Duration: 2 hours (Estimated)
Welcome to the ninth episode of our comprehensive Nmap course! In this module, we'll move beyond individual techniques to complete security assessment workflows. We'll explore real-world security scenarios and show you exactly how professionals approach different network security challenges from start to finish.
Theory is important, but real mastery comes from applying your skills to solve actual cases. The best network security professionals don't just know the tools—they know how to use them methodically to uncover vulnerabilities and strengthen defenses.
By examining practical case studies, you'll learn how to combine the techniques we've covered into comprehensive security assessment procedures tailored to specific scenarios. By the end of this module, you'll understand how to approach different security situations methodically and effectively, from initial reconnaissance to final reporting.
Effective security assessment requires a structured methodology. While specific techniques vary by scenario, the overall approach follows consistent phases:
1. Establish the foundation and authorization.
2. Build a map of the environment.
3. Reveal system details for vulnerability identification.
4. Analyze information to find specific weaknesses.
5. Transform findings into actionable intelligence.
This structured approach ensures comprehensive coverage, minimizes missed issues, and provides actionable results.
A network baseline documents the normal state of your environment—essential for detecting changes and anomalies. Creating an effective baseline involves:
A well-maintained baseline transforms ad-hoc scanning into systematic security monitoring, allowing you to quickly identify unauthorized changes or potential security incidents.
Proper documentation transforms raw scan data into actionable intelligence. Effective security documentation includes:
Documentation should be:
Remember: Even the most thorough assessment is only as valuable as its documentation. Your findings must be communicated effectively to drive security improvements.
Let's walk through a complete vulnerability assessment workflow for a web application environment:
Identify hosts and potential web servers.
# Identify hosts
nmap -sn 192.168.1.0/24 -oA webapp_discovery
# Find web servers
nmap -p 80,443,8000-8100 --open 192.168.1.0/24 -oA webapp_servers
# Extract targets
grep "open" webapp_servers.gnmap | cut -d " " -f 2 > webapp_targets.txt
Perform detailed service and OS detection.
# Detailed service detection
nmap -sV -p 80,443,8000-8100 -iL webapp_targets.txt -oA webapp_services
# OS detection
sudo nmap -O -iL webapp_targets.txt -oA webapp_os
Use NSE scripts for web application enumeration and vulnerability checks.
# Basic web application enumeration
nmap --script http-enum -p 80,443,8000-8100 -iL webapp_targets.txt -oA webapp_enum
# Check for common vulnerabilities
nmap --script "http-vuln*" -p 80,443,8000-8100 -iL webapp_targets.txt -oA webapp_vulns
Assess SSL/TLS configuration for HTTPS services.
# Check SSL/TLS configuration
nmap --script ssl-enum-ciphers -p 443,8443 -iL webapp_targets.txt -oA webapp_ssl
Analyze results and prepare documentation.
# Generate HTML report (if using Zenmap or with xsltproc)
# xsltproc webapp_services.xml -o webapp_services.html
# Summarize findings
grep "open" webapp_services.gnmap | sort | uniq -c > service_summary.txt
grep "VULNERABLE" webapp_vulns.nmap > vulnerabilities.txt
#!/bin/bash
# Web Application Environment Assessment
OUTDIR="webapp_assessment_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTDIR"
cd "$OUTDIR"
TARGET_RANGE="192.168.1.0/24"
WEB_PORTS="80,443,8000-8100"
echo "[+] Phase 1: Discovery - Identifying hosts in $TARGET_RANGE..."
sudo nmap -sn $TARGET_RANGE -oA discovery
grep "Up" discovery.gnmap | cut -d " " -f 2 > up_hosts.txt
echo "[+] Phase 2: Port Scanning - Identifying web servers on ports $WEB_PORTS..."
sudo nmap -p $WEB_PORTS --open -iL up_hosts.txt -oA webservers
grep "open" webservers.gnmap | cut -d " " -f 2 > webserver_targets.txt
echo "[+] Phase 3: Service Enumeration - Detecting services and OS..."
sudo nmap -sV -O -p $WEB_PORTS -iL webserver_targets.txt -oA services
echo "[+] Phase 4: Vulnerability Scanning - Running NSE scripts..."
sudo nmap --script "http-enum,http-vuln*,ssl-enum-ciphers" -p $WEB_PORTS -iL webserver_targets.txt -oA vulnerabilities
echo "[+] Phase 5: Analysis - Summarizing findings..."
grep "VULNERABLE" vulnerabilities.nmap > vulnerable_systems.txt
grep "open" services.gnmap | sort | uniq -c > service_summary.txt
echo "[+] Assessment complete. Results saved to $PWD"
Let's explore how to create and maintain a network security baseline:
Perform comprehensive discovery and documentation.
# Create baseline directory
BASE_DIR="network_baseline/$(date +%Y-%m-%d)"
mkdir -p "$BASE_DIR"
cd "$BASE_DIR"
# Discover all hosts (adjust range)
TARGET_RANGE="10.0.0.0/16"
sudo nmap -sn $TARGET_RANGE -oA host_discovery
# Perform comprehensive scan
grep "Up" host_discovery.gnmap | cut -d " " -f 2 > up_hosts.txt
sudo nmap -sV -O -p 1-1000 -iL up_hosts.txt -oA service_baseline
# Document network topology (optional, can be slow)
# sudo nmap --traceroute -iL up_hosts.txt -oA network_topology
Script to compare current state against the baseline.
#!/bin/bash
# Network Baseline Comparison
BASELINE_DIR="/path/to/your/latest/baseline" # Point to the baseline dir
CURRENT_DIR="comparison_$(date +%Y%m%d_%H%M%S)"
TARGET_RANGE="10.0.0.0/16" # Match baseline range
PORTS_TO_SCAN="1-1000" # Match baseline ports
mkdir -p "$CURRENT_DIR"
cd "$CURRENT_DIR"
echo "[+] Performing current state scan..."
sudo nmap -sn $TARGET_RANGE -oA host_discovery_current
grep "Up" host_discovery_current.gnmap | cut -d " " -f 2 > up_hosts_current.txt
sudo nmap -sV -O -p $PORTS_TO_SCAN -iL up_hosts_current.txt -oA service_baseline_current
echo "[+] Comparing host lists..."
# Column 1: hosts only in the baseline (disappeared); column 2 (tab-indented): hosts only in the current scan (new)
comm -3 <(sort $BASELINE_DIR/up_hosts.txt) <(sort up_hosts_current.txt) > host_changes.txt
echo "[+] Comparing services using ndiff..."
ndiff $BASELINE_DIR/service_baseline.xml service_baseline_current.xml > service_changes.txt
echo "[+] Comparison complete. Review host_changes.txt and service_changes.txt in $PWD"
Automate baseline maintenance using cron.
# Add to crontab (e.g., runs monthly at 2 AM on the 1st)
# Example line for /etc/crontab:
# 0 2 1 * * root /path/to/your/baseline_creation_script.sh
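The course extracts targets with `grep "open" ... | cut -d " " -f 2` and compares baselines with `comm` and `ndiff`; both lose the per-port context an analyst needs (which host gained which port). The following is an added example, not code from the course: it parses Nmap's grepable output (`.gnmap`, written by `-oA`/`-oG`) and produces a host-attributed diff of open ports between a baseline and a current scan. The two `.gnmap` files it builds are constructed samples in the grepable format, not real scan results, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course): attribute gnmap results to hosts and
# ports, then diff two scans. The two .gnmap files built below are constructed
# samples in grepable-output format, not real scan results.
set -eu
export LC_ALL=C   # consistent byte-order sorting for sort/comm

# Print "host port/proto service" for every open port in a .gnmap file.
# gnmap fields are tab-separated: "Host: ip (name)\tPorts: a, b, c\tIgnored State: ..."
gnmap_open_ports() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); host = h[2]
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")   # port/state/proto/owner/service/rpc/version
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }' "$1" | sort
}

# Print the unique hosts whose discovery status is Up.
gnmap_up_hosts() {
    awk -F'\t' '/^Host:/ && /Status: Up/ { split($1, h, " "); print h[2] }' "$1" | sort -u
}

# Diff open ports between a baseline and a current scan:
# "- host port" appears only in the baseline, "+ host port" only in the current scan.
gnmap_diff_ports() {
    a=$(mktemp); b=$(mktemp)
    gnmap_open_ports "$1" | cut -d' ' -f1,2 > "$a"
    gnmap_open_ports "$2" | cut -d' ' -f1,2 > "$b"
    comm -3 "$a" "$b" | awk '{
        if (substr($0, 1, 1) == "\t") print "+ " substr($0, 2)
        else                          print "- " $0
    }'
    rm -f "$a" "$b"
}

# --- constructed sample data -------------------------------------------------
# add_gnmap_host FILE HOST PORTS writes the Status and Ports lines Nmap emits
# for one host (tab-separated fields, as -oG does).
add_gnmap_host() {
    printf 'Host: %s ()\tStatus: Up\n' "$2" >> "$1"
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (990)\n' "$2" "$3" >> "$1"
}
BASE=$(mktemp); CUR=$(mktemp)
add_gnmap_host "$BASE" 10.0.0.5 '22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/'
add_gnmap_host "$BASE" 10.0.0.6 '443/open/tcp//https//nginx 1.24/'
add_gnmap_host "$CUR"  10.0.0.5 '22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 4444/open/tcp//krb524?///'
add_gnmap_host "$CUR"  10.0.0.7 '3389/open/tcp//ms-wbt-server///'

echo "Hosts up now:";                  gnmap_up_hosts "$CUR"
echo "Open-port changes since baseline:"; gnmap_diff_ports "$BASE" "$CUR"
```

Run against real output by pointing `BASE` and `CUR` at the `service_baseline.gnmap` files of two baseline runs. A `+` line for a port outside the host's documented role (here 10.0.0.5 gaining 4444/tcp, and a previously unseen host 10.0.0.7 exposing RDP) is exactly the kind of change the baseline exists to surface.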
When responding to a potential security incident, Nmap can help identify compromised systems:
Scan for unusual open ports that might indicate compromise.
# Scan for common backdoor/C2 ports (adjust as needed)
BACKDOOR_PORTS="4444,5555,6666,31337,12345,54321"
sudo nmap -p $BACKDOOR_PORTS 10.0.0.0/16 --open -oA backdoor_check
Use NSE scripts to check for signs of malware (use specific scripts if possible).
# Check for malware indicators (may be broad)
sudo nmap --script "malware*" 10.0.0.5 -oA malware_check
# More targeted checks if possible
# sudo nmap --script=http-malware-host 10.0.0.5 -p 80
Compare current services against the baseline if available.
# Perform current scan
sudo nmap -sV 10.0.0.5 -oA current_state
# Compare against baseline (replace with actual baseline file)
ndiff baseline_10.0.0.5.xml current_state.xml > system_changes.txt
Verify that compromised systems are properly isolated.
# Check if isolation is effective (expect no open ports if isolated)
sudo nmap -sS -p- --max-retries 1 10.0.0.5 -oA isolation_check
#!/bin/bash
# Security Incident Response Helper Script
if [ -z "$1" ]; then
    echo "Usage: $0 <target_ip>"
    exit 1
fi
TARGET=$1
NETWORK=$(echo "$TARGET" | cut -d "." -f 1-3).0/24
# Braces are required: "$TARGET_" would be read as the (empty) variable TARGET_
OUTDIR="incident_response_${TARGET}_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTDIR"
cd "$OUTDIR" || exit 1
BACKDOOR_PORTS="4444,5555,6666,31337,12345,54321"
LATERAL_PORTS="22,3389,445,135,139"
echo "[+] Investigating potential compromise of $TARGET"
# Check for unusual ports
echo "[+] Checking for backdoor ports ($BACKDOOR_PORTS)..."
sudo nmap -p $BACKDOOR_PORTS $TARGET --open -oA backdoor_check
# Check for lateral movement potential on the local network
echo "[+] Checking for lateral movement potential on $NETWORK (Ports: $LATERAL_PORTS)..."
sudo nmap -p $LATERAL_PORTS $NETWORK --open -oA lateral_movement
# Check for malware indicators
echo "[+] Checking for malware indicators on $TARGET (using NSE)..."
sudo nmap --script "malware*,auth-owners,unusual-port" $TARGET -oA malware_check
# Compare against baseline if available
BASELINE_FILE="/path/to/baselines/baseline_$TARGET.xml" # UPDATE THIS PATH
if [ -f "$BASELINE_FILE" ]; then
    echo "[+] Comparing $TARGET against baseline $BASELINE_FILE..."
    sudo nmap -sV $TARGET -oA current_state
    ndiff "$BASELINE_FILE" current_state.xml > system_changes.txt
    echo "[+] System changes saved to system_changes.txt"
else
    echo "[-] Baseline file $BASELINE_FILE not found. Skipping comparison."
fi
echo "[+] Investigation complete. Review output files in $PWD"
Nmap can help verify compliance with security standards like PCI DSS:
Identify systems in scope for compliance (e.g., Cardholder Data Environment).
# Discover systems in PCI scope (example range)
PCI_RANGE="10.0.0.0/24"
sudo nmap -sn $PCI_RANGE -oA pci_discovery
grep "Up" pci_discovery.gnmap | cut -d " " -f 2 > pci_scope.txt
Scan for services often prohibited by compliance standards.
# Check for prohibited services (e.g., Telnet, FTP, unencrypted POP/IMAP)
PROHIBITED_PORTS="21,23,110,143"
sudo nmap -p $PROHIBITED_PORTS -iL pci_scope.txt --open -oA prohibited_services
Check SSL/TLS configurations against requirements (e.g., disable SSLv3, early TLS).
# Check SSL/TLS configurations
HTTPS_PORTS="443,8443" # Add other relevant ports
sudo nmap --script ssl-enum-ciphers -p $HTTPS_PORTS -iL pci_scope.txt -oA ssl_check
# Identify non-compliant protocols/ciphers
grep -E "SSLv2|SSLv3|TLSv1.0|TLSv1.1|RC4|MD5" ssl_check.nmap > non_compliant_ssl.txt
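The `grep "VULNERABLE"` used in the web application workflow and the `grep -E "SSLv2|SSLv3|..."` above both return matching lines without the host and port they belong to, which is what a remediation ticket or compliance report actually needs. The following is an added example, not code from the course: a small parser for Nmap's normal output (`.nmap`) that tracks the current `Nmap scan report for` host and port line and attributes every matching finding to them. The sample `.nmap` file is constructed here, not a real scan; the NSE script name `http-vuln-example` and its finding text are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course): attribute NSE findings in Nmap's normal
# output (.nmap) to the host and port they belong to. The sample below is a
# constructed .nmap file, not a real scan; "http-vuln-example" is a placeholder.
set -eu

# nmap_findings FILE PATTERN: print "host port line" for every line of FILE
# matching the awk regex PATTERN, tracking the current host and port.
nmap_findings() {
    awk -v pat="$2" '
        /^Nmap scan report for / {
            host = $NF; sub(/^\(/, "", host); sub(/\)$/, "", host)   # "name (ip)" -> ip
            port = "-"; next
        }
        /^[0-9]+\/(tcp|udp)/ { port = $1; next }
        $0 ~ pat { line = $0; sub(/^\|[_ ]*/, "", line); print host, port, line }
    ' "$1"
}

# Script results whose state is VULNERABLE (http-vuln*, the vuln category, ...).
vulnerable() { nmap_findings "$1" 'State: VULNERABLE'; }

# ssl-enum-ciphers lines violating a "no SSLv2/SSLv3/early TLS, no RC4/MD5" policy
# (the protocol headers plus cipher-suite names containing RC4 or MD5).
weak_tls() { nmap_findings "$1" 'SSLv2:|SSLv3:|TLSv1[.]0:|TLSv1[.]1:|_RC4_|_MD5'; }

# Unique "host port" pairs that need remediation.
weak_tls_hosts() { weak_tls "$1" | cut -d' ' -f1,2 | sort -u; }

# --- constructed sample .nmap output ----------------------------------------
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Nmap scan report for web01.lab (10.0.0.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-vuln-example:
|   VULNERABLE:
|   Placeholder web application finding
|     State: VULNERABLE
|_    Risk factor: High
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C

Nmap scan report for 10.0.0.6
Host is up (0.0020s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
# Nmap done (constructed sample)
EOF

echo "Vulnerable services:"; vulnerable "$SAMPLE"
echo "Weak TLS:";            weak_tls "$SAMPLE"
echo "Hosts to remediate:";  weak_tls_hosts "$SAMPLE"
```

Point `SAMPLE` at `ssl_check.nmap` or `webapp_vulns.nmap` to use it on real output. The pattern anchors on the `TLSv1.0:` protocol header rather than the bare string `TLSv1.0`, so a cipher list under `TLSv1.2` is not flagged by accident, and `_RC4_`/`_MD5` match suite names only, not the advisory text in the `warnings:` block.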
Create a basic compliance report.
#!/bin/bash
# Basic Compliance Report Generation
REPORT_FILE="compliance_report_$(date +%Y%m%d).txt"
PCI_SCOPE_FILE="pci_scope.txt"
PROHIBITED_FILE="prohibited_services.nmap"
SSL_CHECK_FILE="ssl_check.nmap"
NON_COMPLIANT_SSL_FILE="non_compliant_ssl.txt"
echo "Compliance Scan Report - $(date)" > "$REPORT_FILE"
echo "====================================" >> "$REPORT_FILE"
printf "\n1. Systems in Scope:\n" >> "$REPORT_FILE"
cat "$PCI_SCOPE_FILE" >> "$REPORT_FILE"
printf "\n2. Prohibited Services Found:\n" >> "$REPORT_FILE"
# A .nmap file is never empty (it always contains the scan header lines), so
# test for open ports in it rather than for a non-empty file.
if grep -q "open" "$PROHIBITED_FILE"; then
    grep "open" "$PROHIBITED_FILE" >> "$REPORT_FILE"
    PROHIBITED_FOUND=true
else
    echo " None found." >> "$REPORT_FILE"
    PROHIBITED_FOUND=false
fi
printf "\n3. Non-Compliant SSL/TLS Found:\n" >> "$REPORT_FILE"
if [ -s "$NON_COMPLIANT_SSL_FILE" ]; then
    cat "$NON_COMPLIANT_SSL_FILE" >> "$REPORT_FILE"
else
    echo " None found." >> "$REPORT_FILE"
fi
# Example: Add a simple pass/fail check
FAILED=false
if $PROHIBITED_FOUND || [ -s "$NON_COMPLIANT_SSL_FILE" ]; then
    FAILED=true
fi
printf "\nOverall Status: %s\n" "$(if $FAILED; then echo 'FAILED'; else echo 'PASSED'; fi)" >> "$REPORT_FILE"
printf "\nReport generated: %s\n" "$REPORT_FILE"
Create a baseline for your lab or home network.
sudo nmap -sn 192.168.1.0/24 -oA baseline_discovery
grep ... | cut ... > up_hosts.txt && sudo nmap -sV -O -p 1-1000 -iL up_hosts.txt -oA baseline_services
ndiff baseline_services.xml new_services.xml > changes.txt
Perform a web app assessment on a test server (e.g., Metasploitable).
sudo nmap -p 80,443,8000... --open ...
sudo nmap --script http-enum ...
sudo nmap --script "http-vuln*" ...
Simulate an incident response.
nc -lvp 4444 on target).
sudo nmap -p 1-10000 --open ...), look for unusual services (sudo nmap -sV ...).
Verify compliance with a simple standard.
sudo nmap -p 21,23 --open ...
Missing critical systems.
Solution:
# Use multiple discovery techniques
sudo nmap -sn ...           # Network range
sudo nmap -sL ...           # DNS based (list scan, no packets sent to targets)
sudo nmap -sn --send-ip ... # Raw IP probes (useful on VPN/tunnel interfaces)
Vulnerability scans report non-existent issues.
Solution:
# Validate findings manually or
# Use targeted NSE script args
sudo nmap --script ... --script-args ...
Too much data to analyze.
Solution:
# Focus on high-value targets
sudo nmap -p ... --open ... # Find critical
# Filter results/outputs
grep ... | cut ...
Documentation varies.
Solution:
# Use templates & automation scripts
# Example: bash script to run scans
# and format output consistently.
Verify security controls for patient data (HIPAA).
--script ssl-enum-ciphers), prohibited services.
--script vuln.
Identified: Weak encryption, unauthorized access, unpatched systems.
Assess acquired company's network security before integration.
nmap -sn ...).
nmap -sV ...), check vulnerabilities (--script vuln).
Revealed: Critical vulnerabilities, inadequate segmentation, shadow IT.
In the final episode, we'll explore:
Technical Guide to Information Security Testing.
Web Security Testing Guide.
Includes network security scanning procedures.
The official Nmap book by Gordon Lyon.
Note: Use this video as a visual guide to complement the written material.
1. What is the first phase in a structured security assessment methodology as outlined in this episode?
2. What is the primary purpose of establishing a network security baseline using Nmap?
3. In a web application environment assessment scenario, which category of Nmap NSE scripts would be most useful for identifying common web-related vulnerabilities?
4. When using Nmap for security incident response, what might scanning for a specific range of unusual open ports help to identify?
5. In the context of compliance verification (like PCI DSS), what is a key aspect that Nmap can help assess regarding the security of systems handling sensitive data?