Scan Vulnerabilities in Nmap

NmapBeginner
Practice Now

Introduction

In this lab, you will learn the fundamentals of network scanning using Nmap (Network Mapper), a powerful open-source tool for network discovery and security auditing. You will start with basic port scans, advance to service and version detection, and then explore the Nmap Scripting Engine (NSE) to perform vulnerability checks. Finally, you will learn how to analyze and save your scan results in various formats for reporting. This lab provides a step-by-step, hands-on introduction to Nmap's core features for effective network security assessment.

Perform a Basic Network Scan

In this step, you will get acquainted with Nmap by performing a basic scan. A basic scan is used to discover which ports are open on a target machine. An open port indicates that a service (like a web server or SSH) is running and listening for connections.

The lab environment has been pre-configured with several services running on localhost (your own virtual machine) for you to practice on. The nmap tool is already installed.

First, verify that Nmap is installed and check its version. Open the terminal and run the following command:

nmap --version

You should see output confirming the Nmap version, similar to this:

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.1
Compiled without:
Available nsock engines: epoll poll select

Now, perform your first scan against localhost. This command tells Nmap to check for the most common open ports on your local machine.

nmap localhost

Examine the output. Nmap will list the ports it found to be open, along with the state and the common service associated with that port. The output will look something like this, showing the services prepared for this lab:

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000092s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

This initial scan gives you a map of the running services, which is the first step in any network security assessment.

Detect Service Versions

In this step, you will use Nmap to perform service and version detection. Knowing which ports are open is useful, but knowing the exact software and version running on those ports is much more powerful for a security analyst. Outdated software is a primary source of vulnerabilities.

We will use the -sV flag, which instructs Nmap to probe open ports to determine detailed service and version information.

Run a version detection scan against localhost. To make the scan more efficient, target the specific ports used in this example rather than scanning all ports.

nmap -sV -p 22,8080 localhost

Pro Tip: Targeting specific ports dramatically reduces scan time. A full port range scan with -sV can take several minutes, while this targeted approach typically completes in seconds.

Compare the output with the basic scan from Step 1. You will now see an additional column, VERSION, which provides details about the software running on each port.

The output will be more detailed, similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds

This information is critical. For example, if the scan revealed an old version of nginx with a known critical vulnerability, you would know exactly where to focus your remediation efforts.

Use the Nmap Scripting Engine (NSE)

In this step, you will use the Nmap Scripting Engine (NSE), one of Nmap's most powerful features. It allows you to automate a wide variety of networking tasks using a library of scripts. These scripts can be used for more advanced discovery, vulnerability detection, and even exploitation.

You will use the -sC flag, which runs a set of default scripts that are considered safe and useful for discovery. Because the FTP service in this lab runs on the nonstandard port 2121, combine -sC with service detection (-sV) so Nmap can identify the service before choosing the matching scripts.

Run an Nmap scan with service detection and the default scripts enabled against localhost. Target ports 2121 and 8080 so the scan stays quick while still showing script output from the FTP and web services.

nmap -sV -sC -p 2121,8080 localhost

Review the output. You will see additional information indented under each port. This is the output from the NSE scripts. For example, the ftp-anon script can report that anonymous FTP login is allowed on port 2121, the http-title script might grab the title of the web page on port 8080, and SSL scripts might report on certificate details.

The output will be even more verbose:

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000099s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
2121/tcp open  ftp     vsftpd 3.0.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Logged in as ftp
|_End of status
8080/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Unix

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

As you can see, the default scripts discovered that anonymous FTP login is allowed on port 2121 and retrieved the title of the web page on port 8080. This is valuable intelligence gathered automatically.

Run a Vulnerability Scan

In this step, you will use NSE scripts to hunt for vulnerabilities. The NSE includes a category of scripts specifically designed to check for known security flaws. You can run all scripts in the vuln category to perform a broad vulnerability scan.

It is best practice to always save the output of long or important scans to a file. We will use the -oN flag to save the output in Nmap's normal format.

First, combine what you've learned. Run a scan that includes service detection (-sV) and executes all vulnerability scripts (--script vuln). Save the output to a file named vuln_scan.txt.

nmap -sV --script vuln -oN vuln_scan.txt localhost

This scan may take a few minutes as it is running many scripts against each open port.

Once the scan is complete, a file named vuln_scan.txt will be created in your current directory (/home/labex/project). You can view its contents using the cat command:

cat vuln_scan.txt

The output file is long, so it's more efficient to search for keywords. Use grep to look for lines that indicate a vulnerability. The term "VULNERABLE" is a strong indicator.

grep "VULNERABLE" vuln_scan.txt

You should see output showing any vulnerabilities found. In this lab environment, you'll likely see a vulnerability related to Apache's byterange filter:

|   VULNERABLE:
|     State: VULNERABLE

To see the full vulnerability details, you can search for the specific CVE or look at the complete scan output. For example, you might find an Apache DoS vulnerability (CVE-2011-3192) on port 8080. Note that you may also see some script errors (like clamav-exec: ERROR) which are normal and can be ignored - these occur when certain vulnerability scripts cannot execute properly in the lab environment.

This step demonstrates how to actively probe for weaknesses, moving from simple discovery to a targeted security audit.

Save and Format Scan Findings

In this step, you will learn how to save your results in multiple formats and create a user-friendly HTML report. Properly documenting and reporting your findings is a critical skill for any security professional. Nmap supports several output formats suitable for different purposes.

First, create a dedicated directory to keep your reports organized.

mkdir -p ~/project/reports

Now, run the scan again, but this time save the output in two formats simultaneously: normal text (-oN) and XML (-oX). XML is a structured format that is ideal for processing with other tools.

nmap -sV -p 8080 --script vuln -oN ~/project/reports/scan_report.txt -oX ~/project/reports/scan_report.xml localhost

The XML format is not very human-readable. Nmap provides a utility called xsltproc to convert the XML file into a clean HTML report. Run the following command to generate scan_report.html.

xsltproc ~/project/reports/scan_report.xml -o ~/project/reports/scan_report.html

Verify that all your report files have been created in the ~/project/reports directory. Use the ls -l command to list the files and their details.

ls -l ~/project/reports

You should see your three report files:

total 40
-rw-rw-r-- 1 labex labex 14276 Aug 28 15:12 scan_report.html
-rw-rw-r-- 1 labex labex  5686 Aug 28 15:11 scan_report.txt
-rw-rw-r-- 1 labex labex 14924 Aug 28 15:11 scan_report.xml

You now have a plain text file for quick review, an XML file for machine processing, and an HTML file for easy sharing and presentation.

Summary

In this lab, you have gained practical experience with Nmap, a fundamental tool in cybersecurity. You started by performing basic port scans to identify open services on a network host. You then progressed to more advanced techniques, including service version detection (-sV) to identify specific software and its version. You also explored the power of the Nmap Scripting Engine (NSE) by running default scripts (-sC) and a full vulnerability scan (--script vuln). Finally, you learned the professional practice of saving scan results in multiple formats (-oN, -oX) and converting them into a readable HTML report for analysis and documentation. These skills form a solid foundation for using Nmap in real-world network security assessments.