Nmap — Network Scanning Mastery

Nmap — Network Mapper

Nmap adalah tool network discovery dan security auditing yang paling banyak digunakan di dunia. Digunakan oleh sysadmin untuk inventaris jaringan dan pentester untuk reconnaissance.

Host Discovery

# Ping scan — temukan host yang aktif
nmap -sn 192.168.1.0/24

# Tidak kirim ping (untuk firewall yang blokir ICMP)
nmap -Pn 192.168.1.100

# ARP scan (lebih reliable di local network)
nmap -PR 192.168.1.0/24

# TCP SYN ping
nmap -PS22,80,443 192.168.1.0/24

# UDP ping
nmap -PU53,161 192.168.1.0/24

# Combine semua metode
nmap -sn -PE -PS22,80,443 -PA80 192.168.1.0/24

Port Scanning Techniques

# TCP SYN scan (default, requires root) — cepat dan relatif stealth
sudo nmap -sS 192.168.1.100

# TCP Connect scan (no root needed) — lebih lambat, tercatat di log
nmap -sT 192.168.1.100

# UDP scan (lebih lambat, sering terlewat)
sudo nmap -sU 192.168.1.100

# Combined TCP + UDP
sudo nmap -sS -sU 192.168.1.100

# Scan semua 65535 port
nmap -p- 192.168.1.100

# Scan port tertentu
nmap -p 22,80,443,8080 192.168.1.100
nmap -p 1-1000 192.168.1.100
nmap -p T:80,443 -p U:53,161 192.168.1.100

# Top 100, 1000 ports
nmap --top-ports 100 192.168.1.100
nmap --top-ports 1000 192.168.1.100

Service & Version Detection

# Service version detection
nmap -sV 192.168.1.100

# Intensity 0-9 (default 7)
nmap -sV --version-intensity 9 192.168.1.100

# OS detection (requires root)
sudo nmap -O 192.168.1.100

# Aggressive scan — OS detection + version + scripts + traceroute
sudo nmap -A 192.168.1.100

# Full recommended scan
sudo nmap -sS -sV -sC -O -p- --min-rate 5000 192.168.1.100 -oA scan_results

Nmap Scripting Engine (NSE)

NSE adalah salah satu fitur paling powerful Nmap. Scripts tersedia untuk vulnerability detection, brute force, exploitation, dll.

# Default scripts
nmap -sC 192.168.1.100

# Script tertentu
nmap --script=http-title 192.168.1.100
nmap --script=ftp-anon 192.168.1.21

# Kategori script
nmap --script=vuln 192.168.1.100          # Vulnerability detection
nmap --script=auth 192.168.1.100          # Authentication testing
nmap --script=brute 192.168.1.100         # Brute force
nmap --script=discovery 192.168.1.100     # Discovery
nmap --script=exploit 192.168.1.100       # Exploitation (hati-hati!)
nmap --script=default,safe 192.168.1.100

# Script dengan arguments
nmap --script=http-brute --script-args http-brute.path=/admin/ 192.168.1.100

# SMB scripts (sangat berguna untuk Windows)
nmap --script=smb-vuln* 192.168.1.100
nmap --script=smb-enum-shares,smb-enum-users 192.168.1.100

# HTTP scripts
nmap --script=http-* -p 80,443 192.168.1.100

# SSL/TLS analysis
nmap --script=ssl-enum-ciphers -p 443 192.168.1.100
nmap --script=ssl-heartbleed -p 443 192.168.1.100

Output Formats

# Normal output ke file
nmap -oN output.txt 192.168.1.100

# XML output (untuk tools lain)
nmap -oX output.xml 192.168.1.100

# Grepable output
nmap -oG output.gnmap 192.168.1.100

# Semua format sekaligus (-oA = All)
nmap -oA scan_full 192.168.1.100

# Parse hasil untuk quick review
grep "open" output.gnmap
grep "/open/" output.gnmap | awk '{print $2}'

Evasion & Stealth Techniques

# Decoy scan — samarkan IP sumber
nmap -D RND:10 192.168.1.100
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.100

# Scan lebih lambat untuk hindari IDS
nmap -T0 192.168.1.100  # Paranoid (sangat lambat)
nmap -T1 192.168.1.100  # Sneaky
nmap -T2 192.168.1.100  # Polite

# Fragment packets
nmap -f 192.168.1.100
nmap -ff 192.168.1.100  # 16-byte fragments

# Spoof source port
nmap --source-port 53 192.168.1.100

# Randomize scan order
nmap --randomize-hosts 192.168.1.0/24

Contoh Skenario Praktis

# Phase 1: Temukan host aktif
nmap -sn 10.10.10.0/24 | grep "Nmap scan report" | awk '{print $NF}'

# Phase 2: Quick port scan semua host
nmap -sS --min-rate 5000 -p- 10.10.10.0/24 -oG quick_scan.gnmap

# Phase 3: Full scan pada host yang menarik
sudo nmap -sS -sV -sC -O -A 10.10.10.50 -oA full_10.10.10.50

# Phase 4: Vulnerability scan
nmap --script=vuln 10.10.10.50 -oN vuln_scan.txt