Nmap, the popular port scanner, is much more than a port scanner. Through its scripting engine (NSE) it can do a great deal besides:
It can scan for vulnerabilities:
# nmap -Pn --script vuln latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:43 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.064s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open https
| http-aspnet-debug:
|_ status: DEBUG is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=latebits.com
| Found the following possible CSRF vulnerabilities:
|
| Path: https://latebits.com:443/
| Form id:
|_ Form action: https://latebits.com/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Here is a link with more info on vulnerability scanning:
https://securitytrails.com/blog/nmap-vulnerability-scan
It can do whois and ASN lookups:
# nmap --script=whois-ip latebits.com
Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 35.192.0.0 - 35.207.255.255
| netname: GOOGLE-CLOUD
| orgname: Google LLC
| orgid: GOOGL-2
| country: US
| stateprov: CA
| orgtechname: Google LLC
|_orgtechemail: arin-contact@google.com
# nmap --script=asn-query latebits.com
Host script results:
| asn-query:
| BGP: 35.198.0.0/16 | Country: US
| Origin AS: 15169 - GOOGLE, US
|_ Peer AS: 209 6453
It can check the SSL/TLS ciphers and the certificate:
# nmap -sV -p 443 --script ssl-enum-ciphers latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:22 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
# nmap -sV -p 443 --script ssl-cert latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 13:08 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=latebits.com
| Subject Alternative Name: DNS:latebits.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-08-07T17:24:28
| Not valid after: 2020-11-05T17:24:28
| MD5: d96f ba51 7079 7b41 f816 1c40 5cd8 ea79
|_SHA-1: b5c1 35cc 372f 4692 cf7c 4ef5 419b 53e2 9c54 e28b
It can check SSH algorithms:
# nmap --script ssh2-enum-algos -sV -p 22 latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:23 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (4)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| server_host_key_algorithms: (4)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| encryption_algorithms: (3)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| mac_algorithms: (2)
| hmac-sha2-256
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
It can also do IP geolocation:
# nmap --traceroute --script traceroute-geolocation cisco.com
Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for cisco.com (72.163.4.185)
Host is up (0.12s latency).
Other addresses for cisco.com (not scanned): 2001:420:1101:1::185
rDNS record for 72.163.4.185: redirect-ns.cisco.com
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| traceroute-geolocation:
| HOP RTT ADDRESS GEOLOCATION
| 1 109.08 209.85.246.211 37.751,-97.822 United States ()
| 2 116.90 209.85.250.54 37.751,-97.822 United States ()
| 3 128.81 108.170.228.87 37.751,-97.822 United States ()
| 4 116.97 108.170.252.139 37.751,-97.822 United States ()
| 5 116.95 eqix-da1.cisco2.com (206.223.118.167) 37.751,-97.822 United States ()
| 6 119.35 72.163.0.98 32.947,-96.703 United States (Texas)
| 7 117.75 72.163.0.98 32.947,-96.703 United States (Texas)
| 8 118.25 rcdn9-cd2-dmzdcc-gw2-por1.cisco.com (72.163.0.182) 32.947,-96.703 United States (Texas)
| 9 117.86 rcdn9-16b-dcz05n-gw2-por1.cisco.com (72.163.2.102) 32.947,-96.703 United States (Texas)
|_ 10 117.86 redirect-ns.cisco.com (72.163.4.185) 32.947,-96.703 United States (Texas)
# nmap --traceroute --script traceroute-geolocation 1.1.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
Host script results:
| traceroute-geolocation:
| HOP RTT ADDRESS GEOLOCATION
| 1 1.45 209.85.242.0 37.751,-97.822 United States ()
| 2 1.70 162.158.84.65 50.119,8.684 Germany (Hesse)
|_ 3 1.23 one.one.one.one (1.1.1.1) -33.494,143.210 Australia ()
It has many other scripts, but these are the ones that I’ve used most frequently.
And to make things easier, I’ve automated the process. Here is an example Ansible playbook to scan a server (SSH, HTTP, HTTPS):
- name: Advanced NMAP Scan using NSE
  hosts: localhost
  vars:
    ports:
      - 22
      - 443
    scan_host: latebits.com
  tasks:
    - name: Running Nmap NSE scan
      # -oA writes .nmap, .gnmap and .xml files; Nmap itself expands %Y-%m-%d in the base name
      shell: "nmap -Pn -p {{ ports|join(',') }} --script {{ item }} -oA nmap-{{ item }}-results-%Y-%m-%d {{ scan_host }}"
      with_items:
        - ssl-enum-ciphers
        - ssl-cert
        - ssh2-enum-algos
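The playbook's -oA option also writes an .xml file, and the per-cipher "A" grade seen above does not by itself say whether a suite has forward secrecy, whether the certificate is about to expire, or whether the SSH server still signs with the SHA-1 based ssh-rsa host-key algorithm. The following triage script is an added example, not part of the original post; it parses a constructed sample in Nmap's structured XML layout (script/table/elem with key attributes, assumed here to match what ssl-cert, ssl-enum-ciphers and ssh2-enum-algos emit) built from the values in the scan output above.

```python
"""Triage Nmap -oX/-oA XML from ssl-cert, ssl-enum-ciphers and ssh2-enum-algos."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample (assumption: mirrors Nmap's structured script output layout),
# using the cipher, certificate and SSH values from the scans shown above.
SAMPLE_XML = """<nmaprun><host><ports>
<port protocol="tcp" portid="443"><state state="open"/>
 <script id="ssl-cert"><table key="validity">
  <elem key="notBefore">2020-08-07T17:24:28</elem><elem key="notAfter">2020-11-05T17:24:28</elem>
 </table></script>
 <script id="ssl-enum-ciphers"><table key="TLSv1.2"><table key="ciphers">
  <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="strength">A</elem></table>
  <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</elem><elem key="strength">A</elem></table>
  <table><elem key="name">TLS_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="strength">A</elem></table>
 </table></table></script></port>
<port protocol="tcp" portid="22"><state state="open"/>
 <script id="ssh2-enum-algos"><table key="server_host_key_algorithms">
  <elem>ssh-rsa</elem><elem>rsa-sha2-512</elem><elem>ecdsa-sha2-nistp256</elem>
 </table></script></port>
</ports></host></nmaprun>"""


def triage(xml_text, now_iso, expiry_window_days=30):
    """Return (port, finding, detail) tuples that the 'A' grade alone does not surface."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for port in ET.fromstring(xml_text).iter("port"):
        pid = port.get("portid")
        for script in port.findall("script"):
            sid = script.get("id")
            if sid == "ssl-cert":
                # Flag certificates expiring inside the renewal window
                not_after = datetime.fromisoformat(script.find(".//elem[@key='notAfter']").text)
                if not_after - now < timedelta(days=expiry_window_days):
                    findings.append((pid, "cert-expiry", not_after.date().isoformat()))
            elif sid == "ssl-enum-ciphers":
                for name in script.iterfind(".//elem[@key='name']"):
                    suite = name.text
                    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                        findings.append((pid, "no-forward-secrecy", suite))  # static RSA key exchange
                    elif "_CBC_" in suite:
                        findings.append((pid, "cbc-cipher", suite))  # prefer AEAD (GCM) suites
            elif sid == "ssh2-enum-algos":
                for elem in script.iterfind("table[@key='server_host_key_algorithms']/elem"):
                    if elem.text == "ssh-rsa":  # RSA host-key signatures with SHA-1
                        findings.append((pid, "sha1-hostkey-sig", elem.text))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_XML, "2020-10-15T00:00:00"):
        print(*finding)
```

Point `triage` at the .xml file the playbook writes (read it and pass `datetime.now().isoformat()`) to get the same findings for a live scan.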