| name | recon-nmap |
| description | Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.
|
| version | 0.1.0 |
| maintainer | sirappsec@gmail.com |
| category | offsec |
| tags | ["reconnaissance","nmap","port-scanning","service-enumeration","network-security","osint"] |
| frameworks | ["MITRE-ATT&CK","OWASP","PTES"] |
| dependencies | {"packages":["nmap"],"tools":["python3","masscan"]} |
| references | ["https://nmap.org/book/","https://nmap.org/nsedoc/","https://attack.mitre.org/techniques/T1046/"] |
Nmap Network Reconnaissance
Overview
Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using Nmap Scripting Engine (NSE).
IMPORTANT: Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own.
Quick Start
Basic host discovery and port scanning:
nmap -F <target-ip>
nmap -sV <target-ip>
nmap -A <target-ip>
Core Workflow
Network Reconnaissance Workflow
Progress:
[ ] 1. Verify authorization and scope
[ ] 2. Perform host discovery and asset enumeration
[ ] 3. Conduct port scanning on live hosts
[ ] 4. Enumerate services and versions
[ ] 5. Perform OS fingerprinting and detection
[ ] 6. Run NSE scripts for vulnerability detection
[ ] 7. Document findings and generate reports
[ ] 8. Validate results and identify false positives
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any scanning activities:
- Confirm written authorization from network owner
- Review scope document for in-scope IP ranges and domains
- Verify scanning windows and rate-limiting requirements
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production databases, critical infrastructure)
2. Host Discovery
Identify live hosts in target network:
nmap -sn <target-network>/24
nmap -sn -PR <target-network>/24
nmap -sn -PS22,80,443 <target-network>/24
nmap -sn -PU53,161 <target-network>/24
nmap -Pn <target-network>/24
Host discovery techniques:
- ICMP Echo (-PE): Standard ping, often blocked
- TCP SYN (-PS): Half-open connection to specified ports
- TCP ACK (-PA): Sends ACK packets, useful for stateful firewalls
- UDP (-PU): Sends UDP packets to specified ports
- ARP (-PR): Layer 2 discovery, only works on local network
Output live hosts to file for subsequent scanning:
nmap -sn <target-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt
3. Port Scanning
Scan discovered hosts for open ports:
nmap -F -iL live_hosts.txt
nmap -iL live_hosts.txt
nmap -p- -iL live_hosts.txt
nmap -p 22,80,443,3389,8080 -iL live_hosts.txt
nmap -p 1-1024,3000-9000 -iL live_hosts.txt
Scan techniques:
-
TCP SYN Scan (-sS): Default, stealthy half-open scan (requires root)
sudo nmap -sS <target-ip>
-
TCP Connect Scan (-sT): Full TCP connection (no root required)
nmap -sT <target-ip>
-
UDP Scan (-sU): Scan UDP ports (slow but critical)
sudo nmap -sU -p 53,161,500 <target-ip>
-
Version Detection (-sV): Probe services for version information
nmap -sV <target-ip>
-
Aggressive Scan (-A): Enable OS detection, version detection, script scanning, traceroute
sudo nmap -A <target-ip>
Timing and performance:
nmap -T0 <target-ip>
nmap -T1 <target-ip>
nmap -T2 <target-ip>
nmap -T3 <target-ip>
nmap -T4 <target-ip>
nmap -T5 <target-ip>
Rate limiting for safety:
nmap --max-rate 100 <target-ip>
nmap --min-rate 10 <target-ip>
nmap --scan-delay 1s <target-ip>
4. Service Enumeration
Identify services and extract version information:
nmap -sV <target-ip>
nmap -sV --version-intensity 5 <target-ip>
nmap -sV --version-intensity 0 <target-ip>
nmap -sV -p 80,443 --script=http-headers,http-title <target-ip>
Service-specific enumeration:
nmap -p 445 --script=smb-os-discovery,smb-security-mode <target-ip>
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods <target-ip>
nmap -p 53 --script=dns-nsid,dns-recursion <target-ip>
nmap -p 80,443 --script=http-methods,http-robots.txt,http-title <target-ip>
nmap -p 3306 --script=mysql-info <target-ip>
nmap -p 5432 --script=pgsql-brute <target-ip>
nmap -p 1433 --script=ms-sql-info <target-ip>
5. Operating System Detection
Identify target operating systems:
sudo nmap -O <target-ip>
sudo nmap -A <target-ip>
sudo nmap -O --osscan-limit <target-ip>
sudo nmap -O --osscan-guess <target-ip>
OS fingerprinting indicators:
- TCP/IP stack characteristics
- Open port patterns
- Service banners and versions
- TTL values and TCP window sizes
6. NSE Script Scanning
Nmap Scripting Engine for advanced reconnaissance and vulnerability detection:
nmap -sC <target-ip>
nmap --script=vuln <target-ip>
nmap --script=exploit <target-ip>
nmap --script=discovery <target-ip>
nmap --script=http-sql-injection <target-ip>
nmap --script=smb-vuln-ms17-010,smb-vuln-cve-2017-7494 <target-ip>
nmap --script=http-brute --script-args http-brute.path=/admin <target-ip>
NSE script categories:
- auth: Authentication testing
- broadcast: Network broadcast/multicast discovery
- brute: Brute-force password auditing
- default: Default safe scripts (-sC)
- discovery: Network and service discovery
- dos: Denial of service testing (use with caution)
- exploit: Exploitation attempts (authorized only)
- external: External resource queries (WHOIS, etc.)
- fuzzer: Fuzzing attacks
- intrusive: Intrusive scanning (may crash services)
- malware: Malware detection
- safe: Safe scripts unlikely to crash services
- version: Version detection enhancement
- vuln: Vulnerability detection
Common vulnerability detection scripts:
nmap -p 445 --script=smb-vuln-ms17-010 <target-ip>
nmap -p 443 --script=ssl-heartbleed <target-ip>
nmap --script=http-shellshock --script-args uri=/cgi-bin/test.sh <target-ip>
nmap -p 443 --script=ssl-enum-ciphers <target-ip>
nmap -p 80 --script=http-sql-injection <target-ip>
nmap -p 21 --script=ftp-anon <target-ip>
7. Output and Reporting
Generate reports in multiple formats:
nmap <target-ip> -oN scan_results.txt
nmap <target-ip> -oX scan_results.xml
nmap <target-ip> -oG scan_results.gnmap
nmap <target-ip> -oA scan_results
nmap <target-ip> -oS scan_results.skid
Convert and process results:
xsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o report.html
python3 -c "import xml.etree.ElementTree as ET; tree = ET.parse('scan_results.xml'); root = tree.getroot(); [print(host.find('address').get('addr')) for host in root.findall('host')]"
grep 'Ports:' scan_results.gnmap | awk '{print $2, $5}'
8. Firewall and IDS Evasion
Techniques to evade detection (authorized testing only):
sudo nmap -f <target-ip>
sudo nmap -D RND:10 <target-ip>
sudo nmap -D decoy1,decoy2,ME,decoy3 <target-ip>
sudo nmap -S <spoofed-ip> -e <interface> <target-ip>
nmap --randomize-hosts -iL targets.txt
nmap --proxies http://proxy:8080 <target-ip>
sudo nmap -sI <zombie-host> <target-ip>
Security Considerations
Authorization & Legal Compliance
- Written Permission: Obtain explicit authorization before scanning any network
- Scope Definition: Only scan explicitly authorized IP ranges and ports
- Disruption Risk: Some scans (DOS, exploit scripts) can crash services
- Privacy: Service enumeration may expose sensitive information
- Log Traces: Scanning activities are typically logged by firewalls and IDS
Operational Security
- Rate Limiting: Use
--max-rate to avoid overwhelming targets
- Timing: Schedule scans during approved maintenance windows
- Bandwidth: Consider network impact, especially for large scans
- Noise: Aggressive scans are easily detected by security monitoring
- False Positives: Validate findings before reporting vulnerabilities
Audit Logging
Document all reconnaissance activities:
- Scan start and end timestamps
- Source IP address and scanner hostname
- Target IP ranges and ports scanned
- Nmap command-line arguments used
- Number of hosts discovered and ports found
- Vulnerabilities identified via NSE scripts
- Any service disruptions or anomalies
Compliance
- PTES: Reconnaissance phase of Penetration Testing Execution Standard
- OWASP: ASVS verification requirements for network security
- MITRE ATT&CK: T1046 (Network Service Scanning)
- PCI-DSS 11.2: External and internal vulnerability scanning
- ISO 27001: A.12.6 Technical vulnerability management
Common Patterns
Pattern 1: External Perimeter Assessment
nmap -sn -PE -PS80,443 -PA3389 <external-network>/24 -oG - | awk '/Up$/{print $2}' > external_hosts.txt
nmap -Pn -sV -p 21,22,25,53,80,110,143,443,587,993,995,3389,8080,8443 -iL external_hosts.txt -oA external_scan
nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080,8443 -iL external_hosts.txt -oA external_vulns
nmap -Pn -p 443,8443 --script=ssl-enum-ciphers,ssl-cert -iL external_hosts.txt -oA ssl_audit
Pattern 2: Internal Network Mapping
nmap -sn -PR <internal-network>/24 -oG - | awk '/Up$/{print $2}' > internal_hosts.txt
nmap -sV -p- -T4 -iL internal_hosts.txt -oA internal_full_scan
sudo nmap -O -iL internal_hosts.txt -oA internal_os_detection
nmap -sV --script=default,discovery -iL internal_hosts.txt -oA internal_services
Pattern 3: Web Application Discovery
nmap -p 80,443,8000,8080,8443 --open -oG - <target-network>/24 | grep 'open' | awk '{print $2}' > web_servers.txt
nmap -sV -p 80,443,8080,8443 --script=http-enum,http-headers,http-methods,http-title,http-server-header -iL web_servers.txt -oA web_enum
nmap -p 80,443 --script=http-sql-injection,http-csrf,http-vuln-cve2017-5638 -iL web_servers.txt -oA web_vulns
Pattern 4: SMB/CIFS Security Audit
nmap -p 445 --open <target-network>/24 -oG - | grep 'open' | awk '{print $2}' > smb_hosts.txt
nmap -p 445 --script=smb-protocols,smb-security-mode,smb-os-discovery -iL smb_hosts.txt -oA smb_enum
nmap -p 445 --script=smb-vuln* -iL smb_hosts.txt -oA smb_vulns
nmap -p 445 --script=smb-enum-shares,smb-enum-users -iL smb_hosts.txt -oA smb_shares
Pattern 5: Database Server Discovery
nmap -sV -p 1433,1521,3306,5432,5984,6379,9200,27017 <target-network>/24 -oA database_scan
nmap -p 3306 --script=mysql-info,mysql-databases,mysql-variables <target-ip>
nmap -p 5432 --script=pgsql-brute <target-ip>
nmap -p 27017 --script=mongodb-info,mongodb-databases <target-ip>
nmap -p 6379 --script=redis-info <target-ip>
Integration Points
CI/CD Integration
Automated security scanning in pipelines:
#!/bin/bash
TARGET_NETWORK="$1"
OUTPUT_DIR="scan_results/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
nmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080 \
"$TARGET_NETWORK" -oA "$OUTPUT_DIR/security_scan"
if grep -i "VULNERABLE" "$OUTPUT_DIR/security_scan.nmap"; then
echo "CRITICAL: Vulnerabilities detected!"
exit 1
fi
echo "Security scan completed successfully"
exit 0
Security Tools Integration
- Metasploit Integration: Import Nmap XML with
db_import
- Vulnerability Scanners: Feed Nmap results to Nessus, OpenVAS, Qualys
- SIEM Integration: Parse Nmap output for security monitoring
- Asset Management: Update CMDB with discovered hosts and services
- Shodan/Censys: Validate external exposure findings
MITRE ATT&CK Mapping
Map Nmap reconnaissance to ATT&CK framework:
- Reconnaissance: T1595 (Active Scanning)
- T1595.001 (Scanning IP Blocks)
- T1595.002 (Vulnerability Scanning)
- Discovery: T1046 (Network Service Scanning)
- Discovery: T1040 (Network Sniffing)
- Credential Access: T1110 (Brute Force) - when using NSE brute scripts
Troubleshooting
Issue: No Results Despite Hosts Being Online
Causes:
- ICMP blocked by firewall
- Host-based firewall dropping probes
- Network ACLs filtering traffic
Solutions:
nmap -Pn <target-ip>
nmap -PS80,443 -PA3389 <target-ip>
nmap -PE -PS22,80,443 -PA3389 -PU53,161 <target-ip>
Issue: Scan Too Slow
Solutions:
nmap -T4 <target-ip>
nmap -F <target-ip>
nmap --top-ports 1000 <target-ip>
nmap -T4 192.168.1.1-50 &
nmap -T4 192.168.1.51-100 &
nmap -T4 192.168.1.101-150 &
wait
masscan -p 1-65535 --rate 10000 <target-network>/24
Issue: False Positives in Vulnerability Scripts
Solutions:
- Manually verify findings with specific exploit tools
- Check service version against CVE databases
- Use
--version-intensity 9 for more accurate version detection
- Run vulnerability-specific NSE scripts instead of broad categories
- Cross-reference with authenticated vulnerability scanners
Issue: Getting Blocked by Firewall/IDS
Solutions:
nmap -T1 --scan-delay 1s <target-ip>
sudo nmap -f <target-ip>
nmap --randomize-hosts -iL targets.txt
nmap -g 53 <target-ip>
nmap -p 1-1000 <target-ip>
nmap -p 1001-2000 <target-ip>
Defensive Considerations
Organizations can detect Nmap scanning by:
- Network IDS: Signature detection of scan patterns (vertical/horizontal sweeps)
- Firewall Logs: Multiple connection attempts from single source
- Port Scan Detection: Monitoring for SYN packets without completion
- Honeypots: Triggering alerts when accessing decoy services
- Traffic Analysis: Unusual packet patterns (fragmentation, timing anomalies)
Enhance defensive posture:
- Deploy network intrusion detection systems (Snort, Suricata)
- Enable firewall logging and monitor for scan patterns
- Use port knocking or service hiding for sensitive services
- Implement rate limiting on border firewalls
- Deploy honeypots to detect and track reconnaissance
References