Network Reconnaissance with Nmap: The Complete Guide

sudo apt update sudo apt install nmap 

sudo yum install nmap # or on newer versions sudo dnf install nmap 

brew install nmap 

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-15 10:30 UTC Nmap scan report for example.com (192.168.1.100) Host is up (0.0052s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 80/tcp open http Apache httpd 2.4.41 443/tcp open ssl/http Apache httpd 2.4.41 8080/tcp filtered http-proxy MAC Address: 00:1B:44:11:3A:B7 (Dell Inc.) 

# Basic ping sweep nmap -sn 192.168.1.0/24 # ICMP echo, timestamp, and netmask requests nmap -PE -PP -PM 192.168.1.0/24 # Disable ping (useful when ICMP is blocked) nmap -Pn 192.168.1.100 

# TCP SYN ping to common ports nmap -PS22,80,443 192.168.1.0/24 # TCP ACK ping nmap -PA22,80,443 192.168.1.0/24 # TCP connect ping nmap -PT22,80,443 192.168.1.0/24 

# UDP ping to common ports nmap -PU53,161,137 192.168.1.0/24 

# ARP ping (works only on local network) nmap -PR 192.168.1.0/24 # List scan (no port scan, just list targets) nmap -sL 192.168.1.0/24 

# Comprehensive host discovery nmap -PE -PP -PS21,22,23,25,53,80,139,443,993,995 \ -PA80,113,443,10042 -PU53,137,161,500 \ --source-port 53 192.168.1.0/24 

# Default scan type (requires root privileges) nmap -sS 192.168.1.100 # Specific ports nmap -sS -p 22,80,443 192.168.1.100 # Port ranges nmap -sS -p 1-1000 192.168.1.100 

# Full TCP connection (doesn't require root) nmap -sT 192.168.1.100 # Faster but noisier than SYN scan nmap -sT -p 1-65535 192.168.1.100 

# Firewall/IDS evasion and mapping nmap -sA 192.168.1.100 # Useful for determining firewall rules nmap -sA -p 80,443 192.168.1.0/24 

# Similar to ACK scan but examines window size nmap -sW 192.168.1.100 

# Sends FIN/ACK packets nmap -sM 192.168.1.100 

# Basic UDP scan nmap -sU 192.168.1.100 # Top UDP ports only nmap -sU --top-ports 100 192.168.1.100 # Combine with TCP scanning nmap -sS -sU 192.168.1.100 

# Stealthier than SYN scan nmap -sF 192.168.1.100 

# No flags set nmap -sN 192.168.1.100 

# FIN, PSH, and URG flags set nmap -sX 192.168.1.100 

# Uses a zombie host to scan target nmap -sI zombie_host:port target_host 

# Specific ports nmap -p 22,80,443,8080 192.168.1.100 # Port ranges nmap -p 1-1000 192.168.1.100 # All ports nmap -p- 192.168.1.100 # Top ports (most common) nmap --top-ports 100 192.168.1.100 # Exclude specific ports nmap -p 1-1000 --exclude-ports 25,135 192.168.1.100 # Protocol-specific ports nmap -p T:80,443,U:53,161 192.168.1.100 

# Enable service detection nmap -sV 192.168.1.100 # Increase intensity (0-9, default is 7) nmap -sV --version-intensity 9 192.168.1.100 # Light service detection (faster) nmap -sV --version-intensity 0 192.168.1.100 

# Version detection with scripts nmap -sC -sV 192.168.1.100 # All aggressive options (OS detection, version detection, script scanning, traceroute) nmap -A 192.168.1.100 # Custom version detection probes nmap -sV --version-all 192.168.1.100 

# HTTP service enumeration nmap -p 80,443 --script http-enum 192.168.1.100 # HTTP headers and server information nmap -p 80 --script http-headers,http-server-header 192.168.1.100 # SSL/TLS information nmap -p 443 --script ssl-enum-ciphers 192.168.1.100 

# SSH algorithm and version enumeration nmap -p 22 --script ssh2-enum-algos 192.168.1.100 # SSH host key information nmap -p 22 --script ssh-hostkey 192.168.1.100 

# SMB enumeration nmap -p 139,445 --script smb-enum-shares,smb-enum-users 192.168.1.100 # NetBIOS information nmap -p 137-139 --script nbstat 192.168.1.100 

# DNS enumeration nmap -p 53 --script dns-zone-transfer 192.168.1.100 # DNS cache snooping nmap -p 53 --script dns-cache-snoop 192.168.1.100 

# Enable OS detection nmap -O 192.168.1.100 # Aggressive OS detection nmap -O --osscan-guess 192.168.1.100 # OS detection with version scanning nmap -O -sV 192.168.1.100 

# Maximum OS detection attempts nmap -O --max-os-tries 5 192.168.1.100 # OS detection against specific ports nmap -O --osscan-limit 192.168.1.100 # Fuzzy OS matching nmap -O --fuzzy 192.168.1.100 

Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop 

# Run default scripts nmap -sC 192.168.1.100 # Run specific script nmap --script http-enum 192.168.1.100 # Run scripts by category nmap --script vuln 192.168.1.100 # Run multiple scripts nmap --script "http-* and not http-brute" 192.168.1.100 

# Script with arguments nmap --script http-enum --script-args http-enum.basepath='/admin/' 192.168.1.100 # Multiple script arguments nmap --script smb-enum-shares --script-args smbusername=admin,smbpassword=password 192.168.1.100 # Script debugging nmap --script http-enum --script-trace 192.168.1.100 

# Comprehensive vulnerability scan nmap --script vuln 192.168.1.100 # Specific vulnerability checks nmap --script ms17-010 192.168.1.100 # SQL injection detection nmap --script http-sql-injection 192.168.1.100 # SSL/TLS vulnerabilities nmap --script ssl-heartbleed,ssl-poodle,ssl-ccs-injection 192.168.1.100 

-- Example NSE script local nmap = require "nmap" local shortport = require "shortport" local http = require "http" description = [[ Example HTTP service detection script. ]] author = "Your Name" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"safe", "discovery"} portrule = shortport.http action = function(host, port) local response = http.get(host, port, "/") if response.status == 200 then return "HTTP service detected" end return nil end 

# Timing templates (0-5, 0 is slowest/stealthiest) nmap -T0 192.168.1.100 # Paranoid nmap -T1 192.168.1.100 # Sneaky nmap -T2 192.168.1.100 # Polite nmap -T3 192.168.1.100 # Normal (default) nmap -T4 192.168.1.100 # Aggressive nmap -T5 192.168.1.100 # Insane # Custom timing nmap --scan-delay 5s 192.168.1.100 nmap --max-scan-delay 10s 192.168.1.100 nmap --min-rate 100 192.168.1.100 nmap --max-rate 1000 192.168.1.100 

# Fragment packets nmap -f 192.168.1.100 # Double fragmentation nmap -ff 192.168.1.100 # Custom MTU (must be multiple of 8) nmap --mtu 16 192.168.1.100 # Decoy scanning nmap -D RND:10 192.168.1.100 nmap -D decoy1,decoy2,ME,decoy3 192.168.1.100 

# Spoof source IP nmap -S spoof_ip 192.168.1.100 # Source port specification nmap --source-port 53 192.168.1.100 nmap -g 80 192.168.1.100 # Randomize source port nmap --randomize-hosts 192.168.1.0/24 

# Send bad checksums nmap --badsum 192.168.1.100 # Custom data in packets nmap --data 0xdeadbeef 192.168.1.100 # Custom packet length nmap --data-length 100 192.168.1.100 # IPv6 scanning for firewall bypass nmap -6 2001:db8::1 # Proxychains integration proxychains nmap -sT 192.168.1.100 

# Traceroute during scanning nmap -sS --traceroute 192.168.1.100 # Reverse DNS resolution nmap -sL 192.168.1.0/24 # DNS resolution control nmap -n 192.168.1.100 # No DNS resolution nmap -R 192.168.1.100 # Force DNS resolution 

# Efficient large network scanning nmap -sS -T4 --min-hostgroup 50 --min-parallelism 50 \ --host-timeout 5m --max-rtt-timeout 2s \ --initial-rtt-timeout 500ms --max-retries 3 \ --top-ports 1000 192.168.0.0/16 # Distributed scanning approach nmap -sS --randomize-hosts -oA scan_batch_1 \ 192.168.1.1-50 nmap -sS --randomize-hosts -oA scan_batch_2 \ 192.168.1.51-100 

nmap -p 80,443,8080,8443 \ --script "http-* and not http-brute and not http-slowloris*" \ --script-args http.useragent="Mozilla/5.0 (compatible)" \ 192.168.1.0/24 

nmap -p 1433,3306,5432,1521,27017 \ --script "mysql-*,ms-sql-*,oracle-*,pgsql-*,mongodb-*" \ 192.168.1.0/24 

nmap -p 25,110,143,993,995 \ --script "smtp-*,pop3-*,imap-*" \ 192.168.1.0/24 

# Normal output (default) nmap -oN scan_results.txt 192.168.1.100 # XML output nmap -oX scan_results.xml 192.168.1.100 # Grepable output nmap -oG scan_results.gnmap 192.168.1.100 # All formats nmap -oA scan_results 192.168.1.100 

# Verbose output nmap -v 192.168.1.100 # Extra verbose nmap -vv 192.168.1.100 # Debugging output nmap -d 192.168.1.100 # Packet trace nmap --packet-trace 192.168.1.100 # Append to existing file nmap --append-output -oN existing_file.txt 192.168.1.100 

# Using xsltproc xsltproc scan_results.xml > scan_results.html # Using Nmap's built-in XSL xsltproc /usr/share/nmap/nmap.xsl scan_results.xml > report.html 

# Extract open ports grep "open" scan_results.gnmap # Find specific services grep -i "ssh\|telnet\|ftp" scan_results.gnmap # Extract live hosts grep "Status: Up" scan_results.gnmap | cut -d' ' -f2 

#!/usr/bin/env python3 import xml.etree.ElementTree as ET import sys def parse_nmap_xml(xml_file): tree = ET.parse(xml_file) root = tree.getroot() results = [] for host in root.findall('host'): # Get host IP  ip = host.find('address').get('addr') # Get hostname if available  hostname = "" hostnames = host.find('hostnames') if hostnames is not None: hostname_elem = hostnames.find('hostname') if hostname_elem is not None: hostname = hostname_elem.get('name') # Get open ports  ports = host.find('ports') if ports is not None: for port in ports.findall('port'): state = port.find('state').get('state') if state == 'open': port_num = port.get('portid') protocol = port.get('protocol') service = port.find('service') service_name = service.get('name') if service is not None else 'unknown' results.append({ 'ip': ip, 'hostname': hostname, 'port': port_num, 'protocol': protocol, 'service': service_name }) return results if __name__ == "__main__": if len(sys.argv) != 2: print("Usage: python3 parse_nmap.py <xml_file>") sys.exit(1) results = parse_nmap_xml(sys.argv[1]) print(f"{'IP':<15} {'Hostname':<20} {'Port':<8} {'Protocol':<10} {'Service'}") print("-" * 70) for result in results: print(f"{result['ip']:<15} {result['hostname']:<20} {result['port']:<8} {result['protocol']:<10} {result['service']}") 

# Discover live hosts nmap -sn 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 # ARP scan for local segment nmap -PR 192.168.1.0/24 

# Quick port scan of common services nmap -sS --top-ports 1000 -T4 -oA quick_scan target_list.txt # Comprehensive scan of discovered hosts nmap -sS -sU -p- -A -T4 -oA comprehensive_scan target_list.txt 

# Deep service analysis nmap -sC -sV -p- -A --script "not brute and not dos and not exploit" \ -oA service_enum target_list.txt 

# DNS enumeration nmap -sL target_domain.com # Subdomain discovery nmap --script dns-brute target_domain.com 

# Stealthy external scan nmap -sS -T2 -f --randomize-hosts \ --source-port 53 -oA external_scan \ target_ranges.txt 

# Web service enumeration nmap -p 80,443,8080,8443 \ --script http-enum,http-headers,http-methods,ssl-enum-ciphers \ -oA web_services target_list.txt 

# Comprehensive vulnerability scan nmap -sV --script "vuln and not (dos or exploit or brute)" \ --script-args vulns.showall \ -oA vuln_assessment target_list.txt # Specific vulnerability checks nmap --script ms17-010,eternal-blue,heartbleed,poodle \ -p 445,443 target_list.txt 

# Export Nmap results to Metasploit db_import scan_results.xml # Use Nmap from within Metasploit db_nmap -sS -A 192.168.1.0/24 

# Import Nmap results into Nessus # Export as XML and import through Nessus interface # Use Nmap for host discovery, Nessus for vulnerability assessment nmap -sn 192.168.1.0/24 -oG live_hosts.txt 

#!/bin/bash # automated_recon.sh TARGET=$1 OUTPUT_DIR="recon_$(date +%Y%m%d_%H%M%S)" if [ -z "$TARGET" ]; then echo "Usage: $0 <target>" exit 1 fi mkdir -p "$OUTPUT_DIR" cd "$OUTPUT_DIR" echo "[+] Starting reconnaissance of $TARGET" # Phase 1: Host Discovery echo "[+] Phase 1: Host Discovery" nmap -sn "$TARGET" -oA host_discovery # Extract live hosts grep "Status: Up" host_discovery.gnmap | cut -d' ' -f2 > live_hosts.txt if [ ! -s live_hosts.txt ]; then echo "[-] No live hosts found" exit 1 fi echo "[+] Found $(wc -l < live_hosts.txt) live hosts" # Phase 2: Port Scanning echo "[+] Phase 2: Port Scanning" nmap -sS --top-ports 1000 -T4 -iL live_hosts.txt -oA port_scan # Phase 3: Service Detection echo "[+] Phase 3: Service Detection" nmap -sC -sV -iL live_hosts.txt -oA service_detection # Phase 4: Vulnerability Assessment echo "[+] Phase 4: Vulnerability Assessment" nmap --script vuln -iL live_hosts.txt -oA vulnerability_scan # Generate summary report echo "[+] Generating summary report" { echo "Reconnaissance Summary Report" echo "=============================" echo "Target: $TARGET" echo "Date: $(date)" echo "" echo "Live Hosts: $(wc -l < live_hosts.txt)" echo "" echo "Open Ports Summary:" grep "open" port_scan.gnmap | cut -d' ' -f3 | sort | uniq -c | sort -nr echo "" echo "Services Detected:" grep -oP '\d+/tcp\s+open\s+\K\S+' service_detection.nmap | sort | uniq -c | sort -nr } > summary_report.txt echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/" 

# Optimized scanning for different scenarios # Fast internal network scan nmap -sS -T4 --min-hostgroup 50 --max-rtt-timeout 100ms \ --initial-rtt-timeout 50ms --max-retries 1 \ --top-ports 100 192.168.1.0/24 # Stealth external scan nmap -sS -T1 --scan-delay 5s --max-scan-delay 10s \ --randomize-hosts target_list.txt # Balanced comprehensive scan nmap -sS -T3 --min-hostgroup 10 --max-rtt-timeout 500ms \ --max-retries 2 -p- target_list.txt 

# Memory optimization for large scans ulimit -n 65536 # Increase file descriptor limit # Parallel scanning with GNU parallel parallel -j 4 "nmap -sS -T4 --top-ports 1000 -oA scan_{} {}" \ ::: 192.168.1.0/26 192.168.1.64/26 192.168.1.128/26 192.168.1.192/26 # Distributed scanning nmap --shard 1/4 -sS target_range # Scanner 1 of 4 nmap --shard 2/4 -sS target_range # Scanner 2 of 4 

# Use conservative timing to avoid service disruption nmap -T2 --scan-delay 1s target # Limit concurrent connections nmap --max-parallelism 10 target # Avoid DoS-prone scripts nmap --script "safe and not dos" target 

# Review local logs after scanning tail -f /var/log/nmap.log # Use decoy scans to obscure origin nmap -D RND:5 target 

# Use jump boxes or dedicated scanning systems ssh jump_box "nmap -sS target_network" 

# Encrypt sensitive scan results gpg --cipher-algo AES256 --compress-algo 1 --symmetric scan_results.xml # Use secure file transfer scp scan_results.xml.gpg secure_server:/encrypted_storage/ 

-- Advanced service enumeration script local nmap = require "nmap" local shortport = require "shortport" local http = require "http" local stdnse = require "stdnse" local json = require "json" description = [[ Advanced HTTP service fingerprinting with technology stack detection. ]] author = "Security Researcher" license = "Same as Nmap" categories = {"safe", "discovery", "version"} portrule = shortport.http action = function(host, port) local results = {} -- Basic HTTP request local response = http.get(host, port, "/") if not response or not response.status then return nil end results["status"] = response.status -- Server header analysis if response.header and response.header["server"] then results["server"] = response.header["server"] end -- Technology stack detection local technologies = {} -- Check for common frameworks if response.body then if string.match(response.body, "wp%-content") then table.insert(technologies, "WordPress") end if string.match(response.body, "Powered by Drupal") then table.insert(technologies, "Drupal") end if string.match(response.body, "X%-Powered%-By.*PHP") then table.insert(technologies, "PHP") end end if #technologies > 0 then results["technologies"] = technologies end -- Security headers check local security_headers = {} local headers_to_check = { "x-frame-options", "x-xss-protection", "x-content-type-options", "strict-transport-security", "content-security-policy" } for _, header in ipairs(headers_to_check) do if response.header[header] then security_headers[header] = response.header[header] end end if next(security_headers) then results["security_headers"] = security_headers end return stdnse.format_output(true, results) end 

#!/usr/bin/env python3 import subprocess import json import requests import xml.etree.ElementTree as ET from datetime import datetime class NmapAPI: def __init__(self, api_endpoint=None, api_key=None): self.api_endpoint = api_endpoint self.api_key = api_key def run_scan(self, targets, scan_type="comprehensive", output_format="json"): """Execute Nmap scan and return structured results""" scan_configs = { "quick": "-sS --top-ports 100 -T4", "comprehensive": "-sS -sV -sC -O -A --script 'not brute and not dos'", "stealth": "-sS -T2 -f --source-port 53", "vulnerability": "--script vuln" } nmap_args = scan_configs.get(scan_type, scan_configs["comprehensive"]) # Construct Nmap command  cmd = f"nmap {nmap_args} -oX - {targets}" try: # Execute scan  process = subprocess.Popen( cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True ) stdout, stderr = process.communicate() if process.returncode != 0: raise Exception(f"Nmap execution failed: {stderr}") # Parse XML output  results = self.parse_xml_output(stdout) # Send to API if configured  if self.api_endpoint: self.send_to_api(results) return results except Exception as e: print(f"Scan failed: {e}") return None def parse_xml_output(self, xml_output): """Parse Nmap XML output into structured format""" root = ET.fromstring(xml_output) scan_info = { "scan_time": datetime.now().isoformat(), "scanner_version": root.get("version"), "hosts": [] } for host in root.findall("host"): host_info = { "ip": host.find("address").get("addr"), "status": host.find("status").get("state"), "hostnames": [], "ports": [], "os_matches": [] } # Extract hostnames  hostnames_elem = host.find("hostnames") if hostnames_elem is not None: for hostname in hostnames_elem.findall("hostname"): host_info["hostnames"].append({ "name": hostname.get("name"), "type": hostname.get("type") }) # Extract ports  ports_elem = host.find("ports") if ports_elem is not None: for port in ports_elem.findall("port"): port_info = { "port": int(port.get("portid")), "protocol": port.get("protocol"), "state": port.find("state").get("state") } # Service information  service_elem = port.find("service") if service_elem is not None: port_info["service"] = { "name": service_elem.get("name"), "product": service_elem.get("product"), "version": service_elem.get("version"), "extrainfo": service_elem.get("extrainfo") } # Script results  scripts = [] for script in port.findall("script"): scripts.append({ "id": script.get("id"), "output": script.get("output") }) if scripts: port_info["scripts"] = scripts host_info["ports"].append(port_info) # OS detection  os_elem = host.find("os") if os_elem is not None: for osmatch in os_elem.findall("osmatch"): host_info["os_matches"].append({ "name": osmatch.get("name"), "accuracy": int(osmatch.get("accuracy")) }) scan_info["hosts"].append(host_info) return scan_info def send_to_api(self, results): """Send results to external API""" headers = { "Content-Type": "application/json", "Authorization": f"Bearer {self.api_key}" } try: response = requests.post( f"{self.api_endpoint}/scan-results", headers=headers, json=results, timeout=30 ) response.raise_for_status() print("Results successfully sent to API") except Exception as e: print(f"Failed to send results to API: {e}") def generate_report(self, results, format_type="markdown"): """Generate formatted report from scan results""" if format_type == "markdown": return self._generate_markdown_report(results) elif format_type == "html": return self._generate_html_report(results) else: return json.dumps(results, indent=2) def _generate_markdown_report(self, results): """Generate Markdown report""" report = f"""# Network Scan Report **Scan Time:** {results['scan_time']} **Scanner Version:** {results['scanner_version']} **Total Hosts:** {len(results['hosts'])} ## Summary """ alive_hosts = [h for h in results['hosts'] if h['status'] == 'up'] report += f"- **Live Hosts:** {len(alive_hosts)}\n" total_ports = sum(len(h['ports']) for h in alive_hosts) open_ports = sum(len([p for p in h['ports'] if p['state'] == 'open']) for h in alive_hosts) report += f"- **Total Ports Scanned:** {total_ports}\n" report += f"- **Open Ports Found:** {open_ports}\n\n" # Host details  for host in alive_hosts: report += f"## Host: {host['ip']}\n\n" if host['hostnames']: report += "**Hostnames:**\n" for hostname in host['hostnames']: report += f"- {hostname['name']} ({hostname['type']})\n" report += "\n" if host['os_matches']: report += "**Operating System:**\n" for os_match in host['os_matches'][:3]: # Top 3 matches  report += f"- {os_match['name']} ({os_match['accuracy']}% accuracy)\n" report += "\n" open_ports = [p for p in host['ports'] if p['state'] == 'open'] if open_ports: report += "**Open Ports:**\n\n" report += "| Port | Protocol | Service | Version |\n" report += "|------|----------|---------|----------|\n" for port in open_ports: service_info = "" if 'service' in port and port['service']: service = port['service'] service_info = f"{service.get('name', 'unknown')}" if service.get('product'): service_info += f" ({service['product']}" if service.get('version'): service_info += f" {service['version']}" service_info += ")" report += f"| {port['port']} | {port['protocol']} | {service_info} | |\n" report += "\n" # Script results  scripts_found = False for port in open_ports: if 'scripts' in port: if not scripts_found: report += "**Script Results:**\n\n" scripts_found = True report += f"### Port {port['port']}/{port['protocol']}\n\n" for script in port['scripts']: report += f"**{script['id']}:**\n``` {% endraw %} \n{script['output']}\n {% raw %} ```\n\n" return report def _generate_html_report(self, results): """Generate HTML report""" html_template = """<!DOCTYPE html> <html> <head> <title>Network Scan Report</title> <style> body { font-family: Arial, sans-serif; margin: 20px; } .header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; } .host { border: 1px solid #ddd; margin: 20px 0; padding: 15px; border-radius: 5px; } .port-table { width: 100%; border-collapse: collapse; margin: 10px 0; } .port-table th, .port-table td { border: 1px solid #ddd; padding: 8px; text-align: left; } .port-table th { background-color: #f2f2f2; } .script-output { background-color: #f8f8f8; padding: 10px; border-left: 4px solid #007cba; margin: 10px 0; } </style> </head> <body> <div class="header"> <h1>Network Scan Report</h1> <p><strong>Scan Time:</strong> {scan_time}</p> <p><strong>Scanner Version:</strong> {scanner_version}</p> <p><strong>Total Hosts:</strong> {total_hosts}</p> </div> """.format( scan_time=results['scan_time'], scanner_version=results['scanner_version'], total_hosts=len(results['hosts']) ) alive_hosts = [h for h in results['hosts'] if h['status'] == 'up'] for host in alive_hosts: html_template += f""" <div class="host"> <h2>Host: {host['ip']}</h2> """ if host['hostnames']: html_template += "<h3>Hostnames:</h3><ul>" for hostname in host['hostnames']: html_template += f"<li>{hostname['name']} ({hostname['type']})</li>" html_template += "</ul>" open_ports = [p for p in host['ports'] if p['state'] == 'open'] if open_ports: html_template += """ <h3>Open Ports:</h3> <table class="port-table"> <tr><th>Port</th><th>Protocol</th><th>Service</th><th>Version</th></tr> """ for port in open_ports: service_info = "unknown" version_info = "" if 'service' in port and port['service']: service = port['service'] service_info = service.get('name', 'unknown') if service.get('product'): version_info = service['product'] if service.get('version'): version_info += f" {service['version']}" html_template += f""" <tr> <td>{port['port']}</td> <td>{port['protocol']}</td> <td>{service_info}</td> <td>{version_info}</td> </tr> """ html_template += "</table>" html_template += "</div>" html_template += """ </body> </html> """ return html_template # Usage example if __name__ == "__main__": # Initialize scanner  scanner = NmapAPI( api_endpoint="https://api.example.com", api_key="your-api-key" ) # Run comprehensive scan  results = scanner.run_scan("192.168.1.0/24", scan_type="comprehensive") if results: # Generate reports  markdown_report = scanner.generate_report(results, "markdown") html_report = scanner.generate_report(results, "html") # Save reports  with open("scan_report.md", "w") as f: f.write(markdown_report) with open("scan_report.html", "w") as f: f.write(html_report) print("Scan completed and reports generated") 

#!/bin/bash # continuous_monitoring.sh # Configuration CONFIG_FILE="/etc/nmap-monitor/config.conf" STATE_DIR="/var/lib/nmap-monitor" LOG_FILE="/var/log/nmap-monitor.log" ALERT_WEBHOOK="https://hooks.slack.com/services/YOUR/WEBHOOK/URL" # Load configuration source "$CONFIG_FILE" 2>/dev/null || { echo "Configuration file not found. Creating default configuration..." mkdir -p "$(dirname "$CONFIG_FILE")" cat > "$CONFIG_FILE" << EOF MONITOR_TARGETS="192.168.1.0/24" SCAN_INTERVAL=3600 # 1 hour ALERT_ON_NEW_HOSTS=true ALERT_ON_NEW_PORTS=true ALERT_ON_SERVICE_CHANGES=true NMAP_OPTIONS="-sS --top-ports 1000 -sV" EOF  source "$CONFIG_FILE" } # Create directories mkdir -p "$STATE_DIR" mkdir -p "$(dirname "$LOG_FILE")" # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Send alert function send_alert() { local message="$1" local severity="${2:-INFO}" # Log the alert log "ALERT [$severity]: $message" # Send to webhook if configured if [[ -n "$ALERT_WEBHOOK" ]]; then curl -X POST -H 'Content-type: application/json' \ --data "{\"text\":\"🚨 Network Monitor Alert [$severity]: $message\"}" \ "$ALERT_WEBHOOK" 2>/dev/null fi # Send email if configured if [[ -n "$ALERT_EMAIL" ]]; then echo "$message" | mail -s "Network Monitor Alert [$severity]" "$ALERT_EMAIL" fi } # Compare scan results compare_results() { local current_scan="$1" local previous_scan="$2" if [[ ! -f "$previous_scan" ]]; then log "No previous scan found. Saving current scan as baseline." cp "$current_scan" "$previous_scan" return 0 fi # Extract host and port information awk '/Host:/ {host=$2} /open/ {print host":"$1":"$3}' "$current_scan" > "$STATE_DIR/current_hosts_ports.tmp" awk '/Host:/ {host=$2} /open/ {print host":"$1":"$3}' "$previous_scan" > "$STATE_DIR/previous_hosts_ports.tmp" # Check for new hosts if [[ "$ALERT_ON_NEW_HOSTS" == "true" ]]; then awk -F: '{print $1}' "$STATE_DIR/current_hosts_ports.tmp" | sort -u > "$STATE_DIR/current_hosts.tmp" awk -F: '{print $1}' "$STATE_DIR/previous_hosts_ports.tmp" | sort -u > "$STATE_DIR/previous_hosts.tmp" new_hosts=$(comm -23 "$STATE_DIR/current_hosts.tmp" "$STATE_DIR/previous_hosts.tmp") if [[ -n "$new_hosts" ]]; then send_alert "New hosts detected: $new_hosts" "HIGH" fi fi # Check for new ports if [[ "$ALERT_ON_NEW_PORTS" == "true" ]]; then new_ports=$(comm -23 "$STATE_DIR/current_hosts_ports.tmp" "$STATE_DIR/previous_hosts_ports.tmp") if [[ -n "$new_ports" ]]; then send_alert "New open ports detected: $new_ports" "MEDIUM" fi fi # Check for disappeared hosts/ports disappeared=$(comm -13 "$STATE_DIR/current_hosts_ports.tmp" "$STATE_DIR/previous_hosts_ports.tmp") if [[ -n "$disappeared" ]]; then send_alert "Hosts or ports no longer accessible: $disappeared" "LOW" fi # Update baseline cp "$current_scan" "$previous_scan" } # Main monitoring function run_monitor() { log "Starting network monitoring scan" local scan_output="$STATE_DIR/current_scan.nmap" local baseline_scan="$STATE_DIR/baseline_scan.nmap" # Run Nmap scan if nmap $NMAP_OPTIONS $MONITOR_TARGETS > "$scan_output" 2>&1; then log "Scan completed successfully" # Compare with previous results compare_results "$scan_output" "$baseline_scan" else send_alert "Nmap scan failed" "HIGH" log "Scan failed. Check configuration and network connectivity." fi } # Service status monitoring monitor_service_changes() { local current_services="$STATE_DIR/current_services.txt" local baseline_services="$STATE_DIR/baseline_services.txt" # Extract service information grep -E "(open|filtered)" "$STATE_DIR/current_scan.nmap" | \ awk '{print $1":"$3":"$5}' > "$current_services" if [[ -f "$baseline_services" ]] && [[ "$ALERT_ON_SERVICE_CHANGES" == "true" ]]; then service_changes=$(diff "$baseline_services" "$current_services" 2>/dev/null) if [[ -n "$service_changes" ]]; then send_alert "Service changes detected: $service_changes" "MEDIUM" fi fi cp "$current_services" "$baseline_services" } # Performance monitoring monitor_performance() { local scan_start_time=$(date +%s) run_monitor local scan_end_time=$(date +%s) local scan_duration=$((scan_end_time - scan_start_time)) log "Scan completed in ${scan_duration} seconds" # Alert if scan takes too long (indicates potential issues) if [[ $scan_duration -gt 1800 ]]; then # 30 minutes send_alert "Scan taking longer than expected: ${scan_duration} seconds" "MEDIUM" fi } # Main execution case "${1:-monitor}" in "monitor") log "Network monitoring started" monitor_performance monitor_service_changes ;; "daemon") log "Starting continuous monitoring daemon" while true; do monitor_performance monitor_service_changes log "Sleeping for ${SCAN_INTERVAL} seconds" sleep "$SCAN_INTERVAL" done ;; "test-alert") send_alert "Test alert from network monitor" "INFO" ;; "status") if [[ -f "$STATE_DIR/current_scan.nmap" ]]; then echo "Last scan: $(stat -c %y "$STATE_DIR/current_scan.nmap")" echo "Monitored targets: $MONITOR_TARGETS" echo "Scan interval: $SCAN_INTERVAL seconds" else echo "No scans found" fi ;; *) echo "Usage: $0 {monitor|daemon|test-alert|status}" exit 1 ;; esac 

#!/bin/bash # nmap_detection.sh # Analyze firewall logs for scanning patterns analyze_firewall_logs() { local log_file="$1" local time_window="${2:-300}" # 5 minutes echo "Analyzing firewall logs for potential Nmap scans..." # Detect port scanning patterns awk -v window="$time_window" ' BEGIN { print "Potential port scans detected:" print "===============================" } { # Extract timestamp, source IP, and destination port if (match($0, /([0-9]{1,3}\.){3}[0-9]{1,3}/)) { src_ip = substr($0, RSTART, RLENGTH) if (match($0, /DPT=([0-9]+)/)) { dst_port = substr($0, RSTART+4, RLENGTH-4) timestamp = $1 " " $2 " " $3 # Count connections per source IP connections[src_ip]++ ports[src_ip][dst_port] = 1 first_seen[src_ip] = (first_seen[src_ip] ? first_seen[src_ip] : timestamp) } } } END { for (ip in connections) { port_count = 0 for (port in ports[ip]) port_count++ # Flag IPs connecting to many ports if (port_count > 10) { printf "Source: %s - %d connections to %d ports (First seen: %s)\n", ip, connections[ip], port_count, first_seen[ip] } } }' "$log_file" } # Detect SYN scan patterns detect_syn_scans() { local log_file="$1" echo -e "\nSYN scan patterns:" echo "==================" # Look for high frequency of SYN packets grep "SYN" "$log_file" | \ awk '{print $1 " " $2 " " $3, $(NF-1)}' | \ sort | uniq -c | \ awk '$1 > 50 {print "High SYN frequency: " $0}' } # Main analysis if [[ $# -lt 1 ]]; then echo "Usage: $0 <firewall_log_file>" exit 1 fi analyze_firewall_logs "$1" detect_syn_scans "$1" 

#!/usr/bin/env python3 import socket import threading import logging import datetime from collections import defaultdict class PortHoneypot: def __init__(self, ports=None, bind_ip="0.0.0.0"): self.ports = ports or [21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995] self.bind_ip = bind_ip self.connections = defaultdict(int) self.scan_attempts = defaultdict(list) # Configure logging  logging.basicConfig( level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s', handlers=[ logging.FileHandler('honeypot.log'), logging.StreamHandler() ] ) self.logger = logging.getLogger(__name__) def handle_connection(self, client_socket, client_address, port): """Handle individual connection attempts""" try: self.connections[client_address[0]] += 1 self.scan_attempts[client_address[0]].append({ 'port': port, 'timestamp': datetime.datetime.now(), 'source_port': client_address[1] }) self.logger.warning(f"Connection attempt from {client_address[0]}:{client_address[1]} to port {port}") # Send fake banner based on port  banners = { 21: b"220 FTP Server ready\r\n", 22: b"SSH-2.0-OpenSSH_8.0\r\n", 23: b"Telnet Server Ready\r\n", 25: b"220 SMTP Server Ready\r\n", 80: b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n<html><body>Hello</body></html>", 443: b"HTTP/1.1 400 Bad Request\r\n\r\n" } if port in banners: client_socket.send(banners[port]) # Keep connection open briefly to appear real  client_socket.settimeout(5) try: data = client_socket.recv(1024) if data: self.logger.info(f"Received data from {client_address[0]}: {data[:100]}") except socket.timeout: pass except Exception as e: self.logger.error(f"Error handling connection: {e}") finally: client_socket.close() def start_listener(self, port): """Start listener for specific port""" try: server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server_socket.bind((self.bind_ip, port)) server_socket.listen(5) self.logger.info(f"Honeypot listening on {self.bind_ip}:{port}") while True: client_socket, client_address = server_socket.accept() # Handle connection in separate thread  handler = threading.Thread( target=self.handle_connection, args=(client_socket, client_address, port) ) handler.daemon = True handler.start() except Exception as e: self.logger.error(f"Error on port {port}: {e}") def analyze_patterns(self): """Analyze connection patterns for scanning detection""" current_time = datetime.datetime.now() for ip, attempts in self.scan_attempts.items(): # Check for port scanning patterns  recent_attempts = [ a for a in attempts if (current_time - a['timestamp']).seconds < 300 # Last 5 minutes  ] if len(recent_attempts) > 5: ports_scanned = set(a['port'] for a in recent_attempts) self.logger.critical( f"Potential port scan from {ip}: " f"{len(recent_attempts)} attempts on {len(ports_scanned)} ports" ) # Generate alert  self.generate_alert(ip, recent_attempts) def generate_alert(self, source_ip, attempts): """Generate security alert""" alert_data = { 'source_ip': source_ip, 'attempt_count': len(attempts), 'ports_targeted': list(set(a['port'] for a in attempts)), 'time_span': f"{attempts[0]['timestamp']} to {attempts[-1]['timestamp']}", 'total_connections': self.connections[source_ip] } # Write to alert file  with open('security_alerts.json', 'a') as f: import json f.write(json.dumps(alert_data) + '\n') # Here you could integrate with SIEM, send emails, etc.  self.logger.critical(f"SECURITY ALERT: {alert_data}") def start(self): """Start all honeypot listeners""" threads = [] for port in self.ports: thread = threading.Thread(target=self.start_listener, args=(port,)) thread.daemon = True thread.start() threads.append(thread) # Start pattern analysis thread  def analyze_loop(): while True: import time time.sleep(60) # Analyze every minute  self.analyze_patterns() analysis_thread = threading.Thread(target=analyze_loop) analysis_thread.daemon = True analysis_thread.start() # Keep main thread alive  try: for thread in threads: thread.join() except KeyboardInterrupt: self.logger.info("Honeypot shutting down...") if __name__ == "__main__": honeypot = PortHoneypot() honeypot.start() 

# IPv6-specific reconnaissance techniques nmap -6 2001:db8::/32 # IPv6 neighbor discovery nmap -6 --script ipv6-node-info fe80::/64 # Dual-stack enumeration nmap -4 -6 target_domain.com 

# Kubernetes API discovery nmap -p 6443,8080,10250,10255 --script kubernetes-* target_range # Docker daemon enumeration nmap -p 2375,2376 --script docker-* target_range # Container registry scanning nmap -p 5000 --script registry-* target_range 

# IoT device identification nmap -sU -p 161 --script snmp-info target_range # Industrial control system discovery nmap -p 502,44818,1911,9600 --script modbus-*,s7-* target_range # Embedded device fingerprinting nmap --script http-favicon,http-title,http-server-header target_range 

# API endpoint discovery nmap -p 80,443,8080,8443 --script http-enum,http-methods target_range # GraphQL enumeration nmap -p 80,443 --script graphql-* target_range # REST API security testing nmap -p 80,443 --script http-unsafe-output-escaping,http-sql-injection target_range 

#!/bin/bash # Professional reconnaissance workflow # Phase 1: Intelligence Gathering echo "[+] Phase 1: Intelligence Gathering" amass enum -d target.com -o amass_results.txt subfinder -d target.com -o subfinder_results.txt assetfinder target.com | tee assetfinder_results.txt # Combine and deduplicate results cat amass_results.txt subfinder_results.txt assetfinder_results.txt | \ sort -u > all_subdomains.txt # Phase 2: Host Discovery with Nmap echo "[+] Phase 2: Host Discovery" nmap -sn -iL all_subdomains.txt -oA host_discovery # Extract live hosts grep "Status: Up" host_discovery.gnmap | cut -d' ' -f2 > live_hosts.txt # Phase 3: Port Discovery echo "[+] Phase 3: Port Discovery" nmap -sS --top-ports 1000 -T4 -iL live_hosts.txt -oA port_discovery # Phase 4: Service Enumeration echo "[+] Phase 4: Service Enumeration" nmap -sC -sV -A -iL live_hosts.txt -oA service_enum # Phase 5: Vulnerability Assessment echo "[+] Phase 5: Vulnerability Assessment" nmap --script vuln -iL live_hosts.txt -oA vuln_assessment # Phase 6: Reporting echo "[+] Phase 6: Generating Reports" python3 generate_report.py service_enum.xml vuln_assessment.xml 

-- Cloud service detection script local nmap = require "nmap" local http = require "http" local shortport = require "shortport" local stdnse = require "stdnse" description = [[ Identifies cloud service providers and configurations. ]] author = "Security Researcher" categories = {"safe", "discovery", "cloud"} portrule = function(host, port) return shortport.http(host, port) or shortport.port_or_service({80, 443, 8080, 8443}, {"http", "https"})(host, port) end action = function(host, port) local results = {} -- Check for cloud provider indicators local response = http.get(host, port, "/") if response and response.header then -- AWS indicators if response.header["server"] and string.match(response.header["server"], "AmazonS3") then results["provider"] = "AWS S3" end -- Azure indicators if response.header["server"] and string.match(response.header["server"], "Microsoft-Azure") then results["provider"] = "Microsoft Azure" end -- Google Cloud indicators if response.header["server"] and string.match(response.header["server"], "Google") then results["provider"] = "Google Cloud" end -- Check for metadata endpoints local metadata_paths = { "/latest/meta-data/", -- AWS "/metadata/instance", -- Azure "/computeMetadata/v1/" -- GCP } for _, path in ipairs(metadata_paths) do local meta_response = http.get(host, port, path) if meta_response and meta_response.status == 200 then results["metadata_accessible"] = true break end end end if next(results) then return stdnse.format_output(true, results) end return nil end 

# Reconnaissance Rules of Engagement Template ## Scope Definition - **In-Scope Networks**: [Define specific IP ranges, domains, applications] - **Out-of-Scope Systems**: [Explicitly exclude systems/networks] - **Time Windows**: [Specify approved scanning times] ## Technical Constraints - **Scanning Intensity**: Maximum timing template and rate limits - **Prohibited Techniques**: DoS testing, exploitation attempts, brute forcing - **Detection Acceptance**: Acknowledge scanning will generate security alerts ## Contact Information - **Primary Contact**: [Technical point of contact] - **Emergency Contact**: [24/7 contact for issues] - **Escalation Path**: [Management chain for critical issues] ## Deliverables - **Raw Scan Data**: XML/JSON format scan results - **Executive Summary**: High-level findings and risk assessment - **Technical Report**: Detailed findings with remediation recommendations - **Remediation Tracking**: Follow-up testing and validation 

#!/bin/bash # Lab environment setup script # Create isolated network segments docker network create --driver bridge recon_lab_internal docker network create --driver bridge recon_lab_dmz docker network create --driver bridge recon_lab_external # Deploy vulnerable applications docker run -d --name dvwa --network recon_lab_internal vulnerables/web-dvwa docker run -d --name metasploitable --network recon_lab_internal tleemcjr/metasploitable2 docker run -d --name juice-shop --network recon_lab_dmz bkimminich/juice-shop # Deploy monitoring and logging docker run -d --name elk-stack \ --network recon_lab_internal \ -p 5601:5601 -p 9200:9200 -p 5044:5044 \ sebp/elk # Deploy honeypots docker run -d --name cowrie-honeypot \ --network recon_lab_dmz \ -p 2222:2222 \ cowrie/cowrie # Create scanning targets with various operating systems docker run -d --name ubuntu-target --network recon_lab_internal ubuntu:latest sleep infinity docker run -d --name centos-target --network recon_lab_internal centos:latest sleep infinity docker run -d --name windows-target --network recon_lab_internal mcr.microsoft.com/windows/servercore:ltsc2019 echo "Lab environment deployed. Networks:" docker network ls | grep recon_lab echo "" echo "Running containers:" docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}"