
Nmap

Overview

Nmap (Network Mapper) sends crafted packets to targets and interprets responses to map hosts, open ports, service versions, and—when permitted—operating system fingerprints. It supports dozens of scan techniques from bare ICMP echo discovery through full TCP connect and half-open SYN scans.

The Nmap Scripting Engine (NSE) extends probes with Lua scripts organized by category: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Scripts run in parallel with port scanning and can chain findings (e.g., smb-vuln-* after smb-os-discovery).

Output formats include normal (-oN), XML (-oX, for import into Nessus/Greenbone and other tooling), grepable (-oG), and -oA, which writes all three at once under a common basename. Timing templates -T0 (paranoid) through -T5 (insane) control parallelism and delay; -T3 is the default balance for lab networks.

Common OPSEC failures: running -A (OS + version + script + traceroute) against production without scope, leaving connection logs on stateful firewalls from full connect scans (-sT), and running intrusive NSE scripts (category intrusive/vuln) without understanding side effects like account lockout or service crashes.

Primary use cases

  • Host discovery on a /24 before deeper assessment (-sn, -PE, -PS443)
  • Port enumeration with service/version fingerprinting (-sS -sV -p-)
  • Script-driven vuln checks against known CVEs (--script vuln, smb-vuln-ms17-010)
  • UDP service mapping for DNS, SNMP, TFTP (-sU --top-ports 100)
  • Baseline asset inventory and change detection via scheduled -oX diffs
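The -oX output mentioned above is what makes scheduled change detection practical: parse each run, keep only open ports on hosts that are up, and diff against the previous run. The script below is an added example for this page, not Nmap's own code and not ndiff; the two XML documents are constructed samples shaped like -oX output with invented hosts and ports, and the same functions accept the text of real -oX files.

```python
"""Compare two Nmap -oX results and report new hosts and port changes.

Added example for this page; it is not Nmap's own code and is not ndiff.
The two XML documents are constructed samples shaped like -oX output, with
invented hosts and ports; pass real files' text to the same functions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the scheduled baseline scan.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -oX baseline.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
</nmaprun>
"""

# Constructed sample: the next run. 192.0.2.10 now exposes 3389/tcp,
# 192.0.2.11 has closed 445/tcp, and a new host 192.0.2.12 answers.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -oX current.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="closed"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for hosts that are up.
    Only ports whose state is 'open' are kept; closed/filtered are ignored
    so that firewall noise does not show up as inventory churn."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            open_ports[key] = service.get("name") if service is not None else "unknown"
        inventory[addr.get("addr")] = open_ports
    return inventory


def diff_inventories(old, new):
    """Compare two inventories from parse_open_ports(). Returns new/gone hosts
    and, for hosts present in both, ports that opened or closed."""
    result = {"new_hosts": sorted(set(new) - set(old)),
              "gone_hosts": sorted(set(old) - set(new)),
              "opened": [], "closed": []}
    for ip in sorted(set(old) & set(new)):
        for proto, port in sorted(set(new[ip]) - set(old[ip])):
            result["opened"].append((ip, proto, port, new[ip][(proto, port)]))
        for proto, port in sorted(set(old[ip]) - set(new[ip])):
            result["closed"].append((ip, proto, port, old[ip][(proto, port)]))
    return result


def report(diff):
    """Render the diff as one line per change, ready for a ticket or alert."""
    lines = [f"NEW HOST {ip}" for ip in diff["new_hosts"]]
    lines += [f"HOST GONE {ip}" for ip in diff["gone_hosts"]]
    lines += [f"OPENED {ip} {port}/{proto} ({svc})" for ip, proto, port, svc in diff["opened"]]
    lines += [f"CLOSED {ip} {port}/{proto} ({svc})" for ip, proto, port, svc in diff["closed"]]
    return lines


if __name__ == "__main__":
    changes = diff_inventories(parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML))
    for line in report(changes):
        print(line)
```

Run it against two real files by reading them with open(...).read() in place of the constants. A newly opened port on a known host is the alert worth paging on; a host that disappears is usually maintenance, but it is still worth recording so that the next baseline does not silently forget it.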

Key commands

SYN scan + version + default scripts

nmap -sS -sV -sC -p- -T4 --open -oA scan_target target.example.com

Fast top ports, no ping

nmap -Pn -sS --top-ports 1000 -oG - target.example.com

Targeted NSE vuln category

nmap -sV --script 'vuln and safe' -p 445,3389 10.0.0.0/24

UDP discovery

nmap -sU -sV --top-ports 20 -T4 target.example.com

Notable modules / features

  • Scan types: -sS SYN, -sT connect, -sU UDP, -sA ACK (firewall mapping), -sN/-sF/-sX null/fin/Xmas
  • OS detection (-O) uses TCP/IP stack quirks; requires at least one open and one closed port
  • NSE: 600+ scripts; --script-help, --script-args, script dependencies via requires/dependencies fields
  • Zenmap GUI, ndiff for XML diffing, nping for raw packet generation

Detection / defense notes

  • SYN scans appear as half-open connections; log RST responses and rate-limit per source
  • Version detection sends probe payloads; IDS signatures often trigger on Nmap probe patterns
  • Restrict ICMP and unsolicited SYN to edge; segment internal scanning visibility
  • Honeypot/open-port noise can poison OS fingerprint confidence scores
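The half-open connections a SYN scan leaves behind are easy to count: a single source that touches many distinct ports on one host (a vertical scan) or the same port across many hosts (a horizontal sweep) inside a short window is the signal to rate-limit or block per source. The detector below is an added example for this page, not Nmap's code and not any firewall vendor's; the log line format and the sample lines are constructed for the demonstration, so adapt parse_line() to the format your firewall actually emits.

```python
"""Flag port-scan behaviour in firewall logs by counting distinct targets
per source inside a sliding time window.

Added example for this page; not Nmap's code and not a vendor's. The log
format and the lines are constructed: one vertical scan, one horizontal
sweep, and one ordinary client, all with documentation-range addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone


def _constructed_log():
    """Build the sample firewall log used by the demonstration."""
    base = "2024-05-01T10:00:{:02d}Z fw src={} dst={} proto=tcp dport={} flags=S action={}"
    lines = []
    # Vertical scan: one source probes 20 ports on one host within 20 seconds.
    for i, port in enumerate(range(20, 40)):
        lines.append(base.format(i, "203.0.113.5", "192.0.2.10", port, "deny"))
    # Ordinary client: three connections to 443 on the same host.
    for i in (5, 15, 25):
        lines.append(base.format(i, "198.51.100.7", "192.0.2.10", 443, "allow"))
    # Horizontal sweep: one source tries 445 on six different hosts.
    for i in range(6):
        lines.append(base.format(30 + i, "203.0.113.9", f"192.0.2.{20 + i}", 445, "deny"))
    return sorted(lines)  # timestamp is the line prefix, so this orders by time


SAMPLE_LOG = "\n".join(_constructed_log())

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\S+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scanners(lines, window_seconds=60, port_threshold=15, host_threshold=5):
    """Return {src: reason} for sources that exceed either threshold within any
    window_seconds window. Only TCP packets with just the SYN flag are counted,
    which is the trace both -sS and -sT leave on a stateful firewall."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst, dport), oldest first
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["flags"] != "S":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        # Drop events that fell out of the window before counting.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {(dst, dport) for _, dst, dport in q}
        hosts = {dst for _, dst, _ in q}
        if len(targets) >= port_threshold:
            alerts[ev["src"]] = f"{len(targets)} distinct ports in {window_seconds}s (vertical scan)"
        elif len(hosts) >= host_threshold:
            alerts[ev["src"]] = f"{len(hosts)} hosts on port {ev['dport']} in {window_seconds}s (horizontal sweep)"
    return alerts


if __name__ == "__main__":
    for src, reason in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {reason}")
```

The thresholds are deliberately well above what a normal client does in a minute, so a browser opening 80 and 443 never trips them, while a --top-ports 1000 run trips the port threshold long before it finishes. Counting distinct (host, port) pairs rather than raw packet volume is what keeps retransmissions and slow -T0/-T1 scans from hiding below a simple rate limit.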

Related tools

  • Wireshark: Packet dissector. Live capture and PCAP analysis with display filters and protocol decoders.
  • nikto: Web server scanner. Tests for outdated software, dangerous files, and misconfigs.
  • Nuclei: Template scanner. YAML checks for CVEs, misconfigs, and exposed services at scale.