Nmap Port Scanning & Vulnerability Assessment

Introduction

Nmap (Network Mapper) is a powerful open-source tool used for network discovery, port scanning, and vulnerability assessment. This document provides a detailed walkthrough of using Nmap to scan a target IP or network range, including the commands used and the findings obtained.

---

Nmap Scanning Process

1. Target Identification

Before scanning, determine the target:

• Single IP: 192.168.1.1

• Subnet: 192.168.1.0/24

• Domain: example.com

2. Basic Ping Scan (Check Live Hosts)

Command:

nmap -sn 192.168.1.0/24

Finds live hosts in the target network without scanning ports.

3. Comprehensive Port Scan

Command:

nmap -p- 192.168.1.1

• Scans all 65,535 ports on the target.

• Useful for finding non-standard open ports.

4. Service & Version Detection

Command:

nmap -sV -p 22,80,443 192.168.1.1

• Detects services and software versions running on specific ports.

5. OS Detection

Command:

nmap -O 192.168.1.1

• Attempts to determine the operating system of the target.

6. Detecting Vulnerabilities (Nmap Scripting Engine - NSE)

Command:

nmap --script=vuln 192.168.1.1

• Runs vulnerability scans using built-in NSE scripts.

• Identifies known vulnerabilities in exposed services.

7. Stealth Scan (Avoid Detection)

Command:

nmap -sS -T2 192.168.1.1

• Performs a SYN scan, which is less likely to trigger firewalls/IDS alerts.

8. Aggressive Scan (Detailed Information)

Command:

nmap -A 192.168.1.1

• Combines OS detection, service version detection, and traceroute.

• More intrusive but provides maximum information.

9. Scanning for Specific Vulnerabilities

🔍 Detect Heartbleed Vulnerability

nmap --script=ssl-heartbleed -p 443 192.168.1.1

🔍 Detect SMB Vulnerabilities (EternalBlue, etc.)

nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1

---

Findings & Analysis

Example Scan Results:

PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.46
445/tcp  open   microsoft-ds Windows SMB Server 2016

VULNERABILITIES:
- SMBv1 is enabled (CVE-2017-0144 - EternalBlue)
- OpenSSH outdated (possible CVE-2021-41617 exploit)

Risk Analysis

• SMBv1 Enabled ➝ Risk of EternalBlue (WannaCry) exploits.

• Outdated OpenSSH ➝ Potential for remote code execution vulnerabilities.

• Apache Server Exposed ➝ Check for misconfigurations & known CVEs.

---

Mitigation Recommendations

Secure Open Ports

• Close unused ports.

• Restrict access using firewalls (e.g., UFW, iptables).

Update Vulnerable Services

• Upgrade OpenSSH to the latest secure version.

• Disable SMBv1 to prevent EternalBlue exploits.

Enhance Network Security

• Implement intrusion detection/prevention systems (IDS/IPS).

• Enforce strong authentication (e.g., SSH keys, 2FA).

---