# Nmap & Nmap Scripting Engine (NSE)
Powerful tools for network security, reconnaissance, and enumeration.
- Purpose: Discover hosts, services, vulnerabilities; automate advanced probes
- Importance: Essential for mapping and securing network infrastructure
---
### Lesson Previews
- **Discovery Scans**: Identify live hosts (`nmap -sn`)
- **Port Scans**: Check port states (open/closed/filtered) with `-sS`, `-sU`, etc.
- **Fingerprinting**: OS, service version, device type via `-sV`, `-O`, `-A`
- **Live Demo**: Hands-on Nmap usage
- **NSE**: Automate vulnerability detection and custom scripts
---
### Nmap Discovery Scans
Footprint the network by probing for responsive hosts.
- **Basic Syntax** (host discovery followed by a default scan of the 1000 most common TCP ports):
```bash
nmap 192.168.1.0/24
```
- **Host Discovery**:
```bash
nmap -sn 192.168.1.0/24
```
- **Useful Switches**:
  - **List Scan** (`-sL`): Reverse-DNS lookup of each target, no packets sent to the hosts
  - **TCP SYN Ping** (`-PS80,443`): Host discovery via SYN probes to the given ports (useful where ICMP is blocked)
  - **Scan Delay** (`--scan-delay 500ms`): Minimum wait between probes; slower but less likely to trip rate-based alerts
  - **Timing** (`-T0..5`): 0=paranoid → 5=insane
  - **Idle Scan** (`-sI zombie`): Bounce the scan off a "zombie" host with predictable IP ID increments, so the target logs the zombie's address rather than yours
  - **Fragmentation** (`-f`/`--mtu <bytes>`): Split probes into small IP fragments to evade simple packet filters
---
### Nmap Port Scans
Determine port states and running services.
- **TCP SYN** (`-sS`): Half-open handshake; needs raw-socket privileges (root), so it is the default only for privileged users
- **TCP Connect** (`-sT`): Full handshake via the OS `connect()` call; the default for unprivileged users, and the connection is logged by the service
- **Null Scan** (`-sN`): No flags set
- **FIN Scan** (`-sF`): FIN flag only
- **Xmas Scan** (`-sX`): FIN+PSH+URG flags
- **UDP Scan** (`-sU`): Probe UDP ports
- **Port Range** (`-p 1-65535`, or `-p-`): Scan specified ports; without `-p`, Nmap scans the 1000 most common ports
**Output Formats**:
- **Interactive** (screen)
- **Normal** (`-oN file.txt`)
- **XML** (`-oX file.xml`)
- **Grepable** (`-oG file.gnmap`)
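The discovery scan and the port scan above chain naturally into one pipeline: find the live hosts first, then spend the expensive SYN/version scan only on them. The script below is an added example, not from the original page. It assumes `nmap` is on `PATH`, that the caller has raw-socket privileges for `-sS`, and that the file names `live-hosts.txt` and `ports.gnmap` are free to use. The two `sample_*` functions are constructed grepable (`-oG`) output in the real format, so the parsers can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original page: chain "nmap -sn" host discovery into a
# targeted SYN + version scan, and parse the grepable (-oG) output with awk so the
# results can feed other tools. Assumptions: nmap on PATH, root for -sS, and the
# output file names below are ours to use.

# Print the IP of every host that "nmap -sn -oG -" reported as Up (gnmap on stdin).
# gnmap lines look like:  Host: 192.168.1.1 (router.lan)<TAB>Status: Up
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print "ip port/proto service (version)" for each open port (gnmap on stdin).
# Fields are tab separated; the Ports field is a comma-separated list of
# port/state/proto/owner/service/rpcinfo/version entries. Nmap writes a literal
# "/" inside a field as "|", so splitting on "/" is safe.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, ports, /, /)
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")
          if (f[2] != "open") continue
          svc = f[5]
          if (f[7] != "") svc = svc " (" f[7] ")"
          printf "%s %s/%s %s\n", ip, f[1], f[3], svc
        }
      }
    }'
}

# Full pipeline: discover, then SYN + version scan all 65535 TCP ports of the
# responsive hosts only ("-oG -" sends grepable output to stdout).
scan_network() {
  net="$1"
  nmap -sn -oG - "$net" | live_hosts > live-hosts.txt
  nmap -sS -sV -p- -iL live-hosts.txt -oG ports.gnmap >/dev/null
  open_ports < ports.gnmap
}

# Constructed gnmap samples (the shape of what the two nmap runs above emit).
sample_discovery_gnmap() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf '# Nmap done (constructed sample)\n'
}

sample_ports_gnmap() {
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: filtered (65531)\n'
}

# Usage: ./scan.sh 192.168.1.0/24
if [ $# -gt 0 ]; then scan_network "$1"; fi
```

Run against the constructed sample, `open_ports` reports only `22/tcp` and `80/tcp` for 192.168.1.10; the filtered 443 and closed 3306 entries are dropped, which is the point of parsing the state field rather than grepping for port numbers.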
---
### Port States
- **Open**: An application is accepting TCP connections or UDP datagrams on the port
- **Closed**: Reachable (replies with RST, or ICMP port unreachable for UDP) but nothing is listening
- **Filtered**: Packet filtering blocks the probe (no reply, or an ICMP admin-prohibited error), so Nmap cannot tell whether the port is open
- **Unfiltered**: Reachable, but Nmap cannot determine open vs. closed; only the ACK scan (`-sA`) reports this state
- **Open | Filtered**: Open ports give no response in UDP, Null, FIN and Xmas scans, so they are indistinguishable from filtered ones
- **Closed | Filtered**: Reported only by the idle scan (`-sI`), which cannot separate the two
---
### Nmap Fingerprinting
Intensive probes to identify detailed host attributes.
- **Service Version** (`-sV`):
```bash
nmap -sV 192.168.1.1
```
- **Aggressive Scan** (`-A`): Enables OS detection (`-O`), version detection (`-sV`), default script scan (`-sC`) and traceroute in one switch
```bash
nmap -A 192.168.1.1
```
- **OS Detection** (`-O`): TCP/IP stack fingerprinting (requires raw-socket privileges)
- **CPE**: Common Platform Enumeration identifiers (`cpe:/o:...`, `cpe:/a:...`) printed alongside matched OS and service versions, handy for matching against vulnerability databases
---
### Nmap Scripting Engine (NSE)
Extend Nmap via **Lua** scripts for automation and vulnerability checks.
- **Script Categories**: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
- **Run the Default and Safe Categories** (`-sC` is shorthand for `--script=default`):
```bash
nmap --script=default,safe 192.168.1.1
```
- **Specific Script Examples**:
  - **SMB User Enum**: `--script smb-enum-users` (the `.nse` suffix is optional)
  - **HTTP Vuln Checks**: `--script "http-vuln*"` (quote the wildcard so the shell does not expand it)
  - **IP Geolocation**: `--script ip-geolocation-geoplugin` (category `external`: it sends the target's IP to a third-party web service, so avoid it on engagements where that leak matters)
> **Tip**: Combine `-sC` (default scripts) with `-sV` for quick reconnaissance.
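Before running a category such as `safe` or `vuln` against a target, it helps to know which scripts that selection actually covers; Nmap keeps the mapping in its `script.db` index, and `--script` accepts boolean expressions over categories and names. The script below is an added example, not from the original page. It assumes `nmap` is installed with `script.db` at the Debian/Ubuntu path `/usr/share/nmap/scripts/script.db` (override with `SCRIPT_DB`), and the output file name is our choice; `sample_script_db` is a constructed excerpt in the real file's format so the selection logic can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original page: list NSE scripts by category from
# Nmap's script.db index and run a properly quoted boolean --script selection.
# Assumptions: nmap installed; script.db at the path below (override via SCRIPT_DB);
# the target and output file names are ours.

SCRIPT_DB="${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}"

# Print scripts (script.db on stdin) tagged with category $1, optionally dropping
# those also tagged with category $2. Index entries look like:
#   Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
# Categories are matched with their surrounding quotes, so "safe" never matches
# a longer name that merely contains it.
select_scripts() {
  awk -v inc="\"$1\"" -v exc="\"${2:-}\"" '
    /^Entry/ {
      cats = $0; sub(/.*categories = [{]/, "", cats); sub(/[}].*/, "", cats)
      if (index(cats, inc) && (exc == "\"\"" || !index(cats, exc))) {
        fn = $0; sub(/.*filename = "/, "", fn); sub(/".*/, "", fn); print fn
      }
    }'
}

# Version scan plus a boolean NSE selection. Quoting matters: an unquoted
# http-vuln* is globbed by the shell against the current directory, and
# "not external" keeps Nmap from sending the target's IP to third-party services.
# --script-args passes library/script parameters (http.useragent is a real one).
nse_scan() {
  target="$1"
  nmap -sV --script "(default or vuln) and not (external or intrusive)" \
       --script-args "http.useragent=Mozilla/5.0" \
       -oN "nse-$target.txt" "$target"
}

# Constructed excerpt of script.db, in the real file's format, for offline checks.
sample_script_db() {
  cat <<'EOF'
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive" } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe" } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery" } }
EOF
}

# Usage: ./nse.sh <target>
# Shows what "safe but not external" selects on this install, then scans.
if [ $# -gt 0 ]; then
  select_scripts safe external < "$SCRIPT_DB"
  nse_scan "$1"
fi
```

On the constructed excerpt, `select_scripts safe external` keeps `http-title` and `ssl-cert` and drops `ip-geolocation-geoplugin`, which is exactly the filter you want before pointing `safe` at a client network. To read what a selected script does before running it, `nmap --script-help "http-vuln*"` prints the description of every matching script.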