How To Use Nmap for Vulnerability Scanning: Complete Tutorial

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The powerful open-source tool Nmap scans the ports of network devices and probes website domains for known vulnerabilities. Since both internal security teams and malicious hackers can use Nmap, internal security teams should make sure to perform the scan first!

To become familiar with Nmap as a basic tool to detect basic vulnerabilities this article will cover:

• Getting Started with Nmap
• Nmap Vulnerability Scanning
• Vuln vs Vulners vs Vulscan
• How Do Attackers Use Nmap?
• Pros and Cons of Using Nmap
• Nmap Vulnerability Scanner Alternatives
• Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

If you’re looking for an easy-to-use vulnerability scanner with good technical support, Intruder — this article’s sponsor — is one such tool, with enterprise-grade protection covering more than 10,000 security checks, from internal scans out to the perimeter, web applications and the cloud.

Try Intruder free for 14 days!

Getting Started with Nmap

Nmap, or network map, provides open-source and free capabilities for auditing IT infrastructure, such as port scanning, host discovery, or device identification across a network. Both pen testers and threat actors use Nmap to collect information about their target, and Nmap has been recognized by CISA as an important free tool for network security.

Installing Nmap

Nmap began as a Linux utility, but it’s now available for all major operating systems, including Windows and macOS. Nmap comes pre-installed on several versions of Linux including Kali Linux. Other Linux systems users can use the command “apt-get install Nmap” to install it.

Users of all operating systems can download Nmap as well as the ZeNmap graphical user interface (GUI) front-end for Nmap. Those that prefer to use github can clone the official git repository using this command:

git clone https://github.com/Nmap/Nmap.git 

After installing Nmap, users can use the command line or ZeNmap to execute simple commands to map the local domain, scan ports on a host, and detect operating system versions running on hosts.

Many open source software packages have been infected with malware. To verify that the specific download of Nmap matches the intended contents, an organization can compare the download against the signature records maintained by Nmap.

Built-in Nmap Scripts

Running basic functions can be tedious. Users increase the capabilities of Nmap by running built-in Nmap scripts. These scripts should be periodically updated by running this command:

sudo Nmap --script-updatedb

An overview of basic commands and example scripts can be found in Nmap: Pen Testing Product Overview and Analysis.

Using Custom Nmap Scripts

Advanced users may prefer to combine multiple lines of instructions or more complex commands using the Python language and the Python-Nmap package.  Advanced users can also use the Nmap Scripting Engine (NSE) to enable network discovery, vulnerability detection (e.g., backdoor), and even specific exploits using the Lua programming language.  These scripts are .nse files and will typically contain comments for end users and code instructions for the machines.

Nmap Vulnerability Scanning

Nmap’s vulnerability scanning capabilities rely upon the vulnerability-detecting scripts categorized under “vuln” for vulnerability or custom scripts. Users can run built-in scripts individually or collectively using the “vuln” command. In addition, users can also download custom scripts such as Vulscan or Vulners.

As with any penetration testing or vulnerability scan, users must keep in mind that these invasive scans should only be performed with permission. Even scanning a system without permission could lead to attempts to impose fines or jail time depending upon the jurisdiction. For more information, a user can investigate regulations such as those found in the US (The Computer Fraud and Abuse Act), England (Computer Misuse Act 1990), India (Information Technology Act Sec. 43 and 66), Japan (The Act on the Prohibition of Unauthorised Computer Access), and many other countries.

Specific Nmap Vulnerability Scans

Nmap scripts contain well over 100 specific scans for vulnerabilities that can be run against domains or against specific host IP addresses. A comprehensive list of scanned vulnerabilities can be found on the Nmap website.

Application Scans: Run Nmap against a target domain (ex: esecurityplanet.com)  to check websites for vulnerabilities such as:

• http-csrf: Detect Cross-Site Request Forgery (CSRF) vulnerabilities by entering the command: Nmap -sV –script http-csrf <target domain>
• http-sherlock: Check if the “shellshock” vulnerability can be exploited in web applications by entering the command: Nmap -sV –script http-sherlock <target domain>

IT Host Scans: Run Nmap against a target IP address (ex: 166.96.06.4) to check for host vulnerabilities such as: 

• dns-update: Attempt to perform a dynamic domain name service (DNS) update without authentication by entering the command: Nmap -sU -p 53 –script=dns-update –script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1 <target IP address>
• smb-vuln-cve-2017-7494: Check if target IP address are vulnerable to the arbitrary shared library load vulnerability by using a script such as: Nmap –script smb-vuln-cve-2017-7494 -p 445 <target IP address>

Government advocated Nmap scripts will sometimes be released or promoted on official websites to help organizations address specific vulnerabilities. For example, the UK government maintains an open-source GitHub repository to help organizations scan networks for the Exim MTA vulnerability as part of the Scanning Made Easy project from the National Cyber Security Centre (NCSC) and its i100 industry partnership.

The repository provides a collection of officially promoted Nmap scripts to users, such as sysadmins, for detecting system vulnerabilities. The initial UK script focuses on the Exim message transfer agent (MTA) remote code execution vulnerabilities CVE-2020-28017 through CVE-2020-28026, also known as 21Nails.

The script contains information on:

• How it checks for the presence of the vulnerability
• Why the check is not intrusive
• Why there may be false positives and false negatives

How to Use Vuln

Nmap can scan a target domain or IP address for all vulnerabilities in the default script library for the “vuln” category with the appropriately named Vuln command:

sudo Nmap --script vuln <target domain or IP Address> -v

Note that the command may require “sudo” in Linux to run the command as a super user or as the Linux equivalent of an administrator. In most cases, elevated privileges will be required to run the more invasive and probing commands for Nmap. The -v, or verbosity, flag will provide extensive information about the tests run and their results.

Running these commands can be dangerous because of invasive and disruptive aspects of specific vulnerability scans. Instead of simply obtaining information, certain scans attempt to verify a vulnerability by attempting to exploit the vulnerability. In some cases, a successful exploitation will result in changes to the service or even crashing the service, website, or operating system.

A subset of the vulnerability scans can be performed using wildcards or asterisks (*) to run multiple scripts with similar names simultaneously. For example, adding the wildcard after the http command (http*) will run all vulnerability scans that start with “http” against a targeted domain.

When using any of the bulk scans, the results can become overwhelming and some users will want to exclude low CVSS score vulnerabilities. To only show vulnerabilities within a certain range, add the following flag to the command where “x.x” is the CVSS score (ex: 6.5).

--script-args=mincvss=x.x

The complete command to exclude vulnerabilities below 6.5 would be:

Nmap --script vuln --script-args mincvss=6.5 <target>

Results of the scan can be exported in various file formats by adding flags followed by the file name in the command. This export will make it easier to share information or make the vulnerabilities available for other software.

Two common examples of the complete command are:

• XML File: Nmap –script vuln -oX file.xml <target>
• Browser Friendly XML File: Nmap –script vuln –webxml -oX file.xml <target>

Of course, the basic set of vulnerability scans may not be sufficient for some users because it only examines a limited, although important, set of vulnerabilities. Advanced users may download custom scripts such as Vulscan or Vulners to access a larger database of vulnerabilities.

How to Use Vulscan

To use the NSE script Vulscan, a user must first clone the software from the github repository using the git command:

sudo git clone https://github.com/scipag/vulscan

The user may need to make a soft link to the NSE scripts directory by executing the following command:

sudo ln -s pwd /scipag_vulscan /usr/share/Nmap/scripts/vulscan

In this case, /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once the directory is known to Nmap, Vulscan is available to be called by the –script flag to run additional vulnerability checks using the following syntax:

sudo Nmap -sV --script=vulscan/vulscan.nse <target IP address or host name>

Vulscan can be run to detect IT vulnerabilities against an IP address in the network or software vulnerabilities against a host name (ex: esecurityplanet.com). Vulscan will run non-invasive tests for all applicable vulnerabilities against the target. The results will display the port followed by limited information on the specific CVEs discovered.

How to Use Vulners

Vulners will typically be included in the standard Nmap NSE scripts, but a user can also clone the NSE script for Vulners from its github repository using the git command:

sudo git clone https://github.com/vulnersCom/Nmap-vulners.git /usr/share/Nmap/scripts/vulners

The file directory /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once cloned, Vulners is available to be called by the –script flag using the following syntax:

sudo Nmap -sV --script Nmap-vulners/vulners.nse <target host or IP address>

Users can target specific ports on an IP address by adding -p<#> (ex: -p80 to target port 80) at the end of the command line. The results will display the discovered CVEs and will link to the Vulners website for more information.

Vuln vs Vulners vs Vulscan

Vuln and Vulners are included in the basic NSE script database and will be updated when updating all scripts for Nmap. Vulscan is not included in the basic script set and must be downloaded and updated separately. 

Vulners sends common platform enumeration (CPE) information received from port scans to vulners.com using the site’s API to actively download the latest common vulnerabilities and exposures (CVE) information from the site’s database. Vulners also requires internet access to reach the external databases of vulnerabilities. 

This information sharing of vulnerabilities may not be appropriate for organizations deeply concerned about the secrecy of their environment. There is an option with Vulscan to use a local database, but this generally removes the advantage of using Vulscan’s fully updated database. 

Vuln and Vulscan do not send CPE information outside of the scanned organization and use locally stored vulnerability databases.

The advantage of sending the CPE information is that Vulners hosts a fully updated set of CVEs. Vuln only detects 150 top vulnerabilities for systems and Vulscan uses an offline copy of vulnerability databases.

Vuln can risk disruption because Vuln tests for the presence of some vulnerabilities by attempting to verify exploitation and disruption or corruption of that service. However, the active probing will increase confidence and reduce the chance of a false positive. 

Vulners and Vulscan avoid the risk of disruption because they do not attempt to verify or exploit vulnerabilities. The confidence in both of these tools depends upon the accuracy and precision of the detection capabilities of the specific version of Nmap. Both of these tools may also be confused by non-standard, custom, or patched builds of specific services, which may lead to more false positives.

Of the three tools, the Vuln category of scripts can immediately produce highly accurate scans for a limited set of important vulnerabilities. However, while the number of vulnerabilities is small, the in-depth probing of the vulnerability can take 3-4 times longer than Vulners or Vulscan.

While both of the manually downloaded vulnerability scanners will enjoy a much more extensive and robust selection of CVEs to detect, Vulners will typically be the most updated scan since IT teams may forget to manually update Vulscan databases. But for more secretive organizations that need to avoid releasing CPE information, Vulscan’s use of a local database may be the best choice among the Nmap options.

How Do Attackers Use Nmap?

Attackers use Nmap to scan large networks quickly by using raw IP packets to identify available hosts and services on the network and determine their vulnerabilities. Hackers and pen testers typically add specific options to cover their tracks.

Decoy scans add the -D option flag (Nmap -p 123 -D decoyIP targetIP), to hide the attacking IP address and send source-spoofed packets to the target in addition to the scanning machine packets. The additional packets make port scan detection harder for defenders.

Attackers can also run zombie scans, also known as idle scans. This side-channel attack attempts to send forged SYN packets to the target using the IP address of the “zombie” endpoint on the network. This method attempts to fool the intrusion detection system (IDS) into mistaking the innocent zombie computer for the attacker. A more thorough review of Nmap attacks can be found in the Nmap Ultimate Guide: Pentest Product Review and Analysis.

Do Host Systems Detect Nmap Scans?

SIEM tools, firewalls, and other defensive tools, can receive alerts from systems and the scanned system will log the successful TCP requests from the many Nmap port scans. More sophisticated IDS/IDP tools might also detect malformed TCP requests, such as the Nmap stealthy requests that do not complete a TCP connection. Disruptive scans that cause system or service failure will definitely be detected by systems as well as by affected users.

Pros and Cons of Using Nmap

Nmap provides powerful vulnerability capabilities and should be under consideration for use within most organizations. However, there are many reasons why Nmap is not used universally.

Pros: Reasons to Use Nmap

• Open source and free so great for hackers, students, and all organizations
• Quick scans provide a fast look at potential vulnerabilities
• Lightweight TCP scans do not consume enormous network bandwidth and can escape some network security tools
• A hacker preview for organizations checking their internal systems
• Scriptable scans enable an organization to create repeatable vulnerability scans usable by non-technical users and for hackers to embed Nmap commands and scans into malware

Cons: Reasons Not to Use Nmap

• Less user friendly than commercial tools with more advanced GUIs
• Easy to make mistakes with command line entries
• Lack of programmers in an organization’s IT staff to create custom scripts or understand Nmap scripts
• Less formal support than commercial tools
• Limited vulnerability scans through the basic vuln command

Nmap Vulnerability Scanner Alternatives

Nmap remains a popular tool among many, but it certainly is not the only vulnerability scanner available. Open-source vulnerability scanner options for applications include OSV-Scanner or OWASP Zed Attack Proxy (ZAP) and for infrastructure include CloudSploit or OpenVAS.

There are many commercially available vulnerability scanners as well. The best vulnerability scanners for applications or infrastructure include Invicti, Tenable.io, ManageEngine’s Vulnerability Manager Plus, as well as others listed below:

Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Nmap provides a no-cost option to detect vulnerabilities, double-check the results of commercial vulnerability scanners, or provide an effective sneak peek at the way a hacker might view opportunities in the organization’s infrastructure. Everyone, even an organization selecting to use a commercial vulnerability scanner, should consider using Nmap as a vulnerability scanning tool in their arsenal.

Read next: 

• Top Vulnerability Management Tools
• The 8 Best Vulnerability Scanner Tools for 2023
• 10 Best Open-Source Vulnerability Assessment Tools for 2023

This article was originally written by Julien Maury on February 8, 2022 and revised by Chad Kime on July 14, 2023.