Ethical Hacking series [part4]: The Ultimate Nmap Guide: From Basics to Advanced

Hey everyone! Welcome to the fourth part of this Ethical Hacking Series. This series is a tutorial on Nmap, an essential tool for network scanning. If you’re diving into cybersecurity or ethical hacking, mastering Nmap is a must. It’s like having a Swiss Army knife for network exploration and security auditing.

Why Nmap?

Nmap, short for Network Mapper, helps you discover devices on a network, find open ports, and determine what services those ports are running. Network administrators and security professionals widely use it. Whether you’re performing network inventory, managing service upgrade schedules, or monitoring host uptime, Nmap is your go-to tool.

What Will We Cover?

In this tutorial, we’ll start with the basics of Nmap. You’ll learn how to install it on Kali Linux, a popular Linux distribution used for penetration testing. We’ll then explore how to use Nmap to perform basic scans, interpret the output, and understand what it tells you about the target network.

Once you’re comfortable with the basics, we’ll move on to advanced scanning techniques. This includes options for more detailed scans and stealthy approaches to avoid detection. The Nmap Scripting Engine (NSE) will also be a key focus, enabling you to run scripts that automate complex scanning tasks.

We’ll look at practical examples and case studies to see how these techniques apply in real-world scenarios. From scanning a simple home network to auditing a corporate environment, you’ll get hands-on experience with Nmap’s powerful features.

Finally, we’ll dive into advanced features and customization. This section will show you how to save scan results in different formats, customize your scans for specific tasks, and use advanced options for host discovery and port scanning.

By the end of this tutorial, you’ll have a solid understanding of how to use Nmap effectively. You’ll be equipped to perform detailed network scans, identify vulnerabilities, and secure your network. So, let’s get started and unlock the full potential of Nmap together!

Getting Started with Nmap

Nmap is pre-installed on Kali Linux, which makes it easy to get started. If you’re using another operating system, you’ll need to install it first. Let’s begin by understanding how to use Nmap on Kali Linux.

Step 1: Open the Terminal

1. Click on the terminal icon or press Ctrl+Alt+T to open the terminal.
2. You should see a command prompt where you can start typing commands.

Step 2: Verify Nmap Installation

1. Type nmap -v and press Enter.
2. This command checks if Nmap is installed and displays the version.
3. You should see something like:
   Nmap version 7.91 ( https://nmap.org )
   

If you don’t see this, Nmap might not be installed correctly. You can install it by typing sudo apt-get install nmap and pressing Enter. Follow the on-screen instructions to complete the installation.

Step 3: Running Your First Scan

1. Choose a target. This could be an IP address or a domain name. For example, let’s use scanme.nmap.org, which is a test server set up by the Nmap developers.
2. Type nmap scanme.nmap.org and press Enter.
   

You’ll see an output that looks something like this:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-28 12:00 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.10s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  HTTP
443/tcp  open  https
9929/tcp open  nping-echo

This output tells you:

• The target IP address is 45.33.32.156.
• The host is up and responding.
• There are several open ports (22, 80, 443, 9929).
• The services running on these ports are SSH, HTTP, HTTPS, and Nping Echo.

Step 4: Understanding the Basic Command Syntax

The basic syntax for Nmap commands is:

nmap [options] [target]

• nmap is the command.
• [options] are flags that modify the scan.
• [target] is the IP address or domain you want to scan.

For example:

nmap -A scanme.nmap.org

Here, -A is an option that enables OS detection, version detection, script scanning, and traceroute.

Step 5: Exploring Basic Options

1. Scan a specific IP range: nmap 192.168.1.1-254 (it will scan IP address from 192.168.1.1 to 192.168.1.254)
2. Scan multiple targets: nmap 192.168.1.1 192.168.1.2 scanme.nmap.org
3. Scan a subnet: nmap 192.168.1.0/24

Step 6: Saving Scan Results

You can save the results of your scans for later analysis:

nmap -oN output.txt scanme.nmap.org

• -oN saves the output in a normal format to a file named output.txt.

You’ve now learned the basics of getting started with Nmap in Kali Linux. You know how to open the terminal, verify Nmap installation, run your first scan, and understand basic command syntax. You’ve also explored a few options and learned how to save your scan results. In the next sections, we’ll dive deeper into more advanced features and techniques.

Understanding Nmap Output

When you run an Nmap scan, it produces detailed output that tells you a lot about the target network. Understanding this output is crucial for interpreting the results correctly. Let’s break down the key components of Nmap output.

Basic Scan Results

1. Starting Line:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-06-28 12:00 UTC

• This line shows the Nmap version and the start time of the scan.

2. Scan Report Header:

Nmap scan report for scanme.nmap.org (45.33.32.156)

• It includes the target name and IP address.

3. Host Status:

Host is up (0.10s latency).

• This indicates that the host is active and responding. The latency shows the round-trip time for packets.

4. Ports Information:

Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
9929/tcp open  nping-echo

• Not shown: This line tells you how many ports were scanned but found closed.
• PORT: Lists the port number and protocol (e.g., 22/tcp).
• STATE: Indicates whether the port is open, closed, or filtered.
• SERVICE: Shows the service running on the port (e.g., ssh, http).

5. Service Version Information (with -sV option):

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

• This line includes the service version, which helps identify potential vulnerabilities in specific software versions.

Detailed Output

1. OS Detection (with -O option):

Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 4.9

• Device type: Describes the type of device (e.g., general purpose).
• Running: Indicates the operating system and version.
• OS CPE: Common Platform Enumeration identifier for the OS.
• OS details: Additional details about the detected OS.

2. Traceroute Information (with –traceroute option):

TRACEROUTE (using proto 1/icmp)
HOP RTT     ADDRESS
1   0.32 ms 192.168.1.1
2   10.47 ms 10.0.0.1
3   20.89 ms scanme.nmap.org (45.33.32.156)

• HOP: Each step in the route to the target.
• RTT: Round-trip time for each hop.
• ADDRESS: IP address of each hop.

3. Script Results (with -sC or specific script option):

Host script results:
|_http-title: Example Domain
|_http-server-header: Apache/2.4.18 (Ubuntu)

• Host script results: Output from Nmap Scripting Engine (NSE) scripts.
• Each script result provides specific information (e.g., HTTP server header).

4. MAC Address and Device Information:

MAC Address: 00:11:22:33:44:55 (Vendor Name)

• Shows the MAC address and vendor of the device.

Saving and Analyzing Output

1. Saving Output:

• Save in normal format:

nmap -oN output.txt scanme.nmap.org

• Save in XML format:

nmap -oX output.xml scanme.nmap.org

• Save in grepable format:

nmap -oG output.gnmap scanme.nmap.org

2. Analyzing Output:

• Review open ports and services to identify potential vulnerabilities.
• Check for outdated software versions or weak configurations.
• Use the information to plan further testing or security measures.

Understanding Nmap output is essential for effective network scanning. By interpreting the results, you can identify active hosts, open ports, running services, and operating systems. This information is critical for assessing network security and planning further actions. Keep practicing and exploring different options to get the most out of Nmap.

Advanced Scanning Techniques

Now that you’ve got the basics down, let’s dive into some advanced scanning techniques with Nmap. These techniques will help you get more detailed information about your target and understand the network better.

1. TCP Connect Scan (-sT)

The TCP Connect Scan is the most basic and reliable scan. It completes the TCP handshake, making it easy to detect but very effective.

1. Open your terminal.
2. Type nmap -sT <target> and press Enter.
3. Example: nmap -sT scanme.nmap.org.
   

You’ll see a list of open ports, but remember, it’s noisy and easily detected.

2. SYN Scan (-sS)

The SYN Scan is stealthier. It sends SYN packets and waits for responses without completing the handshake.

1. Open your terminal.
2. Type nmap -sS <target> and press Enter.
3. Example: nmap -sS scanme.nmap.org.
   

This scan is faster and less likely to be detected, making it a favorite for many hackers.

3. UDP Scan (-sU)

The UDP Scan checks for open UDP ports. It’s slower because it doesn’t rely on handshakes.

1. Open your terminal.
2. Type nmap -sU <target> and press Enter.
3. Example: nmap -sU scanme.nmap.org.
   

UDP scans take longer but are useful for finding services like DNS and SNMP.

4. Version Detection (-sV)

Version Detection helps you identify the versions of services running on open ports.

1. Open your terminal.
2. Type nmap -sV <target> and press Enter.
3. Example: nmap -sV scanme.nmap.org.
   

You’ll get detailed information about the services, which is crucial for finding vulnerabilities.

5. OS Detection (-O)

OS Detection reveals the operating system of the target.

1. Open your terminal.
2. Type nmap -O <target> and press Enter.
3. Example: nmap -O scanme.nmap.org.
   

This helps you understand the target environment better.

6. Aggressive Scan (-A)

The Aggressive Scan combines several scans to give you detailed information.

1. Open your terminal.
2. Type nmap -A <target> and press Enter.
3. Example: nmap -A scanme.nmap.org.
   

It’s comprehensive but can be easily detected.

7. Timing Options (-T)

Adjusting timing options can speed up or slow down your scans.

1. Open your terminal.
2. Use -T0 (paranoid) to -T5 (insane) to set the timing.
3. Example: nmap -sS -T4 scanme.nmap.org.
   

Faster scans are quicker but noisier, while slower scans are stealthier.

8. Fragmentation (-f)

Fragmenting packets can help evade some firewalls.

1. Open your terminal.
2. Type nmap -f <target> and press Enter.
3. Example: nmap -f scanme.nmap.org.

It sends smaller packets, making it harder for firewalls to detect.

9. Decoys (-D)

Using decoys can hide your IP by making the scan appear to come from multiple sources.

1. Open your terminal.
2. Type nmap -D RND:10 <target> and press Enter.
3. Example: nmap -D RND:10 scanme.nmap.org.
   

This option makes it harder for the target to identify your IP address.

10. Idle Scan (-sI)

The Idle Scan uses another host to send packets, making it highly stealthy.

1. Open your terminal.
2. Type nmap -sI <zombie_host> <target> and press Enter.
3. Example: nmap -sI 192.168.1.1 scanme.nmap.org.

This scan is complex but very effective for avoiding detection.

These advanced scanning techniques provide more detailed information and help evade detection. Practice these techniques to become proficient. Remember, the goal is to gather as much information as possible while staying undetected.

NMAP Scripting Engines (NSE)

Now, let’s dive into one of the most powerful features of Nmap: the Nmap Scripting Engine (NSE). NSE allows you to extend Nmap’s capabilities using scripts. These scripts can perform advanced network reconnaissance, vulnerability detection, and even exploit vulnerabilities.

What is NSE?

NSE is a framework within Nmap that uses Lua scripting language. It enables you to automate a wide range of network tasks.

Running Default Scripts

To start, let’s run the default scripts.

1. Open your terminal.
2. Type nmap -sC <target> and press Enter.
3. Example: nmap -sC scanme.nmap.org.

This command runs a set of default scripts that perform common tasks like service detection and security checks.

Finding and Using Specific Scripts

Nmap comes with many pre-installed scripts. You can find them in the /usr/share/nmap/scripts directory on Linux.

• To list available scripts, open your terminal and type:

ls /usr/share/nmap/scripts

• To use a specific script, use the --script option followed by the script name.

nmap --script=<script_name> <target>

Example: nmap --script=http-title scanme.nmap.org.

This command will run the http-title script, which fetches the title of web pages.

Using Multiple Scripts

You can run multiple scripts by separating their names with commas.

1. Open your terminal.
2. Type nmap --script=<script1>,<script2> <target> and press Enter.
3. Example: nmap --script=http-title,http-methods scanme.nmap.org.

This command runs both the http-title and http-methods scripts.

Categories of NSE Scripts

• NSE scripts are categorized based on their functions. Some categories include:
• Auth: Scripts for authentication bypass and brute force.
• Vuln: Scripts for vulnerability detection.
• Exploit: Scripts for exploiting vulnerabilities.
• Discovery: Scripts for gathering information about the target.

To run all scripts in a category, use the following syntax:

nmap --script=<category> <target>

Example: nmap --script=vuln scanme.nmap.org.

Writing Your Own Scripts

If you want to write your own NSE scripts, you’ll need to know a bit of Lua scripting language.

• Create a new script file with a .nse extension.
• Write your script using Lua. Here’s a simple example:

description = [[
A simple script to check HTTP server headers.
]]
author = "Your Name"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery"}
-- The action function is called when the script is run
action = function(host, port)
    local socket = nmap.new_socket()
    socket:connect(host, port)
    socket:send("HEAD / HTTP/1.0\r\n\r\n")
    local response = socket:receive_lines(1)
    return response
end

• Save your script in the scripts directory.
• Run your script with Nmap:

nmap --script=<your_script> <target>

Useful NSE Scripts

Here are a few useful NSE scripts to get you started:

• http-enum: Enumerates directories on web servers.

nmap --script=http-enum <target>

• ftp-anon: Checks for anonymous FTP login.

nmap --script=ftp-anon <target>

• smb-os-discovery: Discovers OS information over SMB.

nmap --script=smb-os-discovery <target>

The Nmap Scripting Engine is a powerful tool for automating complex network tasks. With NSE, you can perform advanced scanning, detect vulnerabilities, and even exploit them. Experiment with different scripts and try writing your own to fully harness the power of NSE

Network Mapping and Discovery

Now, let’s talk about network mapping and discovery with Nmap. This is essential for understanding the structure of a network and identifying all active devices.

What is Network Mapping?

Network mapping is the process of discovering devices on a network and understanding their relationships. It helps you visualize the network’s layout and identify all the connected devices.

Discovering Live Hosts

To start, you need to find all the live hosts on your network.

1. Open your terminal.
2. Type nmap -sn <network_range> and press Enter.
3. Example: nmap -sn 192.168.1.0/24.

This command sends ping requests to all addresses in the specified range and lists the live hosts.

Scanning Subnets

You can scan entire subnets to discover hosts and services.

1. Open your terminal.
2. Type nmap <subnet> and press Enter.
3. Example: nmap 192.168.1.0/24.

This command scans all IP addresses in the subnet and provides detailed information about each host.

Creating Network Maps

To create a visual map of your network, you can use the -oX option to output the scan results in XML format, which you can then visualize with tools like Zenmap or other network mapping tools.

1. Open your terminal.
2. Type nmap -oX scan_results.xml <network_range> and press Enter.
3. Example: nmap -oX scan_results.xml 192.168.1.0/24.

Next, open Zenmap or another visualization tool and load the XML file to see a visual representation of your network.

Using Nmap for ARP Discovery

For local networks, ARP discovery is a quick way to find live hosts.

1. Open your terminal.
2. Type nmap -PR <network_range> and press Enter.
3. Example: nmap -PR 192.168.1.0/24.

ARP discovery uses Address Resolution Protocol to identify live hosts more quickly and accurately than ping.

Service Discovery

To find out what services are running on discovered hosts, you can perform a service scan.

• Open your terminal.
• Type nmap -sV <target> and press Enter.
• Example: nmap -sV 192.168.1.1.

This command provides detailed information about the services running on the host, including versions.

OS Detection

You can also determine the operating systems running on discovered hosts.

1. Open your terminal.
2. Type nmap -O <target> and press Enter.
3. Example: nmap -O 192.168.1.1.

OS detection helps you understand the types of devices on your network.

Combining Scans

For comprehensive discovery, you can combine different types of scans.

1. Open your terminal.
2. Type nmap -sS -sU -O -sV -p- <target> and press Enter.
3. Example: nmap -sS -sU -O -sV -p- 192.168.1.1.

This command performs TCP SYN scan, UDP scan, OS detection, service version detection, and scans all ports.

Network Discovery Tools

Nmap integrates with various tools for enhanced network discovery. Here are a few:

1. Zenmap: Nmap’s official GUI. It’s great for visualizing scan results.

• Install Zenmap:

sudo apt-get install zenmap

• Open Zenmap and load your Nmap scan results.

2. Netcat: Useful for manual network interaction and discovery.

• Install Netcat:

sudo apt-get install netcat

• Use Netcat for port scanning:

nc -zv <target> <port_range>

Example: nc -zv 192.168.1.1 1-1000.

3. Masscan: A high-speed network scanner.

• Install Masscan:

sudo apt-get install masscan

• Use Masscan for quick scans:

masscan <target> -p<port_range>

Example: masscan 192.168.1.0/24 -p1-1000.

Network mapping and discovery are vital for understanding your network’s structure and identifying all connected devices. Using Nmap, you can discover live hosts, identify running services, detect operating systems, and create visual maps. Practice these techniques to become proficient at network mapping.

Evading Detection and Bypassing Firewalls

In this section, we’ll learn how to evade detection and bypass firewalls when using Nmap. These techniques help you scan networks without raising alarms.

Why Evade Detection?

When you perform network scans, security systems like Intrusion Detection Systems (IDS) and firewalls might detect your activities. This can alert network administrators and block your scans. To avoid this, you need to use techniques that make your scans less noticeable.

Timing Options

Adjusting scan timing can help avoid detection.

1. Slow Scans: Slow scans are less likely to be detected.
   • Open your terminal.
   • Type nmap -T2 <target> and press Enter.
   • Example: nmap -T2 scanme.nmap.org.
2. Fast Scans: Fast scans are quick but noisier.
   • Type nmap -T4 <target> and press Enter.
   • Example: nmap -T4 scanme.nmap.org.
3. Timing Levels: Use timing levels from -T0 (paranoid) to -T5 (insane) to adjust your scan speed.

Fragmenting Packets

Fragmenting packets can help bypass some firewalls.

1. Open your terminal.
2. Type nmap -f <target> and press Enter.
3. Example: nmap -f scanme.nmap.org.

Fragmented packets are harder for firewalls to analyze, making it easier to slip through.

Using Decoys

Decoys make it appear that the scan is coming from multiple IP addresses.

1. Open your terminal.
2. Type nmap -D RND:10 <target> and press Enter.
3. Example: nmap -D RND:10 scanme.nmap.org.

This technique confuses IDS systems by generating traffic from random IPs.

Idle Scan

Idle Scan uses a “zombie” host to send packets, hiding your IP address.

1. Find a suitable zombie host.
2. Open your terminal.
3. Type nmap -sI <zombie_host> <target> and press Enter.
4. Example: nmap -sI 192.168.1.2 scanme.nmap.org.

This is a stealthy technique but requires a suitable zombie host.

Source Port Manipulation

Changing the source port can bypass simple firewall rules.

1. Open your terminal.
2. Type nmap --source-port <port_number> <target> and press Enter.
3. Example: nmap --source-port 53 scanme.nmap.org.

Firewalls might trust traffic from specific ports like port 53 (DNS).

Randomizing Target Order

Scanning targets in random order can avoid detection.

1. Open your terminal.
2. Type nmap --randomize-hosts <target_range> and press Enter.
3. Example: nmap --randomize-hosts 192.168.1.0/24.

This technique prevents security systems from detecting a sequential scan pattern.

Using IPv6

Some firewalls are less effective at blocking IPv6 traffic.

1. Open your terminal.
2. Type nmap -6 <target> and press Enter.
3. Example: nmap -6 scanme.nmap.org.

IPv6 scanning can bypass firewalls not configured for IPv6.

Spoofing MAC Address

Changing your MAC address can help evade network access controls.

1. Open your terminal.
2. Type nmap --spoof-mac <mac_address> <target> and press Enter.
3. Example: nmap --spoof-mac 00:11:22:33:44:55 scanme.nmap.org.

Spoofing your MAC address makes it harder to track your real device.

Using Proxies

Proxies can hide your IP address.

1. Open your terminal.
2. Type nmap -sS -Pn --proxy <proxy_ip> <target> and press Enter.
3. Example: nmap -sS -Pn --proxy 192.168.1.3 scanme.nmap.org.

Proxies route your traffic through another server, masking your IP.

Evading detection and bypassing firewalls is crucial for stealthy scanning. Use techniques like adjusting scan timing, fragmenting packets, using decoys, and more to stay under the radar. Practice these methods to become proficient.

Practical Examples and Case Studies

Let’s dive into some practical examples and case studies to see how we can apply what we’ve learned about Nmap in real-world scenarios. This section will help you understand the techniques we’ve covered through hands-on examples.

Example 1: Basic Network Scan

Let’s start with a simple network scan. Suppose you want to scan your local network to identify active devices.

1. Identify the Network Range:
   • Open your terminal.
   • Type ifconfig or ip a to find your network range. Look for your IP address and subnet mask.
2. Perform the Scan:
   • Type nmap -sn 192.168.1.0/24 and press Enter.
   • This command scans the entire subnet for live hosts.

You should see a list of active devices on your network, including their IP addresses and MAC addresses.

Example 2: Service and Version Detection

Next, let’s detect the services and versions running on a specific host.

1. Select a Target:
   • Identify the IP address of a device you want to scan (e.g., 192.168.1.10).
2. Perform the Scan:
   • Type nmap -sV 192.168.1.10 and press Enter.
   • This command detects the services and versions on the target.

The output will show you the open ports, running services, and their versions.

Example 3: OS Detection

Let’s detect the operating system of a target host.

1. Select a Target:
   • Use the same IP address (e.g., 192.168.1.10).
2. Perform the Scan:
   • Type nmap -O 192.168.1.10 and press Enter.
   • This command attempts to determine the OS of the target.

The output will provide an OS guess, including details like OS family and version.

Example 4: Evading Detection

Now, let’s perform a stealthy scan to evade detection.

1. Select a Target:
   • Use the same IP address (e.g., 192.168.1.10).
2. Use Decoys:
   • Type nmap -D RND:5 192.168.1.10 and press Enter.
   • This command uses random decoys to obscure your scan’s origin.

The output will be similar to a normal scan, but it’s harder for IDS systems to trace the source.

Case Study 1: Scanning a Web Server

Imagine you’re scanning a web server to check for vulnerabilities.

1. Select the Web Server:
   • Use a public web server (e.g., scanme.nmap.org).
2. Perform a Comprehensive Scan:
   • Type nmap -sS -sV -O -p 1-1000 scanme.nmap.org and press Enter.
   • This command performs a SYN scan, service/version detection, OS detection, and scans the first 1000 ports.
     The output will show you the open ports, running services, versions, and an OS guess.
3. Check for HTTP Vulnerabilities:
   • Type nmap --script=http-vuln* scanme.nmap.org and press Enter.
   • This command uses scripts to check for HTTP vulnerabilities.
     The output will list any detected vulnerabilities on the web server.

Case Study 2: Internal Network Audit

Suppose you need to audit your internal network for security issues.

1. Identify the Network Range:
   • Use ifconfig or ip a to find your network range.
2. Perform a Network Scan:
   • Type nmap -sn 192.168.1.0/24 and press Enter.
   • This command identifies active hosts.
3. Scan for Open Ports:
   • Type nmap -p 1-65535 192.168.1.0/24 and press Enter.
   • This command scans all ports on all active hosts.
4. Check for Vulnerabilities:
   • Type nmap --script=vuln 192.168.1.0/24 and press Enter.
   • This command runs vulnerability detection scripts.
     Review the output to identify potential security issues on your network.

Practical examples and case studies help you apply Nmap skills in real scenarios. By performing basic scans, service detection, OS detection, and using advanced techniques like evasion, you can gain valuable insights into your network’s security. Keep practicing these techniques to become proficient with Nmap

Advanced Features and Customization

Now that we’ve covered the basics, let’s dive into the advanced features and customization options that Nmap offers. These powerful tools will help you tailor your scans to your specific needs and gather more detailed information.

Using Nmap Scripts (NSE)

Nmap Scripting Engine (NSE) allows you to use custom scripts for various tasks, from vulnerability detection to network discovery.

1. Running Default Scripts:
   • Open your terminal.
   • Type nmap -sC <target> and press Enter.
   • Example: nmap -sC scanme.nmap.org.
   • This command runs a set of default scripts that come with Nmap, providing additional information about the target.
2. Specifying a Script:
   • Type nmap --script <script_name> <target> and press Enter.
   • Example: nmap --script http-title scanme.nmap.org.
   • This command runs a specific script, such as http-title, which retrieves the title of the web page.
3. Combining Scripts:
   • Type nmap --script "http-* and not http-slowloris" <target> and press Enter.
   • Example: nmap --script "http-* and not http-slowloris" scanme.nmap.org.
     This command runs all scripts starting with http- except http-slowloris.

Customizing Scan Outputs

Nmap allows you to save scan results in various formats for later analysis.

1. Saving to a File:
   • Type nmap -oN <filename> <target> and press Enter.
   • Example: nmap -oN scan_results.txt scanme.nmap.org.
     This command saves the scan results in a normal format to scan_results.txt.
2. Saving in XML Format:
   • Type nmap -oX <filename> <target> and press Enter.
   • Example: nmap -oX scan_results.xml scanme.nmap.org.
     XML format is useful for integrating with other tools.
3. Saving in Multiple Formats:
   • Type nmap -oA <basename> <target> and press Enter.
   • Example: nmap -oA scan_results scanme.nmap.org.
     This command saves the results in normal, XML, and grepable formats with a base name of scan_results.

Customizing Scans with Advanced Options

Nmap offers several options to fine-tune your scans.

1. Adjusting Timing:
   • Type nmap -T<level> <target> and press Enter.
   • Example: nmap -T4 scanme.nmap.org.
     Timing levels range from -T0 (paranoid) to -T5 (insane). -T4 is a good balance for faster scans.
2. Aggressive Scanning:
   • Type nmap -A <target> and press Enter.
   • Example: nmap -A scanme.nmap.org.
     Aggressive scanning combines OS detection, version detection, script scanning, and traceroute.
3. Using Proxies:
   • Type nmap --proxies <proxy_url> <target> and press Enter.
   • Example: nmap --proxies http://proxy.example.com:8080 scanme.nmap.org.
     Using proxies helps you anonymize your scans.

Customizing Host Discovery

Customizing host discovery helps you find hosts more effectively.

1. Disabling Ping:
   • Type nmap -Pn <target> and press Enter.
   • Example: nmap -Pn scanme.nmap.org.
     Disabling ping skips the host discovery phase and treats all hosts as online.
2. ARP Scan:
   • Type nmap -PR <target> and press Enter.
   • Example: nmap -PR 192.168.1.0/24.
     ARP scan is useful for discovering hosts in your local network.
3. Custom Ping Probes:
   • Type nmap -PE -PP -PM <target> and press Enter.
   • Example: nmap -PE -PP -PM scanme.nmap.org.
     This command uses ICMP Echo, Timestamp, and Netmask requests for host discovery.

Custom Port Scanning

You can customize which ports to scan based on your needs.

• Specific Ports:
  • Type nmap -p <port_range> <target> and press Enter.
  • Example: nmap -p 80,443 scanme.nmap.org.
    This command scans only ports 80 and 443.
• Top Ports:
  • Type nmap --top-ports <number> <target> and press Enter.
  • Example: nmap --top-ports 100 scanme.nmap.org.
    Scanning the top 100 ports gives you the most commonly open ports.
• Port Ranges:
  • Type nmap -p <start>-<end> <target> and press Enter.
  • Example: nmap -p 1-1024 scanme.nmap.org.
    This command scans ports from 1 to 1024.

Mastering advanced features and customization options in Nmap enhances your scanning capabilities. Using Nmap scripts, saving scan results in different formats, adjusting scan timing, and customizing host discovery are powerful tools in your arsenal. Practice these techniques to become a proficient network scanner.

Conclusion

We’ve covered a lot about Nmap in this tutorial. Let’s recap what we’ve learned.

First, we explored what Nmap is and why it’s a crucial tool for network scanning. We learned how to install Nmap on Kali Linux and got familiar with its basic functions. Understanding Nmap output is essential to make sense of the data you collect, and we covered how to read and interpret these outputs.

We then dove into advanced scanning techniques. These allow you to perform more detailed and stealthy scans, helping you gather more information without being detected. The Nmap Scripting Engine (NSE) was a game-changer. We learned how to run default and specific scripts, and even how to combine them to automate complex tasks.

Network mapping and discovery were other key areas. You now know how to use Nmap to create a detailed map of your network, identifying all the active devices and their services. Evading detection and bypassing firewalls were crucial skills to learn, ensuring your scans can proceed without raising alarms.

In the practical examples and case studies, we applied these techniques to real-world scenarios. These examples showed how to perform basic network scans, service and version detection, OS detection, and even stealthy scans using decoys. The case studies helped put everything into context, demonstrating how these skills are used in network auditing and web server scanning.