Nmap Advanced Guide: Mastering Network Reconnaissance
Advanced Nmap techniques for penetration testing including NSE scripting, IDS/firewall evasion, large-scale scanning, and real-world attack scenarios.
NmapNetwork ScanningPenetration TestingNSE ScriptsIDS EvasionReconnaissancePort ScanningSecurity Assessment
Introduction
Nmap (Network Mapper) is far more than a simple port scanner—it's a complete network reconnaissance framework. While basic Nmap usage is straightforward, mastering its advanced features unlocks powerful capabilities for penetration testing, security auditing, and network discovery. This guide covers advanced techniques that go beyond typical usage.
This guide assumes familiarity with basic Nmap concepts. For fundamental commands and quick references, check our Nmap Cheatsheet.
The Nmap Scripting Engine (NSE)
NSE is Nmap's most powerful feature, providing automated vulnerability detection, advanced reconnaissance, and exploitation capabilities through Lua scripts.
NSE Script Categories
Understanding Script Categories
# List all categories
nmap --script-help "*" | grep Categories
# Common categories:
# - auth: Authentication testing
# - broadcast: Broadcast discovery
# - brute: Brute-force attacks
# - default: Safe, fast, useful scripts
# - discovery: Information gathering
# - dos: Denial of service tests
# - exploit: Active exploitation
# - external: Queries external resources
# - fuzzer: Fuzzing tests
# - intrusive: High-risk scripts
# - malware: Malware detection
# - safe: Won't crash services
# - version: Advanced version detection
# - vuln: Vulnerability detectionStrategic Script Selection
# Safe discovery (recommended for initial scan)
nmap -sV -sC --script="safe and not intrusive" target.com
# Vulnerability scanning without DOS risk
nmap -sV --script="vuln and safe" target.com
# Authentication testing
nmap --script="auth" target.com
# SMB enumeration (comprehensive)
nmap --script="smb-enum-* and safe" target.com
# Exclude problematic scripts
nmap --script="default and not (dos or intrusive or exploit)" target.comTargeted Protocol Scanning
HTTP/HTTPS Enumeration:
# Comprehensive HTTP reconnaissance
nmap -p 80,443,8080,8443 --script="http-enum,http-headers,http-methods,http-title,http-robots.txt,http-sitemap-generator,http-git,http-svn-enum,http-config-backup" target.com
# Web vulnerability assessment
nmap -p 80,443 --script="http-vuln-*,http-sql-injection,http-stored-xss,http-dombased-xss,http-phpself-xss,http-unsafe-output-escaping" target.com
# Directory brute-forcing
nmap -p 80 --script http-enum --script-args http-enum.basepath='/admin/' target.comSMB/CIFS Enumeration:
# Complete SMB reconnaissance
nmap -p 445 --script="smb-protocols,smb-security-mode,smb-os-discovery,smb-enum-shares,smb-enum-users,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-domains,smb-system-info" target.com
# SMB vulnerability scanning
nmap -p 445 --script="smb-vuln-*" target.com
# SMB brute-force (use with caution)
nmap -p 445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt target.comDatabase Enumeration:
# MySQL
nmap -p 3306 --script="mysql-enum,mysql-info,mysql-databases,mysql-variables,mysql-vuln-*" target.com
# PostgreSQL
nmap -p 5432 --script="pgsql-brute" target.com
# MSSQL
nmap -p 1433 --script="ms-sql-info,ms-sql-empty-password,ms-sql-enum,ms-sql-brute,ms-sql-dump-hashes" target.com
# MongoDB
nmap -p 27017 --script="mongodb-databases,mongodb-info" target.comDNS Reconnaissance:
# DNS enumeration and zone transfer
nmap --script="dns-zone-transfer,dns-recursion,dns-cache-snoop,dns-nsec-enum,dns-brute" -p 53 target.com
# DNS brute-force with custom subdomains
nmap --script dns-brute --script-args dns-brute.hostlist=subdomains.txt target.comCustom NSE Scripts
Create your own NSE scripts for specific reconnaissance needs:
-- File: custom-banner.nse
description = [[
Grabs service banners and extracts version info with custom patterns.
]]
author = "Your Name"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
local shortport = require "shortport"
local stdnse = require "stdnse"
-- Define which ports to run against
portrule = shortport.port_or_service({21, 22, 25, 80, 110, 143}, {"ftp", "ssh", "smtp", "http", "pop3", "imap"})
-- Main script logic
action = function(host, port)
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Send protocol-specific probe if needed
if port.service == "http" then
try(socket:send("HEAD / HTTP/1.0\r\n\r\n"))
end
local status, banner = socket:receive_lines(1)
if status then
return banner
else
return nil
end
endUsing custom scripts:
# Save script to Nmap scripts directory
sudo cp custom-banner.nse /usr/share/nmap/scripts/
# Update script database
nmap --script-updatedb
# Run custom script
nmap --script custom-banner target.comAdvanced Firewall and IDS Evasion
Bypass security devices and remain undetected during reconnaissance.
Fragmentation Techniques
# Tiny packet fragments (8 bytes)
nmap -f target.com
# Custom MTU (must be multiple of 8)
nmap --mtu 16 target.com
# Maximum fragmentation
nmap -ff target.comDecoy Scanning
# Simple decoy scan (Nmap picks random decoys)
nmap -D RND:10 target.com
# Manual decoy IPs (your IP should be in the list)
nmap -D 192.168.1.5,192.168.1.10,ME,192.168.1.15,192.168.1.20 target.com
# Decoy with specific source port
nmap -D RND:10 -g 53 target.comTiming Profiles and Custom Timing
# Paranoid - one probe every 5 minutes
nmap -T0 target.com
# Sneaky - one probe every 15 seconds
nmap -T1 target.com
# Custom timing for precise control
nmap --max-rate 10 --max-retries 1 --max-rtt-timeout 500ms --initial-rtt-timeout 250ms target.com
# Slow and low
nmap --scan-delay 5s --max-scan-delay 10s target.comSource Port Manipulation
# Use DNS source port (often allowed through firewalls)
nmap -g 53 target.com
# HTTP source port
nmap -g 80 target.com
# HTTPS source port
nmap -g 443 target.comComplete Stealth Scan
# Maximum evasion configuration
nmap -sS -Pn -f --mtu 24 -g 53 --data-length 64 \
--scan-delay 1s --max-scan-delay 2s \
-D RND:10 -T2 --randomize-hosts \
--spoof-mac Apple --ttl 128 \
target.comIdle Scan (Zombie Scan)
The most stealthy scan - uses a third-party "zombie" host:
# Find potential zombie hosts (low traffic, predictable IPID)
nmap -p 80 --script ipidseq subnet.com/24
# Perform idle scan using zombie
nmap -sI zombie.com:80 target.com
# Idle scan with specific ports
nmap -sI zombie.com:80 -p 22,80,443 target.comIdle scanning can be detected and is considered highly suspicious. Use only with proper authorization in controlled environments.
Enterprise-Scale Scanning
Efficiently scan large networks and manage massive result sets.
Optimized Large Network Scanning
# Fast scan of top 1000 ports across /16 network
nmap -T4 -n --max-retries 1 --max-scan-delay 20 \
--min-rate 1000 --max-rate 10000 \
--open -oG results.gnmap \
10.0.0.0/16
# Parallel scanning with GNU Parallel
cat targets.txt | parallel -j 10 nmap -T4 -sV -oA scan_{} {}
# Distributed scanning (split ranges)
nmap -iR 10000 -PS22,80,443,3389 --open -oG random_scan.gnmapInput from Multiple Sources
# Combine multiple target lists
cat targets1.txt targets2.txt targets3.txt | sort -u > all_targets.txt
nmap -iL all_targets.txt
# Scan from CIDR notation file
nmap -iL cidr_ranges.txt -sn -oG hostdiscovery.gnmap
# Exclude internal networks
nmap 10.0.0.0/8 --exclude 10.1.0.0/16,10.2.0.0/16 --excludefile internal.txtOutput Processing and Analysis
# Convert XML to HTML report
xsltproc /usr/share/nmap/nmap.xsl scan.xml -o scan.html
# Parse grepable output for open ports
grep "Status: Up" scan.gnmap | cut -d' ' -f2 > live_hosts.txt
# Extract all open HTTP ports
grep "80/open" scan.gnmap | awk '{print $2}' > web_servers.txt
# Find hosts with specific service
grep -E "22/open.*ssh" scan.gnmap | awk '{print $2":"$3}' > ssh_servers.txt
# Compare two scans
ndiff scan1.xml scan2.xml
# Parse XML with xmlstarlet
xmlstarlet sel -t -m '//host/address' -v '@addr' -n scan.xmlReal-World Attack Scenarios
Practical examples from actual penetration tests.
Scenario 1: Internal Network Reconnaissance
Initial Host Discovery
# ARP scan for local subnet (fastest)
sudo nmap -sn -PR 192.168.1.0/24 -oG hosts.gnmap
# Extract live hosts
grep "Status: Up" hosts.gnmap | awk '{print $2}' > live_hosts.txtService Enumeration
# Quick SYN scan of top ports
sudo nmap -sS --top-ports 1000 -iL live_hosts.txt -oA quick_scan
# Deep scan on interesting hosts
sudo nmap -sS -sV -sC -p- -oA full_scan interesting_hosts.txtVulnerability Assessment
# Targeted vulnerability scanning
nmap -sV --script="vuln and safe" -iL live_hosts.txt -oA vuln_scan
# SMB vulnerabilities (EternalBlue, etc.)
nmap -p 445 --script="smb-vuln-ms17-010,smb-vuln-ms08-067" 192.168.1.0/24Scenario 2: External Penetration Test
Reconnaissance Phase
# Discover all open ports (stealthy)
sudo nmap -sS -Pn -p- --max-retries 1 -T3 -oA external_full target.com
# Service version detection
sudo nmap -sS -sV -p $(grep -oP '\d+/open' external_full.gnmap | cut -d/ -f1 | tr '\n' ',') target.com -oA external_servicesWeb Application Discovery
# Find all web services
nmap -p 80,443,8000,8080,8443,8888 --open -oG web_services.gnmap target_range
# HTTP enumeration on discovered services
nmap -p 80,443,8080,8443 --script="http-enum,http-title,http-headers,http-methods,http-robots.txt,http-git,http-backup-finder" -iL web_hosts.txtVulnerability Exploitation
# Check for known CVEs
nmap -sV --script="vuln" target.com
# Test for weak SSH configs
nmap -p 22 --script="ssh-auth-methods,ssh2-enum-algos,sshv1" target.com
# Check SSL/TLS vulnerabilities
nmap -p 443 --script="ssl-cert,ssl-enum-ciphers,ssl-known-key,ssl-heartbleed,ssl-poodle,ssl-dh-params" target.comScenario 3: Active Directory Environment
# Discover domain controllers
nmap -p 389,636,3268,3269,88,464 --open -oG dc_candidates.gnmap 10.0.0.0/16
# Enumerate SMB shares and users
nmap -p 445 --script="smb-enum-shares,smb-enum-users,smb-enum-groups,smb-enum-domains" -iL domain_controllers.txt
# Kerberos enumeration
nmap -p 88 --script="krb5-enum-users" --script-args krb5-enum-users.realm=DOMAIN.LOCAL domain_controller
# LDAP enumeration
nmap -p 389,636 --script="ldap-rootdse,ldap-search,ldap-brute" domain_controller
# Check for MS17-010 (EternalBlue)
nmap -p 445 --script smb-vuln-ms17-010 10.0.0.0/16 --openAdvanced Vulnerability Scanning
Vulscan Integration
Install and configure vulscan for comprehensive vulnerability detection:
# Install vulscan
cd /usr/share/nmap/scripts/
sudo git clone https://github.com/scipag/vulscan.git
# Update Nmap script database
nmap --script-updatedb
# Basic vulnerability scan
nmap -sV --script=vulscan/vulscan.nse target.com
# Specify specific vulnerability database
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv target.com
# Multiple databases
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv,exploitdb.csv,osvdb.csv target.com
# Scan entire network with vulscan
nmap -sV --script=vulscan/vulscan.nse -iL targets.txt -oA vulscan_resultsNmap + Metasploit Integration
# Export Nmap results to Metasploit
msfconsole
> db_import /path/to/nmap_scan.xml
# Use Metasploit for exploitation based on Nmap findings
> search type:exploit platform:windows cve:2017
> use exploit/windows/smb/ms17_010_eternalblue
> set RHOSTS 192.168.1.10
> exploitPerformance Optimization
CPU and Network Tuning
# Use all CPU cores
nmap -T4 --min-parallelism 100 target.com
# Limit bandwidth usage
nmap --max-rate 100 target.com
# Aggressive scanning (fast network)
nmap -T5 --min-rate 10000 --max-retries 1 target.com
# Reduce probe count for faster results
nmap --version-intensity 0 target.comIntelligent Scanning Strategies
# Progressive port scanning
# 1. Scan top 100 ports first
nmap --top-ports 100 --open -oG top100.gnmap target_range
# 2. Extract hosts with open ports
grep "/open" top100.gnmap | awk '{print $2}' > active_hosts.txt
# 3. Deep scan only active hosts
nmap -sV -sC -p- -iL active_hosts.txt -oA deep_scan
# Adaptive timing based on network conditions
nmap --min-rtt-timeout 100ms --max-rtt-timeout 500ms --initial-rtt-timeout 250ms target.comNmap Automation and Scripting
Bash Automation
#!/bin/bash
# auto_recon.sh - Automated network reconnaissance
TARGET=$1
OUTPUT_DIR="nmap_scans_$(date +%Y%m%d_%H%M%S)"
mkdir -p $OUTPUT_DIR
echo "[*] Starting reconnaissance on $TARGET"
# Stage 1: Host discovery
echo "[*] Stage 1: Host Discovery"
nmap -sn -PR $TARGET -oA $OUTPUT_DIR/01_hostdiscovery
# Stage 2: Quick port scan
echo "[*] Stage 2: Quick Port Scan"
nmap -sS --top-ports 1000 --open -iL $OUTPUT_DIR/01_hostdiscovery.gnmap \
-oA $OUTPUT_DIR/02_quickscan
# Stage 3: Service detection
echo "[*] Stage 3: Service Detection"
nmap -sS -sV -sC -iL $OUTPUT_DIR/02_quickscan.gnmap \
-oA $OUTPUT_DIR/03_services
# Stage 4: Vulnerability scanning
echo "[*] Stage 4: Vulnerability Scanning"
nmap -sV --script="vuln and safe" -iL $OUTPUT_DIR/02_quickscan.gnmap \
-oA $OUTPUT_DIR/04_vulnscan
echo "[*] Reconnaissance complete. Results in $OUTPUT_DIR/"Python Integration
#!/usr/bin/env python3
import nmap
import json
def scan_network(target, ports='1-1000'):
"""Automated Nmap scanning with Python"""
nm = nmap.PortScanner()
print(f"[*] Scanning {target}")
nm.scan(hosts=target, ports=ports, arguments='-sV -sC')
results = {}
for host in nm.all_hosts():
results[host] = {
'state': nm[host].state(),
'protocols': {}
}
for proto in nm[host].all_protocols():
ports = nm[host][proto].keys()
results[host]['protocols'][proto] = {}
for port in ports:
service = nm[host][proto][port]
results[host]['protocols'][proto][port] = {
'state': service['state'],
'name': service['name'],
'product': service.get('product', ''),
'version': service.get('version', '')
}
return results
if __name__ == '__main__':
target = '192.168.1.0/24'
results = scan_network(target)
# Save to JSON
with open('scan_results.json', 'w') as f:
json.dump(results, f, indent=2)
print("[+] Results saved to scan_results.json")Best Practices and OpSec
Operational Security Considerations
Legal Considerations:
- Always obtain written authorization before scanning
- Respect scope boundaries in penetration tests
- Be aware of local laws regarding network scanning
- Document all scanning activities
Recommended practices:
# Always use proper scope management
nmap -iL in_scope_targets.txt --excludefile out_of_scope.txt
# Rate limit to avoid detection
nmap --max-rate 100 --scan-delay 500ms target.com
# Use randomization for stealth
nmap --randomize-hosts -iL targets.txt
# Log all activities
nmap target.com -oA scan_results_$(date +%Y%m%d_%H%M%S)Avoiding Common Mistakes
# DON'T: Scan without proper authorization
# DO: Get written permission
# DON'T: Use -T5 on production networks
# DO: Use -T3 or lower for production
# DON'T: Scan entire internet ranges
# DO: Scope scans appropriately
# DON'T: Run exploit scripts without understanding them
# DO: Test in controlled environments first
# DON'T: Ignore output and logging
# DO: Save all results: -oA output_basenameTroubleshooting Advanced Scans
Common Issues and Solutions
Slow Scans:
# Problem: Scan taking too long
# Solution: Optimize timing and retries
nmap -T4 --max-retries 1 --max-rtt-timeout 500ms target.com
# Problem: Too many dropped packets
# Solution: Increase timeout and reduce rate
nmap --max-rate 100 --max-retries 2 target.comFirewall Blocking:
# Problem: All ports show as filtered
# Solution: Try different scan types and evasion
nmap -sA target.com # ACK scan to map firewall rules
nmap -f -D RND:10 target.com # Fragmented packets with decoys
nmap -sI zombie.com target.com # Idle scan via zombie hostNSE Script Errors:
# Problem: Script timeouts
# Solution: Increase script timeout
nmap --script-timeout 60s --script vuln target.com
# Problem: Script not found
# Solution: Update script database
nmap --script-updatedbResources and Further Reading
- Nmap Official Documentation - Complete Nmap guide
- NSE Script Library - All NSE scripts documentation
- Nmap Security Scanner - GitHub repository
- Vulscan Project - Vulnerability scanning module
- High-Speed Nmap - Performance tuning guide
- Nmap Scripting Engine - NSE development guide
Conclusion
Advanced Nmap usage transforms a simple port scanner into a comprehensive reconnaissance and security assessment framework. By mastering NSE scripting, evasion techniques, and automation, you can conduct thorough, efficient security assessments while remaining undetected. Remember: with great power comes great responsibility—always ensure proper authorization before scanning any network.
Combine Nmap with other tools like Masscan for initial discovery, Nessus for comprehensive vulnerability scanning, and Metasploit for exploitation to create a complete security testing workflow.
For basic Nmap commands and quick reference, see our Nmap Cheatsheet.
Last updated on
John the Ripper: Comprehensive Password Cracking Guide
Master John the Ripper for password recovery and security testing. Complete guide covering hash formats, attack modes, rules, and session management.
Nmap Cheatsheet
Essential Nmap commands and techniques for network scanning, service detection, OS fingerprinting, and vulnerability assessment in penetration testing.