The following Tasks have been defined.
NMAP Curriculum (version 3.5)
http://www.insecure.org/nmap/data/nmap_manpage.html
General Items
1. Understand what an ICMP ping is (icmp_echo, icmp_echo_reply)
2. Perform an ICMP ping sweep with nmap (-sP, -PE)
3. Understand advanced ICMP sweep features including "ICMP Timestamp Request" and "ICMP Netmask Request" (-PP, -PM)
4. Understand the TCP 3-way handshake and TCP port scanning (-sT)
5. Understand how to perform a "TCP Ping" with ACK or SYN flags and specify specific ports to ping (-PT)
6. Understand why you would specify a specific source port such as UDP/53 or TCP/20 for your scans, and how to use these with NMAP (-g)
7. Understand why you would not want to randomize the port sequence of a scan, and how to configure it in NMAP (-r)
8. Configure NMAP to scan random IP addresses (-iR)
9. Understand UDP messages and ICMP responses such as "ICMP Port Unreachable" and "ICMP Host Unreachable"
10. Understand why firewalls may give unreliable UDP scan results (by blocking ICMP messages, so that no response and a filtered port look alike)
11. Perform a UDP scan (-sU)
12. Understand how Version Scans work (http://www.insecure.org/nmap/versionscan.html)
13. Perform scanning with version fingerprinting (-sV, -A)
14. Understand and run a TCP SYN Scan (-sS)
15. Understand how non-standard packet header (Stealth FIN, Xmas, or Null) scans work, and why you would want them (-sF, -sX, -sN)
16. Understand and use RPC scanning features (-sR)
17. Understand and use IDENT scanning features (-I)
18. Understand how OS fingerprinting works, and how to enable it (-O)
19. Understand how to specify specific port ranges and sequences at the command line (-p)
20. Understand how to customize a services file and use it to specify port ranges (-F)
21. Understand how ICMP blocking affects NMAP, how to turn off ping sweeps prior to a port scan, and how this can affect scan speed on large networks (-P0)
22. Understand how source IP decoys work, and why you would want them (-D decoy_ip)
23. Understand the difference between IPv4 and IPv6 networks and how to force NMAP to scan IPv6 targets (-6)
24. Understand the various timing schemes, how they affect scan speed, the effect they may have on the target host, and how to configure this setting (-T setting)
25. Understand how DNS works, how forward and reverse DNS resolution work, and how to enable or disable this behavior in NMAP (-n / -R)
26. Understand the different NMAP logging options, and how to select them (-oN, -oX, -oG, -oA)
27. Understand how to select a source interface and IP address on multi-homed machines (-S, -e)
28. Understand how to specify a target IP address, DNS name, subnet or range at the command line
29. Understand how IDS evasion techniques such as packet fragmentation work and how to configure a NMAP scan to use them (-f)
30. Understand how to use NMAP to generate a list of target IP addresses for inclusion in a target text file (-sL)
31. Understand how to create a list of target IP addresses or DNS names in a file, and use this file to specify targets. Understand what an Idle scan is (http://www.insecure.org/nmap/idlescan.html) and how to perform it (-sI host[:probeport])
32. Understand what an FTP bounce scan is, and how to configure it (-b)
33. Understand how to pass FTP server credentials to an FTP bounce scan
34. Understand why you would want to pad scan packets with random data, how it will affect scan time, and how to configure NMAP to do this (--data_length)
35. Understand NMAP output, including the different port states (open, closed, filtered) and how these states are derived (SYN/ACK response, RST response, no response or ICMP unreachable, etc.)
External Interfaces
36. Understand how vulnerability assessment tools (e.g. Nessus) use NMAP
for discovery
37. Understand how to compare multiple NMAP scans by hand or using
available scripts and utilities
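The following is an added worked example for items 26, 35 and 37 (grepable output, port states, and comparing scans); it is not part of the curriculum or of the Nmap project. It parses two logs written with -oG and reports every port whose state changed between them. The two logs are constructed sample text in the -oG line format, not real scan output, and the hostnames and addresses are invented. The point a hand comparison usually misses is handled explicitly: a port that is not listed on a Host: line is in that host's "Ignored State" (the most common state, which nmap folds away), and a host with no Host: line at all was never port-scanned (it did not answer the ping sweep, see item 21), which is not the same as "all ports closed".

```python
"""Compare two Nmap grepable (-oG) logs and report per-port state changes.

Added example for this curriculum (items 26, 35 and 37); it is not part of
the Nmap project. SCAN_BEFORE and SCAN_AFTER are constructed sample logs in
the -oG line format, not real scan output.
"""
from typing import Dict, List, Tuple

PortKey = Tuple[str, int, str]                      # (host, port, protocol)
Scan = Tuple[Dict[PortKey, str], Dict[str, str]]    # (listed port states, per-host ignored state)

# Constructed sample: baseline scan. Each Host: line carries tab-separated
# "Field: value" pairs; the Ports field lists
# port/state/proto/owner/service/rpcinfo/version/ entries separated by ", ".
SCAN_BEFORE = (
    "# Nmap 3.50 scan initiated Mon Mar  1 10:00:00 2004 as: nmap -sS -oG before.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.2 (db.example.test)\tPorts: 23/filtered/tcp//telnet///, 3306/open/tcp//mysql///\tIgnored State: closed (998)\n"
    "# Nmap run completed at Mon Mar  1 10:00:09 2004 -- 8 IP addresses (2 hosts up) scanned in 9.2 seconds\n"
)

# Constructed sample: the same range a day later. 10.0.0.2 no longer answers
# the ping sweep (so it has no Host: line), 80/tcp on the gateway is now
# closed (and therefore folded into the ignored state instead of being
# listed), 8080/tcp opened, and a new host 10.0.0.3 appeared.
SCAN_AFTER = (
    "# Nmap 3.50 scan initiated Tue Mar  2 10:00:00 2004 as: nmap -sS -oG after.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.3 (new.example.test)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n"
    "# Nmap run completed at Tue Mar  2 10:00:08 2004 -- 8 IP addresses (2 hosts up) scanned in 8.7 seconds\n"
)


def parse_gnmap(text: str) -> Scan:
    """Parse -oG text into ({(host, port, proto): state}, {host: ignored_state}).

    Ports in the "Ignored State" (the most common state for that host, usually
    closed or filtered) are not listed individually, so a port absent from
    the Ports field is in that state rather than unknown.
    """
    states: Dict[PortKey, str] = {}
    ignored: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                 # '#' lines hold run metadata only
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]             # drop the "(hostname)" part
        ignored[host] = fields.get("Ignored State", "unknown").split()[0]
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            port, state, proto = entry.split("/")[:3]
            states[(host, int(port), proto)] = state
    return states, ignored


def state_of(scan: Scan, key: PortKey) -> str:
    """State of one port, resolving unlisted ports to the host's ignored state
    and hosts missing from the log to "absent" (down or dropped at the ping
    sweep; with -P0 they would have been port-scanned anyway)."""
    states, ignored = scan
    if key in states:
        return states[key]
    return ignored.get(key[0], "absent")


def diff_scans(before: Scan, after: Scan) -> List[Tuple[str, int, str, str, str]]:
    """Return (host, port, proto, old_state, new_state) for every port whose
    state differs between the two scans, sorted by host then port."""
    changes = []
    for key in sorted(set(before[0]) | set(after[0])):
        old, new = state_of(before, key), state_of(after, key)
        if old != new:
            changes.append(key + (old, new))
    return changes


if __name__ == "__main__":
    for host, port, proto, old, new in diff_scans(parse_gnmap(SCAN_BEFORE), parse_gnmap(SCAN_AFTER)):
        print(f"{host}:{port}/{proto}  {old} -> {new}")
```

Run against the two samples this reports 80/tcp on 10.0.0.1 as open -> closed even though the second log never mentions port 80, 8080/tcp as closed -> open, both listed ports on 10.0.0.2 as ending in "absent" rather than "closed", and 445/tcp on 10.0.0.3 as newly open. Real logs can be fed in by reading before.gnmap and after.gnmap instead of the constants; -oG chosen here because its one-line-per-host layout is what makes this kind of diffing cheap, whereas -oX would call for an XML parser.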
Windows Items
38. Use the nmap_performance.reg registry fix (imported with regedt32) for better TCP scanning
39. Use the --win_norawsock switch if you have trouble on Windows 2000
40. Understand Windows-specific options, and when and why they might be used (especially --win_list_interfaces, --win_nopcap)