Nmap Room

Difficulty: beginner | 45 min | Writeup

Learn to use Nmap for network scanning

Learning Objectives

  • Basic Nmap scans
  • NSE scripting
  • Timing and evasion
  • Output formats

Nmap (Network Mapper) is the industry-standard tool for network discovery and security auditing. This room covers everything from basic scans to advanced NSE scripting. Master Nmap and you'll have X-ray vision into any network!

Nmap was created by Gordon Lyon (Fyodor) in 1997 and has been featured in countless movies, from The Matrix Reloaded to Mr. Robot. It's so iconic that learning it is a rite of passage for every security professional.

Basic Scanning

```bash
# Simple scan (top 1000 ports)
nmap TARGET_IP

# Scan specific ports
nmap -p 22,80,443 TARGET_IP

# Scan port range
nmap -p 1-1000 TARGET_IP

# Scan all 65535 ports
nmap -p- TARGET_IP

# Quick scan (top 100 ports)
nmap -F TARGET_IP
```

Port Specification

-p- scans all ports but takes time. For CTFs, start with the default scan, then run -p- in the background if you're missing something.

Scan Types

```bash
# TCP Connect Scan (completes 3-way handshake)
nmap -sT TARGET_IP
# Pros: Reliable, works without root
# Cons: Logged by target, slower

# SYN Scan (half-open, default with root)
nmap -sS TARGET_IP
# Pros: Faster, stealthier
# Cons: Requires root privileges

# UDP Scan (slower due to no handshake)
nmap -sU TARGET_IP

# Combined TCP and UDP
nmap -sS -sU TARGET_IP

# Ping Scan (host discovery only)
nmap -sn TARGET_IP/24
```

TCP SYN scan (-sS) is the default when running as root. It sends SYN, receives SYN/ACK (port open) or RST (closed), then sends RST instead of completing the connection. Stealthier and faster!

Less Common Scan Types

```bash
# NULL Scan (no flags set)
nmap -sN TARGET_IP

# FIN Scan (FIN flag only)
nmap -sF TARGET_IP

# Xmas Scan (FIN, PSH, URG flags)
nmap -sX TARGET_IP

# These scans exploit RFC 793 behavior:
# - Closed ports respond with RST
# - Open ports don't respond
# - Useful for firewall evasion but unreliable on Windows
```

Service & OS Detection

```bash
# Version detection
nmap -sV TARGET_IP
# Probes open ports to determine service/version

# Aggressive version detection
nmap -sV --version-intensity 5 TARGET_IP

# OS detection
nmap -O TARGET_IP

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A TARGET_IP
# Equivalent to: -sV -O -sC --traceroute
```

OS detection (-O) requires at least one open and one closed port to work accurately. Results are probabilistic: Nmap shows confidence percentages.

Nmap Scripting Engine (NSE)

NSE transforms Nmap from a scanner into a full vulnerability assessment tool. Scripts are organized into categories:

```bash
# Default scripts (safe and useful)
nmap -sC TARGET_IP
# or
nmap --script=default TARGET_IP

# Script categories:
# auth - Authentication bypass
# broadcast - Network discovery
# brute - Brute force attacks
# discovery - Information gathering
# dos - Denial of service (careful!)
# exploit - Exploitation scripts
# fuzzer - Fuzzing scripts
# intrusive - May crash services
# malware - Malware detection
# safe - Won't harm target
# version - Version detection
# vuln - Vulnerability detection
```

```bash
# Run specific category
nmap --script=vuln TARGET_IP

# Run specific script
nmap --script=http-enum TARGET_IP

# Multiple scripts
nmap --script=http-enum,http-title TARGET_IP

# Wildcard matching
nmap --script=http-* TARGET_IP

# Script with arguments
nmap --script=http-brute --script-args userdb=users.txt,passdb=pass.txt TARGET_IP
```

Essential Scripts

  • vuln - Runs all vulnerability checks
  • http-enum - Web directory/file enumeration
  • smb-enum-shares - List SMB shares
  • ftp-anon - Check anonymous FTP
  • ssh-brute - SSH brute forcing

Firewall Evasion

```bash
# Fragment packets
nmap -f TARGET_IP

# Specify MTU (must be multiple of 8)
nmap --mtu 24 TARGET_IP

# Decoy scan (hide among fake IPs)
nmap -D decoy1,decoy2,ME TARGET_IP

# Random decoys
nmap -D RND:10 TARGET_IP

# Spoof source IP (won't receive responses)
nmap -S SPOOFED_IP TARGET_IP

# Spoof MAC address
nmap --spoof-mac 0 TARGET_IP      # Random MAC
nmap --spoof-mac Apple TARGET_IP  # Vendor MAC

# Custom source port (firewalls may allow DNS/HTTP)
nmap --source-port 53 TARGET_IP

# Timing controls
nmap -T0 TARGET_IP  # Paranoid (5 min between probes)
nmap -T1 TARGET_IP  # Sneaky
nmap -T2 TARGET_IP  # Polite
nmap -T3 TARGET_IP  # Normal (default)
nmap -T4 TARGET_IP  # Aggressive
nmap -T5 TARGET_IP  # Insane (may miss ports)
```

Output Formats

```bash
# Normal output
nmap -oN scan.txt TARGET_IP

# Grepable output
nmap -oG scan.gnmap TARGET_IP

# XML output
nmap -oX scan.xml TARGET_IP

# All formats at once
nmap -oA scan TARGET_IP
# Creates: scan.nmap, scan.gnmap, scan.xml

# Increase verbosity
nmap -v TARGET_IP   # Verbose
nmap -vv TARGET_IP  # Very verbose

# Debug output
nmap -d TARGET_IP
```

Practical Examples

```bash
# CTF Quick Start
nmap -sC -sV -oA initial TARGET_IP

# Full TCP scan
nmap -p- -sV -sC -oA full TARGET_IP

# Vulnerability assessment
nmap --script=vuln -oA vuln TARGET_IP

# Web server enumeration
nmap -p 80,443 --script=http-enum,http-title,http-methods,http-headers TARGET_IP

# SMB enumeration
nmap -p 445 --script=smb-enum-shares,smb-enum-users,smb-vuln-* TARGET_IP

# Full network sweep
nmap -sn 192.168.1.0/24 -oG - | grep "Up" | cut -d " " -f 2

# Service scan with timing
nmap -sV -T4 --min-rate=1000 TARGET_IP
```
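The grepable (-oG) format from the Output Formats section is what the network-sweep pipeline above relies on. As an added example that is not part of the original room, the helpers below parse a constructed -oG sample (not a real scan): `live_hosts` does what the `grep "Up" | cut` pipeline does but keys on the Status field, and `open_ports` pulls open ports with service and version per host.

```shell
# Constructed sample of nmap -oG output; not real scan data.
# Fields on a "Host:" line are tab-separated: "Host: <ip> (<name>)", then
# "Status: ..." or "Ports: ...", optionally followed by "Ignored State: ...".
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//, 80/open/tcp//http//nginx 1.18//, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.5 ()\tPorts: 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 192.168.1.9 ()\tStatus: Down\n'
  printf '# Nmap done at (constructed sample)\n'
}

# Live hosts, read from stdin. Same result as grep "Up" | cut -d " " -f 2,
# but matched on the Status field so a hostname or comment containing "Up"
# cannot produce a false positive.
live_hosts() {
  awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Open ports per host, read from stdin, printed as "ip:port/proto service [version]".
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] != "open") continue   # skip closed and filtered entries
          print ip ":" f[1] "/" f[3] " " f[5] (f[7] != "" ? " " f[7] : "")
        }
      }
    }'
}

# Demo over the constructed sample; with a real file use: live_hosts < scan.gnmap
sample_gnmap | live_hosts
sample_gnmap | open_ports
```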

Knowledge Check

Quick Quiz

Which scan type is default when running Nmap as root?

Key Takeaways

  • SYN scan (-sS) is faster and stealthier than connect scan
  • -sC -sV is your go-to combination for service enumeration
  • NSE scripts extend Nmap's capabilities significantly
  • Always save output with -oA for later reference
  • Timing templates balance speed vs. stealth vs. accuracy
  • Firewall evasion techniques help in hardened environments