Nmap is a Swiss Army knife

Nmap, the popular port scanning tool, is much more than a port scanner. Through its scripting engine (NSE) it can also do the following:

It can scan for vulnerabilities:

# nmap -Pn --script vuln latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:43 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.064s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open  https
| http-aspnet-debug:
|_  status: DEBUG is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=latebits.com
|   Found the following possible CSRF vulnerabilities:
|
|     Path: https://latebits.com:443/
|     Form id:
|_    Form action: https://latebits.com/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Here is a link with more info on vulnerability scanning:
https://securitytrails.com/blog/nmap-vulnerability-scan

It can do whois and ASN lookups:

# nmap --script=whois-ip latebits.com

Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 35.192.0.0 - 35.207.255.255
| netname: GOOGLE-CLOUD
| orgname: Google LLC
| orgid: GOOGL-2
| country: US
| stateprov: CA
| orgtechname: Google LLC
|_orgtechemail: arin-contact@google.com

# nmap --script=asn-query latebits.com

Host script results:
| asn-query:
| BGP: 35.198.0.0/16 | Country: US
|   Origin AS: 15169 - GOOGLE, US
|_    Peer AS: 209 6453

It can check the SSL/TLS ciphers and the certificate:

# nmap -sV -p 443 --script ssl-enum-ciphers latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:22 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

# nmap -sV -p 443 --script ssl-cert latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 13:08 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=latebits.com
| Subject Alternative Name: DNS:latebits.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-08-07T17:24:28
| Not valid after:  2020-11-05T17:24:28
| MD5:   d96f ba51 7079 7b41 f816 1c40 5cd8 ea79
|_SHA-1: b5c1 35cc 372f 4692 cf7c 4ef5 419b 53e2 9c54 e28b

It can check SSH algorithms:

# nmap --script ssh2-enum-algos -sV -p 22  latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:23 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

It can do IP geolocation also:

# nmap --traceroute --script traceroute-geolocation cisco.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for cisco.com (72.163.4.185)
Host is up (0.12s latency).
Other addresses for cisco.com (not scanned): 2001:420:1101:1::185
rDNS record for 72.163.4.185: redirect-ns.cisco.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| traceroute-geolocation:
|   HOP  RTT     ADDRESS                                             GEOLOCATION
|   1    109.08  209.85.246.211                                      37.751,-97.822 United States ()
|   2    116.90  209.85.250.54                                       37.751,-97.822 United States ()
|   3    128.81  108.170.228.87                                      37.751,-97.822 United States ()
|   4    116.97  108.170.252.139                                     37.751,-97.822 United States ()
|   5    116.95  eqix-da1.cisco2.com (206.223.118.167)               37.751,-97.822 United States ()
|   6    119.35  72.163.0.98                                         32.947,-96.703 United States (Texas)
|   7    117.75  72.163.0.98                                         32.947,-96.703 United States (Texas)
|   8    118.25  rcdn9-cd2-dmzdcc-gw2-por1.cisco.com (72.163.0.182)  32.947,-96.703 United States (Texas)
|   9    117.86  rcdn9-16b-dcz05n-gw2-por1.cisco.com (72.163.2.102)  32.947,-96.703 United States (Texas)
|_  10   117.86  redirect-ns.cisco.com (72.163.4.185)                32.947,-96.703 United States (Texas)

# nmap --traceroute --script traceroute-geolocation 1.1.1.1

Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0014s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Host script results:
| traceroute-geolocation:
|   HOP  RTT   ADDRESS                    GEOLOCATION
|   1    1.45  209.85.242.0               37.751,-97.822 United States ()
|   2    1.70  162.158.84.65              50.119,8.684 Germany (Hesse)
|_  3    1.23  one.one.one.one (1.1.1.1)  -33.494,143.210 Australia ()

It has many other scripts, but these are the ones that I’ve used most frequently.

And to make things easier, I’ve automated the process. Here is an example Ansible playbook that scans a server (SSH, HTTP, HTTPS):

- name: Advanced NMAP Scan using NSE
  hosts: localhost
  vars:
    ports:
      - 22
      - 443
    scan_host: latebits.com
  tasks:
  - name: Running Nmap NSE scan
    # -Pn skips host discovery; -oA writes .nmap, .gnmap and .xml files, and
    # %Y-%m-%d are nmap's own strftime-style escapes, so each run is date-stamped.
    shell: "nmap -Pn -p {{ ports|join(',') }} --script {{ item }} -oA nmap-{{ item }}-results-%Y-%m-%d {{ scan_host }}"
    with_items:
      - ssl-enum-ciphers
      - ssl-cert
      - ssh2-enum-algos

The playbook is available here: https://github.com/czirakim/Ansible.nmap
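As an added example (not code from the post or the linked repository), this Python snippet post-processes the normal-output (.nmap) file that the playbook's -oA option writes: it parses NSE script blocks and applies two checks nmap's grading does not make for you, ciphers without forward secrecy or in CBC mode (still graded "A" by ssl-enum-ciphers above) and the days left before the certificate expires. The sample output and the host example.test are constructed, and the assumption that script names contain a hyphen is a heuristic for this page's scripts.

```python
import re
from datetime import datetime

# Constructed sample in the style of nmap normal output (the .nmap file -oA writes),
# cut down to the script lines the checks below read.
SAMPLE = """\
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: A
| ssl-cert: Subject: commonName=example.test
|_Not valid after:  2020-11-05T17:24:28
"""

# A script header is '| name:' or '|_name:'; deeper-indented '|' lines belong to it.
# Names are assumed to contain a hyphen (true of every script on this page), so a
# whois-ip field such as '| netrange:' is not mistaken for a header.
HEADER = re.compile(r"^\|(?:_| )([a-z0-9]+(?:-[a-z0-9]+)+):\s?(.*)$")

def parse_scripts(text):
    """Map each NSE script name to its output lines with the '|'/'|_' prefix removed."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = scripts.setdefault(m.group(1), [])  # repeats (one per port) merge
            if m.group(2).strip():                        # text after 'ssl-cert:' etc.
                current.append(m.group(2).strip())
        elif line.startswith("|") and current is not None:
            current.append(re.sub(r"^\|_?\s*", "", line))
    return scripts

def tls_cipher_findings(lines):
    """Ciphers with no forward secrecy (no DHE/ECDHE key exchange) or in CBC mode.
    nmap grades all of these 'A', so the grade alone does not surface them."""
    names = [m.group(1) for m in map(re.compile(r"(TLS_\S+) \(").match, lines) if m]
    return ([(n, "no forward secrecy") for n in names if "DHE" not in n]
            + [(n, "CBC mode") for n in names if "_CBC_" in n])

def cert_days_left(lines, today):
    """Days from ISO date `today` until the 'Not valid after' stamp (None if absent)."""
    for l in lines:
        if l.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(l.split(":", 1)[1].strip())
            return (expiry - datetime.fromisoformat(today)).days
    return None
```

Feed it the .nmap file from a playbook run (`parse_scripts(open(path).read())`) and alert when `cert_days_left` drops below your renewal window or `tls_cipher_findings` is non-empty.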

About the author

Mihai is a Senior Network Engineer with more than 15 years of experience