Scanning with Nmap

Nmap: The Penetration Tester’s Essential Network Scanner

Nmap (Network Mapper) is a powerful, flexible, and widely-used open-source network scanner. It is the go-to tool for penetration testers, red teamers, and system administrators for discovering live hosts, open ports, running services, and potential vulnerabilities.


Why Nmap?

  • Efficiently scans single hosts or entire networks.

  • By default, scans the 1,000 most commonly used TCP ports (not ports 1-1000), which leaves the remaining 64,535 ports unchecked unless you ask for them.

  • Scans UDP ports only when asked to (-sU); a default scan never touches UDP.

  • Offers advanced features through the Nmap Scripting Engine (NSE).

  • Highly customizable via flags — worth memorizing the most useful ones.


Common Nmap Scan Examples

1. Basic Host Scans

Scan a single IP:

nmap 192.168.1.1

Scan an entire subnet:

nmap 192.168.1.0/24

Scan a range of IP addresses:

nmap 192.168.1.1-100

Scan a list of IPs from a file:

nmap -iL ip-list.txt

Enable verbose output:

nmap -v 192.168.1.1

2. Port Scanning

Scan specific ports:

nmap -p 22,80,443 192.168.1.1

Scan a range of ports:

nmap -p 1-1000 192.168.1.1

Scan all 65,535 TCP ports (-p- is shorthand for -p 1-65535; recommended for the OSCP and any thorough assessment, because a service on a non-standard port is invisible to the default 1,000-port scan):

nmap -p- 192.168.1.1

3. UDP Scanning (requires root)

UDP scans are slower and less reliable than TCP scans, but they are essential for discovering services such as DNS (53), SNMP (161) and NTP (123) that a TCP scan cannot see. Raw packet crafting is required, hence sudo:

sudo nmap -sU 192.168.1.1

Two caveats. An open UDP port usually does not answer an empty probe, so Nmap reports it as open|filtered rather than open; and closed ports answer with ICMP port-unreachable messages that most operating systems rate-limit, which is what turns a full UDP sweep into a multi-hour job. In practice, restrict the scan to the common UDP ports (for example --top-ports 100) and add -sV so Nmap sends protocol-specific payloads that can elicit a reply and turn open|filtered into a confirmed open.

4. Scan Without Ping

Use this when ICMP is filtered or the host otherwise ignores Nmap's discovery probes (common for Windows hosts and for anything behind a firewall):

nmap -Pn 192.168.1.1

-Pn skips host discovery and treats every target as online, so the port scan runs even though the default discovery would have reported the host as "down" and skipped it. The trade-off on a large range is that every address gets port-scanned, including the unused ones, so the scan takes much longer.


5. Output Scan Results to File

Save results in various formats:

nmap -oN scan.txt 192.168.1.1     # Normal output (what you see on the terminal)
nmap -oX scan.xml 192.168.1.1     # XML format (for tooling; e.g. Metasploit's db_import)
nmap -oG scan.gnmap 192.168.1.1   # Grepable format (one line per host, easy to grep/awk)
nmap -oA full-scan 192.168.1.1    # All three at once: full-scan.nmap, full-scan.xml, full-scan.gnmap

6. Timing Templates

Adjust scan speed with a timing template from -T0 (paranoid) to -T5 (insane); -T3 (normal) is the default:

nmap -T4 192.168.1.1

  • T4 (aggressive) is the usual choice on a fast, reliable network such as a lab or an internal engagement. It shortens timeouts and parallelises more; it is faster, not stealthier.

  • T5 (insane) is the fastest but is more likely to drop responses and miss open ports, and the burst of traffic is more likely to trigger alerts.

  • T0-T2 slow the scan down (T0 waits minutes between probes) to stay under IDS rate thresholds, at the cost of scans that take hours or days.


Advanced Nmap Techniques

Use NSE Scripts

Nmap ships with a powerful scripting engine. Scripts are grouped into categories; to run every script in the vuln category (checks for specific known vulnerabilities in the detected services):

nmap --script vuln 192.168.1.1

Run default scripts and detect service versions:

nmap -sC -sV 192.168.1.1

Use an aggressive scan (-A enables version detection, OS detection, traceroute and the default scripts). OS detection and traceroute need raw sockets, and Nmap quits with an error if -A is run unprivileged, so use sudo:

sudo nmap -A 192.168.1.1

Practicals

Command 1:

nmap -sV -sC -vvv 192.168.1.178

Explanation:

-sV: Enables service version detection. Nmap probes each open port to determine what is actually running on it (e.g., Apache httpd 2.4.41, OpenSSH 8.2p1), which is what turns "80/tcp open http" into something you can look up.

-sC: Runs the default NSE script category (equivalent to --script=default). These are the scripts Nmap considers safe and useful for most scans, such as ssh-hostkey, http-title, ssl-cert and other banner-style information gathering. They are not the vulnerability checks; those belong to the vuln category.

-vvv: Increases verbosity. Nmap prints open ports as soon as it finds them, along with progress and timing information, instead of waiting until the scan is complete. It changes only what is printed, not what is scanned.

192.168.1.178: The target IP address being scanned.

Use Case:

This is a standard enumeration scan that gives detailed info about open ports, the services running on them, and basic script results — perfect for the early stages of penetration testing.


Command 2:

nmap -sV -sC -vvv 192.168.1.178 --script=vuln

Explanation:

This command includes everything from the first one and adds a specific NSE script category:

--script=vuln: Runs the scripts in the vuln category. Each one checks for a specific known vulnerability in the services that version detection identified (many are named after the CVE they test for) and reports VULNERABLE when the check succeeds. Note that -sC is shorthand for --script=default; if you want to be explicit that both the default and the vuln sets run, write --script=default,vuln.

Use Case:

This scan builds on the previous one by actively checking for vulnerabilities, making it useful for a quick vulnerability assessment once the open services are known. Treat a VULNERABLE result as a lead to verify, not as proof.

⚠️ Keep in mind: --script=vuln takes longer and is noisy (it sends many more packets and may trigger security systems), and some of its scripts are intrusive enough to crash fragile services, so only run it against hosts that are in scope.
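Putting the output formats from section 5 and the two enumeration commands above together, here is the two-phase workflow most testers actually use: a fast -p- sweep saved with -oA, then -sV -sC (and, if wanted, --script=vuln) only against the ports that came back open. This is an added example, not code from the original page or from the Nmap project. The .gnmap sample embedded in the script is constructed by hand so the parser can be exercised offline; the file prefixes full-<target> and targeted-<host> are arbitrary choices, and two_phase_scan only runs when a target is passed on the command line.

```shell
#!/bin/sh
# Two-phase enumeration helper (added example, not from the original page).
# Phase 1: nmap -p- -oA full-<target> <target>  -> every TCP port, results in all formats.
# Phase 2: parse the grepable (.gnmap) file and run -sV -sC only on the ports found open.

# Parse grepable output on stdin. Prints one line per host, "<ip> <port,port,...>",
# for ports in state "open" on the given protocol (default tcp). Entries that are
# open|filtered, closed or filtered are ignored. Real .gnmap files separate fields
# with tabs; the parser splits on any whitespace so a space-separated copy works too.
open_ports_by_host() {
    proto="${1:-tcp}"
    awk -v proto="$proto" '
        /^Host: / && /Ports: / {
            host = $2
            ports = ""
            n = split($0, fields, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                # A port entry looks like 22/open/tcp//ssh/// ("/"-separated fields).
                split(fields[i], f, "/")
                if (f[2] == "open" && f[3] == proto)
                    ports = (ports == "" ? f[1] : ports "," f[1])
            }
            if (ports != "") print host, ports
        }'
}

# Build the phase-2 command for one "<ip> <ports>" line produced above.
followup_cmd() {
    host="$1"; ports="$2"
    printf 'nmap -sV -sC -p %s -oA targeted-%s %s\n' "$ports" "$host" "$host"
}

# Full workflow against a live target. Requires nmap and network access; not run
# unless a target is passed as the first argument.
two_phase_scan() {
    target="$1"
    nmap -p- -T4 -oA "full-$target" "$target"
    open_ports_by_host tcp < "full-$target.gnmap" | while read -r host ports; do
        cmd=$(followup_cmd "$host" "$ports")
        echo "[*] $host open TCP ports: $ports"
        echo "[*] running: $cmd"
        $cmd   # word-split on purpose: ports and host only contain digits, dots and commas
    done
}

# Constructed sample of grepable output (not a real scan) so the parser runs offline.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p- -oA full-scan 192.168.1.178
Host: 192.168.1.178 ()  Status: Up
Host: 192.168.1.178 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///  Ignored State: closed (65530)
Host: 192.168.1.200 ()  Ports: 53/open|filtered/udp//domain///, 161/open/udp//snmp///  Ignored State: closed (998)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds'

printf '%s\n' "$SAMPLE_GNMAP" | open_ports_by_host tcp   # -> 192.168.1.178 22,80,445
printf '%s\n' "$SAMPLE_GNMAP" | open_ports_by_host udp   # -> 192.168.1.200 161

if [ $# -gt 0 ]; then
    two_phase_scan "$1"
fi
```

Note that 139/closed, 8080/filtered and 53/open|filtered are all dropped: only a confirmed open counts, so the phase-2 scan stays small and the UDP open|filtered ambiguity from section 3 does not leak into the TCP follow-up. Run it as `sh scan.sh 192.168.1.178` to scan a real host; with no argument it only demonstrates the parser on the embedded sample.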


Best Practices

  • Scan all targets early in an assessment (or an exam like the OSCP) and let the results drive prioritization: a quick -p- sweep of every host in scope, followed by targeted -sV -sC scans of the open ports, usually pays for itself.

  • Be aware: Nmap is noisy. A default scan sends thousands of probes within seconds, which intrusion detection systems flag easily; slower timing templates reduce the signature but do not remove it.

  • Combine Nmap with other tools: Masscan for very fast first-pass discovery across large ranges (then hand its open ports to Nmap for service detection), and Netcat for talking to a service by hand once Nmap has found it.
