Detailed record of scan commands, flag selection, and service enumeration steps. Shows how I translate network data into actionable insight.
# Nmap Scanning Reference Guide
This guide covers common Nmap scanning techniques, options, and output features. It summarizes how to perform host discovery, port scanning, service detection, OS fingerprinting, stealth scanning, script execution, and report generation.
---
## 1. Host Discovery
Nmap can perform a **ping sweep** to identify active hosts on a network.
**Command:**
```bash
nmap -sP <target-ip-or-range>
```
`-sP` is the legacy spelling of this option; current Nmap releases call it `-sn` (ping scan, no port scan) and still accept `-sP` as an alias.
**Example (scan an entire subnet):**
```bash
nmap -sP 10.1.16.0/24
```
---
## 2. Port Scanning
### Scan all ports
By default, Nmap scans only the 1,000 most commonly used ports. To scan all 65,535 TCP ports:
```bash
nmap -p- <target>
```
Equivalent full-range form:
```bash
nmap -p 1-65535 <target>
```
**Example:**
```bash
nmap -p- 10.1.16.12
```
### Scan specific ports or ranges
```bash
nmap -p 80 <target>
nmap -p 22,80,443 <target>
nmap -p 1-200 <target>
```
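The port-list syntax above (single port, comma list, range, and the bare `-` shorthand) is simple enough to validate before a scan is launched, which is useful when port lists come from a ticket or a wrapper script rather than being typed by hand. The parser below is an added example, not code from this guide or from the Nmap project; it handles only the forms shown in this section (not Nmap's `T:`/`U:` protocol prefixes or service-name lookups), and the `1-65535` bounds are Nmap's own.

```python
from typing import List, Tuple

PORT_MIN, PORT_MAX = 1, 65535


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Expand an Nmap-style -p argument into sorted, merged (low, high) ranges.

    Accepts "80", "22,80,443", "1-200", open-ended "1024-" and the bare "-"
    shorthand for the full 1-65535 range. Raises ValueError on malformed
    entries or ports outside 1-65535.
    """
    spec = spec.strip()
    if spec == "-":
        return [(PORT_MIN, PORT_MAX)]
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else PORT_MIN   # "-200" means 1-200
            hi = int(hi_s) if hi_s else PORT_MAX   # "1024-" means 1024-65535
        else:
            lo = hi = int(item)
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"port range out of bounds: {item}")
        ranges.append((lo, hi))
    # Merge overlapping or adjacent ranges so "1-100,101-200,50" becomes 1-200.
    ranges.sort()
    merged = [ranges[0]]
    for lo, hi in ranges[1:]:
        prev_lo, prev_hi = merged[-1]
        if lo <= prev_hi + 1:
            merged[-1] = (prev_lo, max(prev_hi, hi))
        else:
            merged.append((lo, hi))
    return merged


def port_count(spec: str) -> int:
    """Number of distinct ports a -p argument will probe (useful for estimating scan size)."""
    return sum(hi - lo + 1 for lo, hi in parse_port_spec(spec))


def is_valid_port_spec(spec: str) -> bool:
    """True if the argument parses cleanly, False otherwise."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("-", "22,80,443", "1-200", "443,1-200,80"):
        print(f"-p {s!r:<14} -> {parse_port_spec(s)}  ({port_count(s)} ports)")
```

Because ranges are merged, `port_count("-")` returns 65535 and confirms that `-p-` and `-p 1-65535` describe the same scan.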
---
## 3. Service and OS Detection
You can combine multiple options to identify more information about a target.
### Detect OS and service versions
```bash
nmap -sV -O <target>
```
**Example:**
```bash
nmap -p 80 -sV -O 10.1.16.12
```
---
## 4. Scan Techniques
### TCP Connect Scan
Completes the full TCP three-way handshake through the operating system's `connect()` call. It needs no raw-socket privileges (it is the default for unprivileged users), but because every connection is fully established it shows up in the target's application logs.
```bash
nmap -sT 10.1.16.0/24
```
### SYN Stealth Scan
Sends SYN packets and tears each probe down with RST instead of completing the handshake. Requires raw-socket privileges (root or equivalent). Useful for quieter scans: no connection is established, so application logs are less likely to record it, although network IDS still sees the probes.
```bash
nmap -sS 10.1.16.0/24
```
### UDP Scan
Helps identify UDP services (DNS, SNMP, DHCP and similar). UDP scans are slow, and a port that never answers is reported as `open|filtered` rather than open.
```bash
nmap -sU 10.1.16.1
```
### Disable host discovery
Skips host discovery and treats every target as up. Useful when hosts block ICMP echo requests, which would otherwise make Nmap mark them as down and skip them.
```bash
nmap -Pn 10.1.16.1
```
---
## 5. Default Script and Advanced Scan
### Default script scan
Runs Nmap's default script set (equivalent to `--script=default`).
```bash
nmap -sC 10.1.16.1
```
### Aggressive scan
Enables OS detection (`-O`), version detection (`-sV`), default script scanning (`-sC`) and traceroute in one option.
```bash
nmap -A 10.1.16.1
```
---
## 6. Timing Options
Firewalls and intrusion detection systems often flag fast or repetitive scans. Nmap's timing templates trade speed for stealth: lower templates space probes out over time, higher ones send probes in parallel with shorter timeouts.
| Option | Description |
| ------ | ----------- |
| -T0 | Paranoid |
| -T1 | Sneaky |
| -T2 | Polite |
| -T3 | Normal (default) |
| -T4 | Aggressive |
| -T5 | Insane |
**Example:**
```bash
nmap -sS -T1 10.1.16.1
```
Slower templates spread probes out over time, which is less likely to trigger rate-based detection; the trade-off is a much longer scan.
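From the defender's side, the point above is exactly what a rate-based scan detector sees: a burst of probes to many distinct ports within a short window trips it, while the same probes spaced out over minutes stay under the threshold unless the window is widened. The script below is an added example, not code from this guide or from the Nmap project; it runs a sliding-window detector over constructed iptables-style SYN log lines (the log format, hosts, window and threshold values are all assumptions for illustration). The slow sample uses a 15-second probe gap, which is the documented spacing of the `-T1` template.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the fields we need from an iptables-style LOG line. The lines below
# are constructed for this example; adjust the pattern for your own firewall
# or flow-export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a SYN log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(lines, window_s=60, threshold=15):
    """Flag sources that touch >= threshold distinct (dst, port) pairs within window_s seconds.

    Returns {src: (time_of_alert, distinct_pairs_in_window)}. Each source is
    reported once, at the moment it first crosses the threshold.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e is not None)
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, port)) still inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        cutoff = ts - timedelta(seconds=window_s)
        while q and q[0][0] < cutoff:   # drop probes that have aged out of the window
            q.popleft()
        distinct = {key for _, key in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


def make_probes(src, start, ports, gap_s):
    """Constructed SYN log lines: one probe per port from src, gap_s seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * gap_s)).isoformat()} gw kernel: IN=eth0 "
        f"SRC={src} DST=10.1.16.12 PROTO=TCP DPT={p} SYN"
        for i, p in enumerate(ports)
    ]


START = datetime(2024, 5, 1, 10, 0, 0)
PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080]
FAST_SCAN = make_probes("10.1.16.50", START, PORTS, 0.1)   # burst, as a -T4/-T5 scan would produce
SLOW_SCAN = make_probes("10.1.16.51", START, PORTS, 15)    # one probe every 15 s, the -T1 spacing
NORMAL = make_probes("10.1.16.52", START, [443] * 20, 3)   # one client hitting HTTPS repeatedly: not a scan
NOISE = ["2024-05-01T10:00:05 gw sshd[1]: Accepted publickey for ops from 10.1.16.9"]  # unrelated line


def summarize(window_s=60, threshold=15):
    """Sorted list of sources the detector flags in the constructed sample."""
    return sorted(detect_port_scans(FAST_SCAN + SLOW_SCAN + NORMAL + NOISE, window_s, threshold))


if __name__ == "__main__":
    print("60 s window :", summarize(60, 15))    # only the burst scanner
    print("10 min window:", summarize(600, 15))  # the slow scanner too
```

With a 60-second window the slow source never has more than five distinct ports in view, so only the burst is flagged; widening the window to ten minutes catches both, which is the usual mitigation (longer windows or cumulative per-source counters) for paced scans. The repeat client on one port is never flagged because the count is over distinct destination pairs, not packets.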
---
## 7. Nmap Scripting Engine (NSE)
Nmap includes the Nmap Scripting Engine (NSE), whose Lua scripts extend a scan with tasks such as service enumeration, banner collection and vulnerability checks.
### Run default scripts
```bash
nmap -sC <target>
```
### Run specific scripts
```bash
nmap --script=<script-name> <target>
```
### Banner grabbing
```bash
nmap --script=banner <target>
```
### Vulnerability scanning
```bash
nmap --script=vuln <target>
```
### Update the script database
```bash
nmap --script-updatedb
```
---
## 8. Output Formatting
Nmap can output scan results in several formats:
| Option | Format |
| ------ | ------------------ |
| -oN | Normal text output |
| -oX | XML output |
| -oG | Grepable output |
### Example: output to XML
```bash
nmap -O 10.1.16.0/24 -oX enum.xml
```
### Convert XML to HTML
You can convert an XML report into an HTML file for easier viewing using `xsltproc`. With no stylesheet argument, `xsltproc` follows the `xml-stylesheet` reference that Nmap writes into the XML header (normally the local `nmap.xsl`), so that file must be installed; running Nmap with `--webxml` makes the report reference the copy hosted on nmap.org instead.
```bash
xsltproc enum.xml -o enum.html
```
### View in browser
```bash
firefox enum.html
```
Full example workflow:
```bash
nmap -O 10.1.16.0/24 -oX enum.xml && xsltproc enum.xml -o enum.html
firefox enum.html
```
---