Module 1 · Nmap — Network Discovery and Port Scanning

Manish Garg, Associate CISSP · RingSafe
April 19, 2026
Nmap is the first tool every security practitioner reaches for. Pen-tester? You’re using nmap. Defender auditing your attack surface? Nmap. Discovered a new subnet you need to profile? Nmap. This module takes you from “I’ve typed nmap once” to “I can scan intelligently, interpret results, and avoid triggering every IDS in the building.”

What nmap actually does

Nmap (Network Mapper) is a network discovery and security auditing tool. At its core it answers three questions:

  • What hosts are alive on this network?
  • What services are those hosts exposing?
  • What versions / OS are they running?

Everything else (scripting, traceroute, OS fingerprinting, vulnerability checks) builds on these three.

Your first scan

# Discover live hosts on your LAN (no port scan)
nmap -sn 192.168.1.0/24

# Scan top 1000 TCP ports on a host
nmap 192.168.1.10

# Full TCP port range + service detection + default scripts
nmap -sV -sC -p- 192.168.1.10

# Fast scan (only top 100 ports)
nmap -F 192.168.1.10

# UDP scan (slower, but catches services like DNS/SNMP/NTP)
nmap -sU -p 53,123,161 192.168.1.10

Essential scan types

  • -sS  TCP SYN scan (default when run as root). Half-open: the handshake is never completed, so it is fast and the application behind the port usually logs nothing
  • -sT  TCP connect scan. Full handshake through the OS socket API, noisier (the service sees a real connection and may log it), no root required
  • -sU  UDP scan. Slow, but the only way to find DNS, SNMP, NTP and DHCP services
  • -sn  Ping sweep: host discovery only, no port scan
  • -sV  Version detection: sends probes to open ports and matches the responses against nmap's signature database to identify the software and version
  • -O   OS fingerprinting
  • -sC  Run the default NSE script set
  • -A   Aggressive: equivalent to -sV -O -sC --traceroute

Port specification

# Specific ports
nmap -p 22,80,443 target

# Port range
nmap -p 1-1000 target

# All ports (1-65535)
nmap -p- target

# Top N ports
nmap --top-ports 100 target

# UDP + TCP on same run
nmap -sS -sU -p T:80,443,U:53,161 target

Full port range (-p-) is essential on any serious audit. Nmap's default list covers only the 1000 most common TCP ports, and pentests regularly turn up management interfaces and data stores on ports such as 8443, 9200, 6379, 11211 and 27017, several of which fall outside that list. Budget the time for it: -p- against a host that silently drops packets can take hours, which is why it is usually paired with -T4 on a reliable network.

NSE — Nmap Scripting Engine

NSE scripts extend nmap into light vulnerability detection, brute-forcing, and information gathering. Scripts live in categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.

# Run the default script set (generally safe, but not free of side effects: some default scripts log in or post data)
nmap -sC target

# Run vulnerability scripts
nmap --script vuln target

# Run a specific script
nmap --script http-enum -p 80,443 target

# Brute-force SSH credentials (intrusive: noisy, and can lock accounts out)
nmap --script ssh-brute -p 22 target

# Enumerate SMB shares + users
nmap --script smb-enum-shares,smb-enum-users -p 445 target

# Check for TLS vulnerabilities
nmap --script ssl-enum-ciphers,ssl-poodle,ssl-heartbleed -p 443 target

Timing and stealth

Nmap’s -T flags set timing templates from paranoid to insane:

  • -T0 Paranoid — 5 min between probes. For evading IDS
  • -T1 Sneaky — 15 sec
  • -T2 Polite — 0.4 sec
  • -T3 Normal — default
  • -T4 Aggressive — faster, common on reliable LANs
  • -T5 Insane — fastest, accuracy suffers

For evasion there are also --data-length (pad probes), --randomize-hosts, --spoof-mac (only meaningful on the local Ethernet segment), -D (decoys) and -f (fragment packets). None of these makes a scan invisible: a capable IDS still sees every probe. What they do is break naive signatures and make attribution harder. -D and -f need the same raw-socket privileges as -sS, and fragmented probes are often reassembled or simply dropped by modern firewalls, so verify that a fragmented scan still returns results before relying on it.

Output formats

# Save in all formats: normal (.nmap), XML (.xml), grepable (.gnmap)
nmap -sV -oA scan-results target

# Render the XML as an HTML report with the stylesheet shipped with nmap (usually /usr/share/nmap/nmap.xsl)
nmap -sV -oX - target | xsltproc /usr/share/nmap/nmap.xsl - > report.html

Always save XML output: it is the format reporting tools, asset inventories and vulnerability-management pipelines parse, while the grepable format is the one you reach for in quick shell work.

Common pentest patterns

  • Initial reconnaissance: nmap -sV -sC -p- -T4 -oA init target-range
  • UDP discovery: nmap -sU --top-ports 50 -T4 target
  • Vulnerability pass: nmap --script vuln -p 80,443,8080,8443 target
  • SMB/AD enumeration: nmap --script smb-os-discovery,smb-enum-shares,smb-enum-users -p 445 target
  • Web discovery: nmap --script http-title,http-headers,http-robots.txt,http-enum -p 80,443 target
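The "Output formats" section says the saved output is what downstream tooling parses, and the "Initial reconnaissance" pattern above runs -sV -sC across all 65535 ports in one go. The following added example (not code from the original module or from RingSafe) ties the two together in POSIX shell: it parses grepable (-oG) output, builds the faster two-phase variant of the reconnaissance pattern (cheap -p- sweep first, then -sV -sC only on the ports found open), and diffs a baseline scan against a current one to flag newly opened ports, which is the defender's attack-surface audit. The sample -oG text, the host addresses and the output file names are constructed for the example; the field layout (port/state/proto/owner/service/rpc/version) is nmap's.

```shell
#!/bin/sh
# Added example, not part of the original module. Works on nmap grepable (-oG)
# output offline. A host line looks like:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...<TAB>Ignored State: ...

# Constructed sample, shaped like what `nmap -sS -sU -p- -oG full.gnmap 192.168.1.0/24` writes.
SAMPLE_GNMAP=$(printf '%s\n%s\t%s\t%s\n%s\t%s\t%s\n%s' \
  '# Nmap 7.94 scan initiated Sat Apr 19 10:00:00 2026 as: nmap -sS -sU -p- -oG full.gnmap 192.168.1.0/24' \
  'Host: 192.168.1.10 ()' \
  'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 9200/open/tcp//wap-wsp///, 31337/filtered/tcp////' \
  'Ignored State: closed (65530)' \
  'Host: 192.168.1.20 ()' \
  'Ports: 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///' \
  'Ignored State: closed (131068)' \
  '# Nmap done at Sat Apr 19 10:05:00 2026 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds')

# open_ports: read -oG text on stdin, print "host port proto service" for every
# port nmap reports as plainly open. UDP "open|filtered" is deliberately left
# out: nmap could not distinguish it from a firewalled port, so it is unconfirmed.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        list = $i; sub(/^Ports: /, "", list)
        n = split(list, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] != "open") continue
          svc = (f[5] == "") ? "?" : f[5]
          print host, f[1], f[3], svc
        }
      }
    }'
}

# ports_for_host HOST: comma-separated open TCP ports on HOST, ready for -p.
ports_for_host() {
  open_ports | awk -v h="$1" '$1 == h && $3 == "tcp" { out = out sep $2; sep = "," } END { print out }'
}

# rescan_command HOST PORTS: the phase-2 scan. Phase 1 is the cheap full-range
# sweep (-p- with no -sV/-sC); version probes and scripts then run only against
# ports that are actually open, which is far faster than -sV -sC -p- in one pass.
rescan_command() {
  [ -n "$2" ] || return 1
  printf 'nmap -sV -sC -p %s -oA deep-%s %s\n' "$2" "$1" "$1"
}

# new_open_ports BASELINE.gnmap CURRENT.gnmap: ports open now that were not
# open in the baseline, i.e. attack-surface drift worth an alert.
new_open_ports() {
  base=$(mktemp) || return 1
  open_ports < "$1" > "$base"
  open_ports < "$2" | awk -v b="$base" 'FILENAME == b { seen[$0] = 1; next } !($0 in seen)' "$base" -
  rm -f "$base"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
rescan_command 192.168.1.10 "$(printf '%s\n' "$SAMPLE_GNMAP" | ports_for_host 192.168.1.10)"
```

In practice phase 1 is `nmap -p- -T4 -oG full.gnmap target`, the loop `for h in $(open_ports < full.gnmap | cut -d' ' -f1 | sort -u); do $(rescan_command "$h" "$(ports_for_host "$h" < full.gnmap)"); done` does phase 2, and a scheduled `new_open_ports baseline.gnmap today.gnmap` is a minimal change detector. Filtered ports are skipped on purpose: nmap got no answer, so there is nothing for -sV to talk to.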

Quick reference summary

  • Nmap does host discovery, port scanning, service/version detection, OS fingerprinting, scripting
  • Default scan: top 1000 TCP ports (SYN scan as root, connect scan otherwise); add -sV -sC for service detection and default scripts; a full audit requires -p-
  • Time your scans: -T4 for LANs, -T2/T1 when IDS is in play
  • Always include UDP (-sU) on critical hosts — DNS/SNMP/NTP often miss in pure TCP scans
  • NSE scripts: -sC for the default set, --script vuln for checks against specific known vulnerabilities (a complement to, not a replacement for, a vulnerability scanner)
  • Output: -oA saves all formats; XML is most useful downstream
  • Legal: only scan networks you own or have written authorisation for