With a lifetime of IT experience, I have never come across a tool both as prevalent and useful as Nmap. I have been a network engineer, ethical hacker, consultant, and trainer. I’ve also been on enterprise blue, red, and purple teams. In all of those roles, and even outside of my professional life, I’ve found uses for Nmap. This Swiss Army Knife for remote information gathering can be used for identifying vulnerabilities, inventorying, pivoting, exploiting, and even basic troubleshooting.

You likely already know the basics; it’s a tool that can scan remote endpoints and provide details on if a host is live and what open ports and services exist on the host. However, that’s just scratching the surface. In this blog, I’ll explore some unique and more advanced ways to use Nmap that will make you fall even more in love with the tool.

Let’s Mix Things Up

First let’s talk about your scanning methodology. If you’re currently using Nmap without any options at all, you’re probably missing out on some features right out of the box that are extremely useful.

Timing and Performance:

  • -T<0-5> is a pretty well known option, but it’s often overlooked. Many IDS/IPS and other security tools can alert on or even prevent scans that are too aggressive. In this case a –T2 or even a –T1 can do wonders to bypass tools used to prevent scanning. The scans will take a much longer time, but that is the point. If you don’t need a fast scan, then I would run a –T1 scan overnight for the results. On the other side of things, if you control the devices being scanned and they aren’t near capacity, I almost always use –T4 to get my results back much sooner than even the regular scan (default is –T3).
  • You can even take this further with the min-rate <packets/second> and max-rate <packet/second> commands which allow you to granularly define scan speed to either optimize scanning time or avoid detection.
  • Another command that I like to use to speed up my scans is --max-retries <tries>. The default is three, but timeouts take a very long time to wait for. Therefore, if you know you are scanning a reliable network, you can very much speed up your scanning times using only 2 or even 1 retries.
  • Example:
nmap -T2 --min-rate 10 <target>

More Evasion Techniques:

Firewalls and IDS may still give you trouble even with a slow scan. This is where even more options come into play.

  • -f (for fragmentation) will break the packets used for scanning into fragments which may bypass some rudimentary filters. Also, using the more advanced --mtu <value> option allows you to define how fragmented the packets are.
  • -D <decoy1, decoy2, etc.> is one of my favorite options to use with Nmap. It will add additional scanning packets that appear to come from decoy hosts that you define. You can even use randomization with this option. On the defensive side, this can make it very frustrating to pin down where the scan is actually coming from. Furthermore, you can use the more advanced option of --spoof-mac to spoof a MAC on a local network.
  • --source-port can be used to define what port your scans are coming from. This can be useful if you are trying to punch through a firewall that is allowing specific ports in.
  • Example:
nmap -f -D 172.16.5.22, 172.16.8.97 <target>

Output Options:

You’d be surprised how many people I’ve seen copy and pasting from the console or redirecting Nmap output to a file when there’s actually some built in ways to manage your output:

  • -oG (grepable output) is a massively underutilized option in my experience. It places all relevant information on a single line and makes it a breeze to parse results with grep, awk, or sed. This is especially useful as you can pipe the Nmap command directly into the tool that you are using to parse.
  • -oN allows you to save the file to text which is great for reference or documentation.
  • -oX allows you to save the file to an XML format which can also be useful for reference or documentation, but is also a great tool to integrate Nmap into APIs, programs, or automation flows.
  • -oA will provide the grepable output, the text output and the XML output all at the same time for a single scan.
  • Example:
nmap -oG output.gnmap <target> | grep open

Service and OS Discovery

Many are surprised to hear that the service column on the standard Nmap results is just a guess based on the port number. However, Nmap also offers the ability to identify both services and operating systems of remote systems using options. It does this using a combination of banner grabbing and fingerprinting responses to its requests and applying some logic.

Operating System Detection:

  • -O is frequently overlooked but is used when you want Nmap to attempt to identify the operating system of the remote system.
  • More granular options exist with --osscan-guess & --osscan-limit. Sometimes, when using just -O, Nmap will not be able to determine the operating system. In this case, guess will provide different options for what it thinks the operating system might be, along with a probability. The limit option allows the operating system detection to be bypassed if the endpoint doesn’t have at least one both closed and open port.
  • Example:
nmap -O --osscan-guess <target>

Service Detection:

  • -sV will go beyond guessing the service based on simply the port number and will attempt to connect with the service and analyze the response. It can provide the type of service and, to a lesser extent, the version when available.
  • Similar to a lot of the other commands we’ve explored, there’s also more granular options. Most of these are centered around how intensive (and how time-consuming) a scan will be. The least intensive and quickest is accomplished with ---version-light and the most with --version-all. These are essentially on a sliding scale from 0-9 that can be defined with the --version-intensity <intensity> options.
  • Example:
nmap -sV --version-intensity 5 <target>

Using Built-in Scripts

Many people are surprised by the fact that not only can you use custom scripts for Nmap, but it also already comes with a library of scripts that are ready to be used around many different categories. This is where a lot of the magic happens.

Nmap has a built-in script engine, named the NSE. It runs off the Lua scripting language and all that’s required to add your own script is to place a Lua script in the scripts directory. This topic is probably worthy of several blog posts on its own, but I will pull out some of the more popular use cases here.

Vulnerability Scanning

  • There is a default vulnerability detection script simply called vulners.nse that will attempt to look for known vulnerabilities based on detected service versions.
  • Several protocols will have their own individual scripts and even scripts for individual vulnerability checks. Luckily, you can also use wildcards when defining which scripts to call (example for SMB below).
  • In the examples below you can also see the format for using scripts that come with Nmap.
  • Examples:
nmap --script vulners <target>
nmap --script smb-vuln-* <target>

Enumeration

Several protocols also have their own enumeration scripts which can be used to gather a lot of data with just Nmap.

  • HTTP has http-enum.nse, http-headers.nse, and http-title.nse which can all be used to gather information from a web server.
  • ssl-enum-ciphers.nse can check for weak SSL/TLS ciphers.
  • dns-brute.nse can be used to brute force subdomains.
  • firewalk.nse will attempt to determine firewall rules from the outside. I’ve used this one personally to look for ways of bypassing a network firewall when performing recon.
  • default-passwords.nse will do probably what you’ve already guess, and check for known default passwords.

Miscellaneous Scripting Info

Scripts are community driven and should not be used as a full replacement for vulnerability management or reconnaissance but as a tool in your toolbox for additional data. For example, the default password script is only as good as the preprogrammed passwords known to your version of Nmap.

A couple final notes on scripts:

  • Some scripts take arguments which can be added using the --script-args option, the following example will use the http-enum script and only enumerate admin directories.
  • Example:
nmap --script http-enum --script-args http-enum.dir=/admin <target>
  • Keeping your scripts up to date is also very simple. The command --script-updatedb is your friend prior to running any scans!

Final Thoughts

Nmap is more than just a tool; it’s a fundamental skill for any IT professional. Its flexibility, power, and active community make it an indispensable asset. I hope this blog has inspired you to delve deeper into its capabilities. Experiment, explore, and discover even more hidden gems as I’ve only gotten into some of the good stuff here. Spoiler alert: there may be more to come on Nmap.