1. Which Nmap option performs a TCP SYN or half-open scan?
A SYN scan sends a SYN and classifies the port from the reply (SYN/ACK means open, RST means closed, no reply or an ICMP unreachable means filtered) without completing the handshake; Nmap answers a SYN/ACK with a RST. It is fast and common for discovery. It needs raw-socket privileges, so run it as root.
sudo nmap -sS 10.10.10.0/24
Ethical hacking · Question Set
Scanning & Enumeration interview questions for placements and exams.
Questions: 15 · Subject: Ethical hacking · Difficulty: Mixed
Use smaller port sets and slower timing. Run host discovery first, then targeted version checks on only the hosts that answered. Stick to safe NSE categories. Throttle concurrency with --max-rate. Split scans by subnet and time window. Correlate with passive data to skip low-value hosts. Host lists go in with -iL; a bare filename on the command line is treated as a hostname.
nmap -sn 10.10.10.0/24
sudo nmap -sS -p 22,80,443 -sV -T2 --max-rate 50 -iL selective_hosts.txt
The -sV flag sends probes to the detected ports and matches the responses against Nmap's service fingerprints to identify product and version. It confirms which real service is behind a port rather than assuming from the port number.
sudo nmap -sS -sV -p 22,80,443 target
The -O flag (capital letter O) turns on OS detection. Nmap sends crafted TCP, UDP and ICMP probes and matches the responses against its OS fingerprint database. It needs root, and results are most reliable when the target has at least one open and one closed TCP port.
sudo nmap -O 10.10.10.10
NSE (Nmap Scripting Engine) runs Lua scripts to automate discovery, enumeration, and some vulnerability checks. Scripts are modular and can be selected by name, by category, or by a boolean expression over categories. Note that many scripts in the vuln category are also tagged intrusive, so it is not a safe category.
nmap --script=vuln -p80,443 target
Scripts tagged safe are designed not to crash services, flood bandwidth, or exploit vulnerabilities. The intrusive, brute, exploit and dos categories carry more risk and need explicit approval. The default category run by -sC is not the same as safe; some default scripts are intrusive.
nmap --script "safe" target
Timing templates range from -T0 (paranoid) to -T5 (insane). -T4 speeds up scans by shortening timeouts and raising parallelism, but it can trigger IDS/IPS controls and drop results on rate-limited links. Use slower templates on fragile networks.
sudo nmap -sS -T4 10.10.10.0/24
-Pn skips host discovery (the ping probes) and treats every address as up. It is useful when ICMP and the other discovery probes are filtered, but Nmap then port-scans every address in the range, which is slow on large blocks.
nmap -Pn -p 80,443 203.0.113.0/24
Many services (SMTP, SSH, FTP) present a banner as soon as you connect, so a quick netcat or telnet session reveals product names and version hints. HTTP does not speak first; you must send a request line and a blank line to get its headers back.
nc -v target 25
printf 'GET / HTTP/1.0\r\n\r\n' | nc -v target 80
Scripts like smb-enum-shares and smb-enum-users query SMB services for share lists and account information. They only return data when the server permits anonymous (null-session) access or you supply credentials with --script-args smbusername=USER,smbpassword=PASS.
nmap -p445 --script smb-enum-shares,smb-enum-users target
Scan only high-value UDP ports first, such as 53 (DNS), 123 (NTP) and 161 (SNMP). Use sudo, since -sU needs raw sockets to send proper probes. Increase parallelism gradually. Combine with service checks such as snmpwalk or dig to verify what Nmap reports. Accept that many results will be filtered or open|filtered. The option for UDP is --defeat-icmp-ratelimit (--defeat-rst-ratelimit applies to TCP scans); it trades accuracy for speed, and ports that never answer are then reported as closed|filtered rather than open|filtered.
sudo nmap -sU --top-ports 30 --defeat-icmp-ratelimit --max-retries 2 target
Fetch headers and titles, detect the technology stack, and crawl a little. Probe for robots.txt and common paths. Note redirects and status codes. Then run focused scripts or tools, but only if they are in scope and approved.
httpx -l hosts.txt -title -status-code -tech-detect
curl -I https://site
nikto -h https://site (only if approved)
Group by exposure and risk. First, authentication surfaces like SSH, RDP, VPN, and web admin panels. Then legacy or risky services like SMBv1, Telnet, FTP, and outdated SSL/TLS. Check business-critical hosts next. Always validate with version detection and one piece of proof, such as a captured banner.
sudo nmap -sV -p 21,22,80,139,445,3389 --script banner target
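The two answers above describe a workflow but not the plumbing between its steps: discovery output has to become the -iL list for the targeted scan, and the targeted scan's output has to be sorted into the exposure groups. The script below is an added example, not part of the Preplance set, that does both by parsing Nmap's grepable (-oG) output. It runs offline on constructed -oG samples embedded in the script; the host addresses, the versions, and the port-to-tier mapping are this example's assumptions, with the tiers following the grouping in the answer above.

```shell
#!/bin/sh
# Added example, not part of the Preplance set: the two-stage workflow from
# the answers above (host discovery, then a targeted scan of live hosts only)
# and the exposure-based triage of the results. Both functions parse Nmap
# grepable output (-oG), so the script runs offline on the constructed
# samples below; feed it real -oG files once a scan is approved.
set -eu

# Constructed sample of `nmap -sn -oG - 10.10.10.0/24`. Real files separate
# the fields with tabs; the parsers below accept tabs or spaces.
SAMPLE_DISCOVERY='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 () Status: Up
Host: 10.10.10.7 () Status: Up
Host: 10.10.10.9 () Status: Down
Host: 10.10.10.12 () Status: Up
# Nmap done'

# Constructed sample of the stage-two `-sS -sV -oG` scan of those hosts.
# Each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_PORTS='Host: 10.10.10.5 () Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3389/filtered/tcp//ms-wbt-server/// Ignored State: closed (997)
Host: 10.10.10.7 () Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/
Host: 10.10.10.12 () Ports: 443/open/tcp//ssl|http//Apache httpd 2.4.57/'

# Stage 1: one live IP per line, suitable for `nmap -iL`.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Stage 2: one line per open port, "tier ip port service version", where
# tier 1 = auth surface, 2 = legacy or risky service, 3 = everything else.
# The port-to-tier mapping is this example's assumption; extend it locally.
triage_ports() {
  awk '
    function tier(port, svc,    p) {
      p = port + 0
      if (p == 22 || p == 3389 || p == 1194 || svc ~ /vpn|admin/) return 1
      if (p == 21 || p == 23 || p == 139 || p == 445) return 2
      return 3
    }
    /^Host:/ && /Ports:/ {
      ip = $2
      sub(/.*Ports: /, "")                 # keep only the port list
      sub(/[ \t]+Ignored State:.*/, "")    # drop the trailing summary
      n = split($0, entry, /, /)
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] != "open") continue      # skip filtered and closed ports
        ver = (f[7] == "") ? "unknown" : f[7]
        print tier(f[1], f[5]), ip, f[1], f[5], ver
      }
    }' | LC_ALL=C sort -k1,1n -k2,2 -k3,3n
}

# Live pipeline (not run here; -sS needs root):
#   nmap -sn -oG - 10.10.10.0/24 | live_hosts > live.txt
#   sudo nmap -sS -sV -p 22,80,443 -T2 --max-rate 50 -iL live.txt -oG stage2.gnmap
#   triage_ports < stage2.gnmap

printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts
printf '%s\n' "$SAMPLE_PORTS" | triage_ports
```

On the sample data the down host 10.10.10.9 never reaches stage two, the filtered 3389 on 10.10.10.5 is dropped from the triage list, and the SSH service sorts to the top as the only tier-1 finding, followed by the FTP, Telnet and SMB exposures on 10.10.10.7. Nmap writes a "/" inside service names as "|" (hence ssl|http) so the slash-separated entries stay parseable.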
UDP services often do not answer a probe they do not understand, and Nmap can only infer a closed port from an ICMP port unreachable reply, which many hosts rate limit (Linux sends at most about one per second). The scan therefore relies on timeouts and retries, which stretches the duration considerably.
sudo nmap -sU --top-ports 50 10.10.10.10
Use an approved target list and time window. Start with conservative timing like -T2 or -T3. Limit ports and protocols first, then expand if the network stays stable. Monitor with the system owner and stop on any alert. Pass the target list with -iL and cap per-host time so a single slow host cannot stall the run.
sudo nmap -sS -T2 --top-ports 100 --max-retries 2 --host-timeout 30m -iL targets.txt