--- name: recon-nmap description: > Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls. version: 0.1.0 maintainer: sirappsec@gmail.com category: offsec tags: [reconnaissance, nmap, port-scanning, service-enumeration, network-security, osint] frameworks: [MITRE-ATT&CK, OWASP, PTES] dependencies: packages: [nmap] tools: [python3, masscan] references: - https://nmap.org/book/ - https://nmap.org/nsedoc/ - https://attack.mitre.org/techniques/T1046/ --- # Nmap Network Reconnaissance ## Overview Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using Nmap Scripting Engine (NSE). **IMPORTANT**: Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own. ## Quick Start Basic host discovery and port scanning: ```bash # Quick scan of common ports nmap -F # Scan top 1000 ports with service detection nmap -sV # Comprehensive scan with OS detection and default scripts nmap -A ``` ## Core Workflow ### Network Reconnaissance Workflow Progress: [ ] 1. Verify authorization and scope [ ] 2. Perform host discovery and asset enumeration [ ] 3. Conduct port scanning on live hosts [ ] 4. Enumerate services and versions [ ] 5. Perform OS fingerprinting and detection [ ] 6. Run NSE scripts for vulnerability detection [ ] 7. Document findings and generate reports [ ] 8. Validate results and identify false positives Work through each step systematically. Check off completed items. ### 1. Authorization Verification **CRITICAL**: Before any scanning activities: - Confirm written authorization from network owner - Review scope document for in-scope IP ranges and domains - Verify scanning windows and rate-limiting requirements - Document emergency contact for accidental disruption - Confirm blacklisted hosts (production databases, critical infrastructure) ### 2. Host Discovery Identify live hosts in target network: ```bash # Ping sweep (ICMP echo) nmap -sn /24 # ARP scan (local network only, faster and more reliable) nmap -sn -PR /24 # TCP SYN ping (when ICMP blocked) nmap -sn -PS22,80,443 /24 # UDP ping (for hosts blocking TCP) nmap -sn -PU53,161 /24 # Disable ping, assume all hosts alive nmap -Pn /24 ``` **Host discovery techniques**: - **ICMP Echo (-PE)**: Standard ping, often blocked - **TCP SYN (-PS)**: Half-open connection to specified ports - **TCP ACK (-PA)**: Sends ACK packets, useful for stateful firewalls - **UDP (-PU)**: Sends UDP packets to specified ports - **ARP (-PR)**: Layer 2 discovery, only works on local network Output live hosts to file for subsequent scanning: ```bash nmap -sn /24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt ``` ### 3. Port Scanning Scan discovered hosts for open ports: ```bash # Fast scan (top 100 ports) nmap -F -iL live_hosts.txt # Top 1000 ports (default) nmap -iL live_hosts.txt # Scan all 65535 ports nmap -p- -iL live_hosts.txt # Scan specific ports nmap -p 22,80,443,3389,8080 -iL live_hosts.txt # Scan port ranges nmap -p 1-1024,3000-9000 -iL live_hosts.txt ``` **Scan techniques**: - **TCP SYN Scan (-sS)**: Default, stealthy half-open scan (requires root) ```bash sudo nmap -sS ``` - **TCP Connect Scan (-sT)**: Full TCP connection (no root required) ```bash nmap -sT ``` - **UDP Scan (-sU)**: Scan UDP ports (slow but critical) ```bash sudo nmap -sU -p 53,161,500 ``` - **Version Detection (-sV)**: Probe services for version information ```bash nmap -sV ``` - **Aggressive Scan (-A)**: Enable OS detection, version detection, script scanning, traceroute ```bash sudo nmap -A ``` **Timing and performance**: ```bash # Paranoid (0) - Extremely slow, IDS evasion nmap -T0 # Sneaky (1) - Very slow, IDS evasion nmap -T1 # Polite (2) - Slows down to use less bandwidth nmap -T2 # Normal (3) - Default timing nmap -T3 # Aggressive (4) - Faster, assumes reliable network nmap -T4 # Insane (5) - Very fast, may miss results nmap -T5 ``` **Rate limiting for safety**: ```bash # Limit to 100 packets/second nmap --max-rate 100 # Minimum 10 packets/second nmap --min-rate 10 # Scan with delays to avoid detection nmap --scan-delay 1s ``` ### 4. Service Enumeration Identify services and extract version information: ```bash # Service version detection nmap -sV # Aggressive version detection (more probes) nmap -sV --version-intensity 5 # Light version detection (fewer probes, faster) nmap -sV --version-intensity 0 # Specific service enumeration nmap -sV -p 80,443 --script=http-headers,http-title ``` **Service-specific enumeration**: ```bash # SMB enumeration nmap -p 445 --script=smb-os-discovery,smb-security-mode # SSH enumeration nmap -p 22 --script=ssh-hostkey,ssh-auth-methods # DNS enumeration nmap -p 53 --script=dns-nsid,dns-recursion # HTTP/HTTPS enumeration nmap -p 80,443 --script=http-methods,http-robots.txt,http-title # Database enumeration nmap -p 3306 --script=mysql-info nmap -p 5432 --script=pgsql-brute nmap -p 1433 --script=ms-sql-info ``` ### 5. Operating System Detection Identify target operating systems: ```bash # OS detection sudo nmap -O # Aggressive OS detection with version scanning sudo nmap -A # Limit OS detection to promising targets sudo nmap -O --osscan-limit # Guess OS aggressively sudo nmap -O --osscan-guess ``` **OS fingerprinting indicators**: - TCP/IP stack characteristics - Open port patterns - Service banners and versions - TTL values and TCP window sizes ### 6. NSE Script Scanning Nmap Scripting Engine for advanced reconnaissance and vulnerability detection: ```bash # Run default NSE scripts nmap -sC # Run all scripts in category nmap --script=vuln nmap --script=exploit nmap --script=discovery # Run specific script nmap --script=http-sql-injection # Multiple scripts nmap --script=smb-vuln-ms17-010,smb-vuln-cve-2017-7494 # Script with arguments nmap --script=http-brute --script-args http-brute.path=/admin ``` **NSE script categories**: - **auth**: Authentication testing - **broadcast**: Network broadcast/multicast discovery - **brute**: Brute-force password auditing - **default**: Default safe scripts (-sC) - **discovery**: Network and service discovery - **dos**: Denial of service testing (use with caution) - **exploit**: Exploitation attempts (authorized only) - **external**: External resource queries (WHOIS, etc.) - **fuzzer**: Fuzzing attacks - **intrusive**: Intrusive scanning (may crash services) - **malware**: Malware detection - **safe**: Safe scripts unlikely to crash services - **version**: Version detection enhancement - **vuln**: Vulnerability detection **Common vulnerability detection scripts**: ```bash # Check for EternalBlue (MS17-010) nmap -p 445 --script=smb-vuln-ms17-010 # Heartbleed detection nmap -p 443 --script=ssl-heartbleed # Shellshock detection nmap --script=http-shellshock --script-args uri=/cgi-bin/test.sh # Check for weak SSL/TLS nmap -p 443 --script=ssl-enum-ciphers # SQL injection testing nmap -p 80 --script=http-sql-injection # Check for anonymous FTP nmap -p 21 --script=ftp-anon ``` ### 7. Output and Reporting Generate reports in multiple formats: ```bash # Normal output to screen and file nmap -oN scan_results.txt # XML output (for parsing/import) nmap -oX scan_results.xml # Grepable output (for easy parsing) nmap -oG scan_results.gnmap # All formats nmap -oA scan_results # Script kiddie output (for fun) nmap -oS scan_results.skid ``` Convert and process results: ```bash # Convert XML to HTML report xsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o report.html # Parse XML with Python python3 -c "import xml.etree.ElementTree as ET; tree = ET.parse('scan_results.xml'); root = tree.getroot(); [print(host.find('address').get('addr')) for host in root.findall('host')]" # Extract open ports from grepable output grep 'Ports:' scan_results.gnmap | awk '{print $2, $5}' ``` ### 8. Firewall and IDS Evasion Techniques to evade detection (authorized testing only): ```bash # Fragment packets sudo nmap -f # Use decoys sudo nmap -D RND:10 sudo nmap -D decoy1,decoy2,ME,decoy3 # Spoof source IP (requires raw packet privileges) sudo nmap -S -e # Randomize target order nmap --randomize-hosts -iL targets.txt # Use proxy nmap --proxies http://proxy:8080 # Idle scan (zombie host required) sudo nmap -sI ``` ## Security Considerations ### Authorization & Legal Compliance - **Written Permission**: Obtain explicit authorization before scanning any network - **Scope Definition**: Only scan explicitly authorized IP ranges and ports - **Disruption Risk**: Some scans (DOS, exploit scripts) can crash services - **Privacy**: Service enumeration may expose sensitive information - **Log Traces**: Scanning activities are typically logged by firewalls and IDS ### Operational Security - **Rate Limiting**: Use `--max-rate` to avoid overwhelming targets - **Timing**: Schedule scans during approved maintenance windows - **Bandwidth**: Consider network impact, especially for large scans - **Noise**: Aggressive scans are easily detected by security monitoring - **False Positives**: Validate findings before reporting vulnerabilities ### Audit Logging Document all reconnaissance activities: - Scan start and end timestamps - Source IP address and scanner hostname - Target IP ranges and ports scanned - Nmap command-line arguments used - Number of hosts discovered and ports found - Vulnerabilities identified via NSE scripts - Any service disruptions or anomalies ### Compliance - **PTES**: Reconnaissance phase of Penetration Testing Execution Standard - **OWASP**: ASVS verification requirements for network security - **MITRE ATT&CK**: T1046 (Network Service Scanning) - **PCI-DSS 11.2**: External and internal vulnerability scanning - **ISO 27001**: A.12.6 Technical vulnerability management ## Common Patterns ### Pattern 1: External Perimeter Assessment ```bash # Phase 1: Identify live hosts nmap -sn -PE -PS80,443 -PA3389 /24 -oG - | awk '/Up$/{print $2}' > external_hosts.txt # Phase 2: Scan common external services nmap -Pn -sV -p 21,22,25,53,80,110,143,443,587,993,995,3389,8080,8443 -iL external_hosts.txt -oA external_scan # Phase 3: Vulnerability detection nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080,8443 -iL external_hosts.txt -oA external_vulns # Phase 4: SSL/TLS security audit nmap -Pn -p 443,8443 --script=ssl-enum-ciphers,ssl-cert -iL external_hosts.txt -oA ssl_audit ``` ### Pattern 2: Internal Network Mapping ```bash # Phase 1: Fast host discovery nmap -sn -PR /24 -oG - | awk '/Up$/{print $2}' > internal_hosts.txt # Phase 2: Comprehensive port scan nmap -sV -p- -T4 -iL internal_hosts.txt -oA internal_full_scan # Phase 3: OS fingerprinting sudo nmap -O -iL internal_hosts.txt -oA internal_os_detection # Phase 4: Service enumeration nmap -sV --script=default,discovery -iL internal_hosts.txt -oA internal_services ``` ### Pattern 3: Web Application Discovery ```bash # Identify web servers nmap -p 80,443,8000,8080,8443 --open -oG - /24 | grep 'open' | awk '{print $2}' > web_servers.txt # Enumerate web technologies nmap -sV -p 80,443,8080,8443 --script=http-enum,http-headers,http-methods,http-title,http-server-header -iL web_servers.txt -oA web_enum # Check for common web vulnerabilities nmap -p 80,443 --script=http-sql-injection,http-csrf,http-vuln-cve2017-5638 -iL web_servers.txt -oA web_vulns ``` ### Pattern 4: SMB/CIFS Security Audit ```bash # Enumerate SMB hosts nmap -p 445 --open /24 -oG - | grep 'open' | awk '{print $2}' > smb_hosts.txt # SMB version and configuration nmap -p 445 --script=smb-protocols,smb-security-mode,smb-os-discovery -iL smb_hosts.txt -oA smb_enum # Check for SMB vulnerabilities nmap -p 445 --script=smb-vuln* -iL smb_hosts.txt -oA smb_vulns # Enumerate shares (authentication may be required) nmap -p 445 --script=smb-enum-shares,smb-enum-users -iL smb_hosts.txt -oA smb_shares ``` ### Pattern 5: Database Server Discovery ```bash # Scan for common database ports nmap -sV -p 1433,1521,3306,5432,5984,6379,9200,27017 /24 -oA database_scan # MySQL enumeration nmap -p 3306 --script=mysql-info,mysql-databases,mysql-variables # PostgreSQL enumeration nmap -p 5432 --script=pgsql-brute # MongoDB enumeration nmap -p 27017 --script=mongodb-info,mongodb-databases # Redis enumeration nmap -p 6379 --script=redis-info ``` ## Integration Points ### CI/CD Integration Automated security scanning in pipelines: ```bash #!/bin/bash # ci_network_scan.sh - Continuous network security validation TARGET_NETWORK="$1" OUTPUT_DIR="scan_results/$(date +%Y%m%d_%H%M%S)" mkdir -p "$OUTPUT_DIR" # Quick security scan nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080 \ "$TARGET_NETWORK" -oA "$OUTPUT_DIR/security_scan" # Parse results for critical findings if grep -i "VULNERABLE" "$OUTPUT_DIR/security_scan.nmap"; then echo "CRITICAL: Vulnerabilities detected!" exit 1 fi echo "Security scan completed successfully" exit 0 ``` ### Security Tools Integration - **Metasploit Integration**: Import Nmap XML with `db_import` - **Vulnerability Scanners**: Feed Nmap results to Nessus, OpenVAS, Qualys - **SIEM Integration**: Parse Nmap output for security monitoring - **Asset Management**: Update CMDB with discovered hosts and services - **Shodan/Censys**: Validate external exposure findings ### MITRE ATT&CK Mapping Map Nmap reconnaissance to ATT&CK framework: - **Reconnaissance**: T1595 (Active Scanning) - T1595.001 (Scanning IP Blocks) - T1595.002 (Vulnerability Scanning) - **Discovery**: T1046 (Network Service Scanning) - **Discovery**: T1040 (Network Sniffing) - **Credential Access**: T1110 (Brute Force) - when using NSE brute scripts ## Troubleshooting ### Issue: No Results Despite Hosts Being Online **Causes**: - ICMP blocked by firewall - Host-based firewall dropping probes - Network ACLs filtering traffic **Solutions**: ```bash # Skip ping, assume all hosts up nmap -Pn # Try TCP ping instead of ICMP nmap -PS80,443 -PA3389 # Try multiple discovery techniques nmap -PE -PS22,80,443 -PA3389 -PU53,161 ``` ### Issue: Scan Too Slow **Solutions**: ```bash # Increase timing template nmap -T4 # Scan fewer ports nmap -F # Top 100 ports nmap --top-ports 1000 # Parallelize by splitting targets nmap -T4 192.168.1.1-50 & nmap -T4 192.168.1.51-100 & nmap -T4 192.168.1.101-150 & wait # Use masscan for very fast port scanning masscan -p 1-65535 --rate 10000 /24 ``` ### Issue: False Positives in Vulnerability Scripts **Solutions**: - Manually verify findings with specific exploit tools - Check service version against CVE databases - Use `--version-intensity 9` for more accurate version detection - Run vulnerability-specific NSE scripts instead of broad categories - Cross-reference with authenticated vulnerability scanners ### Issue: Getting Blocked by Firewall/IDS **Solutions**: ```bash # Slow down scan nmap -T1 --scan-delay 1s # Fragment packets sudo nmap -f # Randomize scan order nmap --randomize-hosts -iL targets.txt # Use source port 53 (often allowed) nmap -g 53 # Split into smaller scans over time nmap -p 1-1000 # Wait several hours nmap -p 1001-2000 ``` ## Defensive Considerations Organizations can detect Nmap scanning by: - **Network IDS**: Signature detection of scan patterns (vertical/horizontal sweeps) - **Firewall Logs**: Multiple connection attempts from single source - **Port Scan Detection**: Monitoring for SYN packets without completion - **Honeypots**: Triggering alerts when accessing decoy services - **Traffic Analysis**: Unusual packet patterns (fragmentation, timing anomalies) Enhance defensive posture: - Deploy network intrusion detection systems (Snort, Suricata) - Enable firewall logging and monitor for scan patterns - Use port knocking or service hiding for sensitive services - Implement rate limiting on border firewalls - Deploy honeypots to detect and track reconnaissance ## References - [Nmap Network Scanning Official Guide](https://nmap.org/book/) - [NSE Script Documentation](https://nmap.org/nsedoc/) - [MITRE ATT&CK: Network Service Scanning](https://attack.mitre.org/techniques/T1046/) - [PTES Technical Guidelines](http://www.pentest-standard.org/index.php/Intelligence_Gathering) - [OWASP Testing Guide: Information Gathering](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/)