Mastering Nmap: The Ultimate Guide to Network Discovery and Security Auditing

In the vast landscape of network security and administration, understanding what devices are connected to your network and what services they are running is paramount. This is where Nmap ("Network Mapper") shines. Nmap is a powerful, open-source tool used for network discovery and security auditing. It's an indispensable utility for network administrators, security professionals, and ethical hackers alike.

Whether you're tasked with inventorying network assets, monitoring host or service uptime, or conducting penetration tests, Nmap provides the capabilities to efficiently map your network and identify potential vulnerabilities. First released in 1997 by Gordon Lyon (Fyodor), Nmap has become the industry standard for network reconnaissance, with the latest version 7.99 released in March 2026. This guide will take you from the basics of Nmap to advanced techniques, complete with practical examples and best practices.

Table of Contents#

  1. What is Nmap?
  2. Installation and Setup
  3. Basic Scanning Techniques
  4. Port Scanning Fundamentals
  5. Service and Version Detection
  6. OS Detection
  7. Nmap Scripting Engine (NSE)
  8. Vulnerability Scanning with NSE
  9. Output Formats
  10. Timing and Performance
  11. Common Practices and Best Practices
  12. Example Usage Scenarios
  13. Conclusion
  14. References

What is Nmap?#

Nmap is a free and open-source network scanner created by Gordon Lyon (known by his pseudonym Fyodor). It's designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine:

  • What hosts are available on the network
  • What services (application name and version) those hosts are offering
  • What operating systems (and OS versions) they are running
  • What type of packet filters/firewalls are in use
  • And dozens of other characteristics

Nmap is released under the Nmap Public Source License (NPSL), which is based on GPLv2. Starting with version 7.90, Nmap transitioned to this custom license while maintaining free usage for end users.

Installation and Setup#

Linux Installation#

Most Linux distributions include Nmap in their package repositories:

Ubuntu/Debian:

sudo apt update
sudo apt install nmap

RHEL/Fedora:

# RHEL/Fedora (use dnf, the modern package manager)
sudo dnf install nmap

Windows Installation#

Download the installer from the official Nmap website (https://nmap.org/download.html) and run the executable. The installer includes Zenmap (the graphical interface) and Npcap (the Windows packet capture library, the modern replacement for WinPcap).

macOS Installation#

Using Homebrew:

brew install nmap

Or download the official installer from the Nmap website.

Basic Scanning Techniques#

Ping Scan (Host Discovery)#

The simplest form of Nmap scan, which only determines if hosts are online:

nmap -sn 192.168.1.0/24

This sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to determine if hosts are up. Those probes apply when Nmap runs with raw-packet privileges against hosts outside the local Ethernet segment; on the local segment it uses ARP requests instead, and without privileges it falls back to TCP connect() attempts to ports 80 and 443.

TCP SYN Scan (Stealth Scan)#

The default scan type when Nmap has raw-packet privileges (root or administrator), and the most popular one:

nmap -sS 192.168.1.1

This scan is relatively stealthy because it never completes the TCP handshake, so the listening application sees no connection and logs nothing; the half-open probes are still visible to firewalls and intrusion detection systems.

TCP Connect Scan#

The default TCP scan type when SYN scan is not an option, typically because Nmap is running without raw-packet privileges:

nmap -sT 192.168.1.1

This scan completes the TCP handshake through the operating system's connect() call, so the connection appears in the target application's logs. It is less stealthy but needs no privileges and is more reliable in some environments.

Aggressive Scan#

The -A option enables OS detection, version detection, script scanning, and traceroute in a single flag:

nmap -A 192.168.1.1

This is a comprehensive scan that combines multiple detection methods. Use -T4 for faster execution on reliable networks:

nmap -A -T4 192.168.1.1

Port Scanning Fundamentals#

Common Port States#

  • Open: The port is actively accepting connections
  • Closed: The port is accessible but no application is listening
  • Filtered: Nmap can't determine if the port is open because of packet filtering
  • Unfiltered: The port is accessible but Nmap can't determine if it's open or closed
  • Open|Filtered: Nmap can't determine if the port is open or filtered
  • Closed|Filtered: Nmap can't determine if the port is closed or filtered

Specifying Ports#

Scan specific ports:

nmap -p 22,80,443 192.168.1.1

Scan a range of ports:

nmap -p 1-1000 192.168.1.1

Scan top N most common ports:

nmap --top-ports 100 192.168.1.1

Scan all ports (1-65535):

nmap -p- 192.168.1.1

Service and Version Detection#

Basic Service Detection#

nmap -sV 192.168.1.1

This probes the open ports found by the port scan to identify each service and its version. The --version-intensity level (0 to 9, default 7) sets how many probes are tried against each port; higher levels try more probes and take longer. To set it explicitly:

nmap -sV --version-intensity 5 192.168.1.1

Lightweight Version Detection#

nmap -sV --version-light 192.168.1.1

This is an alias for --version-intensity 2: faster, but it may miss services that only respond to later probes.

Version Detection with All Probes#

nmap -sV --version-all 192.168.1.1

This is an alias for --version-intensity 9, which tries every probe against every port.

OS Detection#

Nmap can often identify the operating system of target machines:

nmap -O 192.168.1.1

For more aggressive OS detection, --osscan-guess prints the closest fingerprint matches even when no exact match exists:

nmap -O --osscan-guess 192.168.1.1

Nmap Scripting Engine (NSE)#

The Nmap Scripting Engine allows users to write scripts for automated networking tasks. NSE includes over 612 scripts written in the Lua programming language, organized into categories based on their purpose and risk level.

Categories of NSE Scripts#

  • auth: Authentication related scripts
  • broadcast: Network broadcast scripts
  • brute: Performs brute-force attacks
  • default: Scripts that are run with -sC or -A
  • discovery: Discovers network hosts and services
  • dos: Denial of service attacks
  • exploit: Exploits security vulnerabilities
  • external: May send data to third-party databases
  • fuzzer: Sends random data to services
  • info: Information gathering scripts
  • intrusive: Scripts that are considered intrusive
  • malware: Checks for malware infections
  • safe: Scripts that are considered safe
  • version: Enhances version detection
  • vuln: Checks for security vulnerabilities

Using NSE Scripts#

Run default scripts:

nmap -sC 192.168.1.1

Run specific script categories:

nmap --script safe 192.168.1.1

Run individual scripts:

nmap --script http-title 192.168.1.1

Run multiple scripts:

nmap --script http-title,ssl-cert 192.168.1.1

Run vulnerability scripts:

nmap --script vuln 192.168.1.1

Vulnerability Scanning with NSE#

The built-in --script vuln option runs Nmap's bundled vulnerability detection scripts, which check for known issues like Heartbleed (ssl-heartbleed), EternalBlue (smb-vuln-ms17-010), and Shellshock (http-shellshock). Many vuln scripts are also in the intrusive category and send crafted requests that can upset fragile services, so review what a category selects before running it against production systems. For more comprehensive CVE matching against service versions, you can use third-party NSE scripts.

Using vulners.nse for CVE Detection#

The vulners.nse script queries the vulners.com API to match detected service versions against their CVE database. Because it sends the detected software versions (CPEs) to an external service, it belongs in the external category; confirm that sharing this information is acceptable for the environment being scanned. It is not included with Nmap by default and must be installed separately:

# Scripts directory of a packaged install; source builds use /usr/local/share/nmap/scripts
cd /usr/share/nmap/scripts/
sudo git clone https://github.com/vulnersCom/nmap-vulners.git
sudo cp nmap-vulners/vulners.nse .
sudo nmap --script-updatedb

Once installed, combine it with version detection for CVE matching:

nmap -sV --script vulners target.com

Filter results by CVSS score to focus on high-severity findings:

nmap -sV --script vulners --script-args mincvss=7.0 target.com

Useful CVSS thresholds:

  • mincvss=9.0 — Critical severity only
  • mincvss=7.0 — High and Critical severity
  • mincvss=5.0 — Medium severity and above

Using vulscan.nse for Offline CVE Matching#

The vulscan.nse script uses local offline databases (NVD, Exploit-DB, etc.) for environments where internet access is unavailable. It requires downloading and manually updating the databases, but works without network connectivity.

Vulnerability Scanning Workflow#

For a comprehensive vulnerability assessment:

# Step 1: Service detection with default scripts
nmap -sV -sC target.com
 
# Step 2: Built-in vulnerability checks
nmap -sV --script vuln target.com
 
# Step 3: CVE matching with vulners (if installed)
nmap -sV --script vulners --script-args mincvss=7.0 target.com

Output Formats#

Normal Output to File#

nmap -oN output.txt 192.168.1.1

XML Output#

nmap -oX output.xml 192.168.1.1

Grepable Output#

nmap -oG output.gnmap 192.168.1.1

All Formats at Once#

nmap -oA output 192.168.1.1

This creates output.nmap, output.xml, and output.gnmap.
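As an added example (not part of the original guide), a short Python parser for the grepable format produced by -oG, run over a constructed sample and used to flag open ports that fall outside an allow-list of expected services; the sample hosts, hostnames and versions are made up.

```python
# Constructed sample of grepable (-oG) output, not real scan data. Each host gets a
# "Ports:" line whose entries are "port/state/proto/owner/service/rpc/version/".
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG output.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open/tcp//domain//dnsmasq 2.86/, 80/open/tcp//http//nginx/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.3/, 3306/filtered/tcp//mysql///, 8080/open/tcp//http-proxy//Apache httpd 2.4.57/\tIgnored State: closed (997)
# Nmap done: 256 IP addresses (2 hosts up) scanned
"""

def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." header/footer lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]  # "192.168.1.1 (gateway.lan)" -> "192.168.1.1"
        entries = hosts.setdefault(ip, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # Nmap does not emit a raw "/" inside the version field, so splitting on "/" is safe
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            entries.append((int(port), proto, state, service, version))
    return hosts

def unexpected_exposure(hosts, allowed):
    """Open ports outside the allow-list of (port, proto): what an inventory review flags."""
    return [(ip, port, service, version)
            for ip, entries in sorted(hosts.items())
            for port, proto, state, service, version in entries
            if state == "open" and (port, proto) not in allowed]
```

Filtered ports are deliberately not reported: they are not reachable exposure, and an allow-list review should stay focused on what actually answers.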

Timing and Performance#

Nmap offers timing templates from -T0 (paranoid) to -T5 (insane):

# Paranoid (slower, less likely to be detected)
nmap -T0 192.168.1.1
 
# Normal (default)
nmap -T3 192.168.1.1
 
# Aggressive (faster, may be less accurate)
nmap -T4 192.168.1.1
 
# Insane (very fast, may overwhelm networks)
nmap -T5 192.168.1.1

Custom Timing Controls#

# Set maximum round-trip time
nmap --max-rtt-timeout 100ms 192.168.1.1
 
# Set host timeout
nmap --host-timeout 30m 192.168.1.1
 
# Set delay between probes
nmap --scan-delay 1s 192.168.1.1

Common Practices and Best Practices#

  • Always obtain proper authorization before scanning networks
  • Respect privacy and only scan networks you own or have permission to test
  • Be aware of laws and regulations in your jurisdiction
  • Use appropriate scanning techniques to avoid disrupting network services

Performance Optimization#

  1. Use timing templates appropriately: -T3 for normal scans, -T4 for fast reliable networks
  2. Limit parallel host scanning: Use --max-hostgroup to control how many hosts are scanned in parallel
  3. Adjust retries: Use --max-retries to reduce the number of retransmissions
  4. Use exclude lists: For large networks, exclude known hosts with --exclude

Stealth and Evasion Techniques#

# Fragment packets
nmap -f 192.168.1.1
 
# Use decoy scans
nmap -D RND:10 192.168.1.1
 
# Use specific source port
nmap --source-port 53 192.168.1.1
 
# Use random data in packets
nmap --data-length 100 192.168.1.1

Comprehensive Scanning Approach#

# Comprehensive scan with timing optimization
nmap -sS -sV -sC -O -T4 --min-parallelism 64 --min-hostgroup 64 \
     --max-retries 1 --host-timeout 15m --script-timeout 5m \
     -oA comprehensive_scan 192.168.1.0/24

Example Usage Scenarios#

Scenario 1: Basic Network Inventory#

# Discover active hosts and their basic services
nmap -sn 192.168.1.0/24
nmap -sS -sV -O --top-ports 1000 -oA network_inventory 192.168.1.0/24

Scenario 2: Web Server Security Audit#

# Comprehensive web server scan (quote the wildcard so the shell does not expand it;
# http-* also matches intrusive and dos scripts, use --script 'http-* and safe' to limit it)
nmap -sS -sV -sC -p 80,443,8000-8100 --script 'http-*' -oA web_audit webserver.com

Scenario 3: Firewall Rule Testing#

# Test firewall rules with various scan types (Nmap allows one TCP scan type per run; -sU may be combined with it)
for scan in sS sT sN sF sX; do nmap -$scan -p 1-1000 -T4 firewall.example.com; done
nmap -sU -p 1-1000 -T4 firewall.example.com

Scenario 4: Vulnerability Assessment#

# Run vulnerability assessment scripts
nmap -sV --script vuln -oA vulnerability_assessment target.com

Scenario 5: Continuous Monitoring#

# Compare the current scan against the previous baseline (ndiff reports changes from the first file to the second)
nmap -sS -sV -oX current_scan.xml 192.168.1.0/24
ndiff baseline_scan.xml current_scan.xml
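As an added example (not from the original guide or the Nmap project), a small Python script that does what the scenario above relies on ndiff for: it parses two -oX files and reports newly opened ports, closed ports, changed service versions and hosts that were not in the baseline. The XML is a constructed, trimmed stand-in for real scan output, and the hosts and versions in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed -oX output (not real scan data): the baseline snapshot.
BASELINE_XML = """<nmaprun>
<host><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
</ports></host></nmaprun>"""

# Constructed current snapshot: SSH upgraded on .1 and its port 80 gone; .20 was not in the baseline.
CURRENT_XML = """<nmaprun>
<host><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6"/></port>
</ports></host>
<host><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.3"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""

def parse_open_ports(xml_text):
    """Map each host to its open ports: {ip: {(proto, port): "name product version"}}."""
    snapshot = {}
    for host in ET.fromstring(xml_text).iter("host"):
        services = snapshot.setdefault(host.find("address").get("addr"), {})
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure; skip them
            svc = port.find("service")
            attrs = [svc.get(a) for a in ("name", "product", "version")] if svc is not None else []
            services[(port.get("protocol"), int(port.get("portid")))] = " ".join(a for a in attrs if a)
    return snapshot

def diff_snapshots(baseline, current):
    """Return (kind, ip, detail) tuples describing what changed since the baseline."""
    changes = []
    for ip in sorted(set(baseline) | set(current)):
        old, new = baseline.get(ip, {}), current.get(ip, {})
        if ip not in baseline:
            changes.append(("new-host", ip, ""))
        for key in sorted(set(old) | set(new)):
            label = f"{key[1]}/{key[0]}"  # e.g. 22/tcp
            if key not in old:
                changes.append(("opened", ip, f"{label} {new[key]}"))
            elif key not in new:
                changes.append(("closed", ip, label))
            elif old[key] != new[key]:
                changes.append(("changed", ip, f"{label} {old[key]} -> {new[key]}"))
    return changes
```

A monitoring job would feed diff_snapshots() the stored baseline and each new -oX file and alert on any "opened" or "new-host" entry, then promote the new file to baseline once the change is reviewed.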

Scenario 6: Service-Specific Scanning#

# Database server scan (quote the list so the shell does not expand the wildcards; they also match
# the *-brute scripts, so use --script '(ms-sql* or oracle* or mysql* or pgsql*) and not brute' to skip those)
nmap -sS -sV -p 1433,1521,3306,5432 --script 'ms-sql*,oracle*,mysql*,pgsql*' dbserver.com
 
# SSH security scan
nmap -sS -sV -p 22 --script ssh2-enum-algos,ssh-hostkey,ssh-auth-methods sshserver.com

Conclusion#

Nmap is an incredibly powerful tool that forms the foundation of network discovery and security auditing. Its versatility allows it to be used for everything from simple network inventory to complex penetration testing scenarios. Mastering Nmap requires understanding not just the commands, but also the underlying networking concepts and the ethical considerations of network scanning.

Remember that with great power comes great responsibility. Always ensure you have proper authorization before scanning networks, and use Nmap's capabilities to improve security rather than compromise it.

As you continue to work with Nmap, you'll discover that its true power lies in combining different techniques and scripts to create custom scanning solutions tailored to your specific needs. The Nmap scripting engine, with its 612+ scripts, opens up endless possibilities for automation and specialized detection—from basic banner grabbing to comprehensive vulnerability assessment using tools like vulners.nse for CVE matching.

This guide is intended for educational purposes only. Always ensure you have proper authorization before scanning any network.