Network Scanning: Advanced Nmap Commands and Scripts

As we move beyond basic Nmap scans, we unlock more powerful capabilities for network reconnaissance and vulnerability assessment. Advanced Nmap commands and scripts provide deeper insights into networks, allowing ethical hackers and penetration testers to fine-tune their scanning techniques. This guide covers advanced Nmap functionalities, including custom scans, NSE (Nmap Scripting Engine), and evasion techniques.


Advanced Nmap Scanning Techniques

1. Scanning with Different Timing Options

Nmap provides six timing templates (-T0 to -T5) that trade scan speed against stealth and reliability. -T3 is the default.

nmap -T4 example.com
  • -T0 (Paranoid): sends one probe at a time and waits five minutes between probes, to stay under time-based IDS correlation thresholds. A full port scan at this setting can take days.
  • -T4 (Aggressive): assumes a fast, reliable network and is the usual choice for authorised scans of LAN targets. -T5 (Insane) goes faster still but can miss ports on congested links.

2. Scanning Multiple Targets

To scan multiple hosts at once, separate them with spaces (a comma-separated list of full addresses such as 192.168.1.1,192.168.1.2 is not valid: Nmap treats it as one hostname and fails to resolve it). Commas and dashes are allowed inside a single octet, so 192.168.1.1,2,3 and 192.168.1.1-50 are both accepted. Long target lists belong in a file passed with -iL.

nmap 192.168.1.1 192.168.1.2 192.168.1.3

Or scan a whole network in CIDR notation (note that Nmap also probes the network and broadcast addresses of the block):

nmap 192.168.1.0/24
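Nmap's target grammar is easy to get wrong, as the comma example above shows. The following is an added example, not code from the original article: a small parser for the two target syntaxes Nmap accepts (CIDR blocks and per-octet lists/ranges such as 192.168.1.1,5,9 or 10.0.0-1.250-), with a helper that drops out-of-scope hosts the way --exclude does and writes a file for nmap -iL. The addresses in the usage section are constructed documentation ranges.

```python
"""Expand Nmap-style target specifications into explicit addresses.

Added example (not code from the original article). Supports the two
target syntaxes Nmap accepts: CIDR notation and per-octet lists/ranges.
The address blocks used at the bottom are constructed documentation ranges.
"""
import ipaddress
import re
from typing import Iterable, List

# One octet: "5", "5-20", "5-" (5..255), "-20" (0..20) or "-" (0..255);
# several of these may be joined with commas, e.g. "1,5,10-20".
_OCTET_PART = re.compile(r"^(\d{1,3})?(-)?(\d{1,3})?$")


def _expand_octet(spec: str) -> List[int]:
    """Return the sorted set of values a single octet spec covers."""
    values = set()
    for part in spec.split(","):
        m = _OCTET_PART.match(part)
        if not m or part == "" or (m.group(3) and not m.group(2)):
            raise ValueError(f"bad octet spec {part!r} in {spec!r}")
        lo, dash, hi = m.groups()
        if dash is None:
            low = high = int(lo)
        else:
            low = int(lo) if lo is not None else 0
            high = int(hi) if hi is not None else 255
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet range {part!r} out of order or above 255")
        values.update(range(low, high + 1))
    return sorted(values)


def expand_target(spec: str) -> List[str]:
    """Return every IPv4 address covered by one Nmap target argument."""
    if "/" in spec:
        # Like Nmap, include the network and broadcast addresses of the block.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        # This is why "192.168.1.1,192.168.1.2" fails: it is neither a
        # dotted quad nor a CIDR block, so Nmap tries to resolve it as a name.
        raise ValueError(f"{spec!r} is not a dotted quad or CIDR block")
    a, b, c, d = (_expand_octet(o) for o in octets)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand all target specs, then drop anything matched by an exclude
    spec (mirrors nmap --exclude); result is sorted and de-duplicated."""
    wanted = {ip for spec in targets for ip in expand_target(spec)}
    banned = {ip for spec in exclude for ip in expand_target(spec)}
    return sorted(wanted - banned, key=ipaddress.IPv4Address)


def write_target_file(path: str, hosts: Iterable[str]) -> int:
    """Write one host per line for `nmap -iL path`; returns the host count."""
    hosts = list(hosts)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    # Constructed scope: a /29 minus its gateway and broadcast, plus a list.
    hosts = scope(["192.0.2.0/29", "198.51.100.1,5,10-12"],
                  exclude=["192.0.2.0", "192.0.2.7"])
    print("\n".join(hosts))
    n = write_target_file("targets.txt", hosts)
    print(f"{n} hosts written; run: nmap -iL targets.txt")
```

Writing the expanded list to a file and scanning with -iL keeps the authorised scope explicit and reviewable, which matters more than brevity when the engagement letter lists exclusions.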

3. Performing a UDP Scan

Nmap's default scan is TCP (SYN scan as root, connect scan otherwise), but UDP services are just as exposed and are routinely overlooked. UDP scanning needs root and is slow: closed ports answer with rate-limited ICMP port-unreachable messages, and open ports usually send nothing back, so Nmap reports them as open|filtered. Adding -sV makes Nmap send protocol-specific payloads that coax a reply from real services.

nmap -sU -p 53,161,162 example.com
  • Common UDP ports: 53 (DNS), 161 (SNMP), 162 (SNMP trap receiver)

4. Scanning with Custom Port Ranges

By default Nmap probes the 1,000 most common ports. Narrow the range for speed (or widen it with -p- to cover all 65,535, since services hiding on high ports are missed by the default set):

nmap -p 20-100 example.com

5. Aggressive Scan with Service and OS Detection

Combines several techniques in one flag. It is noisy, and OS detection needs raw sockets, so run it as root:

nmap -A example.com
  • OS detection (-O)
  • Version detection (-sV)
  • Script scanning (-sC)
  • Traceroute (--traceroute)

Using Nmap Scripting Engine (NSE)

Nmap includes a powerful scripting engine (NSE) to automate vulnerability detection and information gathering.

1. Listing Available Scripts

Scripts live in Nmap's data directory (on Debian, Ubuntu and Kali that is the path below). nmap --script-help with a script or category name prints what a script does and which arguments it takes.

ls /usr/share/nmap/scripts

2. Scanning with Default Scripts

nmap -sC example.com

-sC is shorthand for --script=default: the default category contains scripts judged safe and fast enough for routine use, such as banner grabbing, ssl-cert and http-title. It does not perform version detection; pair it with -sV so scripts are matched to the right services.

3. Checking for Known Vulnerabilities

nmap --script vuln example.com

Runs every script in the vuln category, each of which checks for a specific known flaw. Not all of them are safe: some send malformed requests that can disturb fragile services, so scan only systems you are authorised to test. Examples:

  • Heartbleed, CVE-2014-0160 (ssl-heartbleed)
  • MS17-010, the SMB flaw used by EternalBlue (smb-vuln-ms17-010)

4. Performing an Advanced Recon Scan

nmap --script=http-title,whois-ip,ssl-cert example.com
  • http-title: Retrieves web page titles.
  • whois-ip: Looks up the netblock owner at the regional Internet registry. This query goes to a third-party WHOIS server, so it is not quiet.
  • ssl-cert: Retrieves TLS certificate details (subject, issuer, validity period).

5. Brute-Force Login Testing

To test for weak credentials on an SSH server. By default the script uses Nmap's built-in username and password lists; pass --script-args userdb=users.txt,passdb=passwords.txt to supply your own. Brute forcing is slow, loud, and can lock accounts, so agree it with the client first:

nmap --script ssh-brute -p 22 example.com

Evading Detection with Nmap

1. Hiding the Scanner Among Decoys

The -D option does not hide your address; it mixes your probes with probes spoofed from decoy addresses, so the target's logs show many apparent scanners instead of one:

nmap -D RND:10 example.com
  • Generates 10 random decoy IPs. Add ME to the list to fix where your own address appears. Decoys need raw packets (root), do not work with -sT or -sV, and random decoys may be unreachable addresses, which makes the scan easy to spot. True source spoofing (-S) means replies never reach you, so it is useful only when sniffing another path.

2. Fragmenting Packets to Bypass Firewalls

nmap -f example.com
  • Splits each probe into 8-byte IP fragments (-ff for 16 bytes, --mtu for another multiple of 8). This only defeats stateless filters that inspect fragments individually; modern IDS/IPS and stateful firewalls reassemble before inspecting, and some simply drop fragments. Needs root.

3. Using NULL, FIN, and Xmas Scans

These scan types exploit RFC 793 behaviour: a closed port answers a packet carrying none of SYN, RST or ACK with a RST, while an open port ignores it. They can slip past stateless packet filters that only match SYN packets, but silence means open|filtered, so they cannot tell open from filtered, and Windows, many Cisco devices and some other stacks reply RST on every port, making everything look closed:

nmap -sN example.com   # NULL scan
nmap -sF example.com   # FIN scan
nmap -sX example.com   # Xmas scan

Automating Nmap Scans

1. Running a Scheduled Scan

Automate scans with a cron job on Linux. -A includes OS detection, which needs raw sockets, so use root's crontab (sudo crontab -e) or drop -O; use absolute paths, because cron runs with a minimal PATH from the user's home directory. Recurring scans of hosts you do not own also need standing authorisation.

crontab -e

Add the following line to run a scan every day at midnight:

0 0 * * * /usr/bin/nmap -A -oN /var/log/nmap/example.com.txt example.com

2. Exporting Scan Results

Save results for later analysis. Normal output is for reading; XML is what other tools parse. -oG gives a grepable one-line-per-host format and -oA writes all three with a common base name:

nmap -oN output.txt example.com   # Normal format
nmap -oX output.xml example.com   # XML format
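A nightly scan is only worth running if something compares tonight's report with last night's. The following is an added example, not code from the original article, covering both the scheduled scan and the export sections above: it parses Nmap's -oX output and reports ports that opened, closed, or changed service banner or NSE script output between two runs. Both XML documents are constructed, trimmed-down samples in the shape Nmap 7.x writes for a -sV -sC scan; 192.0.2.10 is a documentation address and the services and certificate names are invented.

```python
"""Diff two Nmap XML reports to spot drift between scheduled scans.

Added example, not code from the original article. The XML below is a
constructed sample in Nmap's -oX layout; the host and services are invented.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, str, int]  # (address, protocol, port)

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX baseline.xml 192.0.2.10" start="1700000000">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.2p1"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" tunnel="ssl"/>
<script id="ssl-cert" output="Subject: commonName=www.example.com"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp"/></port>
</ports></host>
<runstats><finished time="1700000100"/></runstats>
</nmaprun>"""

LATEST_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX latest.xml 192.0.2.10" start="1700086400">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.2p1"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" tunnel="ssl"/>
<script id="ssl-cert" output="Subject: commonName=staging.example.com"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp"/></port>
</ports></host>
<runstats><finished time="1700086500"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> Dict[PortKey, dict]:
    """Return open (and open|filtered) ports keyed by (ip, proto, port),
    each with its state, a service string and any NSE script output."""
    found: Dict[PortKey, dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state").get("state", "")
            if not state.startswith("open"):
                continue  # closed/filtered ports are noise for drift tracking
            svc = port.find("service")
            service = ""
            if svc is not None:
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                service = " ".join(v for v in fields if v)
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            found[key] = {"state": state, "service": service, "scripts": scripts}
    return found


def diff_scans(old: Dict[PortKey, dict], new: Dict[PortKey, dict]) -> Dict[str, List[PortKey]]:
    """Classify ports as newly open, no longer open, or changed (service
    banner or script output differs between the two runs)."""
    return {
        "new_open": sorted(set(new) - set(old)),
        "gone": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def report(old_xml: str, new_xml: str) -> List[str]:
    """One line per finding; an empty list means nothing drifted."""
    old, new = parse_nmap_xml(old_xml), parse_nmap_xml(new_xml)
    delta = diff_scans(old, new)
    lines = []
    for ip, proto, port in delta["new_open"]:
        lines.append(f"NEW  {ip} {port}/{proto} {new[(ip, proto, port)]['service']}")
    for ip, proto, port in delta["gone"]:
        lines.append(f"GONE {ip} {port}/{proto} {old[(ip, proto, port)]['service']}")
    for ip, proto, port in delta["changed"]:
        lines.append(f"DIFF {ip} {port}/{proto}: {old[(ip, proto, port)]} -> {new[(ip, proto, port)]}")
    return lines


if __name__ == "__main__":
    # With real files: report(open("baseline.xml").read(), open("latest.xml").read())
    for line in report(BASELINE_XML, LATEST_XML):
        print(line)
```

Keying on (address, protocol, port) rather than on the host alone is what makes the diff useful: a new RDP listener on an otherwise unchanged host, or a certificate that suddenly names a different host, shows up as one line instead of being buried in a full report. Closed and filtered ports are deliberately dropped so that a flapping firewall does not generate noise.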

Why Advanced Nmap Scanning Matters for Ethical Hackers

  • Finds weaknesses beyond open ports: NSE scripts test for specific known flaws and pull service, certificate and ownership details.
  • Tests detection coverage: decoys, fragments and flag-based scans reveal whether a filter or IDS inspects more than plain SYN traffic.
  • Automates assessments: scheduled scans with exported XML make it possible to track change over time instead of reading one-off reports.
