Security Cheatsheet

🛠 Security Tool Cheatsheet

Alex Morgan — Senior Penetration Tester

Comprehensive Guide to Nmap for Security Analysts

What is Nmap?

Nmap (Network Mapper) is an open-source network scanning tool widely used for discovering hosts and services on a computer network. Security analysts and penetration testers utilize Nmap for various tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Installation

  1. Linux: Install via package manager. For example, on Ubuntu, use sudo apt install nmap.
  2. Windows: Download the installer from Nmap’s official website.
  3. macOS: Use Homebrew: brew install nmap.

Basic Syntax

The basic syntax for Nmap is:

nmap [Options] [Target]

Discovery

Use Nmap to identify live hosts and services.

Ping Scan

Quickly check which hosts are up:

nmap -sn 192.168.1.0/24

-sn: This option tells Nmap to skip port scanning and only perform host discovery.

Service Version Detection

Discover versions of services running on the host:

nmap -sV 192.168.1.1

-sV: Enables service version detection: Nmap probes each open port to identify the service and, where it can, the product name, version and extra details.

Scanning

Perform detailed scans for open ports and possible vulnerabilities.

TCP Connect Scan

Perform a full TCP connect scan to identify open ports:

nmap -sT 192.168.1.1

-sT: Uses the operating system's connect() call, so the full three-way handshake completes; no raw-socket privileges are needed, but the target service sees a real connection and will usually log it.

Stealth SYN Scan

Identify open ports stealthily without completing the TCP handshake:

nmap -sS 192.168.1.1

-sS: The SYN scan never completes the handshake, which makes it less detectable by intrusion detection systems and keeps it out of most application logs; it requires raw-socket privileges (root or sudo) and is Nmap's default scan type when run privileged.

Exploitation

Nmap can help identify vulnerabilities through scripts.

Vulnerability Scanning with Nmap Scripting Engine (NSE)

Use built-in scripts to check for vulnerabilities:

nmap --script=vuln 192.168.1.1

--script=vuln: This option runs every NSE script in the vuln category against the target; the checks are provided by Nmap's scripting engine.

Analysis

Analyze results for actionable insights.

XML Output

Export scan results in XML format for further analysis:

nmap -oX scan_results.xml 192.168.1.1

-oX: Writes the results to the named file in XML, Nmap's most complete machine-readable format (-oA <basename> writes normal, XML and grepable output at once).

Grepable Output

Output results in a grep-friendly format for quick parsing:

nmap -oG scan_results.gnmap 192.168.1.1

-oG: Writes the results in grepable format, one tab-separated line per host; the Nmap manual marks this format as deprecated in favour of XML, but it remains convenient for quick grep and awk pipelines.
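The XML and grepable sections above describe two output formats but not how an analyst turns them into findings. The following added example (not code from the original page or from the Nmap project) parses both formats into the same host-to-open-ports structure and diffs a current scan against a baseline, which is the usual way to spot a newly exposed service. Both scan results embedded in it are constructed samples, trimmed to the elements the parsers use; the host, ports and versions are made up.

```python
"""Parse Nmap XML (-oX) and grepable (-oG) output into one host->open-ports map
and diff a new scan against a baseline. Added example; the two scan results
below are constructed samples, not real captures."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of -oX output (DOCTYPE and stylesheet PI omitted).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.1">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample of -oG output for a later scan of the same host.
CURRENT_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -oG current.gnmap 192.168.1.1
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 3389/open/tcp//ms-wbt-server///, 23/closed/tcp//telnet///\tIgnored State: filtered (996)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 12.34 seconds"""


def parse_xml(text):
    """Return {ip: {(proto, port): service_name}} for open ports in -oX output."""
    hosts = {}
    root = ET.fromstring(text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = open_ports
    return hosts


# A grepable host line: "Host: <ip> (<hostname>)\tPorts: <entries>\t..."
GNMAP_HOST = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return the same structure for -oG output. Entries are comma separated and
    each has the form port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        m = GNMAP_HOST.match(line)
        if not m:
            continue
        ip, ports_field = m.group(1), m.group(2)
        open_ports = hosts.setdefault(ip, {})
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            open_ports[(fields[2], int(fields[0]))] = fields[4]
    return hosts


def diff_scans(baseline, current):
    """Report, per host, ports that are newly open or no longer open."""
    report = {}
    for ip in sorted(set(baseline) | set(current)):
        before = set(baseline.get(ip, {}))
        after = set(current.get(ip, {}))
        report[ip] = {"opened": sorted(after - before),
                      "closed": sorted(before - after)}
    return report


if __name__ == "__main__":
    result = diff_scans(parse_xml(BASELINE_XML), parse_gnmap(CURRENT_GNMAP))
    for ip, changes in result.items():
        print(ip, "newly open:", changes["opened"],
              "no longer open:", changes["closed"])
```

Running the script reports that tcp/3389 is open on 192.168.1.1 in the current scan but was not in the baseline. In practice the baseline would be the XML from an approved inventory scan and the current file a scheduled re-scan; reading real files just means replacing the two embedded strings with the file contents.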

Evasion

Bypass intrusion detection systems or firewalls using specific flags.

Fragmentation

Send fragmented packets to evade detection:

nmap -f 192.168.1.1

-f: Tells Nmap to fragment packets.

Reporting

Generate comprehensive reports on findings.

HTML Output

Create a user-friendly HTML report from a scan. Nmap has no HTML output flag (-oH is not a valid option and Nmap rejects it); instead, write XML and render it with the nmap.xsl stylesheet that the XML file references:

nmap -oX report.xml 192.168.1.1
xsltproc -o report.html report.xml

-oX plus xsltproc: the XML output carries an xml-stylesheet reference to nmap.xsl, so any XSLT processor turns it into an HTML page. Add --webxml to the scan to have the reference point at the copy hosted on nmap.org, so the XML renders on machines without a local Nmap install.

Quick Reference Table

Flag            Description
-sn             No port scan, host discovery only
-sV             Service version detection
-sT             TCP connect scan
-sS             Stealth/SYN scan (requires root)
--script=vuln   Run vulnerability scripts
-oX             Output to XML file
-oG             Output to grepable format
-f              Fragment packets
-oX + xsltproc  HTML report rendered from the XML file (there is no -oH flag)

Pro Tips

  • Use nmap -sS -p- to scan all ports (1-65535).
  • Combine scan phases in one run, for example nmap -sS -sV 192.168.1.1 performs host discovery, a SYN port scan and service detection together. Note that -sP is the deprecated name for -sn, which skips port scanning, so -sP -sV leaves version detection with no ports to probe.
  • Utilize the Nmap Scripting Engine to customize scripts for specific scenarios and improve results.

Real-World Examples

Scenario 1: You need to identify live hosts in a subnet:

nmap -sn 10.0.0.0/24

Scenario 2: You want to find vulnerabilities on a target:

nmap --script=vuln -p 80,443 192.168.1.1

Scenario 3: Export results for later analysis: