
Lab On Network Mapper

This document provides a comprehensive guide on using Nmap for network discovery, port scanning, service detection, and security auditing. It covers key features, common commands, practical uses, and exercises for hands-on practice, including host discovery, port scanning, and OS detection. The document is intended for individuals with basic networking knowledge and includes instructions for using Nmap effectively.

Uploaded by pasachheregan

Copyright © All Rights Reserved

Lab on Network Mapper (Nmap)


Objective:

To learn and practice basic to advanced Nmap commands for network discovery, port scanning, service
detection, and security auditing.

Prerequisites:

• Basic knowledge of networking concepts.

• Access to a terminal or command line interface.

• Nmap installed on your system. (Download from Nmap.org)

Theory:

Nmap, short for "Network Mapper," is a powerful and versatile open-source tool used for network
discovery and security auditing. Developed by Gordon Lyon (also known as Fyodor), Nmap is widely
utilized by network administrators, security professionals, and hackers to explore and manage network
environments. It helps in discovering hosts and services on a computer network by sending packets and
analyzing the responses.

Key Features of Nmap

1. Host Discovery: Identifies live hosts on a network. Nmap can detect hosts even when they do
not respond to standard pings by using various methods such as ARP requests, TCP/UDP pings,
and more.

2. Port Scanning: Determines which ports are open, closed, or filtered on a host. Nmap supports
several scan techniques including:

   • TCP Connect Scan (-sT): Completes the TCP handshake, making it easier to detect.

   • SYN Scan (-sS): Often called "half-open" scanning because it doesn't complete the TCP
     handshake, making it stealthier.

   • UDP Scan (-sU): Scans for open UDP ports, which can be trickier because UDP is
     connectionless.

   • FIN Scan (-sF), NULL Scan (-sN), and Xmas Scan (-sX): These scan techniques send
     unusual flag combinations to elicit responses from firewalls and intrusion detection
     systems.

3. Service and Version Detection: Identifies the software running on open ports and attempts to
determine the version. This is done by sending specific probes and analyzing the responses.

4. OS Detection: Estimates the operating system and device type based on TCP/IP stack
fingerprinting.

CSCL BIM 6th NIST COLLEGE



5. Scriptable Interaction with the Target: Nmap includes the Nmap Scripting Engine (NSE) which
allows users to write and share scripts for automated and advanced network tasks. These scripts
can be used for:

   • Vulnerability Detection: Identifying known vulnerabilities.

   • Security Audits: Performing a variety of network security checks.

   • Network Inventory: Collecting detailed information about network assets.

6. Network Mapping: Visualizes the network topology and how devices are connected.
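Item 2 above says a connect scan is easier to detect than a half-open SYN scan. The following added example (not part of the original lab) shows how a defender can tell the scan types apart from the TCP flags a client sends and flag any source that probes several ports. The packet records, addresses and the `min_ports` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: packets sent BY each client, as (src, dst, dport, flags).
# Flag letters: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG; "" = no flags set.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"), ("10.0.0.5", "10.0.0.9", 22, "R"),
    ("10.0.0.5", "10.0.0.9", 80, "S"), ("10.0.0.5", "10.0.0.9", 80, "R"),
    ("10.0.0.5", "10.0.0.9", 443, "S"),          # closed port: no follow-up
    ("10.0.0.7", "10.0.0.9", 21, "FPU"), ("10.0.0.7", "10.0.0.9", 22, "FPU"),
    ("10.0.0.7", "10.0.0.9", 23, "FPU"),
    ("10.0.0.8", "10.0.0.9", 443, "S"), ("10.0.0.8", "10.0.0.9", 443, "A"),
]

def classify_probe(flag_seq):
    """Label one client-to-port conversation by the flags the client sent."""
    first, rest = flag_seq[0], flag_seq[1:]
    if first == "":
        return "null"
    if set(first) == {"F"}:
        return "fin"
    if set(first) == set("FPU"):
        return "xmas"
    if first == "S":
        if "A" in rest:
            return "connect"      # handshake completed, as -sT does
        if "R" in rest:
            return "half-open"    # SYN/ACK answered with RST, as -sS does
        return "syn-only"         # closed or filtered port: scan type not visible
    return "other"

def detect_scanners(packets, min_ports=3):
    """Return {src: sorted probe labels} for sources probing >= min_ports ports."""
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(flags)
    ports, kinds = defaultdict(set), defaultdict(set)
    for (src, dst, dport), seq in flows.items():
        ports[src].add((dst, dport))
        kinds[src].add(classify_probe(seq))
    return {s: sorted(kinds[s]) for s in ports if len(ports[s]) >= min_ports}

if __name__ == "__main__":
    for src, labels in detect_scanners(PACKETS).items():
        print(src, labels)
```

On closed ports a SYN scan and a connect scan look identical on the wire, so only the open-port conversations separate the two.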

Common Nmap Commands

• Basic Scan: nmap <target>

• Scan Specific Ports: nmap -p 22,80,443 <target>

• Scan a Range of IPs: nmap <start-IP>-<end-IP>

• Service Version Detection: nmap -sV <target>

• OS Detection: nmap -O <target>

• Aggressive Scan: nmap -A <target>

• Script Scan: nmap --script <script-name> <target>

Practical Uses

• Network Inventory: Helps in identifying all devices connected to the network and their
  respective services.

• Security Audits: Assesses network security by detecting vulnerabilities and misconfigurations.

• Compliance Testing: Ensures that network configurations comply with security policies and
  regulations.

• Penetration Testing: Employed by ethical hackers to find and exploit weaknesses in a network.

Exercise 1: Simple Host Discovery

1. Open your terminal.

2. Use Nmap to perform a basic ping scan to discover live hosts on a local network (assuming your
network range is 192.168.1.0/24).

nmap -sn 192.168.1.0/24

3. Record the IP addresses of live hosts.


Exercise 2: Simple Port Scan

1. Scan a specific host to find open ports

nmap 192.168.1.1

2. Note the open ports and their corresponding services.

Advanced Scanning Techniques


Exercise 3: TCP SYN Scan

1. Perform a TCP SYN scan on a target IP (e.g., scanme.nmap.org)

nmap -sS scanme.nmap.org

2. Identify the open ports and record the findings

Exercise 4: UDP Scan

1. Perform a UDP scan on a target IP.

nmap -sU scanme.nmap.org

2. Note the open UDP ports and compare with the TCP results.

Service and Version Detection


Exercise 5: Service Version Detection

1. Perform a service version detection scan on a specific host.

nmap -sV scanme.nmap.org

2. List the detected services and their versions.

Exercise 6: Aggressive Scan

1. Conduct an aggressive scan which includes OS detection, version detection, script scanning, and
traceroute.

nmap -A scanme.nmap.org

2. Document the results, focusing on OS detection and detailed service information.


OS and Device Detection


Exercise 7: OS Detection

1. Perform an OS detection scan on a local host

nmap -O 192.168.1.1

2. Record the OS details and their accuracy.

Nmap Scripting Engine (NSE)


Exercise 8: Using Predefined Scripts

1. Use the NSE to detect vulnerabilities on a target

nmap --script vuln scanme.nmap.org

2. List the vulnerabilities found.

Exercise 9: Safe Script Scan

1. Perform a scan with safe scripts

nmap --script safe scanme.nmap.org

2. Document the findings from the safe scripts

Performance Tuning


Exercise 10: Timing Templates

1. Scan a target using different timing templates (T0-T5)

nmap -T4 scanme.nmap.org

2. Compare the scan durations and results.


Exercise 11: Parallel Scans

1. Perform a parallel scan to speed up the scanning process

nmap -T4 -sn 192.168.1.0/24

2. Record the time taken and note any differences from a default scan.

Output Options


Exercise 12: Save Output to File

1. Perform a scan and save the output to a file in three different formats: normal, XML, and
grepable.

nmap -oN normal_output.txt -oX xml_output.xml -oG grepable_output.txt scanme.nmap.org

2. Review the saved outputs
