As a network infrastructure expert and cybersecurity researcher with over 10 years of experience, Nmap remains an indispensable tool in my toolkit for comprehensive network mapping, security auditing, and infrastructure analysis.
In this completely updated guide, I'll demonstrate advanced Nmap scanning techniques and fundamentals for utilizing this invaluable open-source tool effectively. Whether you're a cybersecurity professional, network administrator, or IT professional getting started with Nmap, this deep dive provides extensive techniques and fundamentals for exploiting Nmap's capabilities fully.
Introduction to Nmap Scanning
Initially released in 1997 by Gordon Lyon (aka Fyodor), Nmap revolutionized network administration and security auditing with the novel concept of host and network scanning.
Nmap utilizes raw IP packets crafted with clever techniques enabling inquisitive discovery and interrogation of networked devices and infrastructure.
With consistent improvements for over 20 years now, Nmap has cemented its place as likely the most versatile, trusted, and relied upon scanner tool for network inventory, administration, monitoring, and defense.

Nmap's continual enhancements since 1997 make it the go-to network & security scanning tool
Here's why Nmap delivers such an effective network comprehension capability:
- Port scanning – Detect open TCP/UDP ports and associated services listening
- Host discovery – Detect live hosts even stealthy systems through creative techniques
- Version detection – Fingerprint service versions running for patch management
- OS fingerprinting – Discern remote operating system types passively
- Mapping network topology – Traceroute function to chart network paths and infrastructure
- Scripts and extensibility – Custom scripts extending functionality immensely
- Flexible output – Facilitates integration for automation or analysis
That covers just some core aspects, and we'll expand on applying these techniques through the rest of this Nmap guide.
Now before demonstrating Nmap capabilities, let's get it installed if you don't already have it.
Installing Nmap on Linux
Most Linux distributions include Nmap in their package managers for quick installation.
On Debian/Ubuntu systems, use APT:
sudo apt install nmap
For RPM-based distros like RHEL/CentOS, use YUM installation:
sudo yum install nmap
Or DNF on the latest versions:
sudo dnf install nmap
Verify a successful install with nmap -V to show the version:
$ nmap -V
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.3.6 openssl-1.1.1g nmap-libpcre-7.6 nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without: nmap-libandroid
Now let's get into utilizing Nmap for comprehensive scanning and analysis.
Fundamental Scanning with Target Specification
The simplest Nmap invocation specifies a target IP address or hostname:
sudo nmap 192.168.1.105
This performs what's called a TCP connect scan on the top 1000 most popular TCP ports by default (note that when Nmap runs with root privileges, as with sudo here, it defaults to a SYN scan instead).

Here we determine basic details like live status, open ports, host MAC address and hostname (through reverse DNS lookup).
This gathers essential host discovery and port data. But much more advanced functionality exists as well.
Next let's discuss one of the most important aspects – Nmap scan types.
Understanding Nmap Scan Types
Nmap features over 15 distinct scan types utilizing creative packet crafting and socket handling methods to elicit responses from hosts and perform interrogation.
Here's a comparison of some primary scan types available:
| Scan Type | TCP Connect -sT | TCP SYN -sS | UDP -sU | ACK -sA | Window -sW |
|---|---|---|---|---|---|
| How it Works | Full 3-way handshake | Half-open SYN | Empty UDP packets | ACK probes | Window probes |
| Speed | Slow | Medium | Medium | Fast | Fast |
| Stealth | No | Strong | Strong | Medium | Medium |
| Firewall Evasion | No | Some | Yes | Yes | Yes |
| Common Uses | Basic scanning | Firewall/IDS evasion | Discover open UDP ports | Firewall rule mapping | Firewall rule mapping |
Comparison of primary Nmap scan types
Additionally, less common types like IP Protocol, FTP bounce, or Idle/zombie scans exist, which we'll demonstrate later.
Scan types utilize varied mechanisms to elicit responses from hosts and traverse firewalls and IDS systems. Understanding these differences allows selecting what's appropriate for a given scanning scenario.
Now that we understand the scan types available in Nmap's arsenal, let's explore essential scanning techniques.
Essential Scanning Techniques and Options
I'll demonstrate some ubiquitous examples of applying Nmap scans:
Detecting Live Hosts with Ping Sweep
nmap -sn 192.168.1.0/24
- What? ICMP Echo Request ping packets to every IP on subnet
- Why? Discover all live hosts without wasting scans on unavailable devices
- Key Options:
- -sn – Ping scan only
- -PR – ARP ping for local ethernet networks
Checking Common Ports Status
nmap 192.168.1.105
- What? TCP connect scan on 1000 most popular ports
- Why? Inventory what network services are available
- Key Options:
- Default scan if no type specified
- Can specify TCP -sT, UDP -sU, or other scan types
Detecting Host Operating Systems
nmap -O 192.168.1.1
- What? TCP/IP fingerprinting to determine device OS
- Why? Recon and inventory management
- Key Options:
- -O – enable OS detection
- More accurate with root privileges
Scanning Specific Port Ranges
nmap -p22,80,443 192.168.1.1
- What? Scan only SSH, HTTP, HTTPS ports
- Why? Focus on ports of interest
- Key Options:
- -p <port ranges> – specify custom ports
Detecting Firewall Presence
nmap -sA 192.168.1.1
- What? ACK scan to elicit firewall RST packets
- Why? Verify if firewall is present
- Key Options:
- -sA – TCP ACK scan
This demonstrates just a sample of essential scan types you'll likely utilize routinely. But Nmap offers extensive further functionality.
Now that we've covered fundamental scanning, let's discuss some advanced techniques.
Advanced Nmap Scanning Techniques and Examples
Nmap delivers tremendous capabilities through advanced scan types, specialized options, timing configurations, output formats, and the powerful Nmap Scripting Engine.
I‘ll provide an overview of some advanced yet useful techniques and apply them in demonstrations.
Stealth SYN Scans -sS
A stealth SYN scan sends half-open (SYN-only) probes and never completes the handshake, so it can slip past firewall rulesets or logging that only notice complete connections:
sudo nmap -sS -p 22,80 192.168.1.1

Nmap sends a SYN, reads the reply (SYN/ACK means open, RST means closed) and tears the exchange down with a RST rather than completing the TCP handshake, stealthily spotting listening ports.
UDP Scanning -sU
Unlike TCP's reliable handshake, UDP is connectionless, so Nmap needs different probes (empty or protocol-specific payloads) and relies on ICMP port-unreachable replies to tell closed ports from open or filtered ones:
sudo nmap -sU -p 123,161 192.168.1.10

This allows discovery of key open UDP services often missed on TCP scans like SNMP or NTP.
Privilege Escalation
Since many Nmap scan types rely on raw packets, running Nmap as root (via sudo) unlocks capabilities that an unprivileged user cannot access:
sudo nmap 192.168.1.254
Root privileges expand what Nmap can do, from raw-socket scan types and OS detection to sniffing traffic and the full set of firewall evasion options.
Fragmented Packet Evasion -f
Some firewalls only match their rules against complete, unfragmented packets, so -f splits each probe into tiny 8-byte IP fragments to get past them:
sudo nmap -f 192.168.1.100

Fragmenting the probes lets a scan get through rules that only filter full-size packets.
IP Protocol Scanning -sO
Beyond TCP and UDP, some services run on other IP protocols, so we enumerate them using an IP protocol scan:
sudo nmap -sO 192.168.1.20
This tests common IP protocols like ICMP, IGMP, and more for additional exposure.
Output Scan Reports
To save scan results for further inspection, utilization, or distribution, output to various formats like plain text (-oN), XML (-oX), script kiddie (-oS), or grepable (-oG):
nmap 192.168.1.105 -oX scan.xml
nmap 192.168.1.105 -oN scan.txt

This persists complete scan data for integration or records.
Nmap Timing Control
Tuning scan timing presents tradeoffs between accuracy and speed configurable through six timing template levels with -T<0-5>:
nmap -sS -T4 192.168.1.100
Faster timing risks missing open ports but expedites overall scanning. Configure to your needs.
Scan Automation
For frequent scanning or scheduled network audits, scripting scan jobs promotes automation:
#!/bin/bash
# Scan each host in the /24 with service detection (-sV) and OS fingerprinting (-O),
# saving all three output formats (-oA) under scans/; -O requires root privileges.
mkdir -p scans
for ip in 192.168.1.{1..254}; do
    nmap -sV -O -oA "scans/$ip" "$ip"
done
This scans every IP with service detection and OS fingerprinting and saves the output per host, without having to manage each scan individually.
As shown Nmap provides versatile options for connectivity checking, host inventory, port and service analysis, fingerprinting, packet crafting, output, timing, and automation.
Now let's move on to some very advanced components and capabilities under Nmap's hood – the Nmap Scripting Engine.
Nmap Scripting Engine (NSE)
NSE represents the most powerful and customizable aspect of Nmap, enabling developers to write scripts using the Lua programming language which integrate directly with Nmap functionality.
Scripts enhance assessments and analysis through added inspection, detection capabilities, vulnerability discovery, exploit integration, automated actions, and far more.
Let‘s inspect some examples demonstrating these extensions.
Built-in Script Categories
NSE ships with over 600 scripts spanning categories like:
- Vuln checking – Scan for vulnerabilities like MS08-067, Heartbleed
- Recon – Harvest additional intel through searches, scraping
- Backdoors – Check for backdoors like Back Orifice
- Exploits – Directly exploit known vulnerabilities
- Fuzzers – Stress test services for robustness
- DoS – Demonstrate Denial of Service viability
- Broadcast – Discover broadcast and multicast hosts
- Auth – Check authentication mechanisms like SQL, XWindows
- Malloc – Test for memory allocation issues leading to DoS
And many more categories exist for extensive functionality!
Some of the most commonly used NSE scripts:
| Script | Category | Description |
|---|---|---|
| http-enum | recon | Harvest web server details |
| smb-enum-shares | intrusive | Enumerate SMB shares |
| smtp-enum-users | intrusive | Detect SMTP users |
| snmp-sysdescr | safe | SNMP system description |
| dns-service-discovery | safe | Resolve DNS services |
Most commonly utilized NSE scripts
Now let's see some NSE scripts applied.
HTTP Script Scanning
sudo nmap -sS -p 80 --script=http-enum 192.168.1.115
This extracts details from the web server like headers, server type, traceroute, technologies:

Enumerating such granular info facilitates reconnaissance before intrusive activities.
Discover SMB Shares
nmap -p 445 --script smb-enum-shares.nse 192.168.10.0/24
Scan for Vulnerabilities
nmap -sV --script vuln 192.168.1.30
This runs every script in the vuln category against the services detected on the target, checking for known vulnerabilities in what the host is running:

As demonstrated, NSE scripts deliver intricate inspection, intelligence gathering, vulnerability scans, and automated assessments that would otherwise require multiple manual tools.
NSE remains one of Nmap's most valuable capabilities for versatile network analysis tasks.
Now that we've covered NSE, let's discuss generating metrics and statistics from scan results.
Analyzing Nmap Output and Statistics
With a tool as powerful as Nmap that can generate immense scan outputs, what about facilitating analysis?
Ndiff – Compare Scan Results
The ndiff tool allows directly contrasting two Nmap XML scan results highlighting differences:
ndiff scan1.xml scan2.xml
Useful for change detection like new/closed ports over time.
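The same change detection can be scripted against the XML produced by -oX or the -oA automation loop above. The following is an added example, not code from the guide or from the Nmap project; the two XML documents are constructed samples laid out the way Nmap 7.x writes them, not real scan results.

```python
# Added example (not from the guide): parse Nmap -oX output and diff two scans.
# The XML below is a constructed sample in Nmap 7.x layout, not a real scan.
import xml.etree.ElementTree as ET

SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan1.xml 192.168.1.105">
<host><status state="up"/><address addr="192.168.1.105" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan2.xml 192.168.1.105">
<host><status state="up"/><address addr="192.168.1.105" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map each live host to {(protocol, port): service_name} for open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts Nmap reported down or without an IPv4 address
        found = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr.get("addr")] = found
    return result


def diff_scans(before_xml, after_xml):
    """List ports that opened or closed per host between two scans (change detection)."""
    before, after = open_ports(before_xml), open_ports(after_xml)
    changes = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, {}), after.get(ip, {})
        opened = sorted((p, n, a[(p, n)]) for (p, n) in a.keys() - b.keys())
        closed = sorted((p, n, b[(p, n)]) for (p, n) in b.keys() - a.keys())
        if opened or closed:
            changes[ip] = {"opened": opened, "closed": closed}
    return changes
```

Pointing open_ports at the scans/*.xml files written by -oA and feeding consecutive runs to diff_scans gives a per-host list of newly exposed and newly closed services, the same signal ndiff produces but in a form a ticketing or alerting system can consume.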
Statistical Charts
Leverage excellent visual analysis tools like:
- Nmap Chart Maker – Charts from XML stats
- Scapy Charts – Packet generation visualizations
- AfterGlow – Graph based reports
These produce intuitive charts from scan metrics:

Centralized Reporting
For collating results into nice looking reports:
- GreyNoise Visualizer – Summary scan charts
- IVRE – Network recon aggregation and visualization
- FancyNmapReporting – Customizable report builder
Central scan reporting enables consolidated analysis.
Complementary Tools
While Nmap delivers extensive network interrogation and mapping abilities itself, integrating with other specialty tools extends its capabilities:
- Aircrack-ng – Wireless network analysis
- Wireshark – Network traffic capture and inspection
- tcpdump – CLI network packet analyzer
- Hping3 – Packet crafting and shooting utility
- Yersinia – Layer 2 network protocols attack suite
- Scapy – Programmatic packet manipulation and generation
- Maltego – Graphical network forensics and intel
- Metasploit – Exploitation and shell access
Integrating Nmap scans with packet inspection, wireless data analysis, exploitation frameworks, and other specialized tools provides a very powerful network security assessment platform.
Wrapping Up
In closing, as is evident, Nmap represents so much more than just simple port scanning. Capabilities like stealth OS detection, advanced evasion techniques, the immensely versatile Scripting Engine, integrated statistics and reporting, timing configurations, specialized output formats, automation, and creative scan types demonstrate why Nmap remains a staple network administration tool over 25 years later.
Yet I've only scratched the surface of Nmap's extensive functionality. From beginner to advanced users, Nmap delivers immense value for network infrastructure analysis, security auditing, configuration management, asset inventory, change monitoring, defense fundamentals, and data network comprehension.
I encourage all IT professionals to incorporate Nmap skills into their knowledge base. Understanding your infrastructure and security posture provides the foundation for sound management and defense.
I hope this guide has provided a helpful overview of Nmap capabilities applicable across use cases. The power of Nmap stems from the flexibility to customize scans individually or automate them at scale, delivering the network visibility and comprehension needed across devices, perimeter defense, infrastructure stability, change management and far more.
Stay tuned for more Nmap content as I demonstrate additional features, scripts, use cases, and techniques to further exploit this versatile open source project that makes understanding complex network environments possible.