Nmap Port Scanning & Vulnerability Assessment

Introduction

Nmap (Network Mapper) is a powerful open-source tool used for network discovery, port scanning, and vulnerability assessment. This document provides a detailed walkthrough of using Nmap to scan a target IP or network range, including the commands used and the findings obtained.

Nmap Scanning Process

1. Target Identification

Before scanning, determine the target:

  • Single IP: 192.168.1.1

  • Subnet: 192.168.1.0/24

  • Domain: example.com

2. Basic Ping Scan (Check Live Hosts)

Command:

nmap -sn 192.168.1.0/24

Finds live hosts in the target network without scanning ports.

3. Comprehensive Port Scan

Command:

nmap -p- 192.168.1.1

  • Scans all 65,535 ports on the target.

  • Useful for finding non-standard open ports.

4. Service & Version Detection

Command:

nmap -sV -p 22,80,443 192.168.1.1

  • Detects services and software versions running on specific ports.

5. OS Detection

Command:

nmap -O 192.168.1.1

  • Attempts to determine the operating system of the target.

6. Detecting Vulnerabilities (Nmap Scripting Engine - NSE)

Command:

nmap --script=vuln 192.168.1.1

  • Runs vulnerability scans using built-in NSE scripts.

  • Identifies known vulnerabilities in exposed services.

7. Stealth Scan (Avoid Detection)

Command:

nmap -sS -T2 192.168.1.1

  • Performs a SYN scan, which is less likely to trigger firewalls/IDS alerts.

8. Aggressive Scan (Detailed Information)

Command:

nmap -A 192.168.1.1

  • Combines OS detection, service version detection, and traceroute.

  • More intrusive but provides maximum information.

9. Scanning for Specific Vulnerabilities

🔍 Detect Heartbleed Vulnerability

nmap --script=ssl-heartbleed -p 443 192.168.1.1

🔍 Detect SMB Vulnerabilities (EternalBlue, etc.)

nmap --script=smb-vuln-ms17-010 -p 445 192.168.1.1

Findings & Analysis

Example Scan Results:

PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open   http         Apache httpd 2.4.46
445/tcp  open   microsoft-ds Windows SMB Server 2016

VULNERABILITIES:
- SMBv1 is enabled (CVE-2017-0144 - EternalBlue)
- OpenSSH outdated (possible CVE-2021-41617 exploit)

Risk Analysis

  • SMBv1 Enabled ➝ Risk of EternalBlue (WannaCry) exploits.

  • Outdated OpenSSH ➝ Potential for remote code execution vulnerabilities.

  • Apache Server Exposed ➝ Check for misconfigurations & known CVEs.

Mitigation Recommendations

Secure Open Ports

  • Close unused ports.

  • Restrict access using firewalls (e.g., UFW, iptables).

Update Vulnerable Services

  • Upgrade OpenSSH to the latest secure version.

  • Disable SMBv1 to prevent EternalBlue exploits.

Enhance Network Security

  • Implement intrusion detection/prevention systems (IDS/IPS).

  • Enforce strong authentication (e.g., SSH keys, 2FA).

PreviousGoogle Hacking (Google Dorking)NextProof-of-Concept Exploit: EternalBlue (MS17-010)