Nmap Port Scanning & Vulnerability Assessment

Introduction

Nmap (Network Mapper) is a powerful open-source tool used for network discovery, port scanning, and vulnerability assessment. This document provides a detailed walkthrough of using Nmap to scan a target IP or network range, including the commands used and the findings obtained.

Nmap Scanning Process

1. Target Identification

Before scanning, determine the target:

Single IP: 192.168.1.1
Subnet: 192.168.1.0/24
Domain: example.com

2. Basic Ping Scan (Check Live Hosts)

Command:

nmap -sn 192.168.1.0/24

Finds live hosts in the target network without scanning ports.

3. Comprehensive Port Scan

Command:

nmap -p- 192.168.1.1

Scans all 65,535 ports on the target.
Useful for finding non-standard open ports.

4. Service & Version Detection

Command:

nmap -sV -p 22,80,443 192.168.1.1

Detects services and software versions running on specific ports.

5. OS Detection

Command:

nmap -O 192.168.1.1

Attempts to determine the operating system of the target.

6. Detecting Vulnerabilities (Nmap Scripting Engine - NSE)

Command:

nmap --script=vuln 192.168.1.1

Runs vulnerability scans using built-in NSE scripts.
Identifies known vulnerabilities in exposed services.

7. Stealth Scan (Avoid Detection)

Command:

nmap -sS -T2 192.168.1.1

Performs a SYN scan, which is less likely to trigger firewalls/IDS alerts.

8. Aggressive Scan (Detailed Information)

Command:

nmap -A 192.168.1.1

Combines OS detection, service version detection, and traceroute.
More intrusive but provides maximum information.

9. Scanning for Specific Vulnerabilities

🔍 Detect Heartbleed Vulnerability

nmap --script=ssl-heartbleed -p 443 192.168.1.1

🔍 Detect SMB Vulnerabilities (EternalBlue, etc.)

nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1

Findings & Analysis

Example Scan Results:

PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.46
445/tcp  open   microsoft-ds Windows SMB Server 2016

VULNERABILITIES:
- SMBv1 is enabled (CVE-2017-0144 - EternalBlue)
- OpenSSH outdated (possible CVE-2021-41617 exploit)

Risk Analysis

SMBv1 Enabled ➝ Risk of EternalBlue (WannaCry) exploits.
Outdated OpenSSH ➝ Potential for remote code execution vulnerabilities.
Apache Server Exposed ➝ Check for misconfigurations & known CVEs.

Mitigation Recommendations

Secure Open Ports

Close unused ports.
Restrict access using firewalls (e.g., UFW, iptables).

Update Vulnerable Services

Upgrade OpenSSH to the latest secure version.
Disable SMBv1 to prevent EternalBlue exploits.

Enhance Network Security

Implement intrusion detection/prevention systems (IDS/IPS).
Enforce strong authentication (e.g., SSH keys, 2FA).

PreviousGoogle Hacking (Google Dorking)NextProof-of-Concept Exploit: EternalBlue (MS17-010)

Nmap Port Scanning & Vulnerability Assessment

Introduction

Nmap Scanning Process

1. Target Identification

Before scanning, determine the target:

Single IP: 192.168.1.1
Subnet: 192.168.1.0/24
Domain: example.com

2. Basic Ping Scan (Check Live Hosts)

Command:

nmap -sn 192.168.1.0/24

Finds live hosts in the target network without scanning ports.

3. Comprehensive Port Scan

Command:

nmap -p- 192.168.1.1

Scans all 65,535 ports on the target.
Useful for finding non-standard open ports.

4. Service & Version Detection

Command:

nmap -sV -p 22,80,443 192.168.1.1

Detects services and software versions running on specific ports.

5. OS Detection

Command:

nmap -O 192.168.1.1

Attempts to determine the operating system of the target.

6. Detecting Vulnerabilities (Nmap Scripting Engine - NSE)

Command:

nmap --script=vuln 192.168.1.1

Runs vulnerability scans using built-in NSE scripts.
Identifies known vulnerabilities in exposed services.

7. Stealth Scan (Avoid Detection)

Command:

nmap -sS -T2 192.168.1.1

Performs a SYN scan, which is less likely to trigger firewalls/IDS alerts.

8. Aggressive Scan (Detailed Information)

Command:

nmap -A 192.168.1.1

Combines OS detection, service version detection, and traceroute.
More intrusive but provides maximum information.

9. Scanning for Specific Vulnerabilities

🔍 Detect Heartbleed Vulnerability

nmap --script=ssl-heartbleed -p 443 192.168.1.1

🔍 Detect SMB Vulnerabilities (EternalBlue, etc.)

nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1

Findings & Analysis

Example Scan Results:

PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.46
445/tcp  open   microsoft-ds Windows SMB Server 2016

VULNERABILITIES:
- SMBv1 is enabled (CVE-2017-0144 - EternalBlue)
- OpenSSH outdated (possible CVE-2021-41617 exploit)

Risk Analysis

SMBv1 Enabled ➝ Risk of EternalBlue (WannaCry) exploits.
Outdated OpenSSH ➝ Potential for remote code execution vulnerabilities.
Apache Server Exposed ➝ Check for misconfigurations & known CVEs.

Mitigation Recommendations

Secure Open Ports

Close unused ports.
Restrict access using firewalls (e.g., UFW, iptables).

Update Vulnerable Services

Upgrade OpenSSH to the latest secure version.
Disable SMBv1 to prevent EternalBlue exploits.

Enhance Network Security

Implement intrusion detection/prevention systems (IDS/IPS).
Enforce strong authentication (e.g., SSH keys, 2FA).

PreviousGoogle Hacking (Google Dorking)NextProof-of-Concept Exploit: EternalBlue (MS17-010)