Author: Arnel C. Reyes
Published: 15 August 2024
Last Updated: 15 August 2024
NMap (Network Mapper) is a powerful open-source tool widely used in network security to discover hosts, services, and potential vulnerabilities on a network. Initially created for network inventory and management, it has become a critical tool in penetration testing and security auditing. NMap allows security professionals to scan networks for open ports, detect operating systems, identify running services, and uncover security weaknesses, making it an indispensable tool in the cybersecurity toolkit.
Background
NMap was created by Gordon Lyon (also known as Fyodor) and has evolved into one of the most respected and versatile network scanning tools. The software is designed to handle large networks efficiently while providing detailed insights into each target's security posture. NMap uses a variety of probing techniques, including TCP connect, TCP SYN, UDP and ICMP-based probes, to gather information about live hosts, open ports, and service versions. Its scripting engine, NSE (NMap Scripting Engine), extends its functionality, allowing for customized scans and vulnerability detection.
Penetration testers and ethical hackers use NMap to simulate real-world attack scenarios, identifying potential points of entry that attackers might exploit. NMap's firewall and IDS evasion options (fragmentation, decoys, source-port selection, timing control) make it a valuable tool for testing whether network defenses actually detect and block reconnaissance, with the caveat that none of them make a scan invisible to a modern, well-tuned sensor.
NMap Port States
- Open: An open port is actively accepting connections via TCP, UDP, or SCTP. Open ports are particularly significant because they indicate available services on a network that could be vulnerable to attacks. These are the primary targets for penetration testers, as open ports often reveal entry points for potential exploits.
- Closed: A closed port responds to NMap’s probes, indicating that the host exists, but no service is currently listening on that port. While closed ports aren’t vulnerable, they can provide valuable information for identifying live hosts and assisting in operating system detection.
- Filtered: A filtered port means that NMap cannot determine whether the port is open because packet filtering, such as a firewall or router rules, is preventing the probes from reaching the port. Filtered ports often provide limited information during scans, as the filtering devices may drop the probes without responding or reply with generic error messages like "destination unreachable."
- Unfiltered: An unfiltered port is accessible, meaning that NMap's probes reach it, but NMap cannot determine whether the port is open or closed. This state is typically identified in an ACK scan, which is used to map firewall rules. Other scan types may be needed to determine the port's actual status.
- Open|Filtered: NMap reports this state when it cannot tell whether a port is open or filtered. It occurs with scan types in which an open port gives no response at all (UDP, IP protocol, FIN, NULL and Xmas scans): silence can mean either that the probe reached an open port that does not answer, or that a packet filter dropped the probe or its reply. Following up with a different probe type (for example -sV against a UDP port, or a SYN scan of the same TCP port) usually resolves the ambiguity.
- Closed|Filtered: NMap cannot determine whether the port is closed or filtered. This state is only produced by the IP ID idle scan (-sI), where the zombie's IP ID sequence cannot distinguish a RST from the target from a dropped probe.
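The three basic states come directly from how a probe is answered. As an added illustration that is not part of the original page or the Nmap code base, the Python below classifies ports the way a TCP connect scan (-sT) does, using only the evidence a connect() call provides: a completed handshake (open), a RST seen as ECONNREFUSED (closed), or a timeout or ICMP unreachable error (filtered). The listener on 127.0.0.1 and the TEST-NET-1 address used for the filtered case are constructed for the demo.

```python
import errno
import socket
import threading

# Added example (not Nmap's code): derive the open / closed / filtered states
# the way a TCP connect scan (-sT) does, from how connect() behaves. Without
# raw sockets the only evidence is: handshake completed, RST received
# (ECONNREFUSED), or no usable answer (timeout, ICMP unreachable error).


def classify_tcp_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK came back and the handshake completed
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: reachable, nothing listening
    except socket.timeout:
        return "filtered"        # probe or reply was dropped silently
    except OSError as e:
        # ICMP unreachable errors, or a local policy blocking the probe, give
        # no evidence from the port itself either, so report 'filtered'.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT,
                       errno.EACCES, errno.EPERM):
            return "filtered"
        raise
    finally:
        s.close()


def start_listener():
    """Constructed target: a throwaway TCP service on 127.0.0.1 (OS-chosen port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed: stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port():
    """Pick a loopback port with nothing bound, so a connect() is met with a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the classifier against one port in each state and return the results."""
    srv = start_listener()
    results = {
        "open": classify_tcp_port("127.0.0.1", srv.getsockname()[1]),
        "closed": classify_tcp_port("127.0.0.1", unused_port()),
        # 192.0.2.1 is TEST-NET-1 (RFC 5737) and is never routed, so the SYN
        # draws neither SYN/ACK nor RST: exactly what NMap reports as filtered.
        "filtered": classify_tcp_port("192.0.2.1", 80, timeout=0.5),
    }
    srv.close()
    return results


if __name__ == "__main__":
    for expected, observed in demo().items():
        print(f"expected {expected:>8}, classified as {observed}")
```

The same mapping is what NMap prints with --reason: "syn-ack" for open, "conn-refused" or "reset" for closed, "no-response" or an ICMP error code for filtered. A SYN scan gets the identical information from the raw reply without ever completing the handshake.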
Basic Scanning
- Ping Scan: The Ping Scan ('-sn', formerly spelled '-sP' and still accepted under that name) discovers live hosts without port scanning them. Despite the name it does more than send ICMP echo requests: against remote targets, a privileged user's scan sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on the local Ethernet segment it uses ARP requests instead, and an unprivileged user gets TCP connect attempts to ports 80 and 443.
$ nmap -sn 192.168.1.0/24
Usage in Security Testing: Useful for quickly identifying live hosts on a network before conducting more intensive scans; hosts that drop all of these probes will be missed, which is what -Pn is for.
- Full TCP Connect Scan: The Full TCP Connect Scan ('-sT') asks the operating system to complete a full TCP connection to each target port (here 80 and 443). It is reliable and needs no special privileges, but because the three-way handshake completes, the listening application sees the connection and usually logs it.
$ nmap -sT -p 80,443 192.168.1.0/24
Usage in Security Testing: The scan NMap falls back to when it cannot send raw packets (non-root users); use it when stealth is not a priority or when you want the target application to record a complete connection.
- Stealth Scan / SYN Scan / Half-Open Scan: The SYN Scan ('-sS'), also called a stealth or half-open scan, is the default for privileged users. It sends a SYN to each port and classifies the port from the reply: a SYN/ACK means open (NMap then answers with a RST rather than completing the handshake), a RST means closed, and no response or an ICMP unreachable error means filtered. It requires raw packet privileges (root or Administrator).
$ nmap -sS -p 80,443 192.168.1.0/24
Usage in Security Testing: The usual first choice because it is fast and, since no connection is completed, the target application normally logs nothing. The "stealth" label is historical: any modern firewall or IDS logs the SYN probes themselves, so treat it as lower-noise, not invisible.
- UDP Scan: The UDP Scan ('-sU') sends a UDP datagram to each target port (empty for most ports, a protocol-specific payload for well-known ones). An ICMP port unreachable reply means closed, a UDP reply means open, and silence means open|filtered. Here the targets are read from iplist.txt with -iL. It requires raw packet privileges.
$ nmap -sU -iL iplist.txt
Usage in Security Testing: Essential for detecting UDP services (DNS, SNMP, NTP, TFTP and similar), which are often overlooked but can pose significant security risks. Expect it to be slow: most open UDP services do not answer an empty probe, and many hosts rate-limit ICMP errors. Keep the port list small (for example --top-ports) and add -sV, whose service probes turn many open|filtered results into open.
- UDP and TCP Scan: This command combines a UDP scan ('-sU') of port 53 with a TCP connect scan ('-sT') of port 25 in a single run. The 'U:' and 'T:' prefixes in the -p argument assign ports to a protocol; ports listed without a prefix apply to both.
$ nmap -sU -sT -p U:53,T:25 192.168.1.8
Usage in Security Testing: Allows a comprehensive scan of both TCP and UDP services on a target in one pass, identifying a broader range of potential vulnerabilities.
- Top Ports Scan: The '--top-ports N' option instructs NMap to scan the N most commonly open ports, as ranked by the frequency data in its nmap-services file; here N is 10. The default scan without -p covers the top 1000.
$ nmap --top-ports 10 192.168.1.8
Usage in Security Testing: Useful for a quick check of the most likely open ports, often used in initial reconnaissance.
- OS Detection: The OS Detection Scan ('-O') attempts to identify the operating system of the target by sending a series of TCP, UDP and ICMP probes and comparing the network stack's responses against NMap's fingerprint database. It requires raw packet privileges.
$ nmap -O -p 80,443 192.168.1.0/24
Usage in Security Testing: Helps in determining the target's operating system, which is essential for planning further attacks or penetration tests. Fingerprinting works best when the scan finds at least one open and one closed TCP port, so restricting it to two ports as above can leave too little evidence for a confident match; widen the port list if the result is vague.
- Service Version Detection: The ('-sV') determines the version of the services running on the target.
$ nmap -sV 192.168.1.8
Usage in Security Testing: Helps identify specific vulnerabilities tied to particular versions of services.
- Fast Mode Scan: The Fast Mode Scan ('-F') scans the 100 most common ports instead of the default 1000, speeding up the scan. The remaining options in these examples control which targets are scanned, not which ports: '-iL' reads the target list from a file (one IP address, range, CIDR block or hostname per line), '--exclude' takes a comma-separated list of addresses or ranges to skip, and '--excludefile' reads such exclusions from a file. Note that the exclusion list after --exclude must be comma-separated; a space-separated entry would be parsed as another target.
$ nmap -F -iL iplist.txt
$ nmap -F 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.2-5
$ nmap -F 192.168.1.0/24 --excludefile iplist.txt
Usage in Security Testing: Useful for quick reconnaissance, especially in large networks, to identify potentially interesting targets without conducting an exhaustive scan; exclusion lists keep out-of-scope or fragile hosts (gateways, production controllers) out of the run.
- Reason for Open Ports: The '--reason' option shows the reason why a port was marked as open, closed, or filtered, providing insight into how NMap interpreted the response.
$ nmap --reason 192.168.1.8
Usage in Security Testing: Helps in understanding the responses from the target, which can be useful for fine-tuning scans or interpreting results.
- Open Ports Only: The '--open' option instructs NMap to display only open ports in the scan output, filtering out closed or filtered ports.
$ nmap --open 192.168.1.8
Usage in Security Testing: Useful when focusing on potentially vulnerable or exploitable services.
Host Discovery
- No Ping Scan: The No Ping option ('-Pn', older spelling '-PN') skips the host discovery phase and treats every target as up, so port scanning proceeds even against hosts that answer none of the discovery probes.
$ nmap -Pn 192.168.1.8
Usage in Security Testing: Needed for hosts behind firewalls that drop ICMP and the default discovery probes, which would otherwise be reported as down and never port-scanned. The cost is that every address in a range gets a full port scan, including unused ones, so it is slow on large ranges.
- TCP SYN Ping: The TCP SYN Ping ('-PS') sends a TCP SYN to the listed ports (default 80; the list is attached without a space, e.g. -PS22,80,443). Either a SYN/ACK or a RST proves the host is up, so the port does not need to be open.
$ nmap -PS 192.168.1.8
Usage in Security Testing: Gets through firewalls that block ICMP but allow TCP to common ports; with raw packets NMap answers a SYN/ACK with a RST, so no connection is ever established.
- TCP ACK Ping: The TCP ACK Ping ('-PA') sends a bare ACK to the listed ports (default 80). A host that is up replies with a RST because the ACK belongs to no existing connection.
$ nmap -PA 192.168.1.8
Usage in Security Testing: Stateless packet filters that only block incoming SYNs often let unsolicited ACKs through, so this finds hosts that -PS misses. Stateful firewalls drop the ACK instead, which is why NMap's default discovery combines -PS and -PA.
- UDP Ping: The UDP Ping ('-PU') sends a UDP datagram to the listed ports (default 40125, chosen because it is unlikely to be open). An ICMP port unreachable reply proves the host is up, as does a UDP reply from an open service.
$ nmap -PU 192.168.1.8
Usage in Security Testing: A host discovery method that works through firewalls that screen only TCP. It does not enumerate UDP services; use -sU for that.
- ICMP Echo Ping: The ('-PE') sends an ICMP Echo Request to determine if the host is live.
$ nmap -PE 192.168.1.8
Usage in Security Testing: Commonly used in local networks where ICMP is not blocked.
- ICMP Timestamp Ping: The ('-PP') uses an ICMP timestamp request to determine if the target is active.
$ nmap -PP 192.168.1.8
Usage in Security Testing: Can be used when echo requests are blocked but timestamp requests are allowed.
- ICMP Address Mask Ping: The ('-PM') sends an ICMP Address Mask Request, which can bypass firewalls that block standard echo requests.
$ nmap -PM 192.168.1.8
Usage in Security Testing: Useful for discovering hosts when typical ICMP echo requests are filtered.
- IP Protocol Ping: The IP Protocol Ping ('-PO') sends raw IP packets with the given protocol numbers in the IP header (attached without a space; the default list is 1 for ICMP, 2 for IGMP and 4 for IP-in-IP). A reply in the same protocol, or an ICMP protocol unreachable error, marks the host as up. Note that writing '-PO icmp' would not select ICMP: NMap would use the default protocol list and treat "icmp" as a hostname to scan.
$ nmap -PO1 192.168.1.8
Usage in Security Testing: Allows testing of specific protocol responses, useful for detailed network mapping and for finding hosts whose filters only consider TCP and UDP.
- ARP Ping: The ARP Ping ('-PR') sends ARP requests to discover live hosts on the local Ethernet segment. NMap already uses ARP automatically for targets on the local segment, because a host must answer ARP to be reachable at all; the option forces it explicitly.
$ nmap -PR 192.168.1.8
Usage in Security Testing: The most accurate and efficient method for discovering live hosts on a local network, since ARP cannot be filtered by a host firewall the way ICMP or TCP probes can. It does not work across routers.
- Traceroute: The '--traceroute' option performs a traceroute to the target, mapping out the path packets take to reach the destination.
$ nmap --traceroute 192.168.1.8
Usage in Security Testing: Helps identify potential choke points, firewalls, or devices that could affect network security.
- Reverse DNS Resolution: The '-R' option forces reverse DNS resolution for every target address, including hosts that appear to be down (by default only responsive hosts are resolved).
$ nmap -R 192.168.1.8
Usage in Security Testing: Provides more context by identifying hostnames associated with IP addresses, which often reveal a host's role even when it does not respond to probes.
- Disable Reverse DNS Resolution: The '-n' option disables reverse DNS resolution, speeding up the scan.
$ nmap -n 192.168.1.8
Usage in Security Testing: Useful for large scans where reverse DNS lookups are unnecessary.
- Alternative DNS Lookup Method: The '--system-dns' option uses the system’s DNS resolution method, which might be slower but can resolve hostnames that NMap's internal resolver cannot.
$ nmap --system-dns 192.168.1.8
Usage in Security Testing: Provides a fallback method for DNS resolution.
- Specify DNS Servers: The '--dns-servers' option manually specifies the DNS servers used for name resolution during the scan.
$ nmap --dns-servers 8.8.8.8,8.8.4.4,1.1.1.1 192.168.1.8
Usage in Security Testing: Useful when the default DNS server is unreliable or blocked.
Advanced Scanning
- TCP Null Scan: The TCP Null Scan ('-sN') sends TCP packets with no flags set. RFC 793 requires a closed port to answer such a packet with a RST and an open port to ignore it, so a RST means closed, no response means open|filtered, and an ICMP unreachable error means filtered.
$ nmap -sN -p 80,443 192.168.1.8
Usage in Security Testing: Can slip past stateless packet filters that only look for SYNs. It only works against stacks that follow the RFC (most Unix-like systems); Windows, many Cisco devices and some other stacks send a RST from every port, so everything appears closed.
- TCP FIN Scan: The TCP FIN Scan ('-sF') sends TCP packets with only the FIN flag set and interprets the responses exactly as the Null scan does: RST means closed, silence means open|filtered.
$ nmap -sF 192.168.1.8
Usage in Security Testing: Useful against filters that drop SYNs but pass other TCP packets; subject to the same RFC-compliance limitation as the Null scan.
- Xmas Scan: The Xmas Scan ('-sX') sends packets with the FIN, PSH and URG flags set ("lit up like a Christmas tree"), again expecting no response from open ports and a RST from closed ones.
$ nmap -sX 192.168.1.8
Usage in Security Testing: Effective against RFC-compliant stacks behind simple stateless filters; ineffective against Windows and other stacks that reset every port regardless of flags, and easy for an IDS to recognise because the flag combination never occurs in legitimate traffic.
- ACK Scan: The ACK Scan ('-sA') sends TCP packets with only the ACK flag set. It never identifies open ports: both open and closed ports answer a bare ACK with a RST, which NMap reports as unfiltered, while no response or an ICMP error means filtered.
$ nmap -sA 192.168.1.8
Usage in Security Testing: Useful for mapping firewall rules and telling a stateful firewall from a stateless one; follow up with a SYN scan of the unfiltered ports to learn which are actually open.
- Custom Scan: The '--scanflags' option allows the user to specify custom TCP flags for scanning.
$ nmap -sS --scanflags SYNFIN -T4 192.168.1.8
Usage in Security Testing: Useful for testing specific firewall and IDS/IPS rules.
- IP Protocol Scan: The ('-sO') scans for open or closed IP protocols, not just TCP or UDP ports.
$ nmap -sO 192.168.1.8
Usage in Security Testing: Useful for identifying unusual or unexpected services.
- Speed Up the Scan: The '-T' option selects a timing template: -T0 paranoid and -T1 sneaky (very slow, for IDS evasion; -T0 waits five minutes between probes), -T2 polite (throttled to reduce load), -T3 normal (the default), -T4 aggressive (for fast, reliable networks) and -T5 insane (sacrifices accuracy for speed and can miss ports on slow or lossy links).
$ nmap scanme.nmap.org -T5
Usage in Security Testing: -T4 is the usual choice when speed matters, though faster templates make the scan noisier and more likely to be detected or rate-limited; the slow templates are the ones to use when testing whether an IDS threshold can be stayed under.
- Packet Trace: The '--packet-trace' option shows detailed information about each packet sent and received during the scan, providing insight into the scan's operation.
$ nmap --packet-trace -p 80 192.168.1.8
Usage in Security Testing: Beneficial for troubleshooting or analyzing the behavior of a scan at the packet level.
Firewall Evasion Techniques
- Send Raw Ethernet Frames: The '--send-eth' option makes NMap build and send raw Ethernet frames itself instead of handing IP packets to the operating system's raw IP socket. This is what NMap does by default on most platforms and is required on Windows; it is also what makes ARP ping and MAC spoofing possible.
$ nmap --send-eth 192.168.1.8
Usage in Security Testing: Gives NMap control over the link-layer header, which the low-level discovery and evasion options rely on.
- Send IP Packets: The '--send-ip' option makes NMap send through raw IP sockets and lets the operating system build the link-layer header.
$ nmap --send-ip 192.168.1.8
Usage in Security Testing: Use on interfaces without an Ethernet link layer (tunnels, PPP links, some VPN adapters) where raw Ethernet sending fails; options that depend on Ethernet, such as --spoof-mac and ARP ping, are unavailable in this mode.
- Fragmenting with a Custom MTU: The '--mtu' option splits each raw probe into IP fragments no larger than the given size, which must be a multiple of 8 ('-f' alone uses 8-byte fragments). It applies only to raw-packet scan types, not to -sT, -sV or NSE traffic, which use operating-system sockets.
$ nmap --mtu 16 192.168.1.8
Usage in Security Testing: Tests whether a firewall or IDS inspects only the first fragment or fails to reassemble before matching; many modern devices reassemble or simply drop fragments, and some hosts (Linux with connection tracking loaded) reassemble outgoing packets before they leave, which silently defeats the option.
- Decoy Scanning: The '-D' option interleaves probes from spoofed decoy addresses with NMap's own, so the target sees the same scan arriving from several sources. 'RND:5' generates five random decoys; an explicit list such as -D 10.0.0.2,ME,10.0.0.3 places the real address (ME) at a chosen position. Decoys need raw packets, so they have no effect on -sT, -sV or NSE traffic, and the decoy hosts should be up, or the target may be SYN-flooded.
$ nmap -D RND:5 192.168.1.8
Usage in Security Testing: Tests whether an IDS can attribute a scan when multiple sources appear at once. It muddies attribution rather than hiding the scan: the real address is still in the target's logs, and ISPs that filter spoofed source addresses will drop the decoy packets.
- Idle (Zombie) Scan: The Idle Scan ('-sI zombie[:port] target') bounces the scan off a third-party host, the zombie, so that no packet from the scanner reaches the target directly. It works by forging SYNs with the zombie's address and watching the zombie's IP ID counter, so the zombie must use predictable, incremental IP IDs and be otherwise idle; the 'ipidseq' NSE script can test candidates.
$ nmap -sI 192.168.56.1 192.168.1.8
Usage in Security Testing: The one scan type that is genuinely blind from the target's point of view. It also reveals trust relationships, because the ports reported are those reachable from the zombie, not from the scanner.
- Specify Source Port: The '--source-port' option (short form '-g') sets the source port of raw probes, typically to one associated with a trusted service such as DNS (53) or FTP data (20). For -sT, -sV and NSE traffic the operating system chooses the source port, so the option has no effect there.
$ nmap --source-port 53 192.168.1.8
Usage in Security Testing: Exposes misconfigured stateless firewall rules that allow any traffic "from" port 53 or 20 in; a stateful firewall is unaffected.
- Append Random Data: The '--data-length' option adds random data to packets to change their signature.
$ nmap --data-length 25 192.168.1.8
Usage in Security Testing: Helps evade IDS that relies on packet signatures.
- Randomize Target Scan Order: The '--randomize-hosts' option shuffles the order in which targets are scanned (in groups of up to 16384 hosts). Port order is already randomized by default, so this only changes the host sequence.
$ nmap --randomize-hosts 192.168.1.0/24
Usage in Security Testing: Reduces the likelihood of triggering IDS rules that look for one source walking through consecutive addresses; it does nothing against detectors that count distinct hosts or ports per source.
- Sequential Port Scan: The '-r' option turns off NMap's default randomization of port order and scans ports in ascending numerical order. This makes the scan easier for an IDS to recognise, not harder.
$ nmap -r 192.168.1.8
Usage in Security Testing: Useful for reproducible runs and easy-to-follow packet traces when debugging a scan or comparing results over time; it offers no evasion benefit.
- Spoof MAC Address: The '--spoof-mac' option sets the source MAC address in raw Ethernet frames. The argument is 0 for a random address, a vendor name or OUI prefix for a random address from that vendor, or a full MAC. It requires raw Ethernet sending and is only meaningful on the local Ethernet segment, since MAC addresses are rewritten at every router.
$ nmap --spoof-mac 0 192.168.1.8
Usage in Security Testing: Tests MAC-based allow lists and switch port security on the local segment, and keeps the scanner's real hardware address out of local logs.
- Send Bad Checksums: The '--badsum' option sends probes with deliberately invalid TCP, UDP or SCTP checksums. A real host's network stack silently drops such packets, so any reply must come from a firewall, IDS or other in-path device that did not verify the checksum.
$ nmap --badsum 192.168.1.8
Usage in Security Testing: Detects and fingerprints middleboxes: responses to badsum probes reveal a device answering on the host's behalf, and an IDS that alerts on them is inspecting packets the endpoint would never accept.
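The detection side of these options is worth seeing concretely. The Python below is an added example, not code from the page or the Nmap project: a minimal port-scan detector of the kind an IDS runs, fed constructed firewall-style log lines for several of the scans above (sequential -r, the default randomized port order, a -T0 paranoid scan, and a -D run with five decoys). The log format, addresses, window and threshold are all assumptions made for the example.

```python
import random
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the page or the Nmap project): a minimal port-scan
# detector fed constructed log lines, to show which evasion options change
# what a per-source, per-destination detector sees. Line format, addresses,
# window and threshold are assumptions.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport, flags) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"])


def detect_port_scans(lines, window_s=60, threshold=15):
    """Alert once per (src, dst) pair that sends SYNs to at least `threshold`
    distinct ports within any `window_s`-second window.
    Returns [(src, dst, window_start_iso, distinct_port_count), ...]."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in events:
        if "S" not in flags:      # only connection attempts count
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()           # drop probes that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, q[0][0].isoformat(), len(distinct)))
    return alerts


def synth_scan(src, dst, ports, start, gap_s):
    """Constructed log lines: one SYN per port from src to dst, gap_s seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * gap_s)).isoformat()} src={src} dst={dst} dport={p} flags=S"
        for i, p in enumerate(ports)
    ]


T0 = datetime(2024, 8, 15, 10, 0, 0)
PORTS = list(range(1, 31))        # a 30-port scan
TARGET = "192.168.1.8"


def demo():
    """Feed the detector one scenario per evasion option and return alert counts."""
    shuffled = PORTS[:]
    random.Random(1).shuffle(shuffled)
    scenarios = {
        # -r -T4: sequential ports, about 0.1 s apart
        "sequential_fast": synth_scan("10.0.0.5", TARGET, PORTS, T0, 0.1),
        # default (randomized) port order: same ports, shuffled
        "random_fast": synth_scan("10.0.0.6", TARGET, shuffled, T0, 0.1),
        # -T0 paranoid: one probe every five minutes, so no window ever holds 15 ports
        "sequential_slow": synth_scan("10.0.0.7", TARGET, PORTS, T0, 300),
        # -D with five decoys: the real source and five spoofed ones all appear to scan
        "decoys": sum(
            (synth_scan(src, TARGET, shuffled, T0, 0.1)
             for src in ["10.0.0.9", "203.0.113.10", "203.0.113.11",
                         "203.0.113.12", "203.0.113.13", "203.0.113.14"]),
            [],
        ),
        # ordinary client traffic to a handful of ports: must never alert
        "benign": synth_scan("10.0.0.8", TARGET, [80, 443, 22, 443, 80], T0, 2),
    }
    return {name: len(detect_port_scans(lines)) for name, lines in scenarios.items()}


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:16s} alerts={count}")
```

Randomizing port order changes nothing for a detector that counts distinct ports, the paranoid timing template stays under the threshold by spreading probes across windows, and decoys produce six alerts instead of one, which is noisier, not quieter. Production detectors add per-source host counts and longer windows precisely to catch the slow case; the -T0 "escape" here is a property of this toy window, not of the technique.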
NMap Scripting Engine (NSE)
- WHOIS Lookup: The 'whois-domain' and 'whois-ip' scripts (selected together here with the pattern 'whois-*', quoted so the shell does not try to expand it) query WHOIS servers for the target's domain and IP allocation, returning registration data, contact details and the owning network block. They need outbound access to the WHOIS servers.
$ nmap -sn --script "whois-*" scanme.nmap.org
Usage in Security Testing: Useful for gathering domain ownership details and network allocation information, which can aid in reconnaissance and in confirming that a target is actually inside the agreed scope.
- Traceroute with Geolocation Script: The 'traceroute-geolocation' script annotates the hops found by '--traceroute' (which must be given as well) with their approximate geographic location, using an external geolocation service, so it needs internet access.
$ nmap --traceroute --script traceroute-geolocation scanme.nmap.org
Usage in Security Testing: Helps to understand the geographic path that data takes, potentially revealing transit through untrusted networks or jurisdictions.
- SMB Vulnerability Scan (EternalBlue - MS17-010): The 'smb-vuln-ms17-010' script checks whether the target's SMBv1 implementation is missing the MS17-010 patch, the flaw famously exploited by the WannaCry ransomware. It is a safe check that does not attempt exploitation; restricting the scan to port 445 keeps it quick.
$ nmap -p445 --script smb-vuln-ms17-010 192.168.1.8
Usage in Security Testing: Critical for detecting systems vulnerable to this high-profile exploit, allowing for immediate remediation efforts.
- FTP Backdoor Detection: The 'ftp-vsftpd-backdoor' script checks for the presence of the backdoor in vsftpd (Very Secure FTP Daemon) version 2.3.4, which allows unauthorized command execution.
$ nmap --script ftp-vsftpd-backdoor -p 21 192.168.1.8
Usage in Security Testing: Important for identifying compromised FTP servers that could allow attackers to gain unauthorized access to the network.
- HTTP Cross-Site Request Forgery (CSRF) Detection: The 'http-csrf' script crawls the target web application and reports forms that appear to lack an anti-CSRF token. It is a heuristic: forms protected by other means (custom headers, SameSite cookies) will be flagged too, so its results need manual confirmation.
$ nmap -sV --script http-csrf 192.168.1.8
Usage in Security Testing: Helps identify web forms that could allow an attacker to perform actions on behalf of authenticated users without their consent.
- Apache Server Status Detection: The 'http-apache-server-status' script retrieves the server-status page from Apache web servers, if available, which can expose detailed server performance metrics and configuration data.
$ nmap -p80,443 --script http-apache-server-status 192.168.1.8
Usage in Security Testing: Useful for gathering information about the server's current state, which may reveal misconfigurations or sensitive information.
- HTTP Methods Detection: The 'http-methods' script identifies the HTTP methods (e.g., GET, POST, PUT, DELETE) supported by the web server, highlighting those that may be insecure.
$ nmap -p80,443 --script http-methods 192.168.1.8
Usage in Security Testing: Helps identify potentially dangerous methods that should be restricted, such as PUT or DELETE, which could allow unauthorized content modification.
- HTTP Errors Detection: The 'http-errors' script detects and reports HTTP error messages that could reveal details about the server’s configuration or underlying technology stack.
$ nmap -p80,443 --script http-errors 192.168.1.8
Usage in Security Testing: Provides insights into server misconfigurations or unhandled exceptions that could be exploited by attackers.
- HTTP Content Grep: The 'http-grep' script crawls the site and searches responses for patterns. By default it looks for its built-in patterns (e-mail addresses, phone numbers, credit card numbers and similar); a custom expression can be supplied with --script-args http-grep.match='<pattern>'.
$ nmap -p80,443 --script http-grep 192.168.1.8
Usage in Security Testing: Enables targeted searches for sensitive information, such as API keys or internal code comments, within HTTP responses.
- DNS Brute Force: The 'dns-brute' script tries a built-in list of common hostnames in front of the target's domain to discover subdomains. It is a host script, so the port list is irrelevant; the domain is derived from the target name, or can be set with --script-args dns-brute.domain=<domain>.
$ nmap --script dns-brute scanme.nmap.org
Usage in Security Testing: Useful for uncovering hidden subdomains that might host vulnerable or less-secure services.
- SMB Protocols Detection: The 'smb-protocols' script detects the SMB protocol versions supported by the target, including SMBv1, SMBv2, and SMBv3.
$ nmap -sT -p 445 --script smb-protocols 192.168.1.8
Usage in Security Testing: Helps identify outdated or vulnerable SMB versions, such as SMBv1, which should be disabled to prevent attacks like EternalBlue.
- SMB Security Mode Detection: The 'smb-security-mode' script retrieves the SMB security mode configuration, including whether message signing is enabled and whether it is required.
$ nmap -n -sT -p 445 --script smb-security-mode 192.168.1.8
Usage in Security Testing: Allows security testers to assess whether SMB configurations are secure and adhere to best practices; signing that is enabled but not required still leaves the host open to SMB relay attacks.
- SSL/TLS Cipher Enumeration: The 'ssl-enum-ciphers' script enumerates the protocol versions and cipher suites the target accepts and grades each one, highlighting weak or outdated choices (SSLv3, TLS 1.0, RC4, 3DES, export suites, small DH groups). It only runs on ports that speak TLS, so port 80 in the example is simply skipped unless it offers TLS.
$ nmap -p80,443 --script ssl-enum-ciphers 192.168.1.8
Usage in Security Testing: Crucial for ensuring that secure and modern ciphers are used, thereby protecting the integrity and confidentiality of data transmitted over TLS.
- SSL Certificate Information: The 'ssl-cert' script retrieves and displays the server certificate, including subject, issuer, validity period, key type and size, and extensions such as Subject Alternative Names; -v prints the full details.
$ nmap -p80,443 --script ssl-cert 192.168.1.8 -v
Usage in Security Testing: Essential for spotting expired, self-signed or mismatched certificates and weak keys, which train users to click through warnings and make man-in-the-middle attacks harder to notice.
- Vulnerability Detection: 'vuln' is a script category rather than a single script: '--script vuln' runs every NSE script tagged as a vulnerability check against the target. Several of these are intrusive and some need internet access.
$ nmap -p80,443 --script vuln 192.168.1.8
Usage in Security Testing: Automates the identification of potential vulnerabilities across a wide range of services, providing a broad overview of the target's security posture; confirm findings individually, as category scans produce noise.
- Vulners Database Check: The 'vulners' script takes the product and version strings found by '-sV', builds CPE identifiers from them and looks them up in the Vulners database over the internet, listing known CVEs and their scores.
$ nmap -sV --script vulners 192.168.1.8
Usage in Security Testing: Provides up-to-date vulnerability information, enabling security testers to quickly identify and prioritize remediation efforts. Its accuracy is only as good as the version match: a wrong banner or a distribution that backports fixes without changing the version string yields false positives.
Output Options
- Vulners Scan with XML Output: The 'vulners' script runs the Vulners vulnerability check and ('-oX') saves the results in XML format for further analysis or reporting.
$ nmap -sV --script vulners -oX 192.168.1.8.xml 192.168.1.8
Usage in Security Testing: Allows for easy integration of vulnerability scan results into other tools or systems for automated processing or detailed reporting.
- Save Scan Output in All Formats: The '-oA' option takes a base name and writes the scan results in three formats at once: normal (scan.nmap), XML (scan.xml) and grepable (scan.gnmap). Passing "scan.txt" as the base name would produce scan.txt.nmap and so on.
$ nmap -oA scan 192.168.1.8
Usage in Security Testing: Ensures flexibility in processing and reporting scan results; the XML file is the one to feed into other tools.
- Display Scan Statistics: The '--stats-every' option prints a progress line at the given interval (here every 2 seconds).
$ nmap --stats-every 2s 192.168.1.8
Usage in Security Testing: Useful for monitoring long-running scans to ensure they are progressing as expected.
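The XML written by -oX or -oA is the format to use when results feed another tool. The Python below is an added example, not code from the page or the Nmap project: it parses a constructed sample of NMap's XML output and extracts each host's address, every port with its state and --reason, the service and version data that the vulners script relies on, and NSE script results. The element and attribute names follow NMap's output format, but the host, versions and script text are invented sample data, not real scan results.

```python
import xml.etree.ElementTree as ET

# Added example (not from the page or the Nmap project): parse the XML that
# -oX / -oA produces. The sample below is constructed: the element and
# attribute names follow Nmap's format, but the host, services, versions and
# script text are invented. Nmap escapes target-controlled text, but XML from
# an untrusted source is better parsed with defusedxml.

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV --reason --script http-methods -oX out.xml 192.168.1.8" start="1723716000" version="7.95" xmloutputversion="1.05">
<host starttime="1723716000" endtime="1723716030">
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.8" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="lab-web.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
<script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE&#xa;  Potentially risky methods: TRACE"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="64"/><service name="http-proxy" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="1723716030" elapsed="30.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of host dicts: addr, hostname, status and a list of port dicts
    (proto, port, state, reason, service, product, version, scripts{id: output})."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    hosts = []
    for h in root.iter("host"):
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hn = h.find("hostnames/hostname")
        ports = []
        for p in h.findall("ports/port"):
            st, svc = p.find("state"), p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": st.get("state"),
                "reason": st.get("reason"),           # what --reason adds
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        hosts.append({
            "addr": addr,
            "hostname": hn.get("name") if hn is not None else None,
            "status": h.find("status").get("state"),
            "ports": ports,
        })
    return hosts


def ports_in_state(hosts, *states):
    """Flatten to (addr, proto, port) tuples whose state is one of `states`."""
    return [(h["addr"], p["proto"], p["port"])
            for h in hosts for p in h["ports"] if p["state"] in states]


def versioned_services(hosts):
    """(addr, port, 'product version') for ports where -sV identified a version:
    the strings a CPE-based lookup such as vulners is built on."""
    return [(h["addr"], p["port"], f'{p["product"]} {p["version"]}')
            for h in hosts for p in h["ports"] if p["product"] and p["version"]]


def script_findings(hosts, script_id):
    """(addr, port, output) for every port where the named NSE script produced output."""
    return [(h["addr"], p["port"], p["scripts"][script_id])
            for h in hosts for p in h["ports"] if script_id in p["scripts"]]


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print("open:", ports_in_state(hosts, "open"))
    print("undetermined:", ports_in_state(hosts, "open|filtered", "closed|filtered"))
    print("versions:", versioned_services(hosts))
    for addr, port, out in script_findings(hosts, "http-methods"):
        print(f"{addr}:{port} {out.splitlines()[-1].strip()}")
```

Filtering on state lets a report treat open|filtered UDP ports as "needs a follow-up probe" rather than as findings, and the reason attribute preserved per port is what you consult when a result looks wrong (a port marked filtered with reason "admin-prohibited" is a firewall decision, one with "no-response" may just be a dropped packet).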
Conclusion
NMap is a powerful and versatile tool for penetration testing, offering a wide array of options for host discovery, port and service enumeration, vulnerability detection and firewall evasion. Its scanning techniques, combined with the NMap Scripting Engine (NSE), make it an indispensable asset in the security tester's toolkit, whether the task is a simple ping sweep or a scripted vulnerability assessment. By understanding what each option actually sends and how NMap interprets the replies, security professionals can choose the right scan for the situation, read the results critically, and use them to assess and improve the security posture of the networks they are authorized to test.
References
https://nmap.org/book/man.html
https://nmap.org/nsedoc/scripts/
Disclaimer: This documentation is intended for educational purposes only. The content provided herein is meant to inform and educate individuals about security practices, techniques, and tools. Security-Science does not support, endorse, or encourage any illegal or unethical activities, including but not limited to unauthorized access to computer systems, networks, or data. Users are advised to apply the knowledge gained responsibly and ensure compliance with all applicable laws and regulations. Security-Science shall not be held liable for any misuse of the information provided.