Introduction
Nmap (Network Mapper) is a fundamental tool in network security and administration. This lab introduces you to Nmap scanning flags, which enable you to perform effective network reconnaissance and vulnerability assessment. Through hands-on practice, you will learn how to use various Nmap commands to discover hosts, scan ports, and identify services on a network. These skills are essential for network administrators and security professionals to maintain secure network environments.
Installing Nmap and Basic Scanning
Installing Nmap
Nmap is not pre-installed on most systems, so our first step is to install it. Open a terminal in your LabEx environment and run the following commands:
sudo apt update
sudo apt install nmap -y
After installation completes, verify that Nmap is installed correctly by checking its version:
nmap --version
You should see output similar to this:
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Understanding Nmap Basics
Nmap works by sending specially crafted packets to target hosts and analyzing the responses. This helps determine:
- Which hosts are available on the network
- What services (ports) they are offering
- What operating systems they are running
- What type of packet filters/firewalls are in use
The basic syntax of an Nmap command is:
nmap [scan type] [options] target
Where:
- [scan type] specifies the type of scan to perform
- [options] are additional parameters to customize the scan
- target is the IP address, hostname, or IP range to scan
Your First Scan: Scanning the Localhost
Let's start with a simple scan of your own machine (localhost). Run:
nmap localhost
This command scans the most common 1000 TCP ports on your local machine. The output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
The output shows:
- The scan start time
- The host being scanned (localhost/127.0.0.1)
- Open ports and their associated services
- Scan completion time and statistics
Understanding Scan Results
Let's analyze the output:
- PORT: Shows the port number and protocol (e.g., 22/tcp)
- STATE: Indicates if the port is open, closed, or filtered
- SERVICE: Shows the service typically associated with that port
The most common port states are:
- open: The port is accepting connections
- closed: The port is accessible but no application is listening on it
- filtered: Nmap cannot determine if the port is open because packet filtering is blocking its probes
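Reading these tables by eye works for one host, but for a range of ports or a recurring scan it helps to turn the PORT/STATE/SERVICE rows into data. The following parser is an added example for this lab (not code from the lab or from Nmap): SAMPLE_RANGE is the lab's nmap -p 20-25 localhost output with two states changed (constructed) so the filtered and open|filtered cases are exercised, and SAMPLE_DEFAULT mirrors the plain nmap localhost run, where Nmap folds 996 closed ports into a single "Not shown" line that a naive row count would miss.

```python
"""Parse the PORT / STATE / SERVICE table from Nmap's normal output.

Added example, not part of the lab or of Nmap. The two samples are
constructed from the lab's localhost scans (see the lead-in above).
"""
import re
from collections import Counter

SAMPLE_RANGE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
24/tcp open|filtered priv-mail
25/tcp filtered smtp
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
"""

SAMPLE_DEFAULT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
"""

# One table row: "<port>/<proto> <state> <service> [version text when -sV was used]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Counts Nmap folds away, e.g. "Not shown: 996 closed ports" or, in newer releases,
# "Not shown: 990 closed tcp ports (reset), 6 filtered tcp ports (no-response)"
HIDDEN = re.compile(
    r"(\d+) (open\|filtered|closed\|filtered|open|closed|filtered|unfiltered) (?:tcp |udp |sctp )?ports"
)


def parse_port_table(text):
    """Return one dict per port row, in the order Nmap printed them.

    Rows are recognised by shape, so the header may be 'PORT STATE SERVICE'
    or 'PORT STATE SERVICE VERSION'; banner, 'Host is up' and NSE '|' lines
    are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version or ""})
    return rows


def state_summary(text):
    """Count ports per state, including those hidden behind 'Not shown: N ... ports'."""
    counts = Counter(r["state"] for r in parse_port_table(text))
    for line in text.splitlines():
        if line.startswith("Not shown:"):
            for m in HIDDEN.finditer(line):
                counts[m.group(2)] += int(m.group(1))
    return dict(counts)


def open_ports(text):
    """Ports Nmap proved open (a SYN/ACK or completed handshake came back)."""
    return sorted(r["port"] for r in parse_port_table(text) if r["state"] == "open")


def needs_follow_up(text):
    """Ports whose state is ambiguous: filtered / open|filtered mean Nmap got no
    answer, so a listener may still sit behind a packet filter."""
    return sorted(r["port"] for r in parse_port_table(text)
                  if r["state"] in ("filtered", "open|filtered"))


if __name__ == "__main__":
    for name, sample in (("range scan", SAMPLE_RANGE), ("default scan", SAMPLE_DEFAULT)):
        print(name, state_summary(sample), "open:", open_ports(sample),
              "follow-up:", needs_follow_up(sample))
```

The split between open_ports and needs_follow_up is the point: a filtered result is not a closed port, it is a missing answer, and a firewall that drops probes will make every unused port look the same as a hidden service.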
Scanning a Specific Port
To scan a specific port, use the -p flag followed by the port number:
nmap -p 22 localhost
The output will be focused on just port 22:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds
Scanning a Range of Ports
You can scan a range of ports using a hyphen:
nmap -p 20-25 localhost
This scans ports 20 through 25:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
24/tcp closed priv-mail
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Now you have learned how to install Nmap and perform basic port scanning. In the next step, we will explore more advanced scanning techniques using various Nmap flags.
Exploring Essential Nmap Scanning Flags
Now that you understand the basics of Nmap, let's explore some essential scanning flags that will give you more control and information from your scans.
TCP SYN Scan (-sS)
The TCP SYN scan is the default scan type when run as root. It's often called a "half-open" scan because it never completes TCP connections. It's relatively stealthy and quick.
Let's run a SYN scan on localhost:
sudo nmap -sS localhost
The output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
TCP Connect Scan (-sT)
The TCP Connect scan is the default scan when Nmap is not run with root privileges. It completes the full TCP handshake, making it more detectable but also more reliable in some cases.
nmap -sT localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Service Version Detection (-sV)
The version detection flag tells Nmap to try to determine the version of services running on open ports:
nmap -sV localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 6.41 seconds
Notice how the output now includes detailed version information for each service. This is extremely valuable for security assessments as certain versions may have known vulnerabilities.
OS Detection (-O)
The OS detection flag attempts to determine the operating system of the target:
sudo nmap -O localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Notice that Nmap has detected that the system is running Linux kernel version 4.X or 5.X.
Combining Flags for Comprehensive Scanning
You can combine multiple flags to get more comprehensive results. For example, let's combine service version detection and OS detection:
sudo nmap -sV -O localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
Aggressive Scanning (-A)
The aggressive scan flag combines several scanning options including OS detection, version detection, script scanning, and traceroute:
sudo nmap -A localhost
Output (truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolOld, IgnoreSigpipes, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, ConnectWithDatabase, LongPassword, InteractiveClient, SwitchToSSLAfterHandshake, ODBCClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsTransactions, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: \x14\x12\x1Fjw\x182\x15\x0D\x12\x13C\x1F\x14\x0D\x07
|_ Auth Plugin Name: caching_sha2_password
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.12 seconds
Notice the significant amount of additional information provided by the aggressive scan, including SSH key information, HTTP server details, and more detailed MySQL service information.
In this step, you've learned about several essential Nmap scanning flags and how to combine them for more comprehensive results. In the next step, we will explore practical scanning strategies for different scenarios.
Network Scanning Strategies and Timing Controls
In this step, we will learn about network scanning strategies and how to control the timing and performance of Nmap scans. This is crucial when scanning larger networks or when you need to be more discreet.
Scanning Multiple Hosts
Nmap can scan multiple hosts in various ways:
Scanning a List of IPs
You can specify multiple IP addresses separated by spaces:
nmap 127.0.0.1 127.0.0.2
Scanning an IP Range
You can scan a range of IP addresses using the CIDR notation:
nmap 127.0.0.1/30
This command scans 127.0.0.0 through 127.0.0.3. The output will show:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap scan report for 127.0.0.2
Host is up (0.00015s latency).
All 1000 scanned ports on 127.0.0.2 are closed
Nmap scan report for 127.0.0.3
Host is up (0.00013s latency).
All 1000 scanned ports on 127.0.0.3 are closed
Nmap done: 4 IP addresses (3 hosts up) scanned in 0.92 seconds
Host Discovery Options
Ping Scan (-sn)
Sometimes you just want to know which hosts are online without scanning ports. The ping scan is perfect for this:
nmap -sn 127.0.0.1/24
This command will scan the entire 127.0.0.1/24 subnet but will only perform host discovery without port scanning. Due to output length, we'll just show a snippet:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.3
Host is up (0.00014s latency).
...
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.34 seconds
Skipping Host Discovery (-Pn)
Sometimes firewalls block ping requests, so a host that is actually up appears down and is skipped. To skip host discovery and port-scan every target as if it were online, use the -Pn flag:
nmap -Pn localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:45 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Timing and Performance Controls
Nmap provides several timing templates that adjust various scanning parameters:
- -T0: Paranoid - Very slow, used for IDS evasion
- -T1: Sneaky - Slow, used for IDS evasion
- -T2: Polite - Slows down to consume less bandwidth
- -T3: Normal - Default, balances speed with reliability
- -T4: Aggressive - Faster, assumes a reasonably fast and reliable network
- -T5: Insane - Very fast, assumes an extremely fast network
Let's try an aggressive scan:
nmap -T4 localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Notice that the scan completed slightly faster than the default scan.
Output Formats
Nmap can save scan results in various formats for later analysis or reporting:
Normal Output (-oN)
Save the scan results in a normal format to a file:
nmap -oN scan_results.txt localhost
This command saves the scan output to scan_results.txt in the current directory.
XML Output (-oX)
Save the scan results in XML format, which is useful for parsing with other tools:
nmap -oX scan_results.xml localhost
All Formats (-oA)
Save the scan results in all formats (normal, XML, and grepable):
nmap -oA scan_results localhost
This creates three files: scan_results.nmap, scan_results.xml, and scan_results.gnmap.
Let's examine the contents of the normal output file:
cat scan_results.txt
Output:
## Nmap 7.80 scan initiated Thu Sep 14 16:55:23 2023 as: nmap -oN scan_results.txt localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
## Nmap done at Thu Sep 14 16:55:23 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds
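The XML format is the one to feed into other tools, because every field Nmap prints in the normal report is an attribute rather than a column you have to split. The parser below is an added example (not code from the lab or from Nmap): SAMPLE_XML is a constructed, trimmed document in the shape Nmap 7.x writes with -oX, carrying the same host, ports and -sV versions the lab's localhost scans show, and the parser defaults the attributes Nmap omits (product, version, extrainfo) instead of raising, since a plain nmap run without -sV writes a bare service element.

```python
"""Parse Nmap XML output (-oX) with the standard library.

Added example, not part of the lab or of Nmap. SAMPLE_XML is constructed
to match the lab's 'nmap -sV localhost' results.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan_results.xml localhost" start="1694710523" version="7.80">
  <host starttime="1694710523" endtime="1694710529">
    <status state="up" reason="localhost-response"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="localhost" type="user"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5" extrainfo="Ubuntu Linux; protocol 2.0" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Ubuntu)" conf="10"/>
        <script id="http-title" output="Apache2 Ubuntu Default Page: It works"/></port>
      <port protocol="tcp" portid="631"><state state="open" reason="syn-ack"/>
        <service name="ipp" product="CUPS" version="2.3" conf="10"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.30-0ubuntu0.20.04.2" conf="10"/></port>
    </ports>
  </host>
  <runstats><finished time="1694710529" elapsed="6.41"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, hostname, up/down state, hidden-port
    counts and the list of scanned ports with service/version/script data."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                      # IPv6-only or MAC-only entries
            addr_el = host.find("address")
        name_el = host.find("hostnames/hostname")
        status_el = host.find("status")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else "",
            "hostname": name_el.get("name") if name_el is not None else "",
            "state": status_el.get("state") if status_el is not None else "unknown",
            "not_shown": {},
            "ports": [],
        }
        # <extraports> is the XML form of the "Not shown: 996 closed ports" line
        for extra in host.findall("ports/extraports"):
            entry["not_shown"][extra.get("state")] = int(extra.get("count", "0"))
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # NSE results attach to the port as <script id=... output=...>
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """Flatten to (addr, port, service, 'product version') for open ports only."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["product"], p["version"]) if x)
                rows.append((h["addr"], p["port"], p["service"], banner))
    return rows


if __name__ == "__main__":
    for addr, port, service, banner in open_services(parse_nmap_xml(SAMPLE_XML)):
        print(f"{addr}:{port:<5} {service:<6} {banner}")
```

To use it on a real file from this lab, read the document with ET.parse("scan_results.xml").getroot() in place of ET.fromstring. Your own scan output is trusted input; if you ever ingest XML produced elsewhere, parse it with the defusedxml package instead of xml.etree, which does not guard against entity-expansion tricks.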
Practical Scanning Strategy
Let's combine what we've learned to create a practical scanning strategy for a comprehensive scan:
sudo nmap -sS -sV -O -T4 -oA comprehensive_scan localhost
This command:
- Uses SYN stealth scan (-sS)
- Detects service versions (-sV)
- Attempts OS detection (-O)
- Uses aggressive timing (-T4)
- Saves results in all formats (-oA)
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Now you can view the comprehensive scan results in any of the output files:
ls comprehensive_scan.*
Output:
comprehensive_scan.gnmap comprehensive_scan.nmap comprehensive_scan.xml
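The reason to keep all three files is that a scan is most useful as a baseline: run the same command again later and compare, so a listener that appears or disappears on a host you administer is noticed rather than rediscovered by someone else. The grepable file is the easiest to diff line by line. The script below is an added example (not code from the lab or from Nmap, which ships its own ndiff tool for the same job): both .gnmap samples are constructed in the format Nmap 7.x writes, the baseline mirroring the lab's comprehensive_scan of localhost and the later scan (with a made-up proxy listener on 8080) showing one service gone and one new.

```python
"""Diff two Nmap grepable outputs (.gnmap from -oA/-oG) to spot service changes.

Added example, not part of the lab or of Nmap. Both samples are constructed;
the 8080/http-proxy entry in CURRENT_GNMAP is invented for the demonstration.
"""

BASELINE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Sep 14 17:00:12 2023 as: nmap -sS -sV -O -T4 -oA comprehensive_scan localhost
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 631/open/tcp//ipp//CUPS 2.3/, 3306/open/tcp//mysql//MySQL 8.0.30-0ubuntu0.20.04.2/\tIgnored State: closed (996)\tOS: Linux 4.15 - 5.6
# Nmap done at Thu Sep 14 17:00:19 2023 -- 1 IP address (1 host up) scanned in 7.42 seconds
"""

CURRENT_GNMAP = """\
# Nmap 7.80 scan initiated Fri Sep 15 09:00:02 2023 as: nmap -sS -sV -O -T4 -oA comprehensive_scan localhost
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 631/open/tcp//ipp//CUPS 2.3/, 8080/open/tcp//http-proxy//Example proxy 1.0/\tIgnored State: closed (996)\tOS: Linux 4.15 - 5.6
# Nmap done at Fri Sep 15 09:00:10 2023 -- 1 IP address (1 host up) scanned in 7.88 seconds
"""


def parse_gnmap(text):
    """Return {addr: {"port/proto": {"state", "service", "version"}}}.

    Each 'Host:' line is tab-separated 'Key: value' columns. Only lines with a
    'Ports' column carry port data; 'Status' lines and '#' banners are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        columns = line.split("\t")
        addr = columns[0].split()[1]             # "Host: 127.0.0.1 (localhost)"
        fields = {}
        for col in columns[1:]:
            key, _, value = col.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue
        ports = hosts.setdefault(addr, {})
        for spec in fields["Ports"].split(", "):
            # port/state/proto/owner/service/rpc-info/version/  (Nmap writes any
            # '/' inside the version text as '|', so splitting on '/' is safe)
            parts = spec.split("/")
            ports[f"{parts[0]}/{parts[2]}"] = {
                "state": parts[1],
                "service": parts[4],
                "version": "/".join(parts[6:]).rstrip("/"),
            }
    return hosts


def diff_scans(baseline, current):
    """Per host: open ports that appeared, vanished, or changed version banner."""
    report = {}
    for addr in sorted(set(baseline) | set(current)):
        old = {k: v for k, v in baseline.get(addr, {}).items() if v["state"] == "open"}
        new = {k: v for k, v in current.get(addr, {}).items() if v["state"] == "open"}
        report[addr] = {
            "new_open": sorted(new.keys() - old.keys()),
            "no_longer_open": sorted(old.keys() - new.keys()),
            "version_changed": sorted(
                k for k in old.keys() & new.keys() if old[k]["version"] != new[k]["version"]
            ),
        }
    return report


if __name__ == "__main__":
    changes = diff_scans(parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP))
    for addr, c in changes.items():
        print(addr, "new:", c["new_open"], "gone:", c["no_longer_open"],
              "version changed:", c["version_changed"])
```

With real files, pass the contents of comprehensive_scan.gnmap from two dates to parse_gnmap; a non-empty new_open list for a host you did not change is the signal worth investigating, and version_changed is how you confirm a patch actually reached the service.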
Ethical Considerations
Remember that network scanning should only be performed on networks you own or have explicit permission to scan. Unauthorized scanning can be:
- Illegal in many jurisdictions
- Considered a hostile act by network administrators
- Potentially disruptive to network services
In this lab environment, we've only scanned localhost, which is always permissible as it's your own system.
You have now learned about different network scanning strategies, timing controls, and output formats. You have all the foundational knowledge needed to perform effective network reconnaissance using Nmap.
Script Scanning and Targeted Service Analysis
In this step, we will explore Nmap's powerful scripting engine (NSE) and learn how to perform targeted service analysis. NSE scripts extend Nmap's functionality by enabling more detailed scans for specific services and vulnerabilities.
Introduction to Nmap Scripting Engine (NSE)
The Nmap Scripting Engine allows users to write and share scripts to automate a variety of networking tasks. Nmap comes with hundreds of pre-written scripts categorized into various groups:
- auth: Authentication related scripts
- default: Scripts run by default with -sC
- discovery: Host and service discovery
- exploit: Attempt to exploit vulnerabilities
- malware: Detect malware and backdoors
- safe: Safe, non-intrusive scripts
- vuln: Vulnerability detection scripts
Running Default Scripts (-sC)
The -sC flag runs the default set of scripts, which are generally safe and provide useful information:
nmap -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
Notice how the scripts have provided additional information about each service, like SSH host keys and HTTP page titles.
Running Specific Scripts
You can run specific scripts using the --script flag followed by the script name or category:
nmap --script=http-title localhost
This runs only the http-title script, which retrieves the title of HTTP pages:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Running Scripts by Category
You can run all scripts in a specific category:
nmap --script=discovery localhost
This runs all discovery scripts, which can provide a wealth of information about network services (output truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
| cups-info:
| CUPS Server:
| Server: CUPS/2.3 IPP/2.1
|_ Authentication-Method: Basic
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 15
| Capabilities flags: 65535
| Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, ODBCClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, SupportsMultipleStatments, LongPassword, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x7FeL)\x0C\x5C#S\x06N%\x1E\x7EYaC
|_ Auth Plugin Name: caching_sha2_password
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds
Combining Script Scanning with Service Detection
For the most comprehensive results, combine script scanning with service detection:
nmap -sV -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds
Targeted Service Analysis
Let's focus on analyzing specific services in more detail.
Analyzing HTTP Services
To analyze HTTP services in detail, we can use the http-* scripts:
nmap --script="http-*" -p 80 localhost
This runs all HTTP-related scripts against port 80:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
80/tcp open http
|_http-chrono: Request times for /; avg: 32.68ms; min: 32.68ms; max: 32.68ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Thu, 14 Sep 2023 17:30:24 GMT; +6s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-generator: Couldn't find any generator in the HTML headers and body
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-security-headers:
| http-server-header:
| Apache/2.4.41
|_ Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
|_http-useragent-tester:
|_http-xssed: No previously reported XSS vuln.
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
Analyzing SSH Services
Similarly, we can analyze SSH services:
nmap --script="ssh-*" -p 22 localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
|_ssh-run: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Vulnerability Scanning
Nmap includes scripts that can detect potential vulnerabilities. Using the vuln category can help identify security issues:
nmap --script=vuln localhost
This can take some time as it runs various vulnerability checks. Output might look like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 87.28 seconds
In this case, Nmap has identified that the Apache web server might be vulnerable to a Slowloris DoS attack. This information can be valuable for securing your systems.
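Vuln scripts that use Nmap's vulns library all print the same fields (a title line under VULNERABLE:, then State:, IDs:, Disclosure date: and References:), so the findings can be lifted out of the normal output mechanically and handed to whoever owns the host. The parser below is an added example (not code from the lab or from Nmap): SAMPLE_OUTPUT is constructed from the lab's nmap --script=vuln localhost run, with the indentation NSE actually prints restored (the copy above lost it), because the parser tells a script's opening line "| id:" from its indented continuation lines by exactly that spacing. Scripts that report nothing, or whose State: reads NOT VULNERABLE, are dropped.

```python
"""Extract structured findings from NSE output embedded in Nmap's normal report.

Added example, not part of the lab or of Nmap. SAMPLE_OUTPUT is constructed
from the lab's vuln scan of localhost with NSE's real indentation.
"""
import re

SAMPLE_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible. It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 87.28 seconds
"""

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp|sctp))\s+\S+\s+\S+")
# A script block opens with "| <id>:" or "|_<id>:"; continuation lines are
# indented further ("|   ..." / "|_  ..."), so exactly one '_' or space
# after the bar followed by the id is what distinguishes them.
SCRIPT_START = re.compile(r"^\|(?:_| )([\w-]+):\s?(.*)$")


def parse_script_blocks(text):
    """Return [{"port", "id", "lines"}] for every NSE block, in output order."""
    blocks, port, current = [], None, None
    for raw in text.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            port = m.group(1)                    # following '|' lines belong to this port
            current = None
            continue
        if not raw.startswith("|"):
            current = None                       # back to ordinary report lines
            continue
        m = SCRIPT_START.match(raw)
        if m:
            current = {"port": port, "id": m.group(1), "lines": []}
            if m.group(2):
                current["lines"].append(m.group(2))
            blocks.append(current)
        elif current is not None:
            current["lines"].append(raw.lstrip("|_").strip())
    return blocks


def _field(body, label):
    """Value of the first 'Label: value' line in a block, or ''."""
    for line in body:
        if line.startswith(label + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def extract_findings(text):
    """Keep only blocks whose State: is some flavour of vulnerable."""
    findings = []
    for block in parse_script_blocks(text):
        body = block["lines"]
        state = _field(body, "State")
        if not state or state.upper().startswith("NOT"):
            continue                             # informational output or NOT VULNERABLE
        title = ""
        if "VULNERABLE:" in body:
            idx = body.index("VULNERABLE:")
            title = body[idx + 1] if idx + 1 < len(body) else ""
        findings.append({
            "port": block["port"],
            "script": block["id"],
            "title": title,
            "state": state,
            "cves": re.findall(r"CVE:(CVE-\d{4}-\d{4,})", "\n".join(body)),
            "disclosure": _field(body, "Disclosure date"),
            "references": [l for l in body if l.startswith(("http://", "https://"))],
        })
    return findings


if __name__ == "__main__":
    for f in extract_findings(SAMPLE_OUTPUT):
        print(f"{f['port']} {f['script']}: {f['title']} [{f['state']}] {', '.join(f['cves'])}")
```

A LIKELY VULNERABLE state from a check like http-slowloris-check is a version or behaviour inference, not a confirmed exploit, so the CVE and references are the hand-off to the service owner for verification and mitigation (for Slowloris, connection timeouts and request-rate limits on the web server).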
Creating a Comprehensive Scan Report
Now, let's combine everything we've learned to create a comprehensive security report:
sudo nmap -sS -sV -O -sC --script=vuln -T4 -oA comprehensive_security_report localhost
This command:
- Uses SYN stealth scan (-sS)
- Detects service versions (-sV)
- Attempts OS detection (-O)
- Runs default scripts (-sC)
- Runs vulnerability detection scripts (--script=vuln)
- Uses aggressive timing (-T4)
- Saves results in all formats (-oA)
The output will be comprehensive and might take some time to complete. Once finished, you'll have a detailed security report in various formats (normal, XML, and grepable) that you can reference for security analysis.
In this step, you've learned how to use Nmap's scripting engine to gather detailed information about services and detect potential vulnerabilities. These advanced techniques are essential for comprehensive network security assessments.
Summary
In this lab, you have learned the fundamentals of using Nmap for network reconnaissance and security assessment. You now understand:
- How to install Nmap and perform basic scanning of hosts and ports
- How to use essential Nmap scanning flags for different types of scans
- How to implement effective scanning strategies and control timing parameters
- How to leverage the Nmap Scripting Engine for detailed service analysis and vulnerability detection
These skills form a foundation for network security assessments and are essential for cybersecurity professionals. Remember to always use these techniques responsibly and only on networks you have permission to scan.
As you continue your cybersecurity journey, consider exploring more advanced Nmap features such as custom NSE script development, firewall evasion techniques, and integration with other security tools. Regular practice with Nmap will help you become more proficient in identifying potential security issues in network environments.