Nmap

Overview

Nmap (Network Mapper) is a powerful, open-source network scanning tool used for network discovery, security auditing, and vulnerability detection. It's one of the most essential tools in a penetration tester or network administrator's toolkit. Nmap works by sending specially crafted packets to target hosts and analyzing the responses to determine hosts' availability, open ports, services running, versions, and operating systems.

Nmap supports powerful features such as scriptable interactions with the target (via NSE — Nmap Scripting Engine), stealth scanning, version detection, and more. It is widely used in both offensive (reconnaissance, enumeration) and defensive (network auditing, exposure assessment) contexts.

Features

Host Discovery: Identifies live hosts on a network.
Port Scanning: Detects open TCP/UDP ports on target systems.
Service Version Detection: Identifies versions of services running on ports.
OS Detection: Attempts to determine the target host’s operating system and hardware.
Scriptable Interactions (NSE): Automates tasks using the Nmap Scripting Engine (NSE).
Stealth Scanning: Includes options like SYN scan to avoid detection.
Flexible Output: Results can be output in plain text, XML, grepable, or JSON-like formats.

Website

Nmap Official Site

Installation

On Debian/Ubuntu:

bash

sudo apt update
sudo apt install nmap

On macOS (via Homebrew):

bash

brew install nmap

On Windows:

Download from the official download page.
Run the installer. It includes both the CLI and the GUI (Zenmap).

Basic Usage

Host Discovery (Ping Sweep)

bash

nmap -sn 192.168.1.0/24

Scans a subnet for live hosts without scanning ports.

Port Scanning (Default TCP)

bash

nmap 192.168.1.1

Scans 1000 most common TCP ports on the target.

Specific Ports

bash

nmap -p 22,80,443 192.168.1.1

Full TCP Port Scan

bash

nmap -p- 192.168.1.1

Service and Version Detection

bash

nmap -sV 192.168.1.1

Operating System Detection

bash

nmap -O 192.168.1.1

Combine Everything

bash

nmap -A 192.168.1.1

Enables OS detection, version detection, script scanning, and traceroute.

Aggressive Scan on a Subnet

bash

nmap -A 192.168.1.0/24

Nmap Scan Types

Scan Type	Command Flag	Description
TCP SYN Scan	`-sS`	Stealth scan, default for root
TCP Connect Scan	`-sT`	Full TCP connection
UDP Scan	`-sU`	Scans UDP ports
TCP FIN Scan	`-sF`	Bypasses some firewalls
NULL Scan	`-sN`	No flags set, evasion technique
Xmas Scan	`-sX`	FIN, URG, and PSH flags set
SCTP INIT Scan	`-sY`	SCTP INIT scan for SCTP ports

Nmap Scripting Engine (NSE)

Running Default Scripts

bash

nmap -sC 192.168.1.1

Running Specific Script

bash

nmap --script http-title 192.168.1.1

Running a Category of Scripts

bash

nmap --script vuln 192.168.1.1

Combine with Service Detection

bash

nmap -sV --script=vuln 192.168.1.1

Output Options

Output Format	Flag	Description
Normal	`-oN`	Human-readable output
XML	`-oX`	Useful for parsing
Grepable	`-oG`	Output in grep-friendly format
All formats	`-oA`	Output in all three major formats

Example:

bash

nmap -oA scan_results -sV 192.168.1.1

Real-World Usage Scenarios

Reconnaissance in Pentesting

Use Nmap to map a target’s open ports, services, and potential vulnerabilities prior to exploitation.

Firewall Evasion

bash

nmap -sS -Pn -D decoy1,decoy2,target 192.168.1.1

Uses decoys and disables host discovery to bypass firewalls and IDS.

Discover Vulnerable Services

bash

nmap --script vuln -sV 192.168.1.1

Identifies known vulnerabilities using NSE scripts.

Scan for Specific Protocols

bash

nmap -sU -p 161 192.168.1.0/24

Scans for SNMP (UDP 161) on a subnet.

Common NSE Script Categories

Category	Description
`auth`	Authentication bypass checks
`broadcast`	Network broadcast discovery
`brute`	Brute force logins
`default`	Default scripts for quick info
`discovery`	Host and service discovery
`exploit`	Known exploits
`external`	External services (e.g., WHOIS)
`malware`	Malware-related detection
`vuln`	Vulnerability detection

Best Practices

Use Stealth When Needed: Use -sS for stealthier scans if you're root.
Avoid Overly Noisy Scans: Avoid aggressive scans (-A) on sensitive networks unless authorized.
Use Timing Controls: Control scan speed using -T0 (paranoid) to -T5 (insane).
Whitelist Your IP When Testing: If scanning internal services, avoid blocking yourself.
Scan During Maintenance Windows: Avoid disruptions by scanning during off-peak hours if possible.
Always Document Findings: Use -oA for outputting scan results and store them in a report.

Combine with Other Tools

Masscan for high-speed scanning
Nikto and Dirb for web directories and vulnerabilities
Metasploit for exploitation based on Nmap findings
Shodan and Censys for confirming public exposure

Nmap

Overview

Features

Website

Installation

On Debian/Ubuntu:

On macOS (via Homebrew):

On Windows:

Basic Usage

Host Discovery (Ping Sweep)

Port Scanning (Default TCP)

Specific Ports

Full TCP Port Scan

Service and Version Detection

Operating System Detection

Combine Everything

Aggressive Scan on a Subnet

Nmap Scan Types

Nmap Scripting Engine (NSE)

Running Default Scripts

Running Specific Script

Running a Category of Scripts

Combine with Service Detection

Output Options

Real-World Usage Scenarios

Reconnaissance in Pentesting

Firewall Evasion

Discover Vulnerable Services

Scan for Specific Protocols

Common NSE Script Categories

Best Practices

Combine with Other Tools

References