Nmap Trivia (http://isc.sans.org/diary.html?storyid=5566)
Name: Jason DePriest
1. What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?
The top 1000 ports that appeared in a huge multi-million IP scan of the Internet.
You can manually specify individual ports using -pT:1-1024,U:135,161 or whatever ports you care about.
You can tell nmap how many of the top ports you want it to scan using --top-ports X where X is the number of top ports from the list you want nmap to scan. You can also tell it to scan a certain percentage of ports from the list using --port-ratio X where X is the port ratio. I have never used --port-ratio, so I don't know exactly how it works. There is also a "fast mode" scan using -F that just scans the top 100, but I haven't used that either. I usually specify how many ports I want using --top-ports.
To force nmap to scan all ports you can use -pT:-,U:- to scan all 65535 TCP and 65535 UDP ports. You can explicitly specify them with -pT:1-65535,U:1-65535, but that is too much like work.
Also, you can try creating your own nmap-services file, which I have never done. The defaults have always been good enough.
I used to prefer to run scans with -pT:-,U:[-] which will hit all 65535 TCP ports and only the UDP ports that show up as "well known" to nmap. I haven't been doing this since the --top-ports came along. I haven't figured out how to use this feature to scan the top 3000 TCP ports but only the top 500 UDP ports.
2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
You can try creating your own nmap-services file and using --servicedb, which I have never done. The defaults have always been good enough.
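An added example, not from the diary or from the nmap project: a small POSIX shell script that ranks ports the way --top-ports does, by the frequency column of nmap-services, but separately per protocol, so you can build one -p argument with, say, the top 3000 TCP ports and only the top 500 UDP ports (the open question in item 1), or drive a -p list from your own nmap-services file (item 2). The nmap-services excerpt is constructed and its frequencies are illustrative; point SERVICES at the real file (for example /usr/share/nmap/nmap-services) to use actual data. The function names top_ports and port_spec are this example's own.

```shell
#!/bin/sh
# Added example (not from the ISC diary or from Nmap). Ranks ports per protocol by
# the frequency column of an nmap-services file, the data --top-ports draws on, and
# emits a -p specification with a different cutoff for TCP and UDP.
# Function names top_ports and port_spec are this example's own.

# Constructed nmap-services excerpt: service-name, port/proto, open-frequency.
# Fields are whitespace separated; the frequencies are illustrative, not the
# values found in the real file.
SERVICES=$(mktemp)
trap 'rm -f "$SERVICES"' EXIT
cat > "$SERVICES" <<'EOF'
# Fields: service-name  port/proto  open-frequency  [# comment]
http        80/tcp    0.48    # World Wide Web HTTP
telnet      23/tcp    0.22
https       443/tcp   0.21
ftp         21/tcp    0.20
ssh         22/tcp    0.18
snmp        161/udp   0.43
netbios-ns  137/udp   0.37
ntp         123/udp   0.33
domain      53/udp    0.21
EOF

# top_ports FILE PROTO N: the N most frequently open ports for PROTO (tcp|udp),
# most frequent first, comma separated.
top_ports() {
    file=$1 proto=$2 n=$3
    # keep "frequency port" for the wanted protocol, skipping comment lines
    awk -v p="$proto" '
        $1 !~ /^#/ && $2 ~ ("/" p "$") { split($2, a, "/"); print $3, a[1] }
    ' "$file" \
    | sort -rn \
    | head -n "$n" \
    | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $2 }'
}

# port_spec FILE NTCP NUDP: a -p argument covering the top NTCP TCP ports and the
# top NUDP UDP ports, e.g. "T:80,23,443,U:161,137".
port_spec() {
    printf 'T:%s,U:%s\n' "$(top_ports "$1" tcp "$2")" "$(top_ports "$1" udp "$3")"
}

# Usage with the real file would be:  nmap -sSU -p "$(port_spec /usr/share/nmap/nmap-services 3000 500)" target
# Here only the constructed excerpt is ranked; nmap itself is not run.
port_spec "$SERVICES" 3 2
```

Against the constructed excerpt the last line prints T:80,23,443,U:161,137. Because the ranking is done outside nmap, the same -p string can be reused with a custom nmap-services file or trimmed by hand to the 200 ports that matter to you.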
3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it from the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?
"If an open port is reached, most services simply ignore the empty packet and fail to return any response. This is why the default probe port is 31338, which is highly unlikely to be in use."
You could run wireshark or tshark or tcpdump and run an nmap -PU. An easier way is to just use --packet-trace like this:
$ nmap -PU --packet-trace 10.x.x.5
Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-29 17:18 Ame
SENT (0.4070s) UDP 10.x.x.16:49632 > 10.x.x.5:31338 ttl=51 id=27105 iplen=28
SENT (1.4220s) UDP 10.x.x.16:49633 > 10.x.x.5:31338 ttl=41 id=28944 iplen=28
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.45 seconds
4. When nmap is run, sometimes it is difficult to know what is going on the backstage. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra detailed information?
-vv is usually good enough. You can also just hit enter (runtime interaction) and nmap will give you some stats on its current state. You can interactively turn up / down verbosity and debugging using runtime interaction. Sometimes hitting enter doesn't work for me, such as when I am running nmap from a shell script instead of directly.
You can specify verbosity two times -vv and add in super debugging up to 9 like this -d9. Then you can turn on --packet-trace to see what packets are being sent and --script-trace to debug your NSE scripts. Be prepared to get motion sickness from the scrolling.
5. What are the preferred (nmap) options to run a stealthy TCP port scan? Particularly, try to avoid detection from someone running a sniffer near the person running nmap and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan are not detected)?
I don't know exactly what you are asking, but the "half-open" is nmap -sS. It SYNs but doesn't SYN/ACK. You can slow it down with -T timing options and add decoys with -D to further hide yourself.
6. Why is port number 49152 relevant to nmap?
I really don't know. Google tells me this: "As you know, public IP addresses are controlled by world-wide registrars, and are unique globally. Port numbers are not so controlled, but over the decades certain ports have become standard for certain services. The port numbers are unique only within a computer system. Port numbers are 16-bit unsigned numbers. The port numbers are divided into three ranges: the Well Known Ports (0..1023), the Registered Ports (1024..49151), and the Dynamic and/or Private Ports (49152..65535)."
Which implies that it is the first Registered port.
I can't find mention of this port in the Nmap mailing list archives or in the source code.
7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?
The ACK scan. You use this one to determine if a firewall is filtering ports and which ones it is filtering. The reply from the port will be different (probably) if the actual host RSTs you or if the firewall blocks you.
I would imagine you can use a SYN scan or a connect scan to find out if the unfiltered ports are open or closed.
8. When (and in what nmap version) was the default state for a non-responsive UDP port changed in nmap (from "open" to "open|filtered")? Why?
Nmap 3.70 [2004-8-31]
False positives and OMG I HAVE TEH BACK ORIFICE! caused this change. Version detection can fix an open|filtered to an open port or drop it off the output if it still gets nothing.
9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?
SYN scan is the default if you have root, but connect is the default if you are just a user. You have to be root to use raw sockets! Also, it can't do IPv6 with raw sockets (yet), either.
10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?
IPv6 scanning uses the OS TCP/IP stack. Also, as has previously been mentioned, TCP connect scans use the OS.
Anything else can use raw packets if you are root.
11. Nmap's performance has been sometimes criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results?
-T5 --max-retries 0 would tell nmap to run "insanely" fast and if it doesn't get an expected reply, carry on anyway. Notably, these settings were used in a battle royale between Unicornscan, nmap, and Port Bunny (http://www.computerdefense.org/2008/01/13/port-scanner-challenge-nmap-unicornscan-portbunny/). Nmap won.
12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?
A TCP connect scan won't work with decoys since your system actually completes the three-way handshake. I didn't know until I just looked it up that version detection also doesn't work with decoys. It makes sense since you are sending a wide array of specially crafted packets and you need to see the results of the connection attempt to determine version.
13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org?
--version-trace and --script-trace should be good enough with maybe a -vv; you could add in -d9 --packet-trace if you are masochistic.
14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?
udp/53 -- UDP scans take longer and nobody wants to accidentally crash a DNS server; also, a poorly configured firewall or IDS/IPS is more likely to let traffic pass without too much inspection.
If the nmapper knows that there is no good reason for DNS to be on a particular system, he could force nmap to run every signature against the port with --version-all.
15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?
NSE is written in Lua. Wireshark also uses Lua. You can also do World of Warcraft customization with Lua, but I imagine that isn't what you were looking for.
16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?
For Windows, this seemed to work:
findstr /i categories "\Program Files\Nmap\scripts\*.nse" | findstr /i discovery
For Linux, this did the same:
grep -i categories /usr/share/nmap/scripts/*.nse | grep -i discovery
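An added example, not from the diary or from the nmap project: the two chained greps above match "categories" and "discovery" anywhere on the same line, so a script whose description line happens to contain both words is listed even though it is not in the category. The POSIX shell script below instead anchors on each script's "categories = {...}" line and matches the category as a quoted token, and it also tallies how many scripts carry each category. The scripts directory is a constructed stand-in for /usr/share/nmap/scripts with three minimal files; the function names nse_in_category and nse_category_counts are this example's own.

```shell
#!/bin/sh
# Added example (not from the ISC diary or from Nmap). Lists the NSE scripts that
# belong to a category by matching it as a quoted token on the script's
# "categories = {...}" line, so a mention of the word elsewhere in the file does
# not count. Function names nse_in_category and nse_category_counts are this
# example's own.

# Constructed stand-in for /usr/share/nmap/scripts: three minimal scripts. The
# third one mentions both "categories" and "discovery" in its description, which
# the loose two-grep approach would report as a false positive.
SCRIPT_DIR=$(mktemp -d)
trap 'rm -rf "$SCRIPT_DIR"' EXIT
cat > "$SCRIPT_DIR/whois.nse" <<'EOF'
description = [[Queries whois servers for the target's address block.]]
categories = {"discovery", "external", "safe"}
EOF
cat > "$SCRIPT_DIR/http-title.nse" <<'EOF'
description = [[Shows the title of the default page of a web server.]]
categories = {"default", "discovery", "safe"}
EOF
cat > "$SCRIPT_DIR/brute-example.nse" <<'EOF'
description = [[Guesses credentials; lists categories like discovery only in this text.]]
categories = {"brute", "intrusive"}
EOF

# nse_in_category DIR CATEGORY: file names of the scripts in DIR tagged with
# CATEGORY, one per line, sorted. Only the "categories = {...}" line is examined,
# and the category must appear as a complete quoted token.
nse_in_category() {
    dir=$1 category=$2
    grep -l "^[[:space:]]*categories[[:space:]]*=.*[\"']$category[\"']" "$dir"/*.nse 2>/dev/null \
        | sed 's#.*/##' \
        | sort
}

# nse_category_counts DIR: "<count> <category>" for every category used in DIR,
# sorted by category name, e.g. "2 discovery".
nse_category_counts() {
    grep -h "^[[:space:]]*categories[[:space:]]*=" "$1"/*.nse 2>/dev/null \
        | sed 's/^[^{]*{//; s/}.*//' \
        | tr -d "\"' " \
        | tr ',' '\n' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# What --script discovery would pick from the constructed directory.
nse_in_category "$SCRIPT_DIR" discovery
nse_category_counts "$SCRIPT_DIR"
```

On the constructed directory nse_in_category lists http-title.nse and whois.nse only; brute-example.nse is excluded despite containing both words. Replace SCRIPT_DIR with the real scripts directory to get the list for an installed nmap, or feed nse_category_counts to spot categories such as intrusive or brute that you may not want --script to run by default.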
17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?
I would check the NSE Documentation Portal. whois.nse is http://nmap.org/nsedoc/scripts/whois.html