Mastering Network Reconnaissance with Nmap: A Comprehensive Guide
Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. This guide will walk you through the process of using Nmap to discover open ports, identify services, and detect vulnerabilities.
1. Installing Nmap
Before we begin, ensure Nmap is installed on your system.
- For Debian/Ubuntu (other distributions ship an nmap package in their own repositories):
sudo apt-get install nmap
- For macOS:
brew install nmap
- For Windows: Download the installer from nmap.org
2. Basic Port Scanning
Let’s start with a simple port scan:
nmap <target_ip>
This command scans the 1000 most commonly used TCP ports (Nmap ranks them by frequency in its nmap-services file). Unprivileged users get a full TCP connect scan; root gets a SYN scan. For a more comprehensive scan:
nmap -p- <target_ip>
This scans ports 1 through 65535 (port 0 is only included if you name it explicitly), which takes longer but is more thorough.
3. Service/Version Detection
To identify services running on open ports:
nmap -sV 192.168.1.100
This performs version scanning, attempting to determine the service/version info for open ports.
4. Operating System Detection
To guess the target’s operating system:
sudo nmap -O 192.168.1.100
Note: This requires root privileges on Unix-like systems.
5. Combining Scans
For a comprehensive scan that includes OS detection, version scanning, default script scanning and traceroute in one flag:
sudo nmap -A 192.168.1.100
Note: -A is the noisiest option on this page; it needs root for the OS detection and traceroute parts and will show up clearly in the target's logs.
6. Output Options
Save your results for later analysis:
nmap -oN output.txt 192.168.1.100
This saves the output in normal format. Use -oX for XML output (the most reliable format to parse in other tools) or -oG for grepable output; -oA <basename> writes all three at once.
7. Vulnerability Scanning
Nmap’s Scripting Engine (NSE) can detect vulnerabilities:
nmap --script vuln 192.168.1.100
This runs every script in the vuln category against the target. Pair it with -sV so that scripts keyed on the detected service actually fire, and be aware that the category includes intrusive checks that can crash fragile services; run it only against systems you are authorized to test.
8. Stealth Scanning
For a less conspicuous approach, use SYN (half-open) scanning:
sudo nmap -sS 192.168.1.100
Nmap never completes the TCP handshake, so the listening application never sees a connection and nothing appears in its service logs. Firewalls and IDS sensors still see every SYN packet, so this is not invisible, only quieter at the application layer. It needs root for raw packets, and it is already the default scan type when Nmap runs as root; unprivileged users get the full connect scan (-sT).
9. Timing and Performance
Control the scan timing for speed or stealth:
nmap -T4 192.168.1.100
T0 is slowest and stealthiest, T5 is fastest and noisiest. T5 can also lose accuracy, reporting ports as filtered when probes time out, so T4 is the usual ceiling on a reliable LAN and T2 or below is for staying under rate-based detection.
10. Script Usage
Nmap has a vast library of scripts for various purposes:
nmap --script=http-enum 192.168.1.100
This example checks each web server for commonly exposed paths (admin panels, login pages, well-known application directories); it is a content enumerator for HTTP services, not a way of finding them.
11. Putting It All Together
A comprehensive scan might look like this:
sudo nmap -sV -O -p- -T4 --script default,vuln -oN full_scan.txt 192.168.1.100
This performs:
- Service/version detection (-sV)
- OS detection (-O)
- All ports scan (-p-)
- Aggressive timing (-T4)
- Default and vulnerability script categories (--script default,vuln; -sC is shorthand for --script default, so when you want another category as well, name both explicitly rather than combining -sC with a second --script option)
- Saves output to full_scan.txt (-oN)
12. Advanced Port Scanning Techniques
Idle Scan
The idle scan bounces probes off a third-party "zombie" host so the target only ever sees the zombie's address. It needs root and a zombie whose IP ID counter is global and incremental; check a candidate first with nmap --script ipidseq 192.168.1.101 (usable zombies are reported as "Incremental!"):
sudo nmap -sI 192.168.1.101 192.168.1.100
FTP Bounce Scan
Use an FTP server that still honours PORT commands to third-party addresses to port scan another host from the server's vantage point. The argument is user:password@host[:port]:
nmap -b ftp:password@192.168.1.102 192.168.1.100
Almost every maintained FTP server refuses proxied PORT commands, so expect this to work only against old or misconfigured servers.
13. Custom NSE Script Development
Create your own NSE (Nmap Scripting Engine) scripts for specialized tasks:
- Write your script in Lua, e.g., custom-script.nse. A script needs at least a description, a portrule (which host/port pairs it runs against) and an action:
local stdnse = require "stdnse"
description = [[
Custom script skeleton: runs against every open TCP port and reports it.
Replace the body of action() with your own check.
]]
categories = {"safe", "discovery"}
-- portrule decides which host/port pairs action() is called for
portrule = function(host, port)
  return port.protocol == "tcp" and port.state == "open"
end
action = function(host, port)
  local out = stdnse.output_table()
  out.target = host.ip .. ":" .. port.number
  return out -- return nil to print nothing for this port
end
- Place the script in the Nmap scripts directory (usually /usr/share/nmap/scripts/), or keep it anywhere and pass its path. Scripts in the scripts directory can be selected by name straight away; run nmap --script-updatedb once if you also want them selectable by category.
- Run your custom script:
nmap --script custom-script 192.168.1.100
(or nmap --script ./custom-script.nse 192.168.1.100 for a script outside the scripts directory)
14. Network Mapping and Visualization
Turn Nmap's XML output into a readable report. The XML file references Nmap's nmap.xsl stylesheet, so xsltproc can render it to HTML with no further options. This is a per-host HTML report, not a topology drawing; for a graphical network map, open the same XML file in Zenmap and use its Topology tab:
# Perform a ping sweep (-sn: host discovery only, no port scan) with XML output:
nmap -sn -oX network_scan.xml 192.168.1.0/24
# Use xsltproc to render the report:
xsltproc network_scan.xml -o network_map.html
15. Timing Templates and Parallelization
Optimize scanning speed and stealth:
nmap -T4 --min-parallelism 100 --max-parallelism 256 192.168.1.100
Both options are documented with a double dash. They bound how many probes Nmap keeps in flight; pushing them up on a congested or rate-limited link causes drops that show up as filtered ports. The -T templates already set sensible values, so override them only when you have measured the need.
16. Firewall/IDS Evasion Techniques
Fragmentation
Split each probe into tiny IP fragments so that a filter inspecting only the first fragment never sees a complete TCP header (needs root):
sudo nmap -f 192.168.1.100
-f uses 8-byte fragments, -ff 16 bytes, and --mtu lets you pick any multiple of 8. Most modern firewalls and IDS reassemble fragments before inspection, so treat this as a test of the filter rather than a guaranteed bypass.
Decoy Scanning
Send every probe from ten random decoy addresses as well as your own, so the real scanner is harder to single out in IDS alerts (needs root):
sudo nmap -D RND:10 192.168.1.100
Your real address is still among the sources, and RND can pick addresses that are not live; for a more convincing picture, name real hosts explicitly with -D decoy1,decoy2,ME.
17. IPv6 Scanning
Scan IPv6 targets; every scan type in this guide works with -6:
nmap -6 2001:db8::1
A /64 has far too many addresses to sweep, so build IPv6 target lists from DNS, the neighbor cache of a host you control, or configuration data rather than from address ranges.
18. Nmap Scripting Engine (NSE) Automation
Create a script to automate complex scanning scenarios:
#!/bin/bash
set -eu
target="$1"
# Full TCP sweep; grepable output (-oG) is simpler to parse reliably than -oN
nmap -sV -sC -p- -oG initial_scan.gnmap "$target"
# Pull the "NN/open/tcp" fields, keep the port numbers, join with commas (no trailing comma)
open_ports=$(grep -oE '[0-9]+/open/tcp' initial_scan.gnmap | cut -d/ -f1 | sort -un | paste -sd, -)
[ -n "$open_ports" ] || { echo "No open TCP ports found on $target"; exit 0; }
# Second pass only against the open ports, with the default and vuln categories
nmap -sV -p"$open_ports" --script default,vuln -oN vulnerability_scan.txt "$target"
Save this as advanced_scan.sh, make it executable with chmod +x advanced_scan.sh, and run it with ./advanced_scan.sh 192.168.1.100.
19. Integration with Other Tools
Combine Nmap with other security tools:
# Identify web servers (grepable output keeps one "Host:" line per host; --open hides ports that are not open):
nmap -p 80,443 --open -oG web_servers.gnmap 192.168.1.0/24
# Pull the IP (second field of each "Host: <ip> (<name>)" line that lists an open port; service names in -oG are lowercase, so match "/open/" rather than "Http") and hand the list to Nikto, whose -h accepts a file of hosts:
grep '/open/' web_servers.gnmap | awk '{print $2}' | sort -u > web_hosts.txt
nikto -h web_hosts.txt -p 80,443
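Grepping normal or grepable output is fine for quick pipelines, but the XML written by -oX (section 6) is the format meant for machine consumption, and it is what you should parse when feeding Nmap results into other tools as in this section. The following is an added example, not code from this article or from the Nmap project: it parses the XML with Python's standard library, keeps open ports on hosts that are up, derives web-scanner targets from the detected service rather than the port number, and exports CSV. The embedded XML is a constructed sample in the layout Nmap 7.x writes (nmaprun, host, status, address, hostnames, ports, port, state and service are the real element names); its addresses, host names and versions are invented.

```python
"""Parse Nmap -oX output into records and derive targets for other tools.
Added example, not code from the article or the Nmap project. SAMPLE_XML is a
constructed sample in the layout Nmap 7.x writes; its hosts and versions are invented."""
import csv
import io
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.32"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

FIELDS = ["host", "hostname", "port", "proto", "service", "product", "version", "tunnel"]


def parse_nmap_xml(xml_text):
    """Return one dict per open port on every host Nmap reported as up."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # explicit None test: an Element with no children is falsy
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed, filtered and open|filtered are all skipped
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            records.append({
                "host": addr_el.get("addr"), "hostname": hostname,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": attrs.get("name", ""), "product": attrs.get("product", ""),
                "version": attrs.get("version", ""), "tunnel": attrs.get("tunnel", ""),
            })
    return records


def web_targets(records):
    """URLs for a web scanner such as Nikto, chosen by the detected service and
    the tunnel="ssl" flag rather than by port number, so web apps on odd ports
    are included and a non-HTTP service on 443 is not."""
    urls = []
    for r in records:
        if r["proto"] == "tcp" and r["service"].startswith("http"):
            tls = r["tunnel"] == "ssl" or r["service"] == "https"
            urls.append(f"{'https' if tls else 'http'}://{r['host']}:{r['port']}")
    return urls


def to_csv(records):
    """Flatten records to CSV text, handy for spreadsheets or diffing two scans."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real -oX file as the first argument; with none, the sample is parsed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    recs = parse_nmap_xml(text)
    print(to_csv(recs))
    print("\n".join(web_targets(recs)))
```

Run it as python3 nmap_xml.py scan.xml against a real -oX file; the URL list it prints can be handed to Nikto one entry at a time (nikto -h https://192.168.1.10:443), and the CSV is what you diff between two scans of the same range to spot newly exposed services. The filtered 8080 in the sample is dropped on purpose: only ports Nmap actually saw answering are worth passing downstream.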
20. Nmap in the Cloud
Adapt Nmap for cloud environments:
# Scan the public addresses of EC2 instances in your own account (instances without a public address print "None" in text output and are filtered out):
targets=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress' --output text | tr '\t' '\n' | grep -v '^None$')
nmap -sV -p- $targets
A scan from the internet shows what the security groups let through; to see what the instances themselves are listening on, run the same scan from an instance inside the VPC against the private addresses. Scan only accounts you own or are explicitly authorized to test.
Remember to always use these methods ethically and with proper authorization. The power of these tools comes with the responsibility to use them correctly and legally.