My toolbox consists of many tools to support me in my daily work. I got everything from small Python and Ruby scripts to fully fledged tools like Nessus and alike. One of the tools I value the most and the most crucial tool to kick-start the penetration testing process is Nmap. Nmap is an open sourced network mapper for network exploration and security auditing.

Nmap comes with no GUI – it runs from the command line. There are some GUI’s available out there – I’ve tried some of them but I prefer to run Nmap from the command line. Either directly or through the Metasploit console. Running Nmap through Metasploit is useful when doing a full penetration test. You can record the findings directory into Metasploit and use that as a basis for later explorations.

Nmap is available for the most platforms and can downloaded from here.

Typical uses of Nmap

Typically when talking to people they make a remark that Nmap is a tool for hackers. Rest assured, it’s not. It’s more like a Swiss army knife. It is used by security consultants, testers, network admins and many more due to its flexibility. Anyhow – here’s a small list of typical uses

  • Network inventory
  • Asset management
  • Maintenance
  • Finding open ports available on the network
  • Finding services on the network
  • Host discovery
  • Finding and exploiting vulnerabilities in a network

My typical usages

I use Nmap in two ways. First, I use it to document all open TCP and UDP ports on a network. Secondly, I use it to decide the operating system on remote targets.

Listing all open ports

When doing vulnerability scans I produce and handover a report containing a list of all open TCP and UDP ports on the entire port range for a set of targets. Below is an example on how I instruct Nmap to scan both TCP and UDP for the entire port range:

$ nmap -p 0-65535 -sS -sU -oX scanreport.xml -iL hostsfile.txt

The -p switch enables me to define which ports I want to scan. In this example we use the entire port range including the 0 port. The 0 port is kind of special since you must manually specify it – Nmap doesn’t scan it right out of the box.
The -sS and -sU switch instructs Nmap to use TCP SYN Scan and regular UDP scan.

In order to save the scanning results we set the -oX switch pointing to a XML file. This makes Nmap route it’s output to a XML file which I’ll parse with a simple Ruby script into a HTML table for my final report.

Often I need to scan many IP addresses. Defining them one by one on the command lines takes too long and may be riddled with errors. Nmap has a nifty function. You can define all the IP’s in a textfile and simply make Nmap read from this file. That’s what the -iL is for.

Fingerprinting operating systems

Often I find myself in the situation not knowing what the remote operating system is. Sometimes it can be tricky to figure out this vital information, especially if the server guys has done their job well.

$ nmap -O target_address

The -O switch enables OS detection.


If this peaked your interests, why not check out these resources