Training Curriculum for NMAP

by: Mark Lachniet (mark@lachniet.com) 1/27/2004

The following Tasks have been defined.

NMAP Curriculum (version 3.5)

http://www.insecure.org/nmap/data/nmap_manpage.html

General Items

1. Understand what an ICMP ping is (icmp_echo, icmp_echo_reply)

2. Perform an ICMP ping sweep with nmap (-sP, -PE)

3. Understand advanced ICMP sweep features including "ICMP Timestamp Request" and "ICMP Netmask Request" (-PP, -PM)

4. Understand the TCP 3-way handshake and TCP port scanning (-sT)

5. Understand how to perform a "TCP Ping" with ACK or SYN flags and how to specify the ports to ping (-PT [portlist], -PS [portlist])

6. Understand why you would specify a particular source port such as UDP/53 or TCP/20 for your scans (to slip past filters that trust DNS or FTP-data traffic), and how to set it in NMAP (-g <portnumber>)

7. Understand why you would not want to randomize the port sequence of a scan, and how to configure it in NMAP (-r)

8. Configure NMAP to scan random IP addresses (-iR <num hosts>)

9. Understand UDP messages and ICMP responses such as "ICMP Port Unreachable" and "ICMP Host Unreachable"

10. Understand why firewalls may give unreliable UDP scan results (a UDP port is reported closed only when an ICMP Port Unreachable comes back, so a firewall that drops ICMP makes closed ports look the same as open ones)

11. Perform a UDP scan (-sU)

12. Understand how Version Scans work (http://www.insecure.org/nmap/versionscan.html)

13. Perform scanning with version fingerprinting (-sV, -A)

14. Understand and run a TCP SYN Scan (-sS)

15. Understand how non-standard packet header (Stealth FIN, Xmas, or Null) scans work, and why you would want them (-sF, -sX, -sN)

16. Understand and use RPC scanning features (-sR)

17. Understand and use IDENT scanning features (-I)

18. Understand how OS fingerprinting works, and how to enable it (-O)

19. Understand how to specify port ranges and port lists at the command line (-p)

20. Understand how to customize the nmap-services file and use it to limit a scan to the ports it lists (-F)

21. Understand how ICMP blocking affects NMAP, how to turn off ping sweeps prior to a port scan, and how this can affect scan speed on large networks (-P0)

22. Understand how source IP decoys work, and why you would want them (-D <decoy1,decoy2,...>)

23. Understand the difference between IP v4 and v6 networks and how to force NMAP to scan IPv6 targets (-6)

24. Understand the various timing schemes, how they affect scan speed, the effect they may have on the target host, and how to configure this setting (-T <setting>)

25. Understand how DNS works, how forward and reverse DNS resolution work, and how to enable or disable this behavior in NMAP (-n / -R)

26. Understand the different NMAP logging options, and how to select them (-oN, -oX, -oG, -oA)

27. Understand how to select a source interface and IP address in multi-homed machines (-S, -e)

28. Understand how to specify a target IP address, DNS name, subnet or range at the command line

29. Understand how IDS evasion techniques such as packet fragmentation work and how to configure a NMAP scan to use them (-f)

30. Understand how to use NMAP to generate a list of target IP addresses for inclusion in a target text file (-sL), how to create a list of target IP addresses or DNS names in a file, and how to use that file to specify targets (-iL <inputfile>)

31. Understand how an idle scan works (http://www.insecure.org/nmap/idlescan.html) and how to perform it (-sI host[:probeport])

32. Understand what an FTP bounce scan is, and how to configure it (-b <ftp relay host>)

33. Understand how to pass FTP server credentials to a FTP bounce scan

34. Understand why you would want to pad scan packets with random data, how it will affect scan time, and how to configure NMAP to do this (--data_length <number>)

35. Understand NMAP output, including different port states (open, closed, filtered) and how these states are derived (RST response, etc.)
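Items 9-11, 14-15 and 35 above all come down to one table: which probe was sent and what, if anything, came back. The following is an added example written for this page (not code from the nmap project or from the curriculum author) that encodes the response-to-state rules documented in the nmap manual for SYN, connect, FIN/Xmas/Null and UDP scans, and then models the item 10 problem: a target whose firewall drops ICMP. The Response and port_state names, and the simulated target, are this example's own. The curriculum lists three states; nmap also reports the ambiguous "no reply" cases as open|filtered, which is what makes UDP and FIN-style results behind a filter unreliable.

```python
"""Added example: the rules nmap uses to turn a probe response into a port state.

Not code from the nmap project or from the curriculum author; the rules are the
ones in the nmap manual, the Response/port_state names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP destination-unreachable (type 3) codes nmap reports as "filtered":
# host, net, port (1, 2, 3), net/host admin prohibited (9, 10), admin prohibited (13).
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """What (if anything) came back for a single probe."""
    kind: str                       # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""             # e.g. "SA" (SYN/ACK), "R" or "RA" (RST)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_RESPONSE = Response("none")


def _icmp_filtered(resp: Response) -> bool:
    return (resp.kind == "icmp" and resp.icmp_type == 3
            and resp.icmp_code in ICMP_UNREACH_FILTERED)


def port_state(scan: str, resp: Response) -> str:
    """Map a response to the state nmap reports for the given scan type.

    scan is the nmap option without the dash: sS, sT, sF, sX, sN or sU.
    """
    rst = resp.kind == "tcp" and "R" in resp.tcp_flags

    if scan in ("sS", "sT"):
        # SYN/ACK means a listener; RST means nothing listening; silence or an
        # ICMP unreachable means a filter (or packet loss) got in the way.
        if resp.kind == "tcp" and "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open"
        if rst:
            return "closed"
        return "filtered"

    if scan in ("sF", "sX", "sN"):
        # RFC 793: a closed port answers an out-of-state segment with RST and an
        # open port stays silent, so silence is ambiguous.  Stacks that answer
        # every such probe with RST (Windows among them) make every port look closed.
        if rst:
            return "closed"
        if _icmp_filtered(resp):
            return "filtered"
        return "open|filtered"

    if scan == "sU":
        if resp.kind == "udp":
            return "open"                    # the service actually answered
        if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code == 3:
            return "closed"                  # ICMP Port Unreachable
        if _icmp_filtered(resp):
            return "filtered"
        return "open|filtered"               # no reply: open, or the ICMP was dropped

    raise ValueError(f"unsupported scan type {scan!r}")


def simulate_udp_scan(true_states: Dict[int, str], firewall_drops_icmp: bool) -> Dict[int, str]:
    """Constructed model of a target behind a firewall (item 10).

    Closed UDP ports answer with ICMP Port Unreachable; open ports whose service
    ignores an empty datagram stay silent.  Once the firewall drops the ICMP,
    nmap sees silence for both and cannot tell them apart.
    """
    reported = {}
    for port, actual in sorted(true_states.items()):
        if actual == "closed" and not firewall_drops_icmp:
            resp = Response("icmp", icmp_type=3, icmp_code=3)
        else:
            resp = NO_RESPONSE
        reported[port] = port_state("sU", resp)
    return reported


if __name__ == "__main__":
    target = {53: "open", 54: "closed", 161: "open"}
    print("ICMP allowed:", simulate_udp_scan(target, firewall_drops_icmp=False))
    print("ICMP dropped:", simulate_udp_scan(target, firewall_drops_icmp=True))
```

The second print in the simulation is the point of item 10: every port comes back open|filtered, so a UDP scan through an ICMP-dropping firewall tells you almost nothing until you add version probes (-sV, item 13) that make the real services answer.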

External Interfaces

36. Understand how vulnerability assessment tools (e.g. Nessus) use NMAP for discovery

37. Understand how to compare multiple NMAP scans by hand or using available scripts and utilities
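Item 37 is easiest to do against the grepable output from item 26: -oG writes one tab-separated "Host:" line per host, with each port as port/state/protocol/owner/service/rpcinfo/version/. The following is an added example for this page, not a script shipped with nmap, that parses two such files and reports which open ports appeared or disappeared per host. The two scan texts are constructed inline (with a header line that only mimics what nmap writes); the function names are this example's own.

```python
"""Added example: comparing two nmap grepable (-oG) scans for changed open ports.

Written for this page, not a script from the nmap project.  SCAN_1 and SCAN_2
are constructed samples in the -oG layout (tab-separated "Name: value" fields).
"""
from typing import Dict, List, Set, Tuple

PortKey = Tuple[int, str]                 # (port number, protocol)
HostPorts = Dict[PortKey, str]            # port -> state
ScanResult = Dict[str, HostPorts]         # ip -> ports

# Constructed output of two runs such as:  nmap -sS -oG scan1.gnmap 192.168.1.0/29
SCAN_1 = """\
# Nmap scan initiated as: nmap -sS -oG scan1.gnmap 192.168.1.0/29
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.11 ()\tPorts: 25/open/tcp//smtp///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap run completed
"""

SCAN_2 = """\
# Nmap scan initiated as: nmap -sS -oG scan2.gnmap 192.168.1.0/29
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (998)
Host: 192.168.1.11 ()\tPorts: 25/open/tcp//smtp///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap run completed
"""


def parse_gnmap(text: str) -> ScanResult:
    """Return {ip: {(port, proto): state}} for every Host line in -oG output."""
    hosts: ScanResult = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and blank lines
        fields = {}
        for field in line.split("\t"):
            name, _, value = field.partition(": ")
            fields[name] = value
        ip = fields["Host"].split()[0]                 # "ip (hostname)" -> ip
        ports = hosts.setdefault(ip, {})               # a Status-only line still registers the host
        for entry in fields.get("Ports", "").split(", "):
            if entry:
                num, state, proto = entry.split("/")[:3]
                ports[(int(num), proto)] = state
    return hosts


def open_ports(ports: HostPorts) -> Set[PortKey]:
    return {key for key, state in ports.items() if state == "open"}


def diff_scans(old: ScanResult, new: ScanResult) -> Dict[str, Tuple[List[PortKey], List[PortKey]]]:
    """For each host whose set of open ports changed: (newly open, no longer open).

    A host present in only one scan is compared against an empty port set, so a
    machine that went away shows all of its former open ports as closed.
    """
    changes = {}
    for ip in sorted(set(old) | set(new)):
        before = open_ports(old.get(ip, {}))
        after = open_ports(new.get(ip, {}))
        if before != after:
            changes[ip] = (sorted(after - before), sorted(before - after))
    return changes


def format_changes(changes: Dict[str, Tuple[List[PortKey], List[PortKey]]]) -> List[str]:
    """One line per change, '+' for newly open and '-' for no longer open."""
    lines = []
    for ip, (opened, closed) in changes.items():
        lines.extend(f"{ip} + {port}/{proto}" for port, proto in opened)
        lines.extend(f"{ip} - {port}/{proto}" for port, proto in closed)
    return lines


if __name__ == "__main__":
    for line in format_changes(diff_scans(parse_gnmap(SCAN_1), parse_gnmap(SCAN_2))):
        print(line)
```

Only the open state is compared, so a port that stays filtered in both scans (445/tcp on 192.168.1.11 above) produces no noise; widen open_ports if you also want to track filtered-to-closed transitions, which usually mean a firewall rule changed rather than a service.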

Windows Items

38. Use the "regedt32 nmap_performance.reg" fix for better TCP scanning

39. Use the --win_norawsock switch if you have trouble in Windows 2000

40. Understand Windows-specific options, and when and why they might be used (especially --win_list_interfaces, --win_nopcap)