
Advanced Nmap — Part 3: Automation & Real-World Labs | CyberAsh


Final part of the Advanced Nmap course — automation, scheduling, reporting, lab design, and expert workflows to go pro.

1 — Automation: Reliable, Repeatable Scanning

Automation increases reliability and saves time. Build small, well-documented scripts that run Nmap with fixed profiles, capture outputs, and push results into a report pipeline.

1.1 Bash automation pattern (robust)

Use a wrapper script that validates inputs, creates timestamped result directories, and rotates logs.

#!/usr/bin/env bash
set -euo pipefail

# Usage: ./scan.sh 10.0.0.12
# Refuse to run without exactly one target so a typo cannot start an unbounded scan.
if [ "$#" -ne 1 ]; then
    echo "usage: $0 <target>" >&2
    exit 1
fi

TARGET="$1"
TS=$(date +%Y%m%d-%H%M)
OUTDIR="./results/${TARGET}-${TS}"   # one isolated folder per run
mkdir -p "$OUTDIR"

echo "[*] Running Nmap full scan for $TARGET -> $OUTDIR"
# -oA writes normal, XML and grepable output side by side for later parsing
nmap -sS -sV -O --script vuln -p- -oA "${OUTDIR}/scan" "$TARGET"
echo "[*] Done. Results: ${OUTDIR}"

Explanation:

  • Create an isolated result folder per run to avoid overwriting earlier data.
  • Use -oA to capture all formats (normal/xml/grepable) for downstream parsing.
  • Keep scripts idempotent and log exit codes for orchestration tools.

1.2 Scheduling with cron & systemd timers

Use cron for simple schedules; prefer systemd timers for more robust scheduling on modern Linux systems.

# crontab: weekly full scan (example), Sundays at 02:00
0 2 * * 0 /usr/local/bin/scan-weekly.sh >/var/log/nmap/scan-weekly.log 2>&1

Tip: When scheduling, ensure scans won't overlap. Use lockfiles or flock to avoid simultaneous runs.
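The pattern from 1.1 and 1.2 combined, as an added example (not from the CyberAsh post): a Python wrapper that validates the target before it is used as a path component and an nmap argument, builds the command as an argv list rather than a shell string, holds a non-blocking flock so a cron or timer run can never overlap a previous one, and records the exit code for orchestration. The profile names, the `results/<target>-<timestamp>/` layout and the lock path are assumptions made for the example.

```python
import fcntl
import ipaddress
import os
import re
import shutil
import subprocess
import sys
import time
from typing import List, Optional

# Hostname check (RFC 1123 labels). No leading '-', so an argument such as
# "-iL" can never be parsed by nmap as an option; no empty labels, so "../.."
# is rejected before it reaches the results path.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Fixed scan profiles (assumed names), kept as argv lists so no shell sees the target.
PROFILES = {
    "full": ["-sS", "-sV", "-O", "--script", "vuln", "-p-"],
    "discovery": ["--script", "discovery and safe", "-p", "80,443"],
}


def validate_target(target: str) -> bool:
    """Accept one IP address, one CIDR range, or one hostname; reject all else."""
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def result_dir(base: str, target: str, ts: Optional[str] = None) -> str:
    """Timestamped per-run directory. The '/' of a CIDR target is mapped to
    '_' so a range such as 10.0.0.0/8 never becomes a nested path."""
    ts = ts or time.strftime("%Y%m%d-%H%M")
    return os.path.join(base, f"{target.replace('/', '_')}-{ts}")


def nmap_command(target: str, outdir: str, profile: str = "full") -> List[str]:
    """Build the nmap argv for a profile; -oA writes .nmap/.xml/.gnmap."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    return ["nmap", *PROFILES[profile], "-oA", os.path.join(outdir, "scan"), target]


class ScanLock:
    """Non-blocking flock(2) on a lock file so two scheduled runs never overlap."""

    def __init__(self, path: str):
        self.path = path
        self.fh = None

    def acquire(self) -> bool:
        self.fh = open(self.path, "w")
        try:
            fcntl.flock(self.fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return True
        except OSError:  # BlockingIOError: another run holds the lock
            self.fh.close()
            self.fh = None
            return False

    def release(self) -> None:
        if self.fh is not None:
            fcntl.flock(self.fh, fcntl.LOCK_UN)
            self.fh.close()
            self.fh = None


def run_scan(target: str, base: str = "./results", profile: str = "full",
             lock_path: str = "/tmp/nmap-wrapper.lock") -> Optional[int]:
    """Validate, lock, create the run directory, run nmap, record the exit code.
    Returns nmap's exit code, or None if another run already holds the lock."""
    if not validate_target(target):
        raise ValueError(f"refusing target {target!r}")
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    lock = ScanLock(lock_path)
    if not lock.acquire():
        return None
    try:
        outdir = result_dir(base, target)
        os.makedirs(outdir, exist_ok=True)
        rc = subprocess.run(nmap_command(target, outdir, profile), check=False).returncode
        with open(os.path.join(outdir, "exit_code"), "w") as fh:
            fh.write(f"{rc}\n")  # orchestration tools read this file, not stdout
        return rc
    finally:
        lock.release()


if __name__ == "__main__":  # e.g. python scan.py 10.0.0.12 discovery
    rc = run_scan(sys.argv[1], profile=sys.argv[2] if len(sys.argv) > 2 else "full")
    print("another scan is already running" if rc is None else f"nmap exit code {rc}")
```

The validation step matters because the bash version interpolates `$1` straight into `OUTDIR`; a target of `../../etc` would create the results folder outside the tree, and a target beginning with `-` would be read by nmap as an option. A cron entry calling this script gets the same lock protection as the `flock` tip above.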

2 — Parsing Nmap output & generating reports

XML output (-oX) is the canonical machine-readable format. Most integrations and dashboards parse XML to extract hosts, ports, services, and NSE outputs.

2.1 Quick Python parser (example)

# Requires: pip install python-libnmap
from libnmap.parser import NmapParser

p = NmapParser.parse_fromfile('scan.xml')
for host in p.hosts:
    print(host.address, host.get_open_ports())

2.2 Convert XML to HTML (xsltproc)

nmap -oX scan.xml target.com
xsltproc /usr/share/nmap/nmap.xsl scan.xml -o scan.html

Produce CSV for spreadsheets and combine it with the NSE script results to create executive summaries.

nmap -oX scan.xml <target>
xsltproc nmap.xsl scan.xml -o report.html
python parse_nmap.py scan.xml
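What `parse_nmap.py` in the pipeline above could look like without the libnmap dependency, as an added example (not from the CyberAsh post): a standard-library parser over `-oX` output that emits one row per port with the service fields and any NSE script output attached, filters to open ports, writes CSV and builds the per-service counts an executive summary needs. The XML document embedded below is a constructed sample, not a real scan, and the column names are assumptions for the example.

```python
import csv
import io
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Constructed sample of nmap -oX output (not a real scan): two hosts, one up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-title -oX scan.xml 10.0.0.12-13">
  <host>
    <status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <hostnames><hostname name="web.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Welcome to the lab"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/><service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed CSV column layout for the report.
FIELDS = ["host", "hostname", "proto", "port", "state", "service", "product", "version", "scripts"]


def parse_nmap_xml(xml_text: str) -> List[Dict[str, str]]:
    """One row per <port> of every host that is up; NSE outputs are joined as id=output."""
    # scan.xml is produced locally by nmap; if XML ever comes from an untrusted
    # source, parse it with defusedxml instead of the plain ElementTree parser.
    root = ET.fromstring(xml_text)
    rows: List[Dict[str, str]] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            scripts = ";".join(
                f"{s.get('id')}={(s.get('output') or '').strip()}" for s in port.findall("script")
            )
            rows.append({
                "host": addr_el.get("addr", "") if addr_el is not None else "",
                "hostname": hn.get("name", "") if hn is not None else "",
                "proto": port.get("protocol", ""),
                "port": port.get("portid", ""),
                "state": state.get("state", "") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "scripts": scripts,
            })
    return rows


def open_ports_only(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in rows if r["state"] == "open"]


def to_csv(rows: List[Dict[str, str]]) -> str:
    """CSV text ready for a spreadsheet; quoting is handled by the csv module."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def service_summary(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of open ports per service name, the headline figure for a summary."""
    return dict(Counter(r["service"] for r in rows if r["state"] == "open"))


if __name__ == "__main__":  # python parse_nmap.py scan.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    parsed = parse_nmap_xml(text)
    print(to_csv(open_ports_only(parsed)))
    print(service_summary(parsed))
```

A caution on the `find(...) or find(...)` idiom: an `Element` with no children is falsy, so this fallback only works because `<address>` elements carry attributes but no child elements and an explicit `is None` check is used wherever the element is read.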

3 — Automating NSE: Batch & targeted scripts

Group scripts by purpose and run categories (example: discovery, vuln, auth). Batch-run with --script and tune timeouts with --script-timeout.

3.1 Run script categories safely

# discovery + safe scripts only
nmap --script "discovery and safe" -p80,443 -oA nse_discovery target.com

# vuln scripts (intrusive) — lab use only
nmap --script vuln -p 21,22,80,139,445 -oA nse_vuln target-lab

3.2 NSE Automation pattern (bash)

#!/bin/bash
# run a set of scripts across a hostlist (one host per line in hosts.txt)
SCRIPTS="discovery,safe"
mkdir -p results

while read -r host; do
    echo "[*] running ${SCRIPTS} on $host"
    nmap --script "${SCRIPTS}" -p 80,443 -oA "results/${host}-nse" "$host"
done < hosts.txt

Do not run intrusive NSE categories on production networks or third-party IPs without written consent.

4 — Mass scanning: safe workflows with masscan + Nmap

masscan is extremely fast for discovery. Use it to find candidates, then feed results to Nmap for deep enumeration.

4.1 Practical workflow (recommended)

# 1: discovery (low rate)
sudo masscan 10.0.0.0/8 -p80 --rate 10000 -oG masscan.gnmap

# 2: extract IPs
grep "Host:" masscan.gnmap | awk '{print $2}' | sort -u > hosts.txt

# 3: Nmap enrichment (parallelized via xargs)
xargs -P10 -I{} nmap -sV -p80 --script http-enum -oN nmap-{} {} < hosts.txt

Use small --rate values for internet-scale scans; test in your lab before scaling.
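Steps 2 and 3 of the masscan workflow above, together with the batch NSE pattern from section 3.2, as one added example (not from the CyberAsh post): it parses masscan's grepable output into a deduplicated host list (the `grep | awk | sort -u` stage, plus an IP check so a malformed line can never become an nmap argument), builds one nmap argv per host with a chosen NSE profile and the `--script-timeout` section 6 recommends, and runs them with a bounded worker pool like `xargs -P10`. The masscan output embedded below is a constructed sample, and the profile names, output paths and the `runner` hook are assumptions for the example.

```python
import ipaddress
import shutil
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional

# Constructed masscan -oG output (not a real scan). masscan writes one line per
# open port, so a host with several ports appears several times; the bogus
# fourth line stands in for a corrupted or truncated record.
SAMPLE_GNMAP = """# Masscan 1.3.2 scan initiated (constructed sample)
# Ports scanned: TCP(2;80,443) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.1.9 ()\tPorts: 80/open/tcp////
Host: 10.0.1.5 ()\tPorts: 80/open/tcp////
Host: 10.0.1.5 ()\tPorts: 443/open/tcp////
Host: not-an-ip ()\tPorts: 80/open/tcp////
# Masscan done
"""

# NSE profiles (assumed names). Categories joined with "and" select only scripts
# that are in both categories; "vuln" is intrusive and belongs in the lab only.
NSE_PROFILES = {
    "discovery": "discovery and safe",
    "vuln": "vuln",
    "http-enum": "http-enum",
}


def extract_hosts(gnmap_text: str) -> List[str]:
    """grep "Host:" | awk '{print $2}' | sort -u, with each address validated."""
    hosts = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            hosts.add(str(ipaddress.ip_address(fields[1])))
        except ValueError:  # not an address: skip rather than pass it to nmap
            continue
    # numeric sort, IPv4 before IPv6, instead of the lexical order sort(1) gives
    return sorted(hosts, key=lambda h: (ipaddress.ip_address(h).version,
                                        int(ipaddress.ip_address(h))))


def nse_command(host: str, profile: str, ports: str = "80,443",
                script_timeout: str = "30s") -> List[str]:
    """Per-host nmap argv: version detection plus the NSE profile, bounded by
    --script-timeout so one hung script cannot stall the whole batch."""
    if profile not in NSE_PROFILES:
        raise ValueError(f"unknown NSE profile {profile!r}")
    return ["nmap", "-sV", "-p", ports, "--script", NSE_PROFILES[profile],
            "--script-timeout", script_timeout, "-oA", f"results/{host}-{profile}", host]


def run_batch(hosts: List[str], profile: str, workers: int = 10,
              runner: Optional[Callable[[List[str]], int]] = None) -> Dict[str, int]:
    """Run one nmap per host with at most `workers` in flight (like xargs -P10).
    `runner` maps an argv list to an exit code; by default it is subprocess.run,
    and it can be replaced for dry runs or tests."""
    if runner is None:
        if shutil.which("nmap") is None:
            raise RuntimeError("nmap not found on PATH")
        runner = lambda argv: subprocess.run(argv, check=False).returncode
    cmds = {h: nse_command(h, profile) for h in hosts}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        codes = list(pool.map(runner, cmds.values()))
    return dict(zip(cmds.keys(), codes))


if __name__ == "__main__":  # dry run against the constructed sample
    targets = extract_hosts(SAMPLE_GNMAP)
    print("hosts:", targets)
    results = run_batch(targets, "http-enum", workers=2,
                        runner=lambda argv: print(" ".join(argv)) or 0)
    print("exit codes:", results)
```

The per-host exit codes are returned rather than printed so a scheduler can decide whether to retry the failures; the `-oA` prefix keeps one normal/XML/grepable set per host and profile, ready for the XML parser from section 2.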

5 — Real-world lab design & capstone

Build a lab that reflects targets you want to test: web apps, internal services, IoT devices, and an IDS. The capstone ties together discovery, enumeration, exploitation, and reporting.

5.1 Lab components

  • Attacker VM (Kali) with Nmap, masscan, Metasploit
  • Target VMs: Linux web server (Juice Shop), Windows app server, DB server
  • Monitoring VM: Suricata/Snort + ELK stack for alerting and log analysis

5.2 Capstone project brief

  1. Discover all hosts with masscan → Nmap
  2. Run targeted NSE vulns on discovered services
  3. Exploit known issues in your lab (Metasploit or manual) and document post-exploitation findings
  4. Produce CSV + HTML report and presentation with remediation recommendations

6 — Expert tips, troubleshooting & safety

  • If you see many filtered ports, check network filters and run -Pn if ICMP is blocked.
  • UDP scans are unreliable by default — increase --max-retries and --host-timeout.
  • When NSE scripts hang, use --script-timeout 30s and run -d for debug output.
  • Document scope and obtain written authorization before any external scans.

6.1 Command cheats

nmap -sS -sV -O -p- target
nmap --script vuln target
nmap -oX out.xml target
masscan 10.0.0.0/8 -p80 --rate 5000
