In this lab, you will learn how to use Nmap for network vulnerability scanning. You'll install Nmap, utilize the Nmap Scripting Engine (NSE) for advanced scans, and analyze the results to identify security weaknesses.
Through practical exercises, you'll perform basic and script-enhanced scans while learning to interpret and save your findings. This lab provides hands-on experience with Nmap's core features for effective network security assessment.
In this step, you will install Nmap (Network Mapper), a powerful open-source tool for network discovery and security auditing. Nmap is widely used for scanning networks to identify hosts, services, and vulnerabilities. Think of it like a digital mapmaker that helps security professionals understand what devices are connected to a network and what services they're running.
The LabEx VM environment already has the necessary dependencies installed, so we can focus on installing Nmap itself. Follow these steps carefully:
First, we need to update the package list to ensure we get the latest version of Nmap. This is like checking for the most recent map updates before starting a journey:
sudo apt updateNow install Nmap using this command. The -y flag automatically confirms the installation, saving us time:
sudo apt install -y nmapAfter installation, let's verify that Nmap is correctly installed by checking its version. This confirms we have the tool ready to use:
nmap --versionYou should see output similar to:
Nmap version 7.92 ( https://nmap.org )For a more practical verification, we'll run a simple scan against localhost (your own machine). This helps you understand how Nmap works before scanning other systems:
nmap localhostThis command will display basic information about open ports on your system, showing you what services are running locally. It's like checking which doors and windows are open in your own house before inspecting others.
In this step, we'll explore the powerful Nmap Scripting Engine (NSE), which acts like a toolbox that extends Nmap's basic scanning capabilities. Think of NSE as adding specialized tools to your network scanner - it contains hundreds of pre-written scripts that can detect vulnerabilities, gather detailed service information, and perform advanced network discovery tasks.
Before we begin, it's important to understand that these scripts are already installed with Nmap on your system. Let's start by exploring what scripts are available:
First, we'll list all installed NSE scripts. This command shows you the complete collection of scripts in your Nmap installation:
ls /usr/share/nmap/scripts/Each script has documentation explaining what it does. Let's examine the http-title script as an example - this script retrieves the title of web pages. The following command shows its purpose and usage:
nmap --script-help http-titleNow let's perform our first actual scan using NSE. This command scans your local machine (localhost) with two important options:
-sC: Runs the default set of NSE scripts (safe and useful for most scans)-sV: Attempts to determine service versions (crucial for identifying outdated software)nmap -sC -sV localhostTo target a specific script, we'll scan scanme.nmap.org (a test site provided by Nmap) using just the http-title script. This demonstrates how to focus on particular information:
nmap --script http-title scanme.nmap.orgFinally, you can combine multiple scripts for more comprehensive scanning. This example runs both the http-title and http-headers scripts against scanme.nmap.org:
nmap --script "http-title and http-headers" scanme.nmap.orgRemember that different scripts serve different purposes - some gather information while others test for vulnerabilities. Always check a script's documentation before using it on production systems.
In this step, you'll learn how to use Nmap's scripting engine to detect security vulnerabilities. Vulnerability scanning helps identify weaknesses in systems before attackers can exploit them. We'll use scanme.nmap.org as our target - this is a safe, intentionally vulnerable server maintained by Nmap developers for testing purposes.
First, let's explore available vulnerability scripts. Nmap comes with hundreds of pre-installed scripts in the /usr/share/nmap/scripts/ directory. The grep command helps filter only vulnerability-related scripts:
ls /usr/share/nmap/scripts/ | grep vulnNow we'll run a basic vulnerability scan. The -sV flag enables service version detection, while --script vuln loads all vulnerability detection scripts. This gives us a broad overview of potential issues:
nmap -sV --script vuln scanme.nmap.orgFor more targeted scanning, we can focus on specific vulnerability categories. This example checks only for HTTP-related vulnerabilities (common in web servers). The asterisk (*) acts as a wildcard to include all http-vuln scripts:
nmap -sV --script http-vuln-* scanme.nmap.orgA comprehensive scan checks all vulnerabilities while avoiding intrusive tests (marked as "safe"). This takes longer but provides thorough results without risking system stability:
nmap -sV --script "vuln and safe" scanme.nmap.orgIt's good practice to save scan results for documentation and further analysis. The -oN flag saves output in normal format to a text file. We'll use these results in later steps:
nmap -sV --script vuln -oN vuln_scan_results.txt scanme.nmap.orgThe scan results will display important security information including:
In this step, we'll carefully examine the vulnerability scan results generated by Nmap in the previous step. As a beginner, it's important to understand that scanning is just the first part - properly interpreting the results is where real security analysis begins. The vuln_scan_results.txt file contains all the raw data we need to identify potential security weaknesses.
First, let's view the complete scan results. This gives us the full picture of what Nmap discovered:
cat vuln_scan_results.txtSince manually reading the entire file can be overwhelming, we'll search for specific vulnerability indicators. The word "VULNERABLE" in Nmap output typically marks confirmed security issues:
grep -i "vulnerable" vuln_scan_results.txtNext, we'll look for standardized vulnerability references. CVEs (Common Vulnerabilities and Exposures) are unique identifiers for known security flaws:
grep -i "CVE-" vuln_scan_results.txtPort status is crucial in vulnerability assessment. Open ports often represent potential entry points for attackers:
grep -E "open|filtered|closed" vuln_scan_results.txtTo get a quick overview of our findings, we'll count how many vulnerabilities Nmap detected. This helps prioritize our analysis:
echo "Total vulnerabilities found: $(grep -c -i "vulnerable" vuln_scan_results.txt)"When you find an interesting CVE, researching it is essential. This example shows how to fetch details about a specific vulnerability (replace the CVE ID as needed):
curl -s https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 | grep -A10 "Description"When analyzing Nmap output, pay special attention to these critical elements:
In this final step, you'll learn how to properly document and save your vulnerability scan results. Saving reports is crucial for security analysis, documentation, and sharing findings with team members. Nmap provides multiple output formats to suit different needs.
First, let's create a dedicated directory to keep all your scan reports organized. This helps maintain a clean workspace and makes it easier to find your results later:
mkdir -p ~/project/reportsNow we'll run the vulnerability scan again while saving the results in two standard formats. The -oN flag saves normal text output, while -oX creates an XML file that can be processed by other tools:
nmap -sV --script vuln -oN ~/project/reports/scan_results.txt scanme.nmap.org
nmap -sV --script vuln -oX ~/project/reports/scan_results.xml scanme.nmap.orgXML files aren't easy to read directly, so we'll convert it to a more visual HTML report using xsltproc. This creates a nicely formatted webpage of your scan results:
xsltproc ~/project/reports/scan_results.xml -o ~/project/reports/scan_results.htmlFor quick reference, we'll extract just the critical vulnerability findings using grep. This creates a condensed summary showing only lines containing vulnerability indicators:
grep -iE "vulnerable|CVE-" ~/project/reports/scan_results.txt > ~/project/reports/summary.txtLet's verify all our report files were created successfully. The -lh flags show file sizes in human-readable format:
ls -lh ~/project/reports/(Optional) If you need to share these reports with others, you can compress them into a single archive file:
tar -czvf ~/project/reports.tar.gz ~/project/reports/Key output formats explained:
.txt: Simple text format that's easy to read in any text editor.xml: Structured data format that can be processed by other security tools.html: Visual report that's ideal for presentations and documentationIn this lab, you have learned how to conduct vulnerability scanning with Nmap, from installation on Linux systems to performing basic scans and verifying functionality. The exercises introduced key features like the Nmap Scripting Engine (NSE), demonstrating how to run default and custom scripts for comprehensive network analysis.
You practiced essential scanning techniques including service version detection (-sV) and script execution (-sC), while learning to interpret and save scan results. These skills provide a solid foundation for network security assessments using Nmap's powerful scanning capabilities.