Nmap Guide Part-2

byCyber Pulse
0
Advanced Nmap — Complete Course (Part 2) | CyberAsh

Advanced Nmap — Complete Course (Part 2)

A professional, module-based course: from advanced NSE scripting to automation, mass scanning, integration and a final capstone. Includes labs, quizzes and project ideas.

Advanced Nmap Course
Course Outline (quick links)
  1. Module 1 — Advanced Scanning Techniques
  2. Module 2 — NSE Deep Dive & Writing Scripts
  3. Module 3 — Timing, Performance & Scaling
  4. Module 4 — Stealth & Evasion (Ethical)
  5. Module 5 — Mass Scanning & Workflows (masscan + Nmap)
  6. Module 6 — Automation, Parsing & Reporting
  7. Module 7 — Integration (Metasploit, Burp, Wireshark)
  8. Module 8 — Capstone Project, Assessments & Resources

Module 1 — Advanced Scanning Techniques

Objective

Go beyond simple port discovery: learn scan types, when to use them, and how to interpret results reliably.

Lesson 1.1 — Scan types explained

Understand differences and trade-offs:

  • -sS (SYN) — fast, stealthier than full connects; best for privileged users.
  • -sT (Connect) — works without raw sockets, more noisy.
  • -sU (UDP) — slower, requires retries; many services only respond sporadically.
  • -sN/-sF/-sX (NULL/FIN/XMAS) — firewall/stack probing; can reveal filters.
  • -sA (ACK) — useful for firewall rule mapping.
Practice: run each scan type on a VM and compare returned states (open/closed/filtered).

Lesson 1.2 — Combining scans effectively

Use targeted mixed scans for accuracy:

sudo nmap -sS -sV -p22,80,443 --version-intensity 2 target.ip

Explanation: -sS for speed, -sV to identify services, reduced intensity to avoid long probes.

Lab 1 — Port-probing comparison

  1. Spin up 2 VMs (Ubuntu + Windows Server) in an isolated host-only network.
  2. Run: nmap -sS 192.168.56.101 and record results.
  3. Run: nmap -sT 192.168.56.101 and compare differences.
  4. Document which probes triggered firewall logs (use local IDS or syslog).

Module 2 — NSE Deep Dive & Writing Scripts (Lua)

Objective

Master NSE architecture, available libraries and write robust scripts for discovery and vulnerability checks.

Lesson 2.1 — NSE anatomy

Every NSE script contains metadata, portrule/hostrule, and an action(). Scripts use built-in Lua modules like http, shortport, stdnse, and nmap.

Lesson 2.2 — Writing a durable script (best practices)

  • Use explicit timeouts and stdnse.sleep() where needed.
  • Respect script categories: safe, intrusive, vuln.
  • Make arguments configurable via --script-args.
  • Log structured output (return tables or formatted strings).

Lesson 2.3 — Example: full-featured NSE (explain)

Below is a more complete pattern (explanations inline):

-- example.nse (pattern) description = [[ Checks HTTP server and follows redirects, reports title and server header. ]] author = "CyberAsh" license = "Same as Nmap" categories = {"discovery","safe"} local http = require "http" local stdnse = require "stdnse" local shortport = require "shortport" portrule = shortport.port_or_service({80,443}, "http") action = function(host, port) local result = {} local resp = http.get(host, port, "/") if not resp then return nil end result.server = resp.header.server or "unknown" result.title = resp:match("(.-)") or "no-title" return stdnse.format_output(true, result) end

Tip: save as /usr/share/nmap/scripts/example.nse, run nmap --script-help example to check header parsing.

Lab 2 — Write & test an NSE

  1. Create a simple web app (Flask or Node) on port 8080; include a custom header X-MyApp: v1.
  2. Write an NSE that reads that header and reports it.
  3. Run: sudo nmap --script=myapp-header -p8080 192.168.56.102
  4. Iterate: add error handling and a --script-args option to change path (e.g., path=/health).

Module 3 — Timing, Performance & Scaling

Objective

Learn how Nmap timing templates affect scanning, how to tune parameters, and scale scans safely.

Lesson 3.1 — Timing templates explained

From -T0 (paranoid) to -T5 (insane). Understand probe intervals, retries, and parallelism adjustments.

Lesson 3.2 — Tuning parameters

  • --min-rate / --max-rate — force Pkts/sec limits.
  • --scan-delay — add ms between probes for stealth.
  • --host-timeout — skip slow hosts automatically.
# Example: aggressive but controlled nmap -sS -T4 --min-rate 500 -p1-1000 10.0.0.0/24 -oA scaled_scan

Lab 3 — Measure & tune

  1. Set up a small network with 50 VMs (or simulate with containers).
  2. Run default scans (-T3), record elapsed time and system load.
  3. Increment to -T4 and enable --min-rate 500, observe host/target behavior.
  4. Document trade-offs between speed and accuracy (missed ports, false positives).

Module 4 — Stealth & Evasion (Ethical)

Objective

Practice stealth techniques to understand how attackers may avoid detection — always in authorized labs.

Lesson 4.1 — Evasion tools & flags

  • --decoy — mix extra source IPs
  • --spoof-mac — change MAC (local only)
  • -f — fragment packets
  • --data-length — add filler
nmap -sS -T1 --decoy 10.0.0.5,10.0.0.6 -p22,80 target

Lab 4 — IDS detection test

  1. Deploy Suricata or Snort in your lab network.
  2. Run a noisy scan (-T4 -sS) and capture alerts.
  3. Run a stealthy scan (-T1 -f --decoy), compare which alerts still fire.
  4. Write a short report: which techniques evaded signature rules and which triggered anomaly detection?

Module 5 — Mass Scanning & Workflows (masscan + Nmap)

Objective

Design workflows that combine fast discovery (masscan) with Nmap for detailed enumeration.

Lesson 5.1 — masscan fundamentals

masscan discovers open ports extremely fast; it outputs IP:port lists to feed Nmap. Use responsibly.

Workflow Example

# 1) masscan discovery sudo masscan 10.0.0.0/8 -p80 --rate=10000 -oG masscan.gnmap # 2) extract hosts & port pairs grep "Host:" masscan.gnmap | awk '{print $2":80"}' > targets.txt # 3) Nmap enrichment nmap -sV -p80 -iL targets.txt -oA mass_enriched

Lab 5 — Large-scale mock scan

  1. Use a /16 lab subnet (or simulate) and run masscan with low rate to avoid routers overload.
  2. Enrich results with Nmap, run --script=http-enum on discovered webservers.
  3. Produce a CSV report of IP, open ports, service and script findings.

Module 6 — Automation, Parsing & Reporting

Objective

Automate repeatable scans, parse XML outputs and generate human-friendly reports.

Lesson 6.1 — Bash automation pattern

# loop over hosts while read ip; do echo "[*] scanning ${ip}" nmap -sV -oX results/${ip}.xml ${ip} done < hosts.txt

Lesson 6.2 — Python parsing (brief)

Use Python with libxml2 or xml.etree.ElementTree to parse -oX files and build CSV/JSON reports. (Example code can be provided on request.)

Lab 6 — Build a report pipeline

  1. Run scans, produce XML outputs using -oX.
  2. Write a short Python script that reads XML and outputs CSV: ip, port, service, script output.
  3. Visualize top-10 services found using any spreadsheet tool.

Module 7 — Integration: Metasploit, Burp, Wireshark

Objective

Integrate Nmap outputs with exploitation and analysis tools to form full pentest workflows.

Lesson 7.1 — Import Nmap to Metasploit

Metasploit accepts XML imports. Use this to pivot quickly to exploit modules after enumeration.

# in msfconsole db_import scan_results.xml hosts services

Lesson 7.2 — Use Nmap with Burp/Wireshark

  • Use Nmap to find web instances, then target them with Burp Suite for app-level testing.
  • Capture Nmap traffic with Wireshark to study signatures and IDS detection (learning exercise).

Lab 7 — Full workflow

  1. Enumerate target with Nmap, save XML.
  2. Import into Metasploit and check for known vulnerabilities.
  3. Run targeted Burp scans on web ports found and compare script outputs from Nmap with Burp findings.

Module 8 — Capstone Project, Assessments & Resources

Capstone Project (end-to-end)

Design and complete a project that demonstrates mastery:

  1. Build a lab of at least 4 VMs (Linux web, Windows app, DB, and IDS).
  2. Perform discovery with Nmap + masscan, enrich with NSE scripts.
  3. Parse and produce a professional report (CSV + HTML) with findings and remediation notes.
  4. Deliver a short walkthrough video explaining steps and results.

Assessments (self-graded)

  • Quiz A: Explain differences between SYN and Connect scans and appropriate use cases.
  • Quiz B: List 5 NSE libraries and their purpose.
  • Practical: Submit NSE script + test logs for review.

Cheatsheet — Common commands

nmap -sS target
SYN scan
nmap -sU -p 53 target
UDP DNS
nmap -sV -p 1-1000 target
Service detection
nmap -O target
OS detection
nmap --script vuln target
Run vuln scripts
nmap -oA report target
Save all outputs

Recommended resources

Tags:

Post a Comment

Previous Post Next Post