Scanning with Nmap
Nmap: The Penetration Tester’s Essential Network Scanner
Nmap (Network Mapper) is a powerful, flexible, and widely-used open-source network scanner. It is the go-to tool for penetration testers, red teamers, and system administrators for discovering live hosts, open ports, running services, and potential vulnerabilities.
Why Nmap?
Efficiently scans single hosts or entire networks.
By default, scans the top 1,000 TCP ports.
Can scan UDP ports if specified.
Offers advanced features through the Nmap Scripting Engine (NSE).
Highly customizable via flags — worth memorizing the most useful ones.
Common Nmap Scan Examples
1. Basic Host Scans
Scan a single IP:
nmap 192.168.1.1
Scan an entire subnet:
nmap 192.168.1.0/24
Scan a range of IP addresses:
nmap 192.168.1.1-100
Scan a list of IPs from a file:
nmap -iL ip-list.txt
Enable verbose output:
nmap -v 192.168.1.1
2. Port Scanning
Scan specific ports:
nmap -p 22,80,443 192.168.1.1
Scan a range of ports:
nmap -p 1-1000 192.168.1.1
Scan all 65,535 ports (recommended for OSCP and thorough testing):
nmap -p- 192.168.1.1
3. UDP Scanning (requires root)
UDP scans are slower and less reliable but essential for discovering services like DNS, SNMP, and NTP:
sudo nmap -sU 192.168.1.1
4. Scan Without Ping
Use this if ping is blocked or ICMP is filtered:
nmap -Pn 192.168.1.1
This treats the host as online without sending a ping.
5. Output Scan Results to File
Save results in various formats:
nmap -oN scan.txt 192.168.1.1 # Normal output
nmap -oX scan.xml 192.168.1.1 # XML format
nmap -oG scan.grep 192.168.1.1 # Grepable format
nmap -oA full-scan 192.168.1.1 # All formats at once (writes full-scan.nmap, full-scan.xml, full-scan.gnmap)
6. Timing Templates
Adjust scan speed (T0 to T5):
nmap -T4 192.168.1.1
T4 is a good balance for speed and stealth. T5 is the fastest but more likely to miss responses or trigger alerts.
Advanced Nmap Techniques
Use NSE Scripts
Nmap comes with a powerful scripting engine. For example, to run vulnerability scripts:
nmap --script vuln 192.168.1.1
Run default scripts and detect service versions:
nmap -sC -sV 192.168.1.1
Use an aggressive scan (includes version detection, OS detection, traceroute, and default scripts):
nmap -A 192.168.1.1
Practicals
Command 1:
nmap -sV -sC -vvv 192.168.1.178
Explanation:
-sV
Enables service version detection. Nmap will try to determine what service is running on each open port (e.g., Apache 2.4.41, OpenSSH 8.2, etc.).
-sC
Runs default NSE scripts (from the Nmap Scripting Engine). These include basic checks like banner grabbing, SSL info, and known vulnerabilities.
-vvv
Increases verbosity level. This gives you much more detailed output during the scan, including real-time progress and intermediate results.
192.168.1.178
The target IP address being scanned.
Use Case:
This is a standard enumeration scan that gives detailed info about open ports, the services running on them, and basic script results — perfect for the early stages of penetration testing.
Command 2:
nmap -sV -sC -vvv 192.168.1.178 --script=vuln
Explanation:
This command includes everything from the first one, plus it adds a specific NSE script category:
--script=vuln
Runs vulnerability detection scripts from the NSE library. These scripts attempt to identify known vulnerabilities (e.g., CVEs) in detected services.
Use Case:
This scan builds on the previous one by actively checking for vulnerabilities, making it especially useful for quick vulnerability assessment after identifying open services.
⚠️ Keep in mind: running --script=vuln may take longer and can be noisy (it sends more packets and may trigger security systems).
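The two-stage workflow these sections build up to (a full -p- scan saved with -oG or -oA, then -sV -sC -vvv on exactly the ports it found) as an added example that is not part of the original page. The .gnmap content is constructed for the example (host, ports and service versions are made up, and fields are separated by spaces where real Nmap output uses tabs); nmap itself is not run here, the second-stage command is only printed.

```shell
#!/bin/sh
# Added example, not from the original page: turn the grepable output of a
# full "nmap -p-" scan into the "-p" list that a follow-up "nmap -sV -sC"
# scan expects. Sample data below is constructed; nothing here runs nmap.

# Write a constructed .gnmap file resembling what
#   nmap -oG scan.grep -p- 192.168.1.1
# produces. Fields are space-separated here (real output uses tabs);
# the parser splits on any whitespace, so both work.
write_sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -oG scan.grep -p- 192.168.1.1
Host: 192.168.1.1 ()   Status: Up
Host: 192.168.1.1 ()   Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///   Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
}

# Print the open TCP ports of one host from a .gnmap file as "22,80,443".
# Each "Ports:" entry has the layout port/state/protocol/owner/service/rpc/version/.
# Filtered or closed ports are skipped; an unknown host yields an empty line.
open_ports_from_gnmap() {
  awk -v host="$2" '
    $1 == "Host:" && $2 == host && /Ports:/ {
      sub(/.*Ports: /, "")
      sub(/Ignored State.*/, "")
      n = split($0, entry, ",")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        gsub(/^ +/, "", f[1])
        if (f[2] == "open" && f[3] == "tcp")
          list = (list == "" ? f[1] : list "," f[1])
      }
    }
    END { print list }
  ' "$1"
}

# Build the targeted second-stage command (the page's -sV -sC -vvv scan) for
# exactly the ports found, saving all output formats with -oA. Returns 1 when
# no open ports were recorded for the host. The scan is printed, not executed.
followup_command() {
  ports=$(open_ports_from_gnmap "$1" "$2")
  [ -n "$ports" ] || return 1
  printf 'nmap -sV -sC -vvv -p %s -oA targeted-%s %s\n' "$ports" "$2" "$2"
}

# Demo on the constructed sample.
sample="${TMPDIR:-/tmp}/sample-scan.$$.gnmap"
write_sample_gnmap "$sample"
echo "open ports: $(open_ports_from_gnmap "$sample" 192.168.1.1)"
followup_command "$sample" 192.168.1.1
rm -f "$sample"
```

Feeding only the discovered ports into the second scan keeps the slow -sV probes and NSE scripts focused, which is also why -p- is worth the wait up front: a service on an unusual port that the top-1,000 default would miss still ends up in the -sC -sV stage.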
Best Practices
Scan all targets early during assessments or exams like OSCP to prioritize vulnerable hosts.
Be aware: Nmap is noisy and easily detected by intrusion detection systems.
Combine Nmap with tools like Netcat and Masscan for full-spectrum enumeration.
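To make the "Nmap is noisy" point concrete from the defender's side, here is an added example, not from the original page, of the threshold rule an IDS or SIEM typically applies: it reads connection-log lines in an assumed "timestamp source destination dport" format and reports every source that touched more than a set number of distinct ports on one host. The log lines are constructed; the addresses and ports are made up.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal port-scan detector of
# the kind an IDS or SIEM rule implements. Log format "timestamp src dst dport"
# is an assumption; the sample lines are constructed.

# One legitimate client (192.168.1.20) touching two ports, one of them twice,
# and one scanner (192.168.1.50) sweeping 12 distinct ports on the same host.
write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-01T10:00:01 192.168.1.20 192.168.1.178 80
2024-01-01T10:00:02 192.168.1.20 192.168.1.178 443
2024-01-01T10:00:03 192.168.1.20 192.168.1.178 80
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 21
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 22
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 23
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 25
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 53
2024-01-01T10:00:05 192.168.1.50 192.168.1.178 80
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 110
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 139
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 143
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 443
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 445
2024-01-01T10:00:06 192.168.1.50 192.168.1.178 3389
EOF
}

# Print "src dst distinct_ports" for each (src, dst) pair whose distinct
# destination-port count exceeds the threshold ($2, default 10). Repeated hits
# on the same port count once, so a chatty but legitimate client is not
# flagged. Output is sorted so it is stable across awk implementations.
flag_port_scanners() {
  awk -v threshold="${2:-10}" '
    NF >= 4 {
      pair = $2 " " $3
      if (!((pair, $4) in seen)) { seen[pair, $4] = 1; ports[pair]++ }
    }
    END { for (p in ports) if (ports[p] > threshold) print p, ports[p] }
  ' "$1" | sort
}

# Demo on the constructed log.
log="${TMPDIR:-/tmp}/sample-conn.$$.log"
write_sample_log "$log"
echo "sources exceeding 10 distinct ports on one host:"
flag_port_scanners "$log" 10
rm -f "$log"
```

A default top-1,000 scan, let alone -p-, crosses a threshold like this within the first second, which is what "easily detected" means in practice; -T5 and --script=vuln only add more packets per second from the same source. Real rules add a time window and per-network baselines, but the distinct-ports-per-source count is the core signal.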