Nmap for Red Teamers by Daily Redteam


Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. Red teamers leverage Nmap to identify live hosts, open ports, running services, and vulnerabilities in target systems. Below is a detailed guide on using Nmap for offensive security operations.

Basic Nmap Scan Commands

1. Ping Sweep (Discover Live Hosts)

nmap -sn 192.168.1.0/24

This command scans a subnet to find active hosts without port scanning.

2. TCP SYN Scan (Stealth Scan)

nmap -sS 192.168.1.100

A fast and comparatively quiet scan that sends a SYN and never completes the TCP handshake; it needs raw-socket privileges (root), otherwise Nmap falls back to a full connect scan (`-sT`).

3. Aggressive Scan (OS & Service Detection)

nmap -A 192.168.1.100

Enables OS detection, version detection, script scanning, and traceroute.

4. UDP Port Scan

nmap -sU 192.168.1.100

Scans for open UDP ports, which are often overlooked.

Advanced Nmap Techniques for Red Teaming

5. Evading Firewalls with Fragmentation

nmap -f 192.168.1.100

Splits probe packets into small IP fragments in the hope that an IDS/IPS inspects them without reassembly. Most modern sensors reassemble fragments before inspection, so fragmented scans are still visible to them.

6. Spoofing Source IP (Decoy Scan)

nmap -D RND:10 192.168.1.100

Mixes your real address among ten randomly generated decoy addresses, so the target's logs show several apparent scan sources; your real IP is still one of them.

7. Timing and Delay Adjustments

nmap -T4 192.168.1.100

`-T4` for aggressive timing, `-T0` for paranoid (slowest).

8. NSE (Nmap Scripting Engine) for Exploitation

nmap --script vuln 192.168.1.100

Runs every NSE script in the `vuln` category, which check detected services for known vulnerabilities.

9. Saving Output to a File

nmap -oN output.txt 192.168.1.100

Saves results in normal format. `-oX` writes XML, `-oG` grepable output, and `-oA <basename>` writes all three at once.

You Should Know:

  • Bypassing Network Restrictions: `-Pn` skips host discovery and treats every target as up; `--proxies` relays the scan through a comma-separated chain of HTTP or SOCKS4 proxies.
  • Service Fingerprinting: `-sV` detects service versions for exploit research.
  • Custom Port Ranges: `-p 80,443,8080` scans specific ports.
  • Brute-Force Attacks: Use NSE scripts like `http-brute` for credential attacks.

What Undercode Says

Nmap remains an essential tool for red teamers due to its versatility in reconnaissance and exploitation. Mastering advanced techniques like packet fragmentation, decoy scanning, and NSE scripting enhances offensive operations while evading detection.

Expected Output:

Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.100
Host is up (0.045s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1
80/tcp   open  http       Apache 2.4.41
443/tcp  open  ssl/http   Apache 2.4.41
3306/tcp open  mysql      MySQL 5.7.32
8080/tcp open  http-proxy Nginx 1.18.0
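As an added example (not code from the original post), a small Python parser for the `-oN` report above: it turns each port line into a record and flags open ports missing from a per-host allow-list, the kind of exposure check a defender runs over their own scan output. The sample report is the one printed above, and the baseline dictionary format is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the nmap -oN (normal format) report shown in this post.
SAMPLE_REPORT = """\
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.100
Host is up (0.045s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1
80/tcp   open  http       Apache 2.4.41
443/tcp  open  ssl/http   Apache 2.4.41
3306/tcp open  mysql      MySQL 5.7.32
8080/tcp open  http-proxy Nginx 1.18.0
"""

# "Nmap scan report for host (ip)" or "... for ip"; prefer the IP in parentheses.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when the scan was run without -sV

def parse_normal_output(text):
    """Parse an nmap -oN report into one PortRecord per port line (all hosts)."""
    records, host = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(host, int(port), proto, state, service, (version or "").strip()))
    return records

def unexpected_exposures(records, baseline):
    """Open ports absent from the (assumed) allow-list {host: {(proto, port), ...}}."""
    return [r for r in records
            if r.state == "open" and (r.proto, r.port) not in baseline.get(r.host, set())]
```

Against a baseline that allows only 22, 80 and 443 on the scanned host, the report above yields 3306 (MySQL) and 8080 (Nginx) as unexpected exposures.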

References:

Reported By: Alexrweyemamu Nmap – Hackers Feeds