This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Nmap Network Mapper How-to Documents

This Document is actively being developed as a part of ongoing Nmap learning efforts. Chapters will be added periodically.

Nmap

1 - Mastering Nmap and Network Mapping Tools

This comprehensive roadmap will guide you through mastering Nmap and network mapping tools, covering everything from beginner to advanced topics.

Here’s a comprehensive roadmap for mastering Nmap and network mapping tools, covering everything from beginner to advanced topics.

Phase 1: Introduction to Nmap and Network Scanning Basics

1. Understanding Nmap and Network Mapping

  • What is Nmap?
  • Why is network scanning important?
  • Ethical considerations and legal aspects of network scanning.
  • Installing Nmap on Windows, Linux, and macOS.
  • Using Zenmap (Nmap’s GUI) for visualization.

2. Basic Nmap Commands and Syntax

  • Nmap command structure.
  • Scanning a single target vs. multiple targets.
  • Using hostnames vs. IP addresses.
  • Excluding specific hosts from scans (--exclude).

3. Host Discovery Techniques

  • ICMP Echo Request Scan (-PE) – Check if a host is online.
  • ICMP Timestamp Scan (-PP) – Check system uptime.
  • ICMP Address Mask Scan (-PM) – Detect network subnet mask.
  • TCP SYN Ping (-PS) – Send SYN packets to specific ports.
  • TCP ACK Ping (-PA) – Detect firewall rules.
  • UDP Ping (-PU) – Send UDP packets to determine live hosts.
  • ARP Discovery (-PR) – Used in local networks for host discovery.

Phase 2: Intermediate Scanning Techniques

4. Basic and Advanced Port Scanning

  • What are ports? Understanding TCP/UDP.
  • Default vs. custom port scans (-p option).
  • Scanning multiple ports, port ranges, and excluding ports.
  • Detecting open, closed, filtered, and unfiltered ports.

5. Common Scan Types and Their Purposes

  • TCP Connect Scan (-sT) – Full TCP connection.
  • SYN (Stealth) Scan (-sS) – Half-open scan to avoid detection.
  • UDP Scan (-sU) – Identifying open UDP ports.
  • NULL Scan (-sN) – Evading IDS detection by sending no TCP flags.
  • FIN Scan (-sF) – Sends FIN packet to bypass firewalls.
  • Xmas Tree Scan (-sX) – Highly evasive scan.
  • ACK Scan (-sA) – Firewall rule testing.
  • Window Scan (-sW) – Identifies open ports using TCP window sizes.
  • Maimon Scan (-sM) – Similar to FIN scan but less common.

6. Service and Version Detection

  • Basic version detection (-sV).
  • Intense version scanning (--version-intensity).
  • Customizing version detection with probes.

7. OS Detection and Fingerprinting

  • Basic OS detection (-O).
  • Aggressive OS scanning (-A).
  • Bypassing OS detection limitations.

Phase 3: Advanced Nmap Scanning Techniques

8. Firewall, IDS, and Evasion Techniques

  • Fragmentation Scans (-f, --mtu) – Sending smaller fragmented packets.
  • Decoy Scans (-D) – Hiding the real attacker’s IP.
  • Spoofing Source Address (-S) – Impersonating another machine.
  • Using Randomized IPs (-iR) – Scanning random IPs to hide activity.
  • Using the --badsum option – Sending packets with incorrect checksums.
  • Packet Timing Adjustments (--scan-delay) – Slowing scans to avoid detection.

9. Advanced Host Enumeration

  • Identifying running services and their configurations.
  • Detecting default or misconfigured services.
  • Finding hidden services behind firewalls.

10. Timing and Performance Optimization

  • Understanding timing templates (-T0 to -T5).
  • Adjusting parallelism (--min-parallelism, --max-parallelism).
  • Limiting packet transmission rates (--min-rate, --max-rate).

11. Advanced Output and Reporting

  • Normal output (-oN).
  • Grepable output (-oG).
  • XML output (-oX).
  • JSON output (-oJ).
  • Saving results for later analysis.

Phase 4: Nmap Scripting Engine (NSE)

12. Understanding NSE and Its Capabilities

  • What is NSE?
  • Where to find NSE scripts.
  • How to execute scripts (--script option).

13. Using NSE Scripts for Security Testing

  • Discovery Scripts (discovery) – Finding hidden hosts and services.
  • Vulnerability Detection Scripts (vuln) – Identifying known exploits.
  • Exploitation Scripts (exploit) – Testing common security flaws.
  • Brute Force Scripts (brute) – Testing weak authentication.
  • Malware Detection Scripts (malware) – Checking for malicious services.

14. Writing Custom NSE Scripts

  • Basics of Lua programming.
  • Writing a simple NSE script.
  • Debugging and optimizing scripts.

Phase 5: Real-World Applications of Nmap

15. Reconnaissance for Penetration Testing

  • Using Nmap for footprinting.
  • Mapping an organization’s attack surface.
  • Identifying security weaknesses before an attack.

16. Vulnerability Scanning with Nmap

  • Finding open ports that expose vulnerabilities.
  • Checking for outdated services and exploits.
  • Automating vulnerability scanning.

17. Integrating Nmap with Other Security Tools

  • Using Nmap with Metasploit.
  • Importing Nmap results into Nessus.
  • Combining Nmap with Wireshark for deeper analysis.

18. Automating Nmap Scans

  • Writing Bash scripts for automation.
  • Scheduling scans with cron.
  • Setting up email alerts for scan results.

Phase 6: Expert-Level Nmap Techniques

19. Large-Scale Network Scanning

  • Scanning entire subnets efficiently.
  • Best practices for scanning large networks.
  • Handling massive amounts of scan data.

20. IPv6 Scanning with Nmap

  • Scanning IPv6 addresses (-6 option).
  • Differences between IPv4 and IPv6 scanning.
  • Identifying IPv6-only hosts.

21. Bypassing Intrusion Detection Systems (IDS)

  • Detecting IDS in a network.
  • Using custom packet manipulation.
  • Evading detection with slow scans.

22. Advanced Packet Crafting with Nmap

  • Manually modifying scan packets.
  • Analyzing responses for deeper insights.
  • Using external packet crafting tools (Scapy, Hping3).

Final Steps: Mastering Nmap

23. Continuous Learning and Staying Updated

  • Following Nmap changelogs and updates.
  • Exploring third-party Nmap tools and add-ons.
  • Contributing to Nmap’s open-source development.

24. Practice Scenarios and Real-World Challenges

  • Setting up a local lab environment.
  • Testing against different firewall configurations.
  • Engaging in Capture The Flag (CTF) challenges.

Where to Go Next?

2 - Understanding Nmap: The Network Mapper - An Essential Tool for Network Discovery and Security Assessment

In this comprehensive guide, we’ll explore what Nmap is, how it works, and why it has become an indispensable tool in the network administrator’s arsenal.

Network security professionals and system administrators have long relied on powerful tools to understand, monitor, and secure their networks. Among these tools, Nmap (Network Mapper) stands out as one of the most versatile and widely-used utilities for network discovery and security auditing. In this comprehensive guide, we’ll explore what Nmap is, how it works, and why it has become an indispensable tool in the network administrator’s arsenal.

What is Nmap?

Nmap is an open-source network scanner created by Gordon Lyon (also known as Fyodor) in 1997. The tool is designed to rapidly scan large networks, although it works equally well for scanning single hosts. At its core, Nmap is used to discover hosts and services on a computer network, creating a “map” of the network’s architecture.

Key Features and Capabilities

Network Discovery

Nmap’s primary function is to identify what devices are running on a network. It can determine various characteristics about each device, including:

  • What operating systems they’re running (OS detection)
  • What types of packet filters/firewalls are in use
  • What ports are open (port scanning)
  • What services (application name and version) are running on those ports

The tool accomplishes these tasks by sending specially crafted packets to target systems and analyzing their responses. This process allows network administrators to create an inventory of their network and identify potential security issues.

Port Scanning Techniques

One of Nmap’s most powerful features is its ability to employ various port scanning techniques:

TCP SYN Scan: Often called “half-open” scanning, this is Nmap’s default and most popular scanning option. It’s relatively unobtrusive and stealthy since it never completes TCP connections.

TCP Connect Scan: This scan completes the normal TCP three-way handshake. It’s more noticeable but also more reliable in certain scenarios.

UDP Scan: While often overlooked, UDP scanning is crucial since many services (like DNS and DHCP) use UDP rather than TCP.

FIN, NULL, and Xmas Scans: These specialized scans use variations in TCP flag settings to attempt to bypass certain types of firewalls and gather information about closed ports.

Operating System Detection

Nmap’s OS detection capabilities are particularly sophisticated. The tool sends a series of TCP and UDP packets to the target machine and examines virtually dozens of aspects of the responses. It compares these responses against its database of over 2,600 known OS fingerprints to determine the most likely operating system.

NSE (Nmap Scripting Engine)

The Nmap Scripting Engine (NSE) dramatically extends Nmap’s functionality. NSE allows users to write and share scripts to automate a wide variety of networking tasks, including:

  • Vulnerability detection
  • Backdoor detection
  • Vulnerability exploitation
  • Network discovery
  • Version detection

Scripts can be used individually or in categories such as “safe,” “intrusive,” “vuln,” or “exploit,” allowing users to balance their scanning needs against potential network impact.

Practical Applications

Network Inventory

Organizations can use Nmap to maintain an accurate inventory of all devices connected to their network. This is particularly valuable in large networks where manual tracking would be impractical. Regular Nmap scans can identify:

  • New devices that have joined the network
  • Devices that may have changed IP addresses
  • Unauthorized devices that shouldn’t be present

Security Auditing

Security professionals use Nmap as part of their regular security assessment routines. The tool can help:

  • Identify potential vulnerabilities
  • Verify firewall configurations
  • Detect unauthorized services
  • Find open ports that shouldn’t be accessible
  • Identify systems that may be running outdated software

Network Troubleshooting

Nmap is invaluable for diagnosing network issues:

  • Verifying that services are running and accessible
  • Identifying connectivity problems
  • Detecting network configuration errors
  • Finding bandwidth bottlenecks

Best Practices and Ethical Considerations

While Nmap is a powerful tool, it’s important to use it responsibly:

Permission: Always obtain explicit permission before scanning networks you don’t own or manage. Unauthorized scanning can be illegal in many jurisdictions.

Timing: Consider the impact of scanning on network performance. Nmap offers various timing templates from slow (less impactful) to aggressive (faster but more noticeable).

Documentation: Maintain detailed records of your scanning activities, including when and why scans were performed.

Integration with Other Tools

Nmap works well with other security and network management tools:

  • Security Information and Event Management (SIEM) systems
  • Vulnerability scanners
  • Network monitoring tools
  • Custom scripts and automation frameworks

This integration capability makes it a valuable component of a comprehensive network management and security strategy.

Limitations and Considerations

While powerful, Nmap does have some limitations:

  • Scan results can be affected by firewalls and IDS/IPS systems
  • Some scanning techniques may disrupt sensitive services
  • Results require interpretation and can sometimes be misleading
  • Resource-intensive scans can impact network performance

The Future of Nmap

Nmap continues to evolve with regular updates and new features. The tool’s development is driven by community needs and emerging network technologies. Recent developments focus on:

  • Enhanced IPv6 support
  • Improved performance for large-scale scans
  • New NSE scripts for emerging threats
  • Better integration with modern network architectures

Conclusion

Nmap remains one of the most essential tools in network security and administration. Its combination of powerful features, flexibility, and active development makes it invaluable for understanding and securing modern networks. Whether you’re a network administrator, security professional, or IT student, understanding Nmap’s capabilities and proper usage is crucial for effective network management and security assessment.

As networks continue to grow in complexity and importance, tools like Nmap become even more critical for maintaining security and efficiency. By using Nmap responsibly and effectively, organizations can better understand their network infrastructure and protect against potential threats.