Uploaded by Rahul Goyal

Project 7 Network Port Scanning with Nmap and Masscan
Project Overview:

Network port scanning is a critical technique in cybersecurity used to discover open ports,
services, and potential vulnerabilities on target networks. This project will delve into the
methodologies and tools necessary to perform network port scanning using two widely-used
utilities: Nmap and Masscan. By conducting port scans on target networks, the project aims
to provide insights into network topology, identify active hosts, and assess the overall
security posture.

Project Objectives:

1. Understanding Network Port Scanning: Participants will grasp the fundamentals of
network port scanning, its significance in cybersecurity, and the various techniques
employed (e.g., TCP SYN scan, TCP connect scan, UDP scan).
2. Installation and Configuration: Detailed instructions will be provided on installing and
configuring Nmap and Masscan across different operating systems (Linux, Windows,
macOS). Participants will learn about customization options and settings to tailor port
scanning behavior.
3. Exploring Nmap Features: The project will cover Nmap's extensive feature set, including
host discovery, service version detection, OS detection, and the scripting engine.
Participants will become familiar with Nmap's command-line options and syntax for
conducting effective port scans.
4. Understanding Masscan: An introduction to Masscan will be provided, highlighting its
high-speed port scanning capabilities. A comparison with Nmap regarding speed,
efficiency, and use cases will be outlined.
5. Performing Port Scans: Step-by-step demonstrations will guide participants through the
process of conducting port scans using both Nmap and Masscan. Various scan types and
techniques (e.g., SYN scan, UDP scan, banner grabbing) will be explored, along with tips
for optimizing scan performance.
6. Analyzing Scan Results: Participants will learn to interpret scan results generated by
Nmap and Masscan, identifying open ports, services, and potential vulnerabilities.
Techniques for prioritizing and categorizing findings based on severity and impact will be
discussed.
7. Reporting and Documentation: Guidance will be provided on documenting and reporting
scan findings effectively. A template for creating comprehensive scan reports, including
executive summaries, methodologies, findings, and recommendations, will be shared.
8. Best Practices and Considerations: Participants will understand best practices for
conducting ethical and responsible port scanning activities. Legal and ethical
considerations, such as obtaining proper authorization and consent before scanning, will
be emphasized.

Project Deliverables:
Comprehensive documentation and tutorials on network port scanning with Nmap and
Masscan.
Sample scan reports and analysis of scan results.
Recommendations for further research and exploration in the realm of network security
and port scanning.

Let's delve into the details of the tools used in this project:
Nmap and Masscan

1. Nmap (Network Mapper):

Overview:

Nmap is a versatile and powerful open-source tool used for network exploration and security
auditing. It is designed to discover hosts and services on a computer network, thus creating a
map of the network topology. Nmap is widely regarded as one of the most comprehensive
network scanning tools available and is favored by both cybersecurity professionals and
enthusiasts alike.

Features:

Host Discovery: Nmap can identify active hosts on a network using various techniques
such as ICMP echo requests, TCP SYN scans, and ARP requests.
Port Scanning: Nmap can scan for open ports on target hosts, including TCP, UDP, and
SCTP ports. It offers multiple scan types, including SYN scan, connect scan, and ACK
scan, allowing users to choose the most suitable method based on their requirements.
Service Version Detection: Nmap can determine the version of services running on open
ports, helping users identify potential vulnerabilities and misconfigurations.
OS Detection: Nmap can infer the operating system of a target host based on various
network behaviors and characteristics.
Scripting Engine: Nmap features a powerful scripting engine that allows users to write
custom scripts (Nmap scripts or NSE scripts) to automate tasks, perform additional
checks, or gather more information during scans.

Usage:

Nmap is primarily command-line driven, with a wide range of options and parameters
available to customize scan behavior. Users can specify target hosts, scan types, port ranges,
and scan timing options using Nmap's command-line interface. Additionally, Nmap's output
can be saved in various formats, including plain text, XML, and grepable formats, for further
analysis and reporting.
2. Masscan:

Overview:

Masscan is a high-speed network scanner designed for large-scale network reconnaissance.
Unlike Nmap, which is feature-rich but relatively slow, Masscan prioritizes speed and
efficiency, making it ideal for scanning large networks or conducting time-sensitive
assessments. Masscan is optimized for performance and can scan the entire IPv4 address
space in minutes.

Features:

High-Speed Scanning: Masscan is optimized for speed and can send and receive packets
at rates exceeding 10 million packets per second, enabling rapid network reconnaissance.
Asynchronous Scanning: Masscan is asynchronous, allowing it to send and receive
packets independently of each other. This asynchronous behavior contributes to its high-
speed scanning capabilities.
Flexible Port Specification: Masscan supports flexible port specification, allowing users to
specify single ports, port ranges, or even entire port ranges using wildcard notation.
Customizable Output: Masscan provides options to customize the output format and
verbosity level, allowing users to tailor the output to their specific needs.
Raw Packet Manipulation: Masscan allows users to manipulate and craft raw packets at a
low level, giving them fine-grained control over the scanning process.

Usage:

Masscan is primarily command-line driven and follows a similar syntax to Nmap. Users can
specify target IP ranges, port ranges, and scan options using Masscan's command-line
interface. Additionally, Masscan's output can be redirected to files or piped to other tools for
further analysis and processing.

Comparison:

While both Nmap and Masscan are used for network reconnaissance and port scanning, they
differ in their approach and capabilities. Nmap is feature-rich and offers comprehensive
scanning options, including service version detection and OS detection, but it may be slower
compared to Masscan, especially for large-scale scans. On the other hand, Masscan
prioritizes speed and efficiency and is ideal for quickly scanning large networks but may lack
some of the advanced features offered by Nmap.

Details of Nmap (Network Mapper):

1. Overview:
Nmap, short for Network Mapper, is a powerful open-source tool used for network
exploration and security auditing. It is designed to discover hosts and services on a computer
network, thus creating a map of the network topology. Nmap is widely regarded as one of the
most comprehensive network scanning tools available and is favored by both cybersecurity
professionals and enthusiasts alike.

2. Features:

Host Discovery: Nmap can identify active hosts on a network using various techniques
such as ICMP echo requests, TCP SYN scans, and ARP requests. It can determine which
hosts are alive and responsive on the network.
Port Scanning: Nmap can scan for open ports on target hosts, including TCP, UDP, and
SCTP ports. It offers multiple scan types, including SYN scan (stealth scan), connect scan,
and ACK scan, allowing users to choose the most suitable method based on their
requirements.
Service Version Detection: Nmap can determine the version of services running on open
ports, helping users identify potential vulnerabilities and misconfigurations. It sends
probes to open ports to elicit responses that reveal information about the running
services and their versions.
OS Detection: Nmap can infer the operating system of a target host based on various
network behaviors and characteristics. It analyzes responses from the target host to
identify patterns and fingerprints indicative of specific operating systems.
Scripting Engine: Nmap features a powerful scripting engine known as the Nmap
Scripting Engine (NSE). NSE allows users to write custom scripts (Nmap scripts or NSE
scripts) to automate tasks, perform additional checks, or gather more information during
scans. These scripts can be used to perform advanced tasks such as vulnerability
detection, brute-force attacks, and service enumeration.
Output Formats: Nmap provides options to save scan results in various formats,
including plain text, XML, and grepable formats. This flexibility allows users to tailor the
output to their specific needs and integrate scan results into other tools and workflows.

3. Usage:

Nmap is primarily command-line driven, with a wide range of options and parameters
available to customize scan behavior. Users can specify target hosts, scan types, port ranges,
and scan timing options using Nmap's command-line interface. Here's a basic syntax example:

nmap [scan type] [options] [target specification]

Scan Types: Nmap supports various scan types, including TCP SYN scan (-sS), connect
scan (-sT), UDP scan (-sU), and the default script scan (-sC).
Options: Users can specify additional options to customize scan behavior, such as timing
options (-T), output formats (-o), verbosity level (-v), and script selection (-sC).
Target Specification: Users can specify target hosts using IP addresses, hostnames, IP
ranges, or CIDR notation.
4. Output and Analysis:

After completing a scan, Nmap provides detailed output containing information about the
scanned hosts, open ports, and detected services. Users can analyze this output to identify
potential vulnerabilities, misconfigurations, and security issues on the target network.
Nmap's output includes information such as IP addresses, port states (open, closed, filtered),
service versions, and operating system fingerprints.

5. Examples of Use Cases:

Network Discovery: Nmap can be used to discover hosts and services on a network,
providing insights into the network topology and infrastructure.
Vulnerability Assessment: Nmap can identify potential vulnerabilities and
misconfigurations by scanning for open ports, outdated services, and known
vulnerabilities.
Penetration Testing: Nmap is commonly used by penetration testers to assess the
security posture of target networks, identify entry points, and plan attack vectors.
Network Monitoring: Nmap can be used for proactive network monitoring, detecting
changes in the network environment and identifying unauthorized devices or services.

1. Basic Scanning Commands:

nmap [target]: This is the most basic Nmap command, where you specify the target(s)
you want to scan. For example, nmap 192.168.1.1 would scan the host with the IP address
192.168.1.1.
nmap [target range]: You can specify a range of IP addresses to scan. For example, nmap
192.168.1.1-100 would scan all hosts with IP addresses ranging from 192.168.1.1 to
192.168.1.100.
nmap [hostname]: Instead of specifying IP addresses, you can use hostnames for
scanning. For example, nmap example.com would scan the host with the hostname
example.com.

2. Scan Types:

-sS (TCP SYN scan): This is the default scan type in Nmap. It sends TCP SYN packets to
the target ports and analyzes the responses to determine if the ports are open, closed, or
filtered.
-sT (TCP connect scan): This scan type establishes a full TCP connection with the target
ports, making it less stealthy but more reliable than TCP SYN scan.
-sU (UDP scan): This scan type is used to scan UDP ports on target hosts. It sends UDP
packets to the target ports and analyzes the responses.

3. Scan Techniques:

-sA (ACK scan): This scan type sends TCP ACK packets to the target ports and analyzes
the responses. It is used to determine if the ports are filtered by firewalls.
-sV (Service version detection): This option enables service version detection, allowing
Nmap to identify the versions of services running on open ports.
-O (OS detection): This option enables operating system detection, allowing Nmap to
infer the operating system running on the target host based on various network
behaviors.

4. Output Options:

-oN [filename]: This option saves the scan results to a specified file in normal format.
-oX [filename]: This option saves the scan results to a specified file in XML format.
-oG [filename]: This option saves the scan results to a specified file in grepable format.

5. Timing Options:

-T [timing level]: This option specifies the timing level of the scan. The timing levels range
from 0 (paranoid) to 5 (insane), with higher levels increasing the aggressiveness of the
scan.

6. Scripting Engine:

--script [script name]: This option enables the execution of Nmap scripts during the scan.
Nmap includes a wide range of scripts for performing various tasks such as vulnerability
detection, brute-force attacks, and service enumeration.

7. Miscellaneous Options:

-p [port range]: This option specifies the port range to scan. For example, -p 1-1000
would scan ports 1 to 1000.
-v (Verbose output): This option enables verbose output, providing more detailed
information about the scan progress and results.
-A (Aggressive scan): This option enables aggressive scanning options, including service
version detection, OS detection, and script scanning.

50 Nmap commands:
1. Basic TCP SYN scan: nmap target
2. TCP SYN scan with verbose output: nmap -v target
3. TCP connect scan: nmap -sT target
4. UDP scan: nmap -sU target
5. TCP SYN scan with OS detection: nmap -O target
6. TCP SYN scan with service version detection: nmap -sV target
7. Aggressive scan: nmap -A target
8. Scan specific port: nmap -p <port> target
9. Scan multiple ports: nmap -p <ports> target
10. Scan port range: nmap -p <start-port>-<end-port> target
11. Scan all ports: nmap -p- target
12. Fast scan: nmap -F target
13. Stealth scan: nmap -sS target
14. ACK scan: nmap -sA target
15. IP protocol scan: nmap -sO target
16. TCP null scan: nmap -sN target
17. TCP FIN scan: nmap -sF target
18. Xmas scan: nmap -sX target
19. Idle scan: nmap -sI zombie-host target
20. Scan with IPv6: nmap -6 target
21. Scan multiple targets: nmap target1 target2
22. Scan targets from a file: nmap -iL target-list.txt
23. Scan targets from a CIDR range: nmap 192.168.1.0/24
24. Scan a subnet with CIDR notation: nmap 192.168.1.0/24
25. Perform a ping scan: nmap -sn target
26. Skip host discovery and treat all hosts as online: nmap -Pn target
27. Disable DNS resolution: nmap -n target
28. Scan specific network interface: nmap -e <interface> target
29. Verbose output with packet tracing: nmap -vv --packet-trace target
30. Output scan results to a file: nmap -oN scan-results.txt target
31. Output results in XML format: nmap -oX scan-results.xml target
32. Output results in grepable format: nmap -oG scan-results.gnmap target
33. Save scan results with timestamp: nmap -oX "scan-%T.xml" target
34. Save scan results with all formats: nmap -oA scan-results target
35. Save scan results with all formats and timestamp: nmap -oA "scan-%T" target
36. Perform a TCP SYN ping: nmap -PS target
37. Perform a TCP ACK ping: nmap -PA target
38. Perform a UDP ping: nmap -PU target
39. Perform an ICMP ping: nmap -PE target
40. Perform a TCP SYN ping with verbose output: nmap -PS -v target
41. Perform a TCP SYN ping with service version detection: nmap -PS -sV target
42. Perform a TCP SYN ping with OS detection: nmap -PS -O target
43. Perform a TCP SYN ping with traceroute: nmap -PS --traceroute target
44. Perform a TCP SYN ping with script scanning: nmap -PS --script=default target
45. Scan using a specific source IP address: nmap -S <source-ip> target
46. Scan using a specific source port: nmap --source-port <source-port> target
47. Scan using a specific MAC address: nmap --spoof-mac <mac-address> target
48. Perform a script scan: nmap --script <script> target
49. Perform a script scan with script arguments: nmap --script <script> --script-args <args>
target
50. Scan with maximum verbosity: nmap -vvvvv target

Now, let's discuss how to create an Nmap report:

After conducting a scan using Nmap, you can generate a report to document the scan results
and findings. Here's how you can create an Nmap report:

1. Choose the desired output format for your report. Nmap supports various output
formats, including plain text, XML, and grepable formats.
2. Use the appropriate command-line option to specify the output format. For example, -oN
for plain text, -oX for XML, and -oG for grepable format.
3. Run the Nmap scan with the chosen output format and target(s). For example:

nmap -oN scan-results.txt target

This command will save the scan results to a file named scan-results.txt in plain text
format.
4. Once the scan is complete, open the generated report file using a text editor or viewer to
review the results.
5. Analyze the scan results to identify open ports, detected services, operating systems,
and any potential vulnerabilities or security issues.
6. Organize the information in the report into sections, including an executive summary,
methodology, findings, recommendations, and any additional notes or observations.
7. Add any necessary context, explanations, or interpretations to clarify the findings and
their implications.
8. Format the report to make it clear, concise, and visually appealing, using headings, bullet
points, tables, and other formatting elements as needed.
9. Include any relevant screenshots, diagrams, or visual aids to enhance the presentation
of the information.
10. Proofread the report to ensure accuracy, clarity, and coherence, and make any necessary
revisions or corrections.
11. Once the report is finalized, distribute it to the appropriate stakeholders, such as team
members, clients, or management, as needed.
