errors:
      • Port 80 specified on the source side (‘any 80’), which might be unusual for UDP unless it’s a specific protocol.
      • Directional operator <> means bidirectional traffic matching.
      • Missing sid (Signature ID) and rev (Revision number) options, which are mandatory.
    • alert tcp any 53 -> any any (msg:”No Attack!;);
      Errors:
      • Missing closing quotation mark for the message string. Should be msg:"No Attack!";.
      • Missing sid and rev options.
    • alert tcp any any <> 192.168.56.101 (nocase;)
      Errors:
      • Missing port specification for the IP address 192.168.56.101. Should be 192.168.56.101 any or a specific port.
      • Missing msg option.
      • Missing sid and rev options.
      • nocase option usually applies to content matching, not meaningful here without content.

Quiz 4 Review

  1. Difference between private key and public key cryptography?

    Private Key Cryptography (Symmetric): Uses a single, shared secret key for both encryption and decryption. Faster but requires a secure method to exchange the key. Examples: DES, AES, RC4.

    Public Key Cryptography (Asymmetric): Uses a pair of keys: a public key (shared openly) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. Used for encryption, digital signatures, and key exchange. Slower than symmetric. Examples: RSA, ECC, Diffie-Hellman.

  2. Difference between confidentiality and integrity in CIA model?

    Confidentiality: Ensures that information is not disclosed to unauthorized individuals, entities, or processes. Achieved primarily through encryption.

    Integrity: Ensures that data has not been altered or tampered with in an unauthorized manner. Achieved using hashing algorithms and message authentication codes (MACs).

  3. Key size and rounds in DES?

    Key Size: DES uses a 64-bit key block, but 8 bits are parity bits, so the effective key size is 56 bits.

    Rounds: DES performs 16 rounds of substitution and permutation operations.

  4. Possible key sizes in AES?

    AES supports key sizes of 128 bits, 192 bits, and 256 bits.

  5. Checking the URL provides no info about website security?

    Answer: False. While not foolproof, checking the URL provides important clues:

    • HTTPS: Indicates the connection is encrypted (confidentiality, basic integrity).
    • Domain Name: Helps verify if you are on the legitimate site and not a phishing lookalike.
    • Certificate Details: Clicking the lock icon shows certificate information, including the owner, which helps verify identity (authentication).

  6. What is 3’s multiplicative inverse in Z9 (modulo 9)?

    Answer: The multiplicative inverse of 3 modulo 9 does not exist. An inverse exists if and only if the number (3) and the modulus (9) are relatively prime (their greatest common divisor is 1). Since gcd(3, 9) = 3, there is no integer x such that (3 * x) mod 9 = 1.

Quiz 5 Review

  1. Why is MAC used in cryptography?

    Answer: A Message Authentication Code (MAC) is used to provide integrity (verifying data hasn’t been altered) and authenticity (verifying the message originated from the expected sender who possesses the shared secret key).

  2. Digital signatures provide ability to?

    Answer: Digital signatures provide:

    • Integrity: Ensure the message hasn’t been tampered with.
    • Authenticity: Verify the sender’s identity.
    • Non-repudiation: Prevent the sender from denying they sent the message.

    They can be verified by third parties using the sender’s public key.

  3. Alice signs a message. To sign, Alice will use:

    Answer: Alice’s private key. To create a digital signature, the sender encrypts a hash of the message (or the message itself in some schemes) using their own private key.

  4. Which statement is true? (KDC vs CA)

    Answer: Key Distribution Center (KDC) methodology uses a symmetric key approach (like Kerberos, where the KDC shares secrets with principals), while a Certification Authority (CA) uses an asymmetric key approach (CAs issue digital certificates binding public keys to identities).

  5. Correct difference between MD5 and HMAC?

    Answer: MD5 is a hash function, primarily providing integrity checks but is cryptographically broken for collision resistance and not recommended for security. HMAC (Hash-based Message Authentication Code) is a mechanism for calculating a MAC using a hash function (like SHA-256) and a secret key. HMAC provides message authentication (integrity and authenticity) and is cryptographic; MD5 alone does not provide authentication and is considered insecure for many cryptographic purposes.

    (Note: The original answer ‘MD5 is non-cryptographic’ is slightly inaccurate; it’s a cryptographic hash function, just a broken one. The key difference is HMAC uses a secret key for authentication.)

  6. Which statement is true? (AH vs ESP)

    Answer: In IPSec, AH (Authentication Header) provides integrity and authentication for the IP packet, but not confidentiality (encryption). ESP (Encapsulating Security Payload) provides confidentiality (encryption) and can optionally provide integrity and authentication.

    (Note: Corrected original answer ‘AH provides integrity only’ – it also provides authentication).

  7. Correct difference between IPSec transport and tunnel mode?

    Answer: Transport mode encrypts and/or authenticates only the payload of the IP packet; the original IP header remains intact (with possible modifications). It’s typically used for host-to-host communication. Tunnel mode encrypts and/or authenticates the entire original IP packet (header and payload) and then encapsulates it within a new IP packet with a new IP header. It’s typically used for site-to-site VPNs (gateway-to-gateway) or remote access VPNs (host-to-gateway).

  8. In IPSec, IKE phase 1, the 6 message handshake order?

    Answer: IKEv1 Main Mode (6 messages) involves three two-message exchanges: 1. Security Association (SA) parameter negotiation (agreeing on algorithms), 2. Diffie-Hellman key exchange (generating shared secrets), and 3. Mutual authentication (verifying identities, often using pre-shared keys or certificates).

Class Review Highlights

  • Check for DoS Attack TCP States: Use netstat -n (or netstat -an) to view connection states. A high number of SYN_RECV states can indicate a SYN flood.
  • Response to SYN on Closed Port: A TCP RST (Reset) packet.
  • KDC vs CA: KDC uses symmetric keys; CA uses asymmetric keys (PKI).
  • IPSec Transport vs Tunnel Mode: Transport mode protects the payload; Tunnel mode protects the entire original IP packet by encapsulating it.
  • Risk Calculation: Risk often involves likelihood, impact/value, existing controls, and uncertainty. (Risk = Likelihood * Value – % Controlled + Uncertainty)
  • Basic Crypto: Symmetric vs Asymmetric:
    • Symmetric: Single shared key (e.g., DES, AES). Faster. Key exchange is a challenge.
    • Asymmetric: Key pair (public/private) (e.g., RSA, ECC). Slower. Simplifies key distribution, used for signatures.
  • Diffie-Hellman Key Exchange:
    1. Alice and Bob agree on public parameters: prime P and generator g.
    2. Alice chooses private ‘a’, computes A = g^a mod P, sends A to Bob.
    3. Bob chooses private ‘b’, computes B = g^b mod P, sends B to Alice.
    4. Alice computes shared secret: S = B^a mod P.
    5. Bob computes shared secret: S = A^b mod P.
    6. Both arrive at the same secret S = g^(ab) mod P.
  • DDoS Reflector Attack: Attacker spoofs victim’s IP, sends requests to legitimate servers (reflectors), reflectors send responses to the victim, overwhelming them. Hides attacker’s IP.
  • Cryptographic Assurances (CIA+):
    • Confidentiality: Secrecy (Encryption – DES, AES).
    • Integrity: Data unaltered (Hashing – SHA, MD5; MACs – HMAC).
    • Availability: Service accessible.
    • Authenticity: Proof of origin (MACs, Digital Signatures).
    • Non-repudiation: Cannot deny action (Digital Signatures).
  • Assurances Provided:
    • DES: Confidentiality only.
    • Hash (e.g., SHA-256): Integrity only.
    • Digital Signature (Hash + Asymmetric Encryption): Integrity, Authenticity, Non-repudiation.
  • PKI (Public Key Infrastructure): Framework to manage public keys and digital certificates. Binds identities to public keys. Used in BGP (e.g., RPKI) for route origin validation (binding IP prefixes to AS numbers).
  • Public Key Crypto Scenario (Alice -> Router -> Bob):

    Let Kx = Private Key of X, Ux = Public Key of X. Message = m.

    • a) Alice sends to Router (Confidentiality for Router, Auth/Non-repudiation from Alice): Ur[Ka[m]] (Encrypt with Router’s Public Key, Sign with Alice’s Private Key)
    • b) Router ensures: Decrypts outer layer with Kr (Router’s Private Key), Verifies signature with Ua (Alice’s Public Key).
    • c) Router sends to Bob (Confidentiality for Bob, Auth/Non-repudiation from Router): Ub[Kr[m']] (Encrypt with Bob’s Public Key, Sign with Router’s Private Key, where m’ might be the original m or transformed data)
    • d) Bob retrieves: Decrypts outer layer with Kb (Bob’s Private Key), Verifies signature with Ur (Router’s Public Key).

    (Note: The original notation was complex and ambiguous; the above provides a standard interpretation. Ensuring non-repudiation often involves signing a hash of the message.)

Nmap Command Examples

Basic Scans

  • nmap -sT 192.168.56.103 : TCP Connect Scan (Full handshake)
  • nmap -sS 192.168.56.103 : TCP SYN Scan (Stealth Scan)
  • nmap -sU 192.168.56.103 : UDP Scan
  • nmap -sN -p 80 192.168.56.103 : TCP Null Scan
  • nmap -sF -p 80 192.168.56.103 : TCP FIN Scan
  • nmap -sX -p 80 192.168.56.103 : TCP Xmas Scan
  • nmap -sA -p 80 192.168.56.103 : TCP ACK Scan (Used for firewall rule testing)

Port Specification

  • nmap -sT -p 80 192.168.56.103 : Scan specific port 80
  • nmap -sT -p 80-82 192.168.56.103 : Scan port range 80 through 82
  • nmap -sT -p 80,81,82 192.168.56.103 : Scan ports 80, 81, and 82
  • nmap -sT -p T:80,U:53,80-100 192.168.56.103 : Scan TCP port 80, UDP port 53, TCP ports 80-100

Timing and Performance

  • nmap -T0 -p 80 192.168.56.103 : Paranoid timing (very slow)
  • nmap -T1 -p 80 192.168.56.103 : Sneaky timing
  • nmap -T2 -p 80 192.168.56.103 : Polite timing
  • nmap -T3 -p 80 192.168.56.103 : Normal timing (default)
  • nmap -T4 -p 80 192.168.56.103 : Aggressive timing
  • nmap -T5 -p 80 192.168.56.103 : Insane timing (very fast)
  • nmap -sT -p 80-82 --scan-delay 5s 192.168.56.103 : Wait 5 seconds between probes
  • nmap -sT -p 80-82 --max-rate 0.1 192.168.56.103 : Send max 1 packet every 10 seconds

Firewall/IDS Evasion

  • nmap -sS -f -p 80 192.168.56.103 : Fragment packets (default MTU)
  • nmap -sS --mtu 8 -p 80 192.168.56.103 : Fragment packets with specific MTU (multiple of 8)
  • nmap -sS -D RND:3,192.168.56.1,ME 192.168.56.103 : Decoy scan with 3 random IPs, one specific IP, and your real IP (ME)

Output Formats

  • nmap -sT -p 80 192.168.56.103 -oN output.txt : Normal output
  • nmap -sT -p 80 192.168.56.103 -oX output.xml : XML output
  • nmap -sT -p 80 192.168.56.103 -oG output.grep : Grepable output
  • nmap -sT -p 80 192.168.56.103 -oA output_all : Output in all major formats (N, X, G)
  • nmap -sT -p 80 192.168.56.103 -oN output.txt --append-output : Append to normal output file