Nmap - Tips About How to Use It Efficiently

Security engineers and professional penetration testers use numerous tools to assess the security posture of their targets, whether they are executing a port scan for host discovery, listing the open TCP/UDP ports of an IP address, probing a firewall rule, or detecting an operating system. For example, BlackArch Linux, a pen-testing-oriented Arch Linux distribution, comes with more than 2000 tools preinstalled. But despite all of these tools, many network administrators still use Nmap to scan networks from a Linux command line as a network mapper, port scanner, operating system detection tool, or for quick attempts to determine if systems can be easily hacked. This is not another Gordon "Fyodor" Lyon Nmap tutorial about how to scan network hosts, but a look at how it can be used efficiently.

Syn Cubes Community - October 31, 2022

Is Nmap a vulnerability scanner?

The initial scope of the Nmap project was to offer an open-source tool for network exploration and security auditing, to help network engineers accomplish their tasks. However, the tool has evolved since version 4.50. The newer versions of Nmap, from 7.90 onward, can be used for a variety of purposes, including web application penetration testing. So, yes, today Nmap could be considered a vulnerability scanner.

Nmap top benefits

As we outlined previously, Nmap users can run scripts at the same time and with the same speed and efficiency as they would with other programs. Nmap comes with a large and growing set of scripts, and users can also write their own to meet their specific needs.

  • Adaptable—The way it can be used to scan for vulnerable web applications is by using scripts that send requests to scoped URLs and look for unusual responses.
  • Modular—Nmap's NSE (Nmap Scripting Engine) is one of the most powerful and flexible features. It allows users to write and share simple NSE scripts to automate a wide variety of probing tasks. Currently, scripts are distributed in categories like auth, broadcast, default, discovery, DoS, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
  • Accurate—In an era where open-source and automated tools are widely available, it might seem unnecessary to use a tool such as Nmap for testing modern web applications. Yet keep in mind that any tool is only as good and accurate as its developer's knowledge level. Penetration testers who have been doing the job for a while know how web applications work, and they tweak and write custom NSE scripts. This helps them focus on getting average results while enumerating the low-hanging issues rapidly.
  • Versatile—Although Nmap does not have a feature to save scans in HTML, it is possible to convert Nmap scan / Zenmap XML output to HTML or PDF automatically. We call this one of the “less known” features that outmatches many other options out there.

    CLI :: xsltproc [nmap_scan_results_xml_format] -o [output_file.html]

Nmap Scan - HTML Report Example

Challenges of using Nmap

There are several challenges that come with Nmap as a security scanner:

  • Most current IDS, IPS, and firewall technologies have signature patterns for Nmap scanning.
  • Like any other tool, one challenge is that Nmap can generate false positives, which means that it may require extra effort to confirm the result.
  • The Nmap Scripting Engine is hard to learn and could be a no-go option for someone who wants to write new NSE vulnerability checks quickly to find and exploit rare bugs.
  • There is limited use-case information available for some default NSE scripts.
  • The official Nmap download package comes with a generous library of 604 entries, which is a bliss for a common user but also a curse, because it can be confusing which scripts can be used and under what circumstances. To query and display more details about any of them, or a class of them, Nmap has the nmap --script-help "[script_name]" switch. Alternatively, you could use a Python script like this to produce a similar output.
    Nmap Script Search - Python Concept v1.0
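
One way to write such a script search, as an added example (this is not the script from the original screenshot): it parses the script.db index that ships alongside the NSE scripts and filters by name keyword and category. The /usr/share/nmap/scripts/script.db path is an assumption for a typical Linux install, and the embedded sample entries are constructed for illustration.

```python
"""Search Nmap's NSE script index (script.db) by name keyword and category."""
import re
import sys
from pathlib import Path

# Typical Linux location; an assumption, adjust for your installation.
DEFAULT_DB = Path("/usr/share/nmap/scripts/script.db")

# Constructed sample in script.db's "Entry { ... }" line format, used when no
# real index is found. The categories shown are illustrative.
SAMPLE_DB = '''
Entry { filename = "http-backup-finder.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-open-redirect.nse", categories = { "discovery", "intrusive", } }
'''

ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}')


def parse_script_db(text):
    """Return {script_name: set_of_categories} from script.db text."""
    index = {}
    for filename, cats in ENTRY_RE.findall(text):
        name = filename[:-4] if filename.endswith(".nse") else filename
        index[name] = set(re.findall(r'"([^"]+)"', cats))
    return index


def search(index, keyword="", include=(), exclude=()):
    """Names containing `keyword` that are in every `include` category and in
    no `exclude` category (e.g. exclude 'intrusive' and 'dos' for production)."""
    hits = []
    for name, cats in index.items():
        if keyword.lower() not in name.lower():
            continue
        if set(include) <= cats and not (set(exclude) & cats):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    db_text = DEFAULT_DB.read_text() if DEFAULT_DB.exists() else SAMPLE_DB
    idx = parse_script_db(db_text)
    keyword = sys.argv[1] if len(sys.argv) > 1 else "http"
    for name in search(idx, keyword, exclude=("intrusive", "dos")):
        print(f"{name:32} {', '.join(sorted(idx[name]))}")
```

Run it with a keyword argument (for example `http`) to list the matching scripts that are not tagged intrusive or dos, then pass a chosen name to nmap --script-help for the full description.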

Common tips for using Nmap

Before using this tool, it is strongly advised to:

  • Read the official Nmap book.
  • Choose the right options. Nmap has a lot of options, and not all of them are necessary for every scan.
  • Get familiar with and use the available scripts to fingerprint running technologies, such as the server software and installed frameworks.
  • Use the nmap-users mailing list for help with understanding Nmap as a tool.
  • Use the nmap-dev mailing list for help with customizing Nmap.

Top 10 Nmap NSE scripts for AppSec to remember

#   NSE Script Name     Usage
1.  http-open-redirect  nmap -sV --script http-open-redirect [target]
2.  http-backup-finder  nmap -sV --script http-backup-finder [target]
3.  http-enum           nmap -sV --script http-enum [target]
4.  http-grep           nmap -sV --script http-grep [target]
5.  vulscan             nmap -sV --script vulscan [target]
6.  xss testing         nmap -sV --script http-unsafe-output-escaping [target]
7.  shodan-api          nmap --script shodan-api --script-args 'shodan-api.target=[Target_IP],shodan-api.apikey=Shodan_API_KEY'
8.  nmap-censys         nmap -sn -Pn -n --script censys-api [target_domain]
9.  nmap-log4shell      nmap --script log4shell.nse --script-args log4shell.callback-server=[callback_server_ip]:[port] -p [port_number] [target]
10. http-git            nmap -sV --script http-git [target]

Alternatives to Nmap

There are various tools available that can be used as alternatives to Nmap. Some of these tools are discussed below:

  • Zgrab2 :: ZGrab is a network scanner that quickly scans a large area of the internet. It works with ZMap to identify hosts that are open (responding to L4 requests) and then performs more detailed scans (L7 handshakes) on those hosts. Unlike the other tools, ZGrab also outputs transcripts of all messages exchanged in network handshakes, which can be used for offline analysis.
  • Hping3 :: Hping3 is a low-level network tool used for sending custom ICMP/UDP/TCP packets and measuring the response time. It can be used for troubleshooting, network security, and very verbose packet analysis.

    Hping3 can be used for port scanning by specifying the target host and port number. For example, the following command will scan port 80 on host example.com:

    hping3 -c 10 -s 80 -p 22 --scan 1-100 [target]

  • Firewalk :: Firewalk is another unique open source tool for network auditing. It can be used to determine the viability of a given network security configuration. Firewalk works by sending out TCP or UDP packets with a TTL (time to live) value of one, and then monitoring the responses it receives. If a router responds with an ICMP error message, it means that the router is configured to block traffic from the source IP address. If no ICMP error message is received, it means that the router is configured to allow traffic from the source IP address. [Note] Firewalk can be used in conjunction with Nmap via a firewalk NSE script.
  • Scapy :: Scapy is a packet crafting tool that allows users to create, manipulate, and send custom packets. It can be used for a variety of tasks such as network discovery, scanning, and fuzzing. Scapy is written in Python and makes use of the Scapy library.


Nmap is a powerful network security tool that can be used for a variety of tasks, including network mapping, port scanning, and vulnerability assessment. It is an essential tool in any network administrator's or security professional's arsenal. One of Nmap's biggest advantages is that it can be extended and used with many other tools.

How can the Syn Cubes team help?

The rapid and ongoing evolution of the cyber threat landscape makes it difficult for organizations to accurately determine their security posture. Additionally, new technologies can make it very challenging for security teams to identify network vulnerabilities. White hacking attempts of your security posture have become a necessity in the digital age, so you need to partner with a knowledgeable vendor that helps you stay protected.

Syn Cubes' Penetration Testing as a Service approach is an excellent alternative for organizations looking to assess their cybersecurity risk from a highly skilled threat actor perspective.
