Nmap Mastery - Basic to Pro (Hack like Pro)

 

Nmap: From Basic to Pro – Scan Like a Pro

Introduction

Nmap (Network Mapper) is the most powerful open-source network scanning tool, used by penetration testers, hackers, and cybersecurity professionals for host discovery, port scanning, vulnerability detection, and network mapping.

This guide will take you from basic scanning techniques to advanced stealthy reconnaissance, mimicking the methods of nation-state hackers and red teams.


Table of Contents

  1. Basic Scanning Techniques

  2. Advanced Port Scanning

  3. Service & OS Detection

  4. Stealth & Evasion Techniques

  5. Vulnerability Scanning

  6. Scripting & Automation

  7. Real-World Attack Scenarios

  8. Defensive Countermeasures


1. Basic Scanning Techniques

1.1 Simple Ping Scan (Host Discovery)

bash
nmap -sn 192.168.1.0/24
  • -sn: Disables port scanning (only pings hosts).

  • Use case: Quickly find live hosts in a network.

1.2 Basic Port Scan

bash
nmap 192.168.1.100
  • Scans the 1,000 most common TCP ports (as a SYN scan when run as root; as a TCP connect scan otherwise).

  • Use case: Quick recon on a single target.

1.3 Scan Specific Ports

bash
nmap -p 80,443,22 192.168.1.100
  • -p: Specifies ports (a comma-separated list, a range such as 1-100, or a mix of both).

  • Use case: Check for common web/SSH services.

1.4 Aggressive Scan (Fast & Verbose)

bash
nmap -A 192.168.1.100
  • -A: Enables OS detection, version detection, script scanning, and traceroute.

  • Use case: Gather maximum info in one scan.


2. Advanced Port Scanning

2.1 TCP SYN Scan (Stealthy)

bash
nmap -sS 192.168.1.100
  • -sS: Half-open scan (sends SYN, answers the SYN/ACK with RST, so the TCP handshake is never completed; needs root privileges for raw packets).

  • Use case: Avoid detection by basic firewalls.

2.2 UDP Scan (Slow but Critical)

bash
nmap -sU -p 53,161 192.168.1.100
  • -sU: Scans UDP ports (here 53/DNS and 161/SNMP); slow because a port that sends no reply can only be reported as open|filtered.

  • Use case: Find DNS servers, IoT devices.

2.3 Comprehensive Scan (All Ports + Services)

bash
nmap -p- -sV -T4 192.168.1.100
  • -p-: Scan all 65,535 ports.

  • -sV: Probe service versions.

  • -T4: Aggressive timing (faster results).

2.4 Firewall Evasion (Fragmented Packets)

bash
nmap -f 192.168.1.100
  • -f: Splits probes into tiny IP fragments (8 bytes of payload each; -ff uses 16).

  • Use case: Bypass IDS/IPS.


3. Service & OS Detection

3.1 Detect OS Fingerprint

bash
nmap -O 192.168.1.100
  • -O: Guesses the target OS from TCP/IP stack fingerprinting (works best when at least one open and one closed TCP port are found).

  • Use case: Identify Windows vs. Linux targets.

3.2 Detect Service Versions

bash
nmap -sV 192.168.1.100
  • -sV: Probes services (e.g., Apache 2.4.41).

  • Use case: Find outdated software for exploits.

3.3 Grab HTTP Headers (Web Servers)

bash
nmap --script http-headers -p 80,443 192.168.1.100
  • --script http-headers: Prints the HTTP response headers (Server, X-Powered-By, etc.).


4. Stealth & Evasion Techniques

4.1 Idle Scan (Zombie Scan)

bash
nmap -sI zombie_ip:port target_ip
  • -sI: Uses an idle host to mask your IP.

  • Use case: Stay anonymous while scanning.

4.2 Randomize Hosts & Delays

bash
nmap --randomize-hosts --scan-delay 5s 192.168.1.0/24
  • --randomize-hosts: Avoids sequential scanning.

  • --scan-delay: Adds delays to evade rate-based detection.

4.3 Decoy Scan (Fake IPs)

bash
nmap -D RND:5 192.168.1.100
  • -D RND:5: Generates 5 random decoy IPs.

  • Use case: Confuse SOC analysts.


5. Vulnerability Scanning

5.1 NSE (Nmap Scripting Engine)

bash
nmap --script vuln 192.168.1.100
  • --script vuln: Runs vulnerability checks (e.g., CVE-2021-4034).

5.2 SMB Vulnerabilities Check

bash
nmap --script "smb-vuln*" -p 445 192.168.1.100   # quote the wildcard so the shell does not expand it
  • Checks for MS17-010 (EternalBlue) and other known SMB flaws.

5.3 Heartbleed Detection

bash
nmap -p 443 --script ssl-heartbleed 192.168.1.100

6. Scripting & Automation

6.1 Save Scan Results

bash
nmap -oN scan.txt -oX scan.xml 192.168.1.100
  • -oN: Normal, human-readable text output.

  • -oX: XML output (importable into tools like Metasploit).

6.2 Scan Multiple Targets from File

bash
nmap -iL targets.txt
  • -iL: Input list of IPs/hosts.

6.3 Automate with Bash

bash
while read -r ip; do nmap -p 22,80,443 "$ip"; done < ips.txt   # one host per line; quoting avoids word-splitting

7. Real-World Attack Scenarios

Scenario 1: External Recon (Black-Box Testing)

bash
nmap -Pn -sS -p- -T4 --min-rate 1000 -oN full_scan.txt target.com
  • -Pn: Skip host discovery (treat the target as up even if it ignores pings).

  • --min-rate 1000: Speed up scan (aggressive).

Scenario 2: Internal Pivoting

bash
nmap -sn 10.1.1.0/24          # Find live hosts
nmap -A -p 22,80,443 10.1.1.5 # Probe services

8. Defensive Countermeasures

How Blue Teams Detect Nmap

  • SYN scans (many half-open connections: SYNs from one source that are never followed by an ACK).

  • Rate-based detection (too many probes to distinct ports in a short time).

  • Nmap’s default probes (unusual TCP flag combinations such as NULL/Xmas probes, and the distinctive TCP option sets of OS-detection probes).
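As an added example (not part of the original post), the first two detection ideas above applied to a constructed firewall log: one rule flags a source that touches many distinct ports on a host within a short window, the other flags flag combinations that never occur in ordinary sessions. The log layout is iptables-LOG-like but invented here, and the thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log in an iptables-LOG-like layout (not real traffic).
SAMPLE_LOG = """
2024-05-01T10:00:00 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=22 FLAGS=S
2024-05-01T10:00:00 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=80 FLAGS=S
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=443 FLAGS=S
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=445 FLAGS=S
2024-05-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=3389 FLAGS=S
2024-05-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP DPT=8080 FLAGS=S
2024-05-01T10:00:05 SRC=10.0.0.9 DST=192.168.1.100 PROTO=TCP DPT=443 FLAGS=S
2024-05-01T10:00:06 SRC=10.0.0.9 DST=192.168.1.100 PROTO=TCP DPT=443 FLAGS=A
2024-05-01T10:00:07 SRC=10.0.0.7 DST=192.168.1.100 PROTO=TCP DPT=25 FLAGS=FPU
2024-05-01T10:00:08 SRC=10.0.0.8 DST=192.168.1.100 PROTO=TCP DPT=25 FLAGS=
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) FLAGS=(\S*)$")
NORMAL_FLAGS = {"S", "SA", "A", "PA", "FA", "R", "RA"}  # flag sets seen in ordinary sessions


def parse_log(text):
    """Yield (timestamp, src, dst, dport, flags) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, flags = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_scans(text, window_s=10, port_threshold=5):
    """Return alerts: ('port_sweep', src, dst, distinct_ports) or ('odd_flags', src, dst, flags)."""
    alerts, by_pair = [], defaultdict(list)
    for ts, src, dst, dport, flags in parse_log(text):
        if flags not in NORMAL_FLAGS:  # NULL ("") and Xmas ("FPU") probes are never part of a real session
            alerts.append(("odd_flags", src, dst, flags))
        by_pair[(src, dst)].append((ts, dport))
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over this source's probes
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= port_threshold:
                alerts.append(("port_sweep", src, dst, len(ports)))
                break  # one alert per (src, dst) pair
    return alerts
```

The normal client 10.0.0.9 (one port, SYN then ACK) produces no alert, which is the false-positive check worth keeping when you tune the window and threshold for your own network.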

How to Evade Detection

✅ Use -T2 (slower scan) to avoid triggering alarms.
✅ Fragment packets (-f) to bypass IDS.
✅ Use decoys (-D) to hide your IP.


Conclusion

You’ve now mastered Nmap from basic scans to nation-state-level reconnaissance.

Next Steps:

  • Practice on HackTheBox & TryHackMe.

  • Learn Metasploit integration (db_nmap).

  • Explore custom NSE scripts for advanced attacks.

Disclaimer: This content is for educational purposes only.

🚀 Happy Scanning! 🚀
