Unleash the Power of Nmap Vulnerability Scanning

Vulnerability exploitation remains rampant: headline vulnerabilities like Log4Shell and ProxyShell were exploited for massive data theft in 2021. Finding weaknesses before attackers do is critical, and Nmap offers an easy way to start.

This 2,800+ word guide will make you a power user, unlocking Nmap's versatility for finding vulnerabilities across networks and applications.

Why Vulnerability Management Matters

Before diving into Nmap, a look at today's threat landscape shows why identifying vulnerabilities proactively matters so much:

  • Attacks are rising – Accenture reports cyber attacks now happening on average every 39 seconds, up 31% versus 2020. State-sponsored groups, organized crime rings and hackers are getting more sophisticated and aggressive.

  • Unpatched software drives exploits – Attackers have an arsenal of intrusion tools, but most breaches involve simple exploitation of well-known unpatched vulnerabilities in servers, network devices and workstations. Diligent patching, upgrades and inventory management are essential.

  • Internet exposure increases risks – As organizations embrace cloud and work from anywhere, the attack surface grows. 83% of enterprises saw increased cybersecurity risks from remote working over the past year. More devices and services mean more targets.

Nmap empowers red/blue teams, network admins and security leaders to hunt for vulnerabilities, misconfigurations and unmanaged assets – allowing smart remediation before criminals exploit them.

Installing and Configuring Nmap Like a Pro

Nmap runs on Linux, Windows and macOS for flexibility across environments. For servers and stable scanning platforms, choose Linux.

On Debian/Ubuntu systems:

sudo apt update
sudo apt install nmap -y   # pulls in nmap-common, which carries the NSE scripts and data files

For RHEL/CentOS installations (nmap is in the base repositories, so EPEL is not required):

sudo yum check-update
sudo yum install nmap -y   # the NSE scripts ship inside the nmap package; ncat is packaged separately as nmap-ncat

Building the latest release from source (7.92 at the time of writing) gets you the newest scripts, probes and fingerprints before distributions package them, but it needs a C/C++ toolchain and development headers for libpcap and OpenSSL (Nmap ships its own copy of Lua for NSE).

./configure 
make
sudo make install

If ./configure stops, the missing library is named at the end of its output and in config.log; ./configure --help lists the available build options, including which bundled libraries to use or replace.

Always verify installs:

nmap -V
# Nmap version 7.92 ( https://nmap.org ) 

And confirm raw-socket privileges, which SYN scans (-sS) and OS detection (-O) need. As an unprivileged user Nmap stops with "You requested a scan type which requires root privileges. QUITTING!" (note that -d only raises debug verbosity and does not check privileges):

sudo nmap -sS -O -p 22 127.0.0.1

Allow Nmap's traffic through host firewalls, proxies and endpoint security tools on the scanning machine; packets that are blocked or rewritten on the way out will skew results.

With Nmap ready, let's dive into reconnaissance.

Nmap Scanning Techniques Crash Course

Nmap offers more than a dozen port scan types plus hundreds of specialized scripts facilitating recon. Learning them all thoroughly takes practice, but high level knowledge unlocks Nmap's capabilities:

Fundamentals

  • Target host/subnet identification
  • Port specification – common services or ranges
  • Privileged user and raw socket access

Discovery Scans

  • ICMP & ARP pings to locate live hosts

Port Scans

  • TCP Connect (-sT) – Completes the full three-way handshake; works without root but is noisier and easier to log
  • TCP SYN scan (-sS) – Stealthy half open scan that never completes the handshake; needs raw-socket privileges
  • UDP (-sU), SCTP INIT scan (-sY)

Version Detection

  • Service/version probes (-sV) against open ports, including banner grabbing
  • Protocol-specific probes such as SNMP and SMB to identify devices and services

See the Nmap reference guide for basic syntax and commands.

Now let‘s level up and tackle vulnerabilities.

Finding Vulnerabilities with Nmap Scripts

While Nmap provides comprehensive port scanning, specialized Nmap Scripting Engine (NSE) scripts enable identifying vulnerabilities:

Nmap NSE Categories

Scripts leverage banner grabbing, service fingerprinting and attacks against running services.

Key techniques include:

Vulnerability Scanning – Feed service, app, and version details into vulnerability databases such as CVE (and, historically, OSVDB, which shut down in 2016) to correlate known vulnerabilities.

Fuzzing – Manipulate protocol handshakes and application inputs to trigger crashes indicating bugs.

Exploitation – Exploit suspected vulnerabilities through attacks like SQL injection, shellshock, path traversals, etc.

This section will break down finding vulnerabilities with vulners, vulscan and individual scripts.

vulners – Comprehensive CVE Scanning

The vulners NSE script checks for vulnerabilities by:

  • Detecting services and versions via Nmap's service/version scan (-sV), which also yields CPE identifiers
  • Querying the Vulners database (vulners.com, so the scanning host needs outbound HTTPS) for CVEs and exploits matching those CPEs

Installation

cd /usr/share/nmap/scripts
sudo git clone https://github.com/vulnersCom/nmap-vulners
sudo cp nmap-vulners/vulners.nse .
sudo nmap --script-updatedb   # refresh script.db so --script vulners resolves

Usage

Here‘s the basic command:

nmap -sV --script vulners <target> 

But we can enable additional options like CVSS scoring thresholds:

nmap -sV --script vulners --script-args mincvss=7.0 <target>

A snippet of output looks like:

[Figure: Nmap vulners sample output]

Write the results to a file with -oN (normal), -oX (XML) or -oG (grepable), or -oA for all three at once, so reports can be shared and post-processed.

vulscan – Flexible CVE Database Scans

vulscan takes a similar approach but works offline, matching the -sV results against CSV databases stored alongside the script:

  • cve.csv
  • exploitdb.csv
  • osvdb.csv
  • scipvuldb.csv

Installation

cd /usr/share/nmap/scripts
sudo git clone https://github.com/scipag/vulscan scipag_vulscan
sudo ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Usage

nmap -sV --script vulscan/vulscan.nse <target>

Single database scans are faster and produce less noise:

nmap -sV --script vulscan/vulscan.nse --script-args vulscandb=cve.csv <target>

Manual Vulnerability Scripts

Prefer to choose the checks yourself?

NSE ships over 550 scripts, grouped into categories including:

  • vuln – just over 140
  • safe – nearly 100
  • intrusive – over 80
  • exploit – around 50
  • auth – above 40

Browse the full list of scripts or categories on Nmap's site.

Examples

  • Vuln scans – http-vuln-cve2015-1635, smb-vuln-cve2009-3103, ssl-dh-params
  • Fuzzers – dns-fuzz, http-form-fuzzer
  • Exploits – http-iis-webdav-vuln, http-phpmyadmin-dir-traversal, qconn-exec

Syntax remains consistent:

nmap -sV --script [script name] <target> 
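Whether the findings come from vulners (a table per CPE whose rows carry id, cvss, type and is_exploit elements) or from vuln-category scripts built on the NSE vulns library (a table per check carrying a state element, as smb-vuln-ms17-010 emits), they land in the same XML shape when you scan with -oX. The parser below is an added example, not code from the original article or from the Nmap or vulners projects; it collects both kinds of finding from an XML report and applies the mincvss-style threshold client-side. The embedded report is constructed for the example, and the CVE-2099-* identifiers, scores and Exploit-DB entry in it are placeholders rather than real findings.

```python
"""Collect vulnerability findings from an Nmap XML report (-oX).

Added example, not code from the original article or from the Nmap or
vulners projects. Assumes the XML shape Nmap uses for NSE script results:
<script id=...><table key=...><elem key=...>value</elem>...</table></script>.
The sample report below is constructed for this example; the CVE-2099-*
identifiers, scores and Exploit-DB entry are placeholders, not real data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script vulners,vuln -oX scan.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/>
<script id="vulners" output="(text form omitted)">
<table key="cpe:/a:openbsd:openssh:7.4">
<table><elem key="id">CVE-2099-0001</elem><elem key="cvss">9.8</elem>
<elem key="type">cve</elem><elem key="is_exploit">false</elem></table>
<table><elem key="id">CVE-2099-0002</elem><elem key="cvss">5.3</elem>
<elem key="type">cve</elem><elem key="is_exploit">false</elem></table>
<table><elem key="id">EDB-ID:00000</elem><elem key="cvss">7.5</elem>
<elem key="type">exploitdb</elem><elem key="is_exploit">true</elem></table>
</table></script></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds"/>
<script id="smb-vuln-ms17-010" output="(text form omitted)">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem>
</table></script></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/>
<script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
</port>
</ports></host></nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    script: str
    ident: str              # CVE id, exploit id, or the NSE check's table key
    cvss: Optional[float]   # None when the script reports no score
    is_exploit: bool


def _elem(table: ET.Element, key: str) -> Optional[str]:
    """Return the text of <elem key=KEY> directly under TABLE, or None."""
    e = table.find(f"elem[@key='{key}']")
    return e.text if e is not None else None


def parse_findings(xml_text: str) -> List[Finding]:
    """Walk every open port's <script> elements and collect findings."""
    findings: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            pnum = int(port.get("portid"))
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            for script in port.findall("script"):
                sid = script.get("id")
                if sid == "vulners":
                    # one table per CPE, one sub-table per CVE/exploit entry
                    for cpe_table in script.findall("table"):
                        for row in cpe_table.findall("table"):
                            findings.append(Finding(
                                addr, pnum, service, sid,
                                _elem(row, "id") or "?",
                                float(_elem(row, "cvss") or 0.0),
                                _elem(row, "is_exploit") == "true"))
                else:
                    # vulns-library scripts: one table per check, keyed by its id
                    for table in script.findall("table"):
                        state = _elem(table, "state") or ""
                        if state.startswith("VULNERABLE") or state == "LIKELY VULNERABLE":
                            findings.append(Finding(
                                addr, pnum, service, sid, table.get("key", sid),
                                None, "Exploitable" in state))
    return findings


def filter_findings(findings: List[Finding], mincvss: float = 0.0,
                    exploits_only: bool = False) -> List[Finding]:
    """Keep scored entries at or above MINCVSS; unscored entries are confirmed
    NSE checks and are always kept. Confirmed checks sort first, then by CVSS."""
    kept = [f for f in findings
            if (f.cvss is None or f.cvss >= mincvss)
            and (f.is_exploit or not exploits_only)]
    return sorted(kept, key=lambda f: (f.cvss is not None, -(f.cvss or 0.0), f.host, f.port))


def report(findings: List[Finding]) -> str:
    """One line per finding, ready for a ticket or a diff against the last run."""
    lines = []
    for f in findings:
        score = "confirmed" if f.cvss is None else f"CVSS {f.cvss:.1f}"
        tag = " [exploit available]" if f.is_exploit else ""
        lines.append(f"{f.host}:{f.port}/{f.service} {f.script} {f.ident} ({score}){tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(filter_findings(parse_findings(SAMPLE_XML), mincvss=7.0)))
```

Confirmed results from a vuln-library check are kept regardless of the threshold and listed first, because they are proven against the live service, whereas a vulners match is only an inference from the version string and still needs verification before it is filed as a finding.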

Strategies for Effective Vulnerability Management

Now that you understand Nmap scripts for detecting vulnerabilities, applying the scans within a methodical program is what turns findings into risk reduction.

Inventory – Before scanning anything, inventory networks, servers, devices, software, etc. Anything missing from the inventory is a scanning blind spot.

Prioritize – With limited time and resources, rank assets by data sensitivity, connectivity and lifecycle. Newly deployed systems first.

Scan – Establish recurring scans with Nmap and other tools mapping to priorities; monthly, quarterly or annually.

Remediate – Quickly address scan findings, re-scanning to validate fixes. Apply patches, upgrade software, harden configurations.

Report – Measure improvements with trends on vulnerabilities, exposed services, EOL systems. Communicate wins!

Adhering to vulnerability management best practices pays dividends in risk reduction.
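The Remediate step only closes the loop if the re-scan is actually compared with the baseline. Nmap ships the ndiff tool for exactly that; the script below is an added example (not from the article or the Nmap project) of the same idea on parsed -oX output, reporting ports newly opened, ports closed, and ports whose detected service version changed between two runs. Both reports are constructed for the example: a baseline with an exposed SMB service and an old OpenSSH, and a re-scan after patching.

```python
"""Compare two Nmap XML reports (-oX) to validate remediation.

Added example, not code from the original article or the Nmap project
(Nmap's own ndiff tool does this job on real reports). The two reports
below are constructed: a baseline with an exposed SMB service and an old
OpenSSH, and a re-scan after patching.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
</ports></host></nmaprun>
"""

RESCAN_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX rescan.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt" product="nginx" version="1.24.0"/></port>
</ports></host></nmaprun>
"""

PortKey = Tuple[str, int]   # (protocol, port number)


def open_ports(xml_text: str) -> Dict[str, Dict[PortKey, str]]:
    """Map each host address to its open ports and a service description."""
    hosts: Dict[str, Dict[PortKey, str]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports: Dict[PortKey, str] = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            desc = ""
            if svc is not None:
                # prefer "product version"; fall back to the generic service name
                desc = (" ".join(x for x in (svc.get("product"), svc.get("version")) if x)
                        or svc.get("name", ""))
            ports[(port.get("protocol"), int(port.get("portid")))] = desc
        hosts[addr] = ports
    return hosts


def diff_scans(baseline_xml: str, rescan_xml: str) -> Dict[str, List[tuple]]:
    """Report what changed between baseline and re-scan, per host and port.

    A host missing from the re-scan is treated as having no open ports, so all
    of its baseline ports show up as closed; confirm such hosts with -Pn before
    counting them as fixed, since a host that merely stopped answering pings
    looks the same.
    """
    before, after = open_ports(baseline_xml), open_ports(rescan_xml)
    report: Dict[str, List[tuple]] = {"new": [], "closed": [], "changed": []}
    for host in sorted(set(before) | set(after)):
        b, a = before.get(host, {}), after.get(host, {})
        for proto, num in sorted(set(b) | set(a)):
            key = (proto, num)
            if key not in b:
                report["new"].append((host, proto, num, a[key]))
            elif key not in a:
                report["closed"].append((host, proto, num, b[key]))
            elif a[key] != b[key]:
                report["changed"].append((host, proto, num, b[key], a[key]))
    return report


if __name__ == "__main__":
    for kind, entries in diff_scans(BASELINE_XML, RESCAN_XML).items():
        for entry in entries:
            print(kind, *entry)
```

The "new" list is the one to read first: a re-scan that confirms SMB is gone but also shows a fresh 8443 nobody asked for is a change-management finding in its own right, not just a successful remediation.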

Real World Nmap Scanning – Tactics & Results

While everyone's environment differs, here are some Nmap scan examples in various industries revealing insecure configurations:

Healthcare Network

nmap -v -sS -sU -sV -p T:20,21,22,80,139,443,445,3389,5900,8080,U:69 --script vuln 10.2.x.x/24

Findings:

  • Windows Server 2003 IIS 6.0 (EOL/vulnerable)
  • TFTP server enabled on clinical workstation
  • Multiple SMBv1 vulnerabilities

E-Commerce Application

nmap -p 80,443 --script="http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,http-git,http-phpself-xss,http-rfi-spider,http-tplink-c2-bypass,http-vuln*" mystore.com

Findings:

  • HTTP PUT enabled
  • Apache Struts RCE vulnerability
  • Access to .git folder exposing code

Tune scans to your goals across networks, web apps, cloud environments and more.

Securing Networks from Nmap Reconnaissance

Understanding reconnaissance tools extends to defending environments against malicious actors leveraging them.

Detecting and preventing Nmap scanning involves:

Traffic Analysis – A burst of connection attempts from one source across many ports, or TCP segments with unusual flag combinations (no flags at all, FIN alone, or FIN/PSH/URG together), are classic scan symptoms. Tune monitoring tools to alert on them, and allowlist your own authorized scanners so the alerts stay meaningful.

Honeypots – These decoy networks/services tempt attackers, detecting scans through activity without risking production.

IDS Signatures – Signature and protocol anomaly rules identify Nmap scanning patterns like idle zombie scans or FIN/Xmas tree scans.

Network Segregation – Segmenting networks limits lateral movement and recon scanning from compromises. VPCs, VLANs and internal firewall filtering help prevent unfettered access.

Vulnerability Management – Simply reducing detectable vulnerabilities and unpatched software provides less incentive and attack surface. Starve attackers!

Defense in depth combining the above increases resilience.
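As an added example of the traffic-analysis and IDS-signature points above (not code from the original article), the detector below reads iptables LOG lines in the form a Linux firewall writes to syslog and raises two kinds of alert: a source that touches at least a threshold number of distinct TCP ports inside a sliding time window (a SYN or connect sweep), and segments carrying the flag combinations that Nmap's FIN (-sF), NULL (-sN) and Xmas (-sX) scans send. The log lines are constructed for the example; the field layout (SRC=, DPT=, PROTO= plus bare flag words) follows the iptables LOG target, while the timestamps, addresses and ports are made up.

```python
"""Flag Nmap-style port sweeps and odd-flag scans in iptables LOG lines.

Added example, not code from the original article. The log lines below are
constructed; the field layout follows the iptables LOG target's syslog
format (key=value fields plus bare TCP flag words), while the addresses,
ports and times are made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def _log_line(ts: str, src: str, dpt: int, flags: str) -> str:
    """Build one constructed iptables LOG line (helper for the sample only)."""
    return (f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=44 TTL=54 "
            f"PROTO=TCP SPT=43210 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG: List[str] = (
    # a SYN sweep: one source, 20 distinct ports within four seconds
    [_log_line(f"Mar  3 10:15:0{1 + i // 5}", "203.0.113.5", 1 + i, "SYN") for i in range(20)]
    # an Xmas scan (FIN/PSH/URG) and a NULL scan (no flags) from a second source
    + [_log_line("Mar  3 10:16:00", "198.51.100.9", p, "FIN PSH URG") for p in (22, 80, 443)]
    + [_log_line("Mar  3 10:16:01", "198.51.100.9", 22, "")]
    # a legitimate client: many connections, but always to the one port
    + [_log_line(f"Mar  3 10:17:{i:02d}", "192.0.2.50", 443, "SYN") for i in range(25)]
)


def parse_line(line: str) -> Tuple[datetime, Dict[str, str], Set[str]]:
    """Split a LOG line into its syslog timestamp, key=value fields and TCP flags."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # syslog stamps carry no year
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return ts, fields, flags


def classify_flags(flags: Set[str]) -> Optional[str]:
    """Name the Nmap stealth-scan type a flag set matches, if any."""
    if not flags:
        return "NULL scan"
    if {"FIN", "PSH", "URG"} <= flags and not flags & {"SYN", "ACK", "RST"}:
        return "Xmas scan"
    if flags == {"FIN"}:
        return "FIN scan"
    return None


def detect(lines: List[str], window_s: int = 60, port_threshold: int = 15) -> List[Tuple[str, str]]:
    """Return (source, alert) pairs, at most one per source and alert type.

    A sweep is reported once a source has hit at least PORT_THRESHOLD distinct
    destination ports within the last WINDOW_S seconds. Lines must arrive in
    time order, as they do from syslog.
    """
    recent: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    alerts: List[Tuple[str, str]] = []
    raised: Set[Tuple[str, str]] = set()

    def raise_once(src: str, kind: str) -> None:
        if (src, kind) not in raised:
            raised.add((src, kind))
            alerts.append((src, kind))

    for line in lines:
        ts, fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        src, dpt = fields["SRC"], int(fields["DPT"])
        kind = classify_flags(flags)
        if kind:
            raise_once(src, kind)
        # keep only this source's hits inside the sliding window, then count ports
        cutoff = ts - timedelta(seconds=window_s)
        recent[src] = [(t, p) for t, p in recent[src] if t >= cutoff] + [(ts, dpt)]
        if len({p for _, p in recent[src]}) >= port_threshold:
            raise_once(src, "port sweep")
    return alerts


if __name__ == "__main__":
    for src, kind in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```

Counting distinct destination ports rather than raw connection attempts is what keeps the busy-but-legitimate client quiet; tune the window and threshold to your own traffic, and remember that a slow scan (Nmap -T0/-T1, or --scan-delay) spreads its probes beyond any single window, so logging the per-source port set over a longer horizon is the next step.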

Extending Nmap Knowledge

This guide outlined utilizing Nmap for vulnerability scanning, but there's always more to learn!

Awesome-Nmap – This curated list of resources spans books, courses, GitHub projects, scripts and more.

Nmap Network Scanning – This definitive guide by Gordon Lyon dives deeper across over 400 pages.

Nmap‘s Ncrack – Try cracking passwords by leveraging Nmap‘s speed, parallelism and I/O handling!

I'm always posting the latest network security analyses on my newsletter – come join 300+ subscribers benefiting from practical, entertaining insights monthly.

Nmap delivers versatility spanning simple port scanning to detecting the most subtle vulnerabilities and misconfigurations – give it a try supercharging your cybersecurity toolkit!