Nmap Network Mapper (Nmap)
In cyber security, enumeration is the most important and highest-priority stage: whoever does it thoroughly has an easier time in every step that follows. Today we learn the network mapper, Nmap. Nmap itself is written in C and C++, its scripting engine (NSE) runs Lua, and the Zenmap GUI is written in Python. It is one of the most used tools in the field and serves many purposes, such as:
- Auditing the security aspects of networks
- Supporting penetration tests
- Checking firewall and IDS settings and configurations
- Finding out which kinds of connections are possible
- Network mapping
- Response analysis
- Identifying open ports
- Vulnerability assessment
Nmap Architecture
Nmap offers many different types of scans that can be used to obtain various results about our targets. Basically, Nmap can be divided into the following scanning techniques:
- Host discovery
- Port scanning
- Service enumeration and detection
- OS detection
- Scriptable interaction with the target service (Nmap Scripting Engine)
Let's start scanning. First we discover hosts.
Host Discovery:
You can scan a single IP, several IPs, a whole range, or a list of targets kept in a file.
Scan a network range:
nmap 192.168.0.1/24 -sn .....>> -sn is a ping scan: host discovery only, no port scan.
Scan an IP list:
nmap -sn -iL IP.txt .....>>> -iL reads the targets from a file, one per line.
Multiple IPs:
nmap -sn 192.168.0.1 192.168.0.2 192.168.0.5 192.168.0.9
Single IP:
nmap -sn 192.168.0.2
On the local subnet a privileged -sn uses ARP requests; against remote targets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. If ICMP is what you want to test (for example whether echo requests are blocked), force it with -PE (add --disable-arp-ping on a local subnet, otherwise Nmap still prefers ARP) and use --packet-trace to watch the packets:
nmap 192.168.0.2 -sn -PE --packet-trace ..>> --packet-trace shows every request sent and every response received.
You can also ask Nmap why it reported a host as up, or a port as open, closed or filtered, with --reason:
nmap 192.168.0.2 -sn --reason
Keep in mind that "host down" only means none of the discovery probes were answered; a host that drops ICMP and the two TCP probes is reported as down. Add -Pn to skip discovery and scan its ports anyway.
Host & Port Scanning:
Before we scan ports we need to know what each port state means:
- Open: a connection was established (the TCP SYN was answered with SYN/ACK, or a UDP reply came back); something is listening.
- Closed: the port is reachable but nothing is listening; the host answered with a TCP RST (or an ICMP port unreachable for UDP).
- Filtered: Nmap cannot tell whether the port is open or closed because a packet filter blocks the probe: either nothing comes back at all, or an ICMP error such as admin-prohibited does.
- Unfiltered: the port is reachable but Nmap cannot tell whether it is open or closed; only an ACK scan (-sA), used to map firewall rules, reports this state.
- Open|Filtered: Nmap cannot decide between open and filtered because no reply came back; typical for UDP, FIN, NULL and Xmas scans, where an open port is allowed to stay silent.
- Closed|Filtered: Nmap cannot decide between closed and filtered; only the idle scan (-sI) reports this state.
By default Nmap scans the 1000 most common TCP ports (the most frequently used ones according to its nmap-services table, not ports 1 to 1000). You can change that with --top-ports 100, -p 20,22,23,25, -p 20-1000, or -p- for all 65535 ports; -F scans only the top 100.
nmap 192.168.0.2 -p20-3000
Result output of the scan:
There are four output options:
- -oA <basename>: writes all three formats below at once (basename.nmap, basename.gnmap, basename.xml).
- -oN: normal output, what you see on the terminal, saved with the .nmap extension.
- -oG: grepable output, one line per host, saved with the .gnmap extension; handy for grep and awk.
- -oX: XML output, saved with the .xml extension; the format other tools import.
If you save the result as XML you can convert it to HTML with the xsltproc tool:
command: xsltproc result.xml -o result.html
Get into the habit of always passing -oA: it costs nothing, and a long scan you forgot to save has to be run again.
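The host discovery and output sections above describe a two-stage workflow (find the live hosts, then port-scan only those) and the grepable format that makes it scriptable. Here is an added example, not code from the original post, that parses -oG files with awk: it pulls the live hosts out of a -sn result and the open ports out of a -sV result, and shows how the first feeds the second through -iL. The scan files it creates are constructed samples in the grepable layout; the addresses, hostnames and version strings are made up.

```sh
#!/bin/sh
# Added example (not from the original post): turn Nmap's grepable (-oG) output
# into input for the next scan stage. Both scan files are CONSTRUCTED samples in
# the real -oG layout; addresses, hostnames and versions are made up.

# Constructed result of:  nmap -sn -oG hosts.gnmap 192.168.0.0/29
make_sample_discovery() {
    f=$(mktemp)
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sn -oG hosts.gnmap 192.168.0.0/29\n'
        printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.0.2 (fileserver.lan)\tStatus: Up\n'
        printf 'Host: 192.168.0.5 ()\tStatus: Down\n'
        printf 'Host: 192.168.0.9 ()\tStatus: Up\n'
        printf '# Nmap done: 8 IP addresses (3 hosts up) scanned\n'
    } > "$f"
    echo "$f"
}

# Constructed result of:  nmap -sV -p 22,80,445,3306 -oG ports.gnmap 192.168.0.2
# Each port is  port/state/proto/owner/service/rpcinfo/version/  and ports are
# separated by ", ". Nmap swaps any '/' inside a field for '|' so this stays parseable.
make_sample_ports() {
    f=$(mktemp)
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,445,3306 -oG ports.gnmap 192.168.0.2\n'
        printf 'Host: 192.168.0.2 (fileserver.lan)\tStatus: Up\n'
        printf 'Host: 192.168.0.2 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///, 3306/closed/tcp//mysql///\n'
        printf '# Nmap done: 1 IP address (1 host up) scanned\n'
    } > "$f"
    echo "$f"
}

# Live hosts: lines "Host: <ip> (<name>)<TAB>Status: Up"  ->  one <ip> per line
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Open ports: "<ip> <port>/<proto> <service>" for every port whose state is "open"
open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), plist, ", ")        # drop the "Ports: " prefix
            for (j = 1; j <= n; j++) {
                split(plist[j], f, "/")                   # f[1]=port f[2]=state f[3]=proto f[5]=service
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }
    }' "$1"
}

# Stage 1 -> stage 2: the live-host list becomes the -iL target file of the port scan.
disc=$(make_sample_discovery)
live_hosts "$disc" > "${disc}.live"
printf 'live hosts written to %s; next: sudo nmap -sS -sV -iL %s -oA fullscan\n' "${disc}.live" "${disc}.live"
open_ports "$(make_sample_ports)"
```

The same two functions work unchanged on real -oG files; the only field that can surprise you is the version string, which Nmap keeps free of '/' precisely so that a split on '/' stays safe.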
Nmap Scripting Engine:
Nmap scripting is a great part of Nmap. Scripts are grouped into 14 categories, and --script accepts a script name, a category name, or a boolean expression over categories:
1. auth (Authentication): scripts that deal with authentication on the target: anonymous logins, default or empty credentials, and ways to bypass authentication. Guessing passwords belongs to the brute category, not here.
EX: sudo nmap --script ftp-anon -p 21 10.129.24.228, sudo nmap --script http-auth -p 80 10.129.24.228
2. broadcast (Host discovery via broadcasting): discovers hosts on the local network by broadcasting requests instead of probing the targets given on the command line.
EX: sudo nmap --script broadcast-dhcp-discover
3. brute (Brute-force login attempts): scripts that guess credentials against services such as SSH, FTP, MySQL, Telnet and SMTP. Noisy, and they can lock accounts out.
EX: sudo nmap --script ssh-brute -p 22 10.129.24.228
4. default: the scripts run by -sC (or -A): general-purpose checks such as SSL certificates, HTTP titles and anonymous FTP. They are chosen to be fast and useful, but not all of them are in the safe category.
EX: sudo nmap -sC -p 80 10.129.24.228
5. discovery (Service identification): scripts that actively learn more about the network, such as DNS service discovery, SNMP queries and directory listings.
EX: sudo nmap --script dns-service-discovery 10.129.24.228
6. dos (Denial of service): scripts that may crash or exhaust the target; they test for DoS conditions rather than simulate load. Run them only with explicit permission.
EX: sudo nmap --script http-slowloris -p 80 10.129.24.228
7. exploit (Exploitation): scripts that actively exploit a vulnerability instead of only checking for it.
EX: sudo nmap --script http-shellshock -p 80 10.129.24.228
8. external (External service interaction): scripts that send data to a third-party resource, such as IP geolocation, reputation and DNS lookups. Keep in mind that the target's address leaves your network and reaches that third party.
EX: sudo nmap --script ip-geolocation-geoplugin 10.129.24.228
9. fuzzer: scripts that send unexpected or randomized input to a service to find bugs, such as the DNS, HTTP and SNMP fuzzers. Slow, and they may crash the service.
EX: sudo nmap --script dns-fuzz 10.129.24.228
10. intrusive (Aggressive scans): scripts that may affect the target negatively or be seen as malicious, such as SQL injection checks, brute forcing and exploitation. Everything that is not safe is here.
EX: sudo nmap --script http-sql-injection -p 80 10.129.24.228
11. malware (Malware detection): checks whether the target hosts or is infected by malware, for example by matching known malware-hosting signatures.
EX: sudo nmap --script http-malware-host -p 80 10.129.24.228
12. safe (Non-intrusive scans): scripts not designed to crash services, use a lot of bandwidth or exploit anything: banner grabbing, HTTP title extraction, SSL certificate information and similar.
EX: sudo nmap --script ssl-cert -p 443 10.129.24.228
13. vuln (Vulnerability identification): checks for specific known vulnerabilities and reports them, e.g. Shellshock (HTTP), Heartbleed (SSL) and EternalBlue / MS17-010 (SMB).
EX: sudo nmap --script http-vuln-cve2017-5638 -p 80 10.129.24.228, sudo nmap --script smb-vuln-ms17-010 -p 445 10.129.24.228
14. version (Service version detection): extensions of -sV that help identify service versions (for example SSH, MySQL and FTP). They run automatically with -sV and are not normally selected by name.
EX: sudo nmap -sV -p 21 192.168.0.2
Categories can be combined: sudo nmap --script "vuln and safe" 10.129.24.228 runs only the non-intrusive vulnerability checks, and sudo nmap --script-help ssh-brute shows what a script does before you run it. Scripts in the brute, dos, exploit and intrusive categories change things on the target; use them only inside your agreed scope.
Firewall and IDS/IPS Evasion
Nmap provides a number of ways to probe and bypass firewall rules. A firewall is a software (or hardware) component with a set of pre-built rules: traffic that matches a rule is blocked or allowed according to that rule, and traffic that matches nothing is handled by the default policy.
An IDS (intrusion detection system) inspects traffic for malicious activity and raises an alert when it finds some; an IPS (intrusion prevention system) does the same inspection inline and takes defensive action, such as dropping the connection or blocking the source address.
Determine Firewalls and Their Rules
Earlier we saw that a port can show up as filtered. There are several reasons: a firewall dropped the packet silently, it was rejected, or it never arrived at all. When a packet is rejected, a router or firewall sends an ICMP error back, and with --reason or --packet-trace you will see messages like these:
- Net Unreachable
- Net Prohibited
- Host Unreachable
- Host Prohibited
- Port Unreachable
- Proto Unreachable
A port that gets no reply at all (no-response) was most likely dropped silently, while one of these ICMP messages means a filtering device answered, and its source address tells you which hop did the filtering.
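To make the dropped-versus-rejected distinction above concrete, here is an added example (not from the original post) that reads a report produced with --reason and labels each port by what came back: nothing (dropped), an ICMP error (rejected, with the address of the device that sent it), a RST (closed) or a SYN/ACK (listening). The report it parses is a constructed sample in the layout --reason prints; the addresses and the 192.168.0.254 filtering hop are made up.

```sh
#!/bin/sh
# Added example (not from the original post): classify ports from a --reason scan
# into dropped / rejected / closed / listening and name the device that rejected.
# The report is a CONSTRUCTED sample in the --reason layout; addresses are made up.

make_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Nmap scan report for 192.168.0.2
Host is up, received echo-reply ttl 64 (0.0012s latency).

PORT     STATE    SERVICE       REASON
21/tcp   filtered ftp           no-response
22/tcp   open     ssh           syn-ack ttl 64
80/tcp   open     http          syn-ack ttl 64
443/tcp  filtered https         admin-prohibited from 192.168.0.254
445/tcp  closed   microsoft-ds  reset ttl 64
3389/tcp filtered ms-wbt-server host-unreach from 192.168.0.254
EOF
    echo "$f"
}

# One line per port:  <port><TAB><state><TAB><verdict>
#   listening     SYN/ACK (or a UDP reply) came back: a service is there
#   closed        RST or ICMP port-unreachable: host reachable, nothing bound
#   dropped       nothing came back: DROP rule, or loss / rate limiting
#   rejected by   an ICMP error came back; the sender is the filtering device
port_verdicts() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" {
        reason = $4
        if (reason == "syn-ack" || reason == "udp-response")       verdict = "listening"
        else if (reason == "reset" || reason == "port-unreach")    verdict = "closed"
        else if (reason == "no-response")                          verdict = "dropped"
        else if (reason ~ /unreach|prohibited/)                    verdict = "rejected by " (($5 == "from") ? $6 : "target")
        else                                                       verdict = "unknown(" reason ")"
        printf "%s\t%s\t%s\n", $1, $2, verdict
    }' "$1"
}

# Summary: how many probes were dropped vs rejected, and who did the rejecting.
# Mostly "dropped"  -> a firewall silently discards (no hint about the device)
# "rejected by X"   -> X is a filtering hop; its rules, not the host's, shaped the result
filter_summary() {
    port_verdicts "$1" | awk -F'\t' '
        $3 == "dropped"        { d++ }
        $3 ~ /^rejected by /   { r++; who[substr($3, 13)]++ }
        END {
            printf "dropped=%d rejected=%d\n", d, r
            for (h in who) printf "rejecting device: %s (%d ports)\n", h, who[h]
        }'
}

report=$(make_sample_report)
port_verdicts "$report"
filter_summary "$report"
```

Run it against a real `nmap --reason` report and the summary line is the first thing to read: a scan that is all "dropped" says nothing about the filtering device, while even one "rejected by" line hands you the address of the firewall or router that is enforcing the rules.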
Bypassing
Sometimes the firewall blocks our real IP. Nmap has a nice feature for this: decoys. With -D Nmap sends the same probes from several spoofed source addresses mixed in with our own, so the target's logs show many scanners and the defender cannot easily tell which one is real.
Decoy flag: sudo nmap 192.168.0.2 -sS -D RND:5 ..>> five random decoys; or -D 10.10.10.1,10.10.10.2,ME to choose the decoys yourself and set our position (ME) in the list.
Caveats: our real address still appears among the decoys (it is hidden, not removed); decoys only work with raw-packet scans such as -sS, not with -sT or version detection; decoy hosts should be up, otherwise the target's SYN/ACKs to them never get a RST and you may effectively SYN-flood it; and many ISPs drop packets with spoofed source addresses.
Nmap can also send from an arbitrary source address with -S, choosing the interface with -e (for example over a VPN on tun0): sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0. The replies go to the spoofed address, so we only get results if that address is ours to read; otherwise this is mainly useful to test whether the firewall trusts a particular source network while we sniff the wire.
Another trick is to pick a source port the firewall is likely to trust, such as TCP port 53 (DNS), with --source-port. If the administrator has a rule that lets traffic from port 53 through and the IDS/IPS is not configured to inspect it properly, our TCP packets are trusted and passed through; IDS/IPS rules for that port are also often weaker than for others. This only works against stateless or badly written rules: a stateful firewall tracks connections and does not care which source port the SYN came from.
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
Performance Nmap
Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low bandwidth. Nmap lets us control:
- -T <0-5>: the timing template, from 0 (paranoid) to 5 (insane); -T3 is the default.
- --min-parallelism / --max-parallelism <number>: how many probes are outstanding at the same time.
- --initial-rtt-timeout / --max-rtt-timeout <time>: how long Nmap waits for a reply before giving up on a probe.
- --min-rate / --max-rate <number>: how many packets per second to send.
- --max-retries <number>: how many times a probe is retransmitted for a port that did not answer.
EX:
sudo nmap 10.129.2.0/24 -F
sudo nmap 10.129.2.0/24 -F --max-retries 0
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
sudo nmap 10.129.2.0/24 -F --min-rate 300
sudo nmap 10.129.2.0/24 -F -T 5
Speed is traded for accuracy: with --max-retries 0 or very short RTT timeouts, probes lost to congestion are reported as filtered or missed, so compare a fast scan against a slower one before trusting it. -T5 and a high --min-rate are also noisy and can overwhelm fragile devices such as printers and embedded systems.