What Is Nmap?

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. Whether you’re scanning a single host or an entire subnet, Nmap helps you:

  • Discover live hosts
  • Identify open ports
  • Determine services and versions
  • Detect operating systems
  • Run custom scripts to find vulnerabilities

Created by Gordon Lyon (aka Fyodor), it has become an industry standard for reconnaissance and enumeration.

Nmap sends raw packets to target hosts and then analyzes the responses. Based on those responses, it determines:

  • Whether a port is open, closed, or filtered
  • Which services are running, and which versions
  • Which operating system is in use

Nmap uses port scanning, banner grabbing, TCP/IP stack fingerprinting, and scripting to build a profile of the target.

nmap -sn 10.10.10.0/24

Ping sweep – lists live hosts without port scanning them. As root this sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request; unprivileged it falls back to TCP connects to 80 and 443. Hosts that drop all of those look down, so add -Pn when you want to scan them anyway.

nmap -sS 10.10.10.10

SYN (half-open) scan: sends a SYN and never completes the handshake, so the application behind the port never sees a connection. Needs raw-socket privileges (root) and is the default scan when you have them. Fast, but "stealthy" only in that sense: a firewall or IDS still logs the probes.

nmap -sT 10.10.10.10

TCP Connect scan: completes the full three-way handshake through the OS socket API. Works without root (and is the default then), but every connection shows up in the target's application logs.

nmap -p- 10.10.10.10

Scan all 65,535 TCP ports. Without -p Nmap only scans the 1,000 most common ports, so a service on a non-standard port is simply missed.

nmap -sV 10.10.10.10

Service and version detection. This is more than a banner grab: Nmap sends protocol-specific probes to each open port and matches the replies against its nmap-service-probes database.

nmap -O 10.10.10.10

Tries to fingerprint the OS from its TCP/IP stack behaviour. Needs root, and works best when the host has at least one open and one closed TCP port for Nmap to probe.

nmap -A 10.10.10.10

Aggressive scan: shorthand for -O -sV -sC --traceroute (OS detection, version detection, default scripts and traceroute).

nmap -T4 10.10.10.10

Timing template, T0 (paranoid) through T5 (insane). T4 is the usual choice on a fast, reliable network; T0/T1 serialise probes with long pauses to stay under IDS thresholds, and T5 is fast enough to lose results.

nmap -oN normal.txt -oX xmlfile.xml -oG grepable.txt 10.10.10.10

Save results in normal, XML and grepable formats. -oA basename writes all three at once; XML is the format other tools parse, grepable is handy for quick shell pipelines.

Nmap’s scripting engine (NSE) runs Lua scripts against the hosts and services a scan finds, automating recon, vuln detection and, for a few scripts, exploitation. Every script carries one or more categories, and the categories are what you select on with --script. They include:

  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • intrusive
  • safe
  • vuln
  • malware

The brute, dos and intrusive categories mark scripts that can lock out accounts or crash a service; safe marks scripts that should not. To list the installed scripts:

ls /usr/share/nmap/scripts/

Or:

nmap --script-help all

You can search by keyword (e.g., ftp, http, smb):

ls /usr/share/nmap/scripts/ | grep ftp
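
A keyword search tells you a script exists but not what category it is in, and the category is what decides whether a wildcard like smb-vuln* or a run of --script vuln is safe against a production host. The script below is an added example, not code from the original post or from the Nmap project: it searches Nmap's script index (script.db, assumed to live at the usual Debian/Kali path) and prints each matching script with its categories, then filters out the ones tagged brute, dos or intrusive. The sample index entries are constructed in the real file's format so the functions can be exercised without an Nmap install.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: search Nmap's script index
# (script.db) by keyword and show each script's categories, so brute, dos and
# intrusive scripts stand out before a wildcard such as smb-vuln* pulls them in.
# The index path is the usual Debian/Kali location and is an assumption.
set -eu

SCRIPT_DB="${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}"

# script.db holds one Lua table entry per script, e.g.
#   Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
# nse_find KEYWORD DBFILE prints "name<TAB>cat1,cat2" for scripts whose name
# contains KEYWORD.
nse_find() {
    awk -v kw="$1" '
        /^Entry/ {
            match($0, /filename = "[^"]*"/)
            name = substr($0, RSTART + 12, RLENGTH - 13)   # text between the quotes
            sub(/\.nse$/, "", name)
            if (index(name, kw) == 0) next
            match($0, /categories = [{][^}]*[}]/)
            cats = substr($0, RSTART + 14, RLENGTH - 15)   # text between the braces
            gsub(/[" ]/, "", cats)                          # drop quotes and spaces
            sub(/,$/, "", cats)                             # drop the trailing comma
            print name "\t" cats
        }' "$2"
}

# Filter nse_find output down to the names carrying a category you should not
# run blindly against a production host.
nse_risky() {
    awk -F'\t' '{
        n = split($2, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] == "brute" || c[i] == "dos" || c[i] == "intrusive") { print $1; break }
    }'
}

# Constructed sample in the real file's format (a handful of entries, not the
# full index) so the functions can be exercised without an Nmap install.
write_sample_db() {
    cat > "$1" <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms10-054.nse", categories = { "vuln", "intrusive", "dos", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
EOF
}

# Which of the smb-vuln* scripts in the sample would you not want to run blindly?
demo_risky_smb_vuln() {
    local db
    db=$(mktemp)
    write_sample_db "$db"
    nse_find smb-vuln "$db" | nse_risky | paste -sd, -
    rm -f "$db"
}

# With a real install: ./nse_find.sh smb-vuln   (prints names and categories)
if [ "$#" -gt 0 ]; then
    nse_find "$1" "$SCRIPT_DB"
fi
```

Against the sample, demo_risky_smb_vuln prints smb-vuln-ms10-054 (vuln, intrusive, dos) and leaves smb-vuln-ms17-010 (vuln, safe) alone, which is exactly the distinction you want to make before pointing a wildcard at a host you cannot afford to crash. Once you know the categories, NSE's boolean syntax lets you say it on the command line: --script "smb-vuln* and not dos".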

Here’s a breakdown of must-know scripts by service:

nmap --script ssh-hostkey,ssh-auth-methods,ssh-brute -p22 10.10.10.10
  • ssh-hostkey: Fetches the host key (the same key on several hosts points at cloned images)
  • ssh-auth-methods: Lists the auth methods the server offers (password, publickey, ...)
  • ssh-brute: Brute-forces credentials; slow, noisy and able to trigger lockouts, so run it on its own and deliberately

nmap --script http-title,http-headers,http-methods,http-enum,'http-vuln*' -p80,443 10.10.10.10
  • http-title: Grabs page title
  • http-headers: Lists HTTP response headers
  • http-methods: Lists the methods the server allows (via OPTIONS) and flags risky ones such as TRACE, PUT and DELETE
  • http-enum: Enumerates common files/dirs
  • http-vuln-*: Checks for known web vulns (quote the wildcard so the shell does not try to expand it)

nmap --script smb-os-discovery,smb-enum-shares,smb-enum-users,'smb-vuln*' -p445 10.10.10.10
  • smb-os-discovery: OS info via SMB
  • smb-enum-shares: Lists shared folders
  • smb-enum-users: Attempts to list users
  • smb-vuln-ms17-010: Checks for EternalBlue (it is in the safe category, since it only sends a probe)
  • smb-vuln*: Also pulls in dos-category scripts (smb-vuln-ms10-054, for one) that can crash the target; on anything you cannot reboot, use --script "smb-vuln* and not dos" or name the checks you want

nmap --script ftp-anon,ftp-bounce,ftp-syst,ftp-brute -p21 10.10.10.10
  • ftp-anon: Checks for anonymous login (and lists what anonymous can see)
  • ftp-bounce: Checks whether the server will PORT to a third-party host (FTP bounce, usable for proxied scanning)
  • ftp-syst: Displays server info (SYST/STAT)
  • ftp-brute: Brute-forces credentials

nmap --script telnet-brute,telnet-encryption -p23 10.10.10.10
  • telnet-brute: Brute-force credentials
  • telnet-encryption: Checks for encryption support

nmap --script smtp-commands,smtp-enum-users,smtp-brute -p25 10.10.10.10
  • smtp-commands: Lists the commands the server advertises (EHLO/HELP)
  • smtp-enum-users: Attempts to enumerate users via VRFY, EXPN and RCPT TO
  • smtp-brute: Credential brute-force

nmap -sU --script snmp-info,snmp-brute -p161 10.10.10.10
  • snmp-info: Collects system data via SNMP
  • snmp-brute: Brute-forces community strings

SNMP is UDP, so this one needs -sU (and root for raw sockets). A plain -p161 probes TCP 161, which is almost never listening, so the port comes back closed and the scripts never run.

nmap --script dns-zone-transfer,dns-brute --script-args dns-zone-transfer.domain=example.com,dns-brute.domain=example.com -p53 10.10.10.10
  • dns-zone-transfer: Attempts an AXFR of the domain given in dns-zone-transfer.domain (example.com above is a placeholder)
  • dns-brute: Brute-forces subdomains of dns-brute.domain from a built-in wordlist

nmap --script mysql-info,mysql-users,mysql-brute -p3306 10.10.10.10
  • mysql-info: Reads the server greeting (version, protocol, capabilities)
  • mysql-users: Lists users; needs a valid login passed via --script-args
  • mysql-brute: Brute-forces credentials

nmap --script pgsql-brute,pgsql-info -p5432 10.10.10.10

nmap --script rdp-enum-encryption -p3389 10.10.10.10
  • rdp-enum-encryption: Lists the security layers and encryption levels the RDP service accepts

nmap --script vuln 10.10.10.10

Runs every script in the vuln category. Many of them are also tagged intrusive or dos; --script "vuln and safe" keeps only the checks that will not disrupt the target.

nmap --script default 10.10.10.10

Runs the default scripts (the same set -sC runs): banner grabbing, service info, etc.

nmap --script discovery 10.10.10.10

Useful for host, port, and service enumeration

  • Use -p- early on to avoid missing non-standard ports.
  • Run nmap -sV -sC -oN recon.txt <target> often to get a solid first recon.
  • Automate common scan patterns with custom shell aliases or bash scripts.
  • Use --script-updatedb to rebuild the local script database (script.db) after adding or editing scripts.
  • Chain scans: start broad (ping sweep, then all ports) and go deeper (-sV -sC, targeted NSE scripts) only on what the broad pass found.
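
What "chain scans" looks like once scripted, as an added example that is not code from the original post: a ping sweep of the range, an all-ports SYN scan of each live host, and then -sV -sC on just the ports that came back open. The glue is parsing Nmap's grepable (-oG) output, so the two parsers are the part worth keeping. Target range, output directory and timing flags are illustrative assumptions, and -sn/-sS need root. The grepable lines used to exercise the parsers are constructed, not captured from a real scan.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the "start broad, go deeper"
# chain as a script. Stage 1 ping-sweeps the range, stage 2 runs an all-ports
# SYN scan on each live host, stage 3 runs -sV -sC (saving normal output) only
# on the ports stage 2 found open. Range, output directory and timing flags
# are illustrative assumptions; -sn and -sS need root.
set -eu

# Live hosts from a -sn -oG sweep. Grepable lines look like
#   Host: 10.10.10.10 ()<TAB>Status: Up
live_hosts_from_gnmap() {
    awk '/Status: Up/ { print $2 }' "$1"
}

# Open TCP ports from a -oG port-scan file, as a comma list ready for -p.
# The port field reads
#   Ports: 22/open/tcp//ssh///, 135/filtered/tcp//msrpc///, ...
open_ports_from_gnmap() {
    tr ' ,' '\n\n' < "$1" \
        | sed -n 's#^\([0-9][0-9]*\)/open/tcp.*#\1#p' \
        | sort -un \
        | paste -sd, -
}

scan_chain() {
    range="$1"
    out="${2:-recon}"
    mkdir -p "$out"
    nmap -sn -oG "$out/sweep.gnmap" "$range" > /dev/null
    for host in $(live_hosts_from_gnmap "$out/sweep.gnmap"); do
        nmap -sS -p- -T4 --min-rate 1000 -oG "$out/$host.allports.gnmap" "$host" > /dev/null
        ports=$(open_ports_from_gnmap "$out/$host.allports.gnmap")
        [ -n "$ports" ] || continue
        nmap -sV -sC -p "$ports" -oN "$out/$host.deep.txt" "$host" > /dev/null
        echo "$host: $ports -> $out/$host.deep.txt"
    done
}

# Constructed grepable output (not from a real scan) to exercise the parsers
# without running nmap.
write_sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n' >> "$1"
    printf 'Host: 10.10.10.11 ()\tStatus: Down\n' >> "$1"
}

# Returns "live-hosts|open-ports" for the sample, i.e. what stage 3 would be given.
demo_parse() {
    f=$(mktemp)
    write_sample_gnmap "$f"
    printf '%s|%s\n' "$(live_hosts_from_gnmap "$f" | paste -sd, -)" "$(open_ports_from_gnmap "$f")"
    rm -f "$f"
}

# Usage: sudo ./scan_chain.sh 10.10.10.0/24 recon
if [ "$#" -gt 0 ]; then
    scan_chain "$@"
fi
```

On the sample, demo_parse yields 10.10.10.10|22,80,445: the filtered port 135 is dropped and the down host never reaches stage 2. Stage 3 then spends its probes on three ports instead of the 1,000 a default -sV -sC would touch, which is where the time saving in the "chain scans" tip comes from.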

Nmap isn’t just a port scanner—it’s your recon Swiss Army knife. When used properly, it provides deep insight into your target’s infrastructure and potential vulnerabilities.

Mastering Nmap means shaving hours off your enumeration phase and making your exploit path crystal clear.
