Level Up Your Hacking Skills: Mastering Network Enumeration with Nmap

So, You Want to Get Serious About Network Security?

You’ve probably heard of Nmap, the network mapper. It’s a powerful tool, but just knowing about it isn’t enough—understanding how to wield it is what separates the script kiddies from real pentesters.

But this post isn’t just another tool tutorial. We’re going deeper—this is about the art of enumeration, the skill of uncovering attack vectors and truly understanding your target.

What is Network Enumeration?

Forget just getting access. Enumeration is about mapping out every possible attack path into a target system. Think of it like being a detective, piecing together clues from different sources.

Tools like Nmap are great, but they’re useless if you don’t know how to interpret the data. Enumeration is not just scanning—it’s about actively interacting with services to see what they reveal, understanding their behaviors, and learning their syntax. The more information you collect, the easier it becomes to find vulnerabilities.

Imagine this: your partner lost the car keys. "They're in the living room" is vague and not very useful. But "They're in the living room, on the white shelf, next to the TV, in the third drawer"—that’s enumeration.

What to Look For

  • Misconfigurations – Security oversights often lead to exploitable misconfigurations.
  • Information Leaks – Some services unintentionally reveal sensitive details that can be valuable to an attacker.
  • False Security Assumptions – Firewalls, GPOs, and software updates aren't enough if the underlying configurations are flawed.

Why Manual Enumeration Matters

Automated tools are great for speed, but they can also miss things. Manual enumeration is critical because:

  • Scanners have timeouts—if a service is slow to respond, it may get falsely marked as closed.
  • Firewalls and IDS can detect automated scans and block them.
  • Blindly trusting scan results could mean missing hidden entry points.

You could waste hours going down the wrong path if you rely solely on automated scans.

Nmap: Your Network Swiss Army Knife

Nmap is an open-source tool for network exploration and security auditing. It uses raw packets to scan networks and identify:

  • Hosts
  • Services (and versions)
  • Operating systems
  • Firewalls & IDS/IPS systems

Nmap in Action: Use Cases

  • Auditing network security
  • Simulating penetration tests
  • Checking firewall and IDS settings
  • Network mapping
  • Identifying open ports
  • Performing vulnerability assessments

Basic Nmap Architecture

  1. Host Discovery – Finding active systems on the network
  2. Port Scanning – Identifying open ports and services
  3. Service Enumeration – Determining service names and versions
  4. OS Detection – Identifying the operating system
  5. Nmap Scripting Engine (NSE) – Automating tasks with Lua scripts

Nmap Syntax

The basic syntax is:

nmap <scan types> <options> <target>

Key Scan Techniques

  • TCP SYN Scan (-sS) – The default and most common scan. It’s stealthy and fast, sending a SYN packet but never completing the three-way handshake.
    • SYN-ACK response = Open port
    • RST response = Closed port
    • No response = Filtered port
  • TCP Connect Scan (-sT) – Completes the full TCP handshake. More accurate but easier to detect.
  • UDP Scan (-sU) – Slower but essential for finding open UDP ports.

Host Discovery: Finding Live Targets

Before scanning for vulnerabilities, you need to find live hosts.

  • Scanning a Network Range – Use CIDR notation (e.g., 10.129.2.0/24). Use -sn to disable port scanning for faster results.
  • Scanning from a File – Use -iL <filename> to read targets from a file.
  • Scanning Multiple IPs – Just list them, e.g., nmap 192.168.1.1 192.168.1.2.
  • Scanning a Single IP – Use -PE to send ICMP Echo Requests (pings).
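The four target forms above all feed the same thing: a list of addresses to probe. The Python below is an added example (not code from the original post or from Nmap) that builds that list the way Nmap's target parser does for CIDR ranges, explicit IPs and an -iL style file, deduplicating and sorting the result; the sample file content is constructed for the example, and the helper names are my own.

```python
import ipaddress

# Constructed stand-in for a file you would pass with -iL. Nmap ignores blank
# lines and '#' comments and accepts several targets per line.
SAMPLE_TARGET_FILE = """\
# scope list for the engagement (constructed example data)
10.129.2.28
10.129.2.30/31
10.129.2.28   # duplicate on purpose, must collapse
"""


def expand_target(spec):
    """Expand one target spec into address strings: a single IP, or a CIDR block
    such as 10.129.2.0/24. Like Nmap, a CIDR block expands to every address in it,
    including the network and broadcast addresses. Raises ValueError when invalid."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False lets '10.129.2.1/24' mean the /24 that contains it
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    return [str(ipaddress.ip_address(spec))]


def load_target_file(text):
    """Parse -iL style file content: '#' starts a comment, entries are whitespace-separated."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            specs.extend(line.split())
    return specs


def build_target_list(specs, file_text=None):
    """Merge command-line specs and optional file content into one deduplicated,
    numerically sorted target list. Invalid entries are returned separately rather
    than dropped, so a typo in the scope does not silently shrink the scan."""
    targets, rejected = set(), []
    all_specs = list(specs) + (load_target_file(file_text) if file_text else [])
    for spec in all_specs:
        try:
            targets.update(expand_target(spec))
        except ValueError:
            rejected.append(spec)

    def sort_key(addr):
        ip = ipaddress.ip_address(addr)
        return (ip.version, int(ip))

    return sorted(targets, key=sort_key), rejected


if __name__ == "__main__":
    targets, rejected = build_target_list(
        ["192.168.1.1", "192.168.1.2", "10.129.2.300"], SAMPLE_TARGET_FILE
    )
    print(f"{len(targets)} targets, {len(rejected)} rejected: {rejected}")
    print("\n".join(targets))
```

Note that a /24 expands to 256 addresses, not 254: Nmap probes the network and broadcast addresses too, which is why a -sn sweep of a /24 costs 256 probes.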

Port Scanning: Probing for Open Doors

Port States

  • Open – A connection was established.
  • Closed – The port is not listening.
  • Filtered – Nmap can’t determine if the port is open or closed due to a firewall.
  • Unfiltered – The port is accessible, but its state is unknown.

Key Port Scanning Options

  • Scan Specific Ports – -p 22,25,80
  • Scan a Range – -p 22-445
  • Scan the Top 10 Ports – --top-ports=10
  • Scan All Ports – -p- (Can be slow!)
  • Fast Scan – -F (Scans only the top 100 ports)

Dealing with Firewalls & IDS

Firewalls can block or drop packets. If a packet is dropped, Nmap gets no response. If it’s rejected, you’ll see an ICMP "port unreachable" message.

Evasion Techniques

  • TCP ACK Scan (-sA) – Helps identify firewall rules.
  • Decoys (-D) – Sends fake scan traffic from multiple IPs.
  • Source IP Spoofing (-S) – Fakes the scan origin (useful for testing firewall rules).
  • DNS Proxying – Uses specific DNS servers to bypass filters.
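The post notes that firewalls and IDS can spot automated scans; it helps to see what that detection actually looks like from the defender's chair. The Python below is an added example (not code from the original post or any IDS product) that runs a sliding-window fan-out check over simplified, constructed iptables-style log lines: a source that touches many distinct destination ports within a short window is flagged. The log format, field names and thresholds are my own assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified iptables-style log lines (constructed for this example). Real kernel
# log lines carry more fields, which the regex skips with non-greedy matches.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def _line(ts, src, dst, dpt):
    return f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT=40001 DPT={dpt} SYN"


SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
SAMPLE_LOG = (
    # an ordinary client: three ports touched over five minutes
    [_line("2025-03-03T10:00:00", "10.129.2.7", "10.129.2.28", 443),
     _line("2025-03-03T10:02:30", "10.129.2.7", "10.129.2.28", 80),
     _line("2025-03-03T10:04:00", "10.129.2.7", "10.129.2.28", 443),
     _line("2025-03-03T10:05:15", "10.129.2.7", "10.129.2.28", 22)]
    # a sweep: twelve distinct ports on one host, one probe per second
    + [_line(f"2025-03-03T10:10:{i:02d}", "10.129.2.5", "10.129.2.28", p)
       for i, p in enumerate(SCANNED_PORTS)]
    # an unrelated line that the parser must ignore
    + ["2025-03-03T10:11:00 fw sshd[1201]: Accepted publickey for admin from 10.129.2.7"]
)


def parse_line(line):
    """Return {'ts', 'src', 'dst', 'proto', 'dpt'} for a firewall line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(lines, key="src", window_seconds=60, threshold=10):
    """Sliding-window fan-out: for each value of `key` ('src' or 'dst'), the largest
    number of distinct destination ports seen inside any `window_seconds` span.
    Returns {key_value: max_distinct_ports} for those at or above `threshold`."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[ev[key]].append((ev["ts"], ev["dpt"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for who, evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> hits currently inside the window
        left, best = 0, 0
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[left][0] > window:  # slide the left edge forward
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[who] = best
    return alerts


if __name__ == "__main__":
    print("by source:", detect_port_scans(SAMPLE_LOG))
    print("by destination:", detect_port_scans(SAMPLE_LOG, key="dst"))
```

The `key` parameter is the defensive counterpart to the decoy and spoofing options above: decoys spread one sweep across several apparent sources, but every one of them converges on the same destination, so counting fan-out per destination still fires; and because a spoofed source address is under the sender's control, the SRC field tells you what to rate-limit, not who to blame.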

Service Version Detection: Identifying the Software

Knowing the exact version of a service is critical for finding vulnerabilities.

  • Use -sV to detect service versions.
  • Manually grab banners using nc (Netcat) for more detailed results.
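Reading the data is the whole point of enumeration, and Nmap's XML output (-oX) carries more than the screen does: the packet that decided each port state (`reason`) and whether -sV actually matched a banner (`method="probed"`) or just looked the port number up in its table (`method="table"`). The Python below is an added example (not code from the original post or from the Nmap project) that parses that output and ties the SYN-scan semantics, port states and the dropped-versus-rejected distinction from the sections above to concrete fields; the sample XML is constructed and trimmed, and the addresses and versions in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sS -sV -oX - 10.129.2.28`, trimmed to
# the elements used below. Addresses, products and versions are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 10.129.2.28" start="0" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="996"><extrareasons reason="resets" count="996"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/>
<service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/>
<service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="admin-prohibited" reason_ttl="64"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

# What the 'reason' attribute says about the packet that decided the state.
REASON_MEANING = {
    "syn-ack": "SYN-ACK received: a service is listening (open)",
    "reset": "RST received: host reachable but nothing listening (closed)",
    "no-response": "probe silently dropped: firewall drop rule or packet loss (filtered)",
    "port-unreach": "ICMP port unreachable: the host rejected the probe",
    "admin-prohibited": "ICMP admin prohibited: a filter actively rejected the probe (filtered)",
}


def reason_meaning(reason):
    return REASON_MEANING.get(reason, f"unmapped reason '{reason}'")


def parse_nmap_xml(xml_text):
    """Turn -oX output into plain dicts: one per host, with every listed port, the
    packet-level reason for its state, and whether -sV actually probed the service."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            address = host.find("address")  # fall back to whatever address is present
        status = host.find("status")
        entry = {
            "addr": address.get("addr") if address is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
            "ignored": {},  # states Nmap collapsed into <extraports>, e.g. {'closed': 996}
        }
        ports = host.find("ports")
        for extra in (ports.findall("extraports") if ports is not None else []):
            entry["ignored"][extra.get("state")] = int(extra.get("count"))
        for port in (ports.findall("port") if ports is not None else []):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # "probed": -sV matched a real banner. "table": only the name Nmap's
                # port table associates with that number, i.e. a guess.
                "confirmed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """(addr, port, label) for every open port; label is 'product version' when -sV
    confirmed it, otherwise the table name with a '?' to mark it as a guess."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if p["confirmed"]:
                label = " ".join(x for x in (p["product"], p["version"]) if x) or p["service"]
            else:
                label = f"{p['service']}?"
            out.append((h["addr"], p["port"], label))
    return out


def explain_non_open(hosts):
    """Group every listed non-open port by the reason Nmap gave, so 'filtered' reads
    as dropped vs. rejected instead of being treated as a dead end."""
    grouped = {}
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                grouped.setdefault(p["reason"], []).append((h["addr"], p["port"]))
    return grouped


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_XML)
    for addr, port, label in open_services(scanned):
        print(f"{addr}:{port}  {label}")
    for reason, ports in explain_non_open(scanned).items():
        print(f"{ports}: {reason_meaning(reason)}")
```

To use it on a real scan, save with `nmap -sS -sV -oX scan.xml <target>` and pass the file's text to `parse_nmap_xml`. The two filtered ports in the sample are the practical payoff: 445 went silent (a drop rule, or a slow host, which is the timeout problem from the manual-enumeration section), while 8080 was actively refused by a filter, so the two deserve different follow-up even though Nmap prints the same word for both.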

Nmap Scripting Engine (NSE): Automating Advanced Tasks

NSE lets you run scripts written in Lua to automate various tasks. Scripts fall into categories like:

  • Auth – Authentication bypass tests
  • Brute – Brute-force attacks
  • Vuln – Checks for known vulnerabilities
  • Exploit – Exploit execution
  • Malware – Detects malicious services

Running NSE Scripts

  • Run a specific script:
nmap --script <script-name> <target>
  • Run all scripts in a category:
nmap --script <category> <target>

Vulnerability Assessment: Finding the Exploits

To scan for known vulnerabilities, use:

nmap -p 80 -sV --script vuln <target>

Performance Tuning: Scanning Faster (and Smarter)

  • Adjust Scan Speed – -T0 (slow) to -T5 (aggressive)
  • Control Parallelism – --min-parallelism <num>
  • Reduce Retries – --max-retries <num>
  • Set Min Packet Rate – --min-rate <num>

Final Thoughts

Mastering network enumeration with Nmap isn’t just about running scans. It’s about:

  • Understanding the data you collect
  • Adapting your approach based on target defenses
  • Using the right techniques to bypass security measures

Keep learning, keep experimenting, and keep those packets flowing! 🚀