| name | recon-nmap | |||||||
|---|---|---|---|---|---|---|---|---|
| description | Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls. | |||||||
| version | 0.1.0 | |||||||
| maintainer | sirappsec@gmail.com | |||||||
| category | offsec | |||||||
| tags |
|
|||||||
| frameworks |
|
|||||||
| dependencies |
|
|||||||
| references |
Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using Nmap Scripting Engine (NSE).
IMPORTANT: Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own.
Basic host discovery and port scanning:
# Quick scan of common ports
nmap -F <target-ip>
# Scan top 1000 ports with service detection
nmap -sV <target-ip>
# Comprehensive scan with OS detection and default scripts
nmap -A <target-ip>Progress: [ ] 1. Verify authorization and scope [ ] 2. Perform host discovery and asset enumeration [ ] 3. Conduct port scanning on live hosts [ ] 4. Enumerate services and versions [ ] 5. Perform OS fingerprinting and detection [ ] 6. Run NSE scripts for vulnerability detection [ ] 7. Document findings and generate reports [ ] 8. Validate results and identify false positives
Work through each step systematically. Check off completed items.
CRITICAL: Before any scanning activities:
- Confirm written authorization from network owner
- Review scope document for in-scope IP ranges and domains
- Verify scanning windows and rate-limiting requirements
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production databases, critical infrastructure)
Identify live hosts in target network:
# Ping sweep (ICMP echo)
nmap -sn <target-network>/24
# ARP scan (local network only, faster and more reliable)
nmap -sn -PR <target-network>/24
# TCP SYN ping (when ICMP blocked)
nmap -sn -PS22,80,443 <target-network>/24
# UDP ping (for hosts blocking TCP)
nmap -sn -PU53,161 <target-network>/24
# Disable ping, assume all hosts alive
nmap -Pn <target-network>/24Host discovery techniques:
- ICMP Echo (-PE): Standard ping, often blocked
- TCP SYN (-PS): Half-open connection to specified ports
- TCP ACK (-PA): Sends ACK packets, useful for stateful firewalls
- UDP (-PU): Sends UDP packets to specified ports
- ARP (-PR): Layer 2 discovery, only works on local network
Output live hosts to file for subsequent scanning:
nmap -sn <target-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txtScan discovered hosts for open ports:
# Fast scan (top 100 ports)
nmap -F -iL live_hosts.txt
# Top 1000 ports (default)
nmap -iL live_hosts.txt
# Scan all 65535 ports
nmap -p- -iL live_hosts.txt
# Scan specific ports
nmap -p 22,80,443,3389,8080 -iL live_hosts.txt
# Scan port ranges
nmap -p 1-1024,3000-9000 -iL live_hosts.txtScan techniques:
-
TCP SYN Scan (-sS): Default, stealthy half-open scan (requires root)
sudo nmap -sS <target-ip>
-
TCP Connect Scan (-sT): Full TCP connection (no root required)
nmap -sT <target-ip>
-
UDP Scan (-sU): Scan UDP ports (slow but critical)
sudo nmap -sU -p 53,161,500 <target-ip>
-
Version Detection (-sV): Probe services for version information
nmap -sV <target-ip>
-
Aggressive Scan (-A): Enable OS detection, version detection, script scanning, traceroute
sudo nmap -A <target-ip>
Timing and performance:
# Paranoid (0) - Extremely slow, IDS evasion
nmap -T0 <target-ip>
# Sneaky (1) - Very slow, IDS evasion
nmap -T1 <target-ip>
# Polite (2) - Slows down to use less bandwidth
nmap -T2 <target-ip>
# Normal (3) - Default timing
nmap -T3 <target-ip>
# Aggressive (4) - Faster, assumes reliable network
nmap -T4 <target-ip>
# Insane (5) - Very fast, may miss results
nmap -T5 <target-ip>Rate limiting for safety:
# Limit to 100 packets/second
nmap --max-rate 100 <target-ip>
# Minimum 10 packets/second
nmap --min-rate 10 <target-ip>
# Scan with delays to avoid detection
nmap --scan-delay 1s <target-ip>Identify services and extract version information:
# Service version detection
nmap -sV <target-ip>
# Aggressive version detection (more probes)
nmap -sV --version-intensity 5 <target-ip>
# Light version detection (fewer probes, faster)
nmap -sV --version-intensity 0 <target-ip>
# Specific service enumeration
nmap -sV -p 80,443 --script=http-headers,http-title <target-ip>Service-specific enumeration:
# SMB enumeration
nmap -p 445 --script=smb-os-discovery,smb-security-mode <target-ip>
# SSH enumeration
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods <target-ip>
# DNS enumeration
nmap -p 53 --script=dns-nsid,dns-recursion <target-ip>
# HTTP/HTTPS enumeration
nmap -p 80,443 --script=http-methods,http-robots.txt,http-title <target-ip>
# Database enumeration
nmap -p 3306 --script=mysql-info <target-ip>
nmap -p 5432 --script=pgsql-brute <target-ip>
nmap -p 1433 --script=ms-sql-info <target-ip>Identify target operating systems:
# OS detection
sudo nmap -O <target-ip>
# Aggressive OS detection with version scanning
sudo nmap -A <target-ip>
# Limit OS detection to promising targets
sudo nmap -O --osscan-limit <target-ip>
# Guess OS aggressively
sudo nmap -O --osscan-guess <target-ip>OS fingerprinting indicators:
- TCP/IP stack characteristics
- Open port patterns
- Service banners and versions
- TTL values and TCP window sizes
Nmap Scripting Engine for advanced reconnaissance and vulnerability detection:
# Run default NSE scripts
nmap -sC <target-ip>
# Run all scripts in category
nmap --script=vuln <target-ip>
nmap --script=exploit <target-ip>
nmap --script=discovery <target-ip>
# Run specific script
nmap --script=http-sql-injection <target-ip>
# Multiple scripts
nmap --script=smb-vuln-ms17-010,smb-vuln-cve-2017-7494 <target-ip>
# Script with arguments
nmap --script=http-brute --script-args http-brute.path=/admin <target-ip>NSE script categories:
- auth: Authentication testing
- broadcast: Network broadcast/multicast discovery
- brute: Brute-force password auditing
- default: Default safe scripts (-sC)
- discovery: Network and service discovery
- dos: Denial of service testing (use with caution)
- exploit: Exploitation attempts (authorized only)
- external: External resource queries (WHOIS, etc.)
- fuzzer: Fuzzing attacks
- intrusive: Intrusive scanning (may crash services)
- malware: Malware detection
- safe: Safe scripts unlikely to crash services
- version: Version detection enhancement
- vuln: Vulnerability detection
Common vulnerability detection scripts:
# Check for EternalBlue (MS17-010)
nmap -p 445 --script=smb-vuln-ms17-010 <target-ip>
# Heartbleed detection
nmap -p 443 --script=ssl-heartbleed <target-ip>
# Shellshock detection
nmap --script=http-shellshock --script-args uri=/cgi-bin/test.sh <target-ip>
# Check for weak SSL/TLS
nmap -p 443 --script=ssl-enum-ciphers <target-ip>
# SQL injection testing
nmap -p 80 --script=http-sql-injection <target-ip>
# Check for anonymous FTP
nmap -p 21 --script=ftp-anon <target-ip>Generate reports in multiple formats:
# Normal output to screen and file
nmap <target-ip> -oN scan_results.txt
# XML output (for parsing/import)
nmap <target-ip> -oX scan_results.xml
# Grepable output (for easy parsing)
nmap <target-ip> -oG scan_results.gnmap
# All formats
nmap <target-ip> -oA scan_results
# Script kiddie output (for fun)
nmap <target-ip> -oS scan_results.skidConvert and process results:
# Convert XML to HTML report
xsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o report.html
# Parse XML with Python
python3 -c "import xml.etree.ElementTree as ET; tree = ET.parse('scan_results.xml'); root = tree.getroot(); [print(host.find('address').get('addr')) for host in root.findall('host')]"
# Extract open ports from grepable output
grep 'Ports:' scan_results.gnmap | awk '{print $2, $5}'Techniques to evade detection (authorized testing only):
# Fragment packets
sudo nmap -f <target-ip>
# Use decoys
sudo nmap -D RND:10 <target-ip>
sudo nmap -D decoy1,decoy2,ME,decoy3 <target-ip>
# Spoof source IP (requires raw packet privileges)
sudo nmap -S <spoofed-ip> -e <interface> <target-ip>
# Randomize target order
nmap --randomize-hosts -iL targets.txt
# Use proxy
nmap --proxies http://proxy:8080 <target-ip>
# Idle scan (zombie host required)
sudo nmap -sI <zombie-host> <target-ip>- Written Permission: Obtain explicit authorization before scanning any network
- Scope Definition: Only scan explicitly authorized IP ranges and ports
- Disruption Risk: Some scans (DOS, exploit scripts) can crash services
- Privacy: Service enumeration may expose sensitive information
- Log Traces: Scanning activities are typically logged by firewalls and IDS
- Rate Limiting: Use
--max-rateto avoid overwhelming targets - Timing: Schedule scans during approved maintenance windows
- Bandwidth: Consider network impact, especially for large scans
- Noise: Aggressive scans are easily detected by security monitoring
- False Positives: Validate findings before reporting vulnerabilities
Document all reconnaissance activities:
- Scan start and end timestamps
- Source IP address and scanner hostname
- Target IP ranges and ports scanned
- Nmap command-line arguments used
- Number of hosts discovered and ports found
- Vulnerabilities identified via NSE scripts
- Any service disruptions or anomalies
- PTES: Reconnaissance phase of Penetration Testing Execution Standard
- OWASP: ASVS verification requirements for network security
- MITRE ATT&CK: T1046 (Network Service Scanning)
- PCI-DSS 11.2: External and internal vulnerability scanning
- ISO 27001: A.12.6 Technical vulnerability management
# Phase 1: Identify live hosts
nmap -sn -PE -PS80,443 -PA3389 <external-network>/24 -oG - | awk '/Up$/{print $2}' > external_hosts.txt
# Phase 2: Scan common external services
nmap -Pn -sV -p 21,22,25,53,80,110,143,443,587,993,995,3389,8080,8443 -iL external_hosts.txt -oA external_scan
# Phase 3: Vulnerability detection
nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080,8443 -iL external_hosts.txt -oA external_vulns
# Phase 4: SSL/TLS security audit
nmap -Pn -p 443,8443 --script=ssl-enum-ciphers,ssl-cert -iL external_hosts.txt -oA ssl_audit# Phase 1: Fast host discovery
nmap -sn -PR <internal-network>/24 -oG - | awk '/Up$/{print $2}' > internal_hosts.txt
# Phase 2: Comprehensive port scan
nmap -sV -p- -T4 -iL internal_hosts.txt -oA internal_full_scan
# Phase 3: OS fingerprinting
sudo nmap -O -iL internal_hosts.txt -oA internal_os_detection
# Phase 4: Service enumeration
nmap -sV --script=default,discovery -iL internal_hosts.txt -oA internal_services# Identify web servers
nmap -p 80,443,8000,8080,8443 --open -oG - <target-network>/24 | grep 'open' | awk '{print $2}' > web_servers.txt
# Enumerate web technologies
nmap -sV -p 80,443,8080,8443 --script=http-enum,http-headers,http-methods,http-title,http-server-header -iL web_servers.txt -oA web_enum
# Check for common web vulnerabilities
nmap -p 80,443 --script=http-sql-injection,http-csrf,http-vuln-cve2017-5638 -iL web_servers.txt -oA web_vulns# Enumerate SMB hosts
nmap -p 445 --open <target-network>/24 -oG - | grep 'open' | awk '{print $2}' > smb_hosts.txt
# SMB version and configuration
nmap -p 445 --script=smb-protocols,smb-security-mode,smb-os-discovery -iL smb_hosts.txt -oA smb_enum
# Check for SMB vulnerabilities
nmap -p 445 --script=smb-vuln* -iL smb_hosts.txt -oA smb_vulns
# Enumerate shares (authentication may be required)
nmap -p 445 --script=smb-enum-shares,smb-enum-users -iL smb_hosts.txt -oA smb_shares# Scan for common database ports
nmap -sV -p 1433,1521,3306,5432,5984,6379,9200,27017 <target-network>/24 -oA database_scan
# MySQL enumeration
nmap -p 3306 --script=mysql-info,mysql-databases,mysql-variables <target-ip>
# PostgreSQL enumeration
nmap -p 5432 --script=pgsql-brute <target-ip>
# MongoDB enumeration
nmap -p 27017 --script=mongodb-info,mongodb-databases <target-ip>
# Redis enumeration
nmap -p 6379 --script=redis-info <target-ip>Automated security scanning in pipelines:
#!/bin/bash
# ci_network_scan.sh - Continuous network security validation
TARGET_NETWORK="$1"
OUTPUT_DIR="scan_results/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# Quick security scan
nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080 \
"$TARGET_NETWORK" -oA "$OUTPUT_DIR/security_scan"
# Parse results for critical findings
if grep -i "VULNERABLE" "$OUTPUT_DIR/security_scan.nmap"; then
echo "CRITICAL: Vulnerabilities detected!"
exit 1
fi
echo "Security scan completed successfully"
exit 0- Metasploit Integration: Import Nmap XML with
db_import - Vulnerability Scanners: Feed Nmap results to Nessus, OpenVAS, Qualys
- SIEM Integration: Parse Nmap output for security monitoring
- Asset Management: Update CMDB with discovered hosts and services
- Shodan/Censys: Validate external exposure findings
Map Nmap reconnaissance to ATT&CK framework:
- Reconnaissance: T1595 (Active Scanning)
- T1595.001 (Scanning IP Blocks)
- T1595.002 (Vulnerability Scanning)
- Discovery: T1046 (Network Service Scanning)
- Discovery: T1040 (Network Sniffing)
- Credential Access: T1110 (Brute Force) - when using NSE brute scripts
Causes:
- ICMP blocked by firewall
- Host-based firewall dropping probes
- Network ACLs filtering traffic
Solutions:
# Skip ping, assume all hosts up
nmap -Pn <target-ip>
# Try TCP ping instead of ICMP
nmap -PS80,443 -PA3389 <target-ip>
# Try multiple discovery techniques
nmap -PE -PS22,80,443 -PA3389 -PU53,161 <target-ip>Solutions:
# Increase timing template
nmap -T4 <target-ip>
# Scan fewer ports
nmap -F <target-ip> # Top 100 ports
nmap --top-ports 1000 <target-ip>
# Parallelize by splitting targets
nmap -T4 192.168.1.1-50 &
nmap -T4 192.168.1.51-100 &
nmap -T4 192.168.1.101-150 &
wait
# Use masscan for very fast port scanning
masscan -p 1-65535 --rate 10000 <target-network>/24Solutions:
- Manually verify findings with specific exploit tools
- Check service version against CVE databases
- Use
--version-intensity 9for more accurate version detection - Run vulnerability-specific NSE scripts instead of broad categories
- Cross-reference with authenticated vulnerability scanners
Solutions:
# Slow down scan
nmap -T1 --scan-delay 1s <target-ip>
# Fragment packets
sudo nmap -f <target-ip>
# Randomize scan order
nmap --randomize-hosts -iL targets.txt
# Use source port 53 (often allowed)
nmap -g 53 <target-ip>
# Split into smaller scans over time
nmap -p 1-1000 <target-ip>
# Wait several hours
nmap -p 1001-2000 <target-ip>Organizations can detect Nmap scanning by:
- Network IDS: Signature detection of scan patterns (vertical/horizontal sweeps)
- Firewall Logs: Multiple connection attempts from single source
- Port Scan Detection: Monitoring for SYN packets without completion
- Honeypots: Triggering alerts when accessing decoy services
- Traffic Analysis: Unusual packet patterns (fragmentation, timing anomalies)
Enhance defensive posture:
- Deploy network intrusion detection systems (Snort, Suricata)
- Enable firewall logging and monitor for scan patterns
- Use port knocking or service hiding for sensitive services
- Implement rate limiting on border firewalls
- Deploy honeypots to detect and track reconnaissance