Introduction
In this lab, you will learn the fundamentals of network scanning using Nmap (Network Mapper), a powerful open-source tool for network discovery and security auditing. You will start with basic port scans, advance to service and version detection, and then explore the Nmap Scripting Engine (NSE) to perform vulnerability checks. Finally, you will learn how to analyze and save your scan results in various formats for reporting. This lab provides a step-by-step, hands-on introduction to Nmap's core features for effective network security assessment.
Perform a Basic Network Scan
In this first step, you will get acquainted with Nmap by performing a basic scan. A basic scan is used to discover which ports are open on a target machine. An open port indicates that a service (like a web server or SSH) is running and listening for connections.
The lab environment has been pre-configured with several services running on localhost (your own virtual machine) for you to practice on. The nmap tool is already installed.
First, let's verify that Nmap is installed and check its version. Open the terminal and run the following command:
nmap --versionYou should see output confirming the Nmap version, similar to this:
Nmap version 7.80 ( https://nmap.org ) Platform: x86_64-pc-linux-gnu Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.1 Compiled without: Available nsock engines: epoll poll selectNow, perform your first scan against
localhost. This command tells Nmap to check for the most common open ports on your local machine.nmap localhostExamine the output. Nmap will list the ports it found to be open, along with the state and the common service associated with that port. The output will look something like this, showing the services prepared for this lab:
Starting Nmap 7.80 ( https://nmap.org ) at ... Nmap scan report for localhost (127.0.0.1) Host is up (0.000092s latency). Not shown: 995 closed ports PORT STATE SERVICE 22/tcp open ssh 2121/tcp open ccproxy-ftp 2222/tcp open EtherNetIP-1 3001/tcp open nessus 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
This initial scan gives you a map of the running services, which is the first step in any network security assessment.
Detect Service Versions
Knowing which ports are open is useful, but knowing the exact software and version running on those ports is much more powerful for a security analyst. Outdated software is a primary source of vulnerabilities. In this step, you will use Nmap to perform service and version detection.
We will use the -sV flag, which instructs Nmap to probe open ports to determine detailed service and version information.
Run a version detection scan against
localhost. To make the scan more efficient, we'll target the specific ports we discovered in Step 1 (22, 2121, 2222, 3001, 8080) rather than scanning all ports.nmap -sV -p 22,8080 localhostPro Tip: Targeting specific ports dramatically reduces scan time. A full port range scan with
-sVcan take several minutes, while this targeted approach typically completes in seconds.Compare the output with the basic scan from Step 1. You will now see an additional column,
VERSION, which provides details about the software running on each port.The output will be more detailed, similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at ... Nmap scan report for localhost (127.0.0.1) Host is up (0.00011s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) 8080/tcp open http nginx 1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
This information is critical. For example, if the scan revealed an old version of nginx with a known critical vulnerability, you would know exactly where to focus your remediation efforts.
Use the Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. It allows you to automate a wide variety of networking tasks using a library of scripts. These scripts can be used for more advanced discovery, vulnerability detection, and even exploitation.
In this step, you will use the -sC flag, which runs a set of default scripts that are considered safe and useful for discovery.
Run an Nmap scan with the default scripts enabled against
localhost. The-sCflag is a convenient way to get more information without specifying individual scripts.nmap -sC localhostReview the output. You will see additional information indented under each port. This is the output from the NSE scripts. For example, the
http-titlescript might grab the title of the web page on port8080, and SSL scripts might report on certificate details.The output will be even more verbose:
Starting Nmap 7.80 ( https://nmap.org ) at ... Nmap scan report for localhost (127.0.0.1) Host is up (0.000099s latency). Other addresses for localhost (not scanned): ::1 Not shown: 995 closed ports PORT STATE SERVICE 22/tcp open ssh 2121/tcp open ccproxy-ftp 2222/tcp open EtherNetIP-1 3001/tcp open nessus | ssl-cert: Subject: commonName=localhost | Subject Alternative Name: DNS:localhost | Not valid before: 2024-07-18T03:37:05 |_Not valid after: 2034-07-16T03:37:05 8080/tcp open http-proxy |_http-open-proxy: Proxy might be redirecting requests |_http-title: Site doesn't have a title (text/html). Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
As you can see, the default scripts discovered that anonymous FTP login is allowed on port 2121 and retrieved the title of the web page on port 8080. This is valuable intelligence gathered automatically.
Run a Vulnerability Scan
Now it's time to hunt for vulnerabilities. The NSE includes a category of scripts specifically designed to check for known security flaws. You can run all scripts in the vuln category to perform a broad vulnerability scan.
It is best practice to always save the output of long or important scans to a file. We will use the -oN flag to save the output in Nmap's normal format.
First, let's combine what you've learned. Run a scan that includes service detection (
-sV) and executes all vulnerability scripts (--script vuln). Save the output to a file namedvuln_scan.txt.nmap -sV --script vuln -oN vuln_scan.txt localhostThis scan may take a few minutes as it is running many scripts against each open port.
Once the scan is complete, a file named
vuln_scan.txtwill be created in your current directory (/home/labex/project). You can view its contents using thecatcommand:cat vuln_scan.txtThe output file is long, so it's more efficient to search for keywords. Use
grepto look for lines that indicate a vulnerability. The term "VULNERABLE" is a strong indicator.grep "VULNERABLE" vuln_scan.txtYou should see output showing any vulnerabilities found. In this lab environment, you'll likely see a vulnerability related to Apache's byterange filter:
| VULNERABLE: | State: VULNERABLETo see the full vulnerability details, you can search for the specific CVE or look at the complete scan output. For example, you might find an Apache DoS vulnerability (CVE-2011-3192) on port 8080. Note that you may also see some script errors (like
clamav-exec: ERROR) which are normal and can be ignored - these occur when certain vulnerability scripts cannot execute properly in the lab environment.
This step demonstrates how to actively probe for weaknesses, moving from simple discovery to a targeted security audit.
Save and Format Scan Findings
Properly documenting and reporting your findings is a critical skill for any security professional. Nmap supports several output formats suitable for different purposes. In this final step, you will learn how to save your results in multiple formats and create a user-friendly HTML report.
First, create a dedicated directory to keep your reports organized.
mkdir -p ~/project/reportsNow, run the scan again, but this time save the output in two formats simultaneously: normal text (
-oN) and XML (-oX). XML is a structured format that is ideal for processing with other tools.nmap -sV -p 8080 --script vuln -oN ~/project/reports/scan_report.txt -oX ~/project/reports/scan_report.xml localhostThe XML format is not very human-readable. Nmap provides a utility called
xsltprocto convert the XML file into a clean HTML report. Run the following command to generatescan_report.html.xsltproc ~/project/reports/scan_report.xml -o ~/project/reports/scan_report.htmlLet's verify that all your report files have been created in the
~/project/reportsdirectory. Use thels -lcommand to list the files and their details.ls -l ~/project/reportsYou should see your three report files:
total 40 -rw-rw-r-- 1 labex labex 14276 Aug 28 15:12 scan_report.html -rw-rw-r-- 1 labex labex 5686 Aug 28 15:11 scan_report.txt -rw-rw-r-- 1 labex labex 14924 Aug 28 15:11 scan_report.xml
You now have a plain text file for quick review, an XML file for machine processing, and an HTML file for easy sharing and presentation.
Summary
In this lab, you have gained practical experience with Nmap, a fundamental tool in cybersecurity. You started by performing basic port scans to identify open services on a network host. You then progressed to more advanced techniques, including service version detection (-sV) to identify specific software and its version. You also explored the power of the Nmap Scripting Engine (NSE) by running default scripts (-sC) and a full vulnerability scan (--script vuln). Finally, you learned the professional practice of saving scan results in multiple formats (-oN, -oX) and converting them into a readable HTML report for analysis and documentation. These skills form a solid foundation for using Nmap in real-world network security assessments.
