<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>My Blog</title>
    <link>http://localhost:3000</link>
    <description>Built with mgx0_blog static publishing engine</description>
    <language>en</language>
    <generator>mgx0_blog</generator>
    <lastBuildDate>Fri, 03 Jul 2026 07:09:22 GMT</lastBuildDate>
    <item>
      <title>My First Blog Post</title>
      <link>http://localhost:3000/blog/first_blog/</link>
      <guid isPermaLink="true">http://localhost:3000/blog/first_blog/</guid>
      <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
      <description>A short summary of what this post is about.</description>
      <content:encoded><![CDATA[<h1 id="my-post-heading">My Post Heading<a aria-hidden="true" tabindex="-1" href="#my-post-heading"><span class="icon icon-link"></span></a></h1>
<p>Write your actual blog content here in markdown...</p>]]></content:encoded>
    </item>
    <item>
      <title>The Adversarial Doctrine of Network Reconnaissance: Nmap as the First Weapon</title>
      <link>http://localhost:3000/blog/hello-world/</link>
      <guid isPermaLink="true">http://localhost:3000/blog/hello-world/</guid>
      <pubDate>Mon, 24 Feb 2025 00:00:00 GMT</pubDate>
      <description>A comprehensive analysis of Nmap from both attacker and defender perspectives—understanding the reconnaissance doctrine that precedes every serious network intrusion. For advanced cybersecurity professionals.</description>
      <content:encoded><![CDATA[<blockquote>
<p><strong>TECHNICAL BRIEF — ADVERSARIAL OPERATIONS &#x26; DEFENSIVE DOCTRINE</strong><br>
<em>This analysis deconstructs Nmap from dual perspectives: as the attacker's opening move and as the defender's diagnostic mirror. Written for security professionals who need to understand both sides of the reconnaissance equation.</em></p>
</blockquote>
<h2 id="executive-summary">Executive Summary<a aria-hidden="true" tabindex="-1" href="#executive-summary"><span class="icon icon-link"></span></a></h2>
<p>Before exploit code fires, before credentials are compromised, before ransomware deploys—there is reconnaissance. This analysis argues that <strong>Nmap is not a scanning tool but the operationalized doctrine of network visibility</strong>: a four-layer intelligence platform that converts opaque networks into prioritized attack surfaces. Understanding Nmap at this depth is not optional for network security practitioners. The tool is universal, the techniques are baseline, and they are deployed against every network of consequence.</p>
<p><strong>Core Thesis:</strong> The attacker who maps your network before you do owns the strategic initiative. The organization that understands its own exposure before adversaries document it operates with a structural advantage that no amount of reactive incident response can replicate.</p>
<hr>
<h2 id="part-i-the-architecture-of-visibility">Part I: The Architecture of Visibility<a aria-hidden="true" tabindex="-1" href="#part-i-the-architecture-of-visibility"><span class="icon icon-link"></span></a></h2>
<h3 id="11-the-fundamental-information-asymmetry">1.1 The Fundamental Information Asymmetry<a aria-hidden="true" tabindex="-1" href="#11-the-fundamental-information-asymmetry"><span class="icon icon-link"></span></a></h3>
<p>The dominant security posture of most organizations rests on a dangerous assumption: <strong>obscurity as security</strong>. Change SSH to port 2222, run admin panels on port 8443, don't publish internal service documentation. This is security through obscurity—the belief that what isn't advertised isn't findable.</p>
<p>From an adversarial standpoint, obscurity is not protection—it is <em>friction</em>. And Nmap is specifically engineered to dissolve friction. A <code>-p-</code> scan across all 65,535 TCP ports finds SSH on port 2222 as reliably as port 22. The administrator who moved the port bought nothing except false confidence and a slightly larger command in the attacker's terminal.</p>
<p><strong>The Critical Asymmetry:</strong> A trained operator can construct a complete intelligence profile of any network—service inventory, OS distribution, software versions, vulnerability exposure—in minutes to hours. The network's operator may have no awareness this profiling occurred. This asymmetry cannot be corrected through firewalls alone. Firewalls manage traffic; they cannot prevent inference of internal architecture from the observable behavior of traffic they permit.</p>
<h3 id="12-the-four-layer-intelligence-architecture">1.2 The Four-Layer Intelligence Architecture<a aria-hidden="true" tabindex="-1" href="#12-the-four-layer-intelligence-architecture"><span class="icon icon-link"></span></a></h3>
<p>Nmap's true capability consists of four distinct intelligence layers, each building on the previous:</p>
<pre><code>[Layer 1] Host Discovery      → What devices are reachable?
    ↓
[Layer 2] Port Enumeration    → What services are accessible?
    ↓
[Layer 3] Version Detection   → What software/versions are running?
    ↓
[Layer 4] NSE Scripting       → What vulnerabilities are exploitable?
</code></pre>
<p>This progression—from gross network topology to granular vulnerability assessment—is not merely a scanning routine. It is a <strong>reconnaissance doctrine</strong>. Every authorized penetration test begins here. Every sophisticated intrusion attempt begins here. The tool doesn't change. The authorization does.</p>
<h3 id="13-what-networks-reveal-the-three-intelligence-objectives">1.3 What Networks Reveal: The Three Intelligence Objectives<a aria-hidden="true" tabindex="-1" href="#13-what-networks-reveal-the-three-intelligence-objectives"><span class="icon icon-link"></span></a></h3>
<p>The attacker's reconnaissance phase serves three explicit intelligence objectives:</p>
<pre><code>Target Network →  [1] What is running?        (service enumeration)
               →  [2] What version is it?     (vulnerability cross-reference)
               →  [3] How is it protected?    (firewall/IDS fingerprinting)
</code></pre>
<p>Each layer of Nmap capability directly serves one of these objectives:</p>
<ul>
<li><strong>Host discovery</strong> answers "what is alive"</li>
<li><strong>Port scanning</strong> answers "what is accessible"</li>
<li><strong>Version detection</strong> answers "what is running and what version"</li>
<li><strong>NSE scripts</strong> answer "is it exploitable?"</li>
<li><strong>Firewall evasion</strong> answers "can I ask these questions without being caught?"</li>
</ul>
<p>The attacker who completes this intelligence map before touching an exploit has already won a significant portion of the engagement. They know which CVEs apply, which services are likely misconfigured, which hosts are worth targeting, and which are hardened honeypots worth avoiding.</p>
<hr>
<h2 id="part-ii-the-adversarial-workflow">Part II: The Adversarial Workflow<a aria-hidden="true" tabindex="-1" href="#part-ii-the-adversarial-workflow"><span class="icon icon-link"></span></a></h2>
<h3 id="21-phase-one--external-footprinting-initial-triage">2.1 Phase One — External Footprinting: Initial Triage<a aria-hidden="true" tabindex="-1" href="#21-phase-one--external-footprinting-initial-triage"><span class="icon icon-link"></span></a></h3>
<p>The first operational question for any threat actor is <strong>scope</strong>: what is reachable from the outside? Before touching the target network, a competent attacker establishes scan origin carefully—a VPS in a neutral jurisdiction, a compromised host several hops from their actual location, or Tor-routed for maximum attribution resistance.</p>
<p>The initial scan is deliberately conservative. The objective is not complete enumeration—it is <strong>triage</strong>. Which hosts are alive? Which ports are obviously open? The attacker avoids full <code>-p-</code> scans at this stage. That comes later, stealthily.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Speed-priority triage (noisy but quick)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T4</span><span style="color:#79B8FF"> -F</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Stealth alternative — SYN scan, polite timing, key ports</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -T2</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 21,22,23,25,53,80,110,143,443,445,3306,3389,8080,8443</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Many hosts block ping but answer port probes</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -Pn</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span></code></pre></figure>
<p><strong>Attacker's Note:</strong> Every open port is a question: <em>what is this, and can I use it?</em></p>
<h3 id="22-phase-two--deep-enumeration-intelligence-extraction">2.2 Phase Two — Deep Enumeration: Intelligence Extraction<a aria-hidden="true" tabindex="-1" href="#22-phase-two--deep-enumeration-intelligence-extraction"><span class="icon icon-link"></span></a></h3>
<p>Version detection is the mechanism that converts a port number into a software version, which converts into a CVE lookup, which converts into an exploit selection. This is where reconnaissance becomes <strong>actionable intelligence</strong>.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Version + OS detection on confirmed live hosts</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -T3</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Aggressive detection — maximum probe intensity</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -A</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Typical result the attacker hunts for:</span></span>
<span data-line=""><span style="color:#6A737D"># PORT     STATE  SERVICE  VERSION</span></span>
<span data-line=""><span style="color:#6A737D"># 22/tcp   open   ssh      OpenSSH 7.2p2 Ubuntu    ← CVE-2016-6210: user enumeration</span></span>
<span data-line=""><span style="color:#6A737D"># 80/tcp   open   http     Apache 2.4.18          ← CVE-2017-7679: buffer overflow</span></span>
<span data-line=""><span style="color:#6A737D"># 3306/tcp open   mysql    MySQL 5.5.5            ← ancient, many unpatched vulns</span></span>
<span data-line=""><span style="color:#6A737D"># 5900/tcp open   vnc      VNC (protocol 3.8)     ← often no auth required</span></span></code></pre></figure>
<p>The version string <code>OpenSSH 7.2p2</code> is not just information. <strong>It is a key</strong>. The attacker cross-references it against CVE databases and finds a user enumeration vulnerability—not a direct shell, but an intelligence multiplier. They can now enumerate valid usernames, which feeds directly into credential attack phases.</p>
<h3 id="23-phase-three--nse-automated-vulnerability-surface-mapping">2.3 Phase Three — NSE: Automated Vulnerability Surface Mapping<a aria-hidden="true" tabindex="-1" href="#23-phase-three--nse-automated-vulnerability-surface-mapping"><span class="icon icon-link"></span></a></h3>
<p>Nmap Scripting Engine (NSE) is where reconnaissance becomes weaponized intelligence gathering. Over 600 scripts exist—many explicitly designed for vulnerability confirmation, misconfiguration detection, and exploitation surface mapping.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Broad vulnerability sweep</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> vuln</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># SMB exploitation surface</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=smb-vuln-ms17-010,smb-enum-shares,smb-enum-users</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Web attack surface</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=http-enum,http-default-accounts,http-shellshock</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443,8080</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># SSL/TLS audit</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=ssl-enum-ciphers,ssl-heartbleed</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Database exposure</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=mysql-empty-password,pgsql-brute</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 3306,5432</span><span style="color:#79B8FF"> 203.0.113.15</span></span></code></pre></figure>
<p><strong>Critical Understanding:</strong> Each NSE script returns not just "service present" but "service exploitable through X vector." The attacker doesn't guess—they <strong>confirm</strong> before exploitation.</p>
<h3 id="24-phase-four--evasion-operating-below-detection-thresholds">2.4 Phase Four — Evasion: Operating Below Detection Thresholds<a aria-hidden="true" tabindex="-1" href="#24-phase-four--evasion-operating-below-detection-thresholds"><span class="icon icon-link"></span></a></h3>
<p>Sophisticated actors don't scan carelessly. They scan with <strong>operational discipline</strong>:</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Slow, fragmented, randomized (IDS evasion)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -T1</span><span style="color:#79B8FF"> -f</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Paranoid timing + decoy sources</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T0</span><span style="color:#79B8FF"> -D</span><span style="color:#9ECBFF"> decoy1,decoy2,decoy3,ME</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Zombie/idle scan (no source attribution)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sI</span><span style="color:#9ECBFF"> zombie_host</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Source port spoofing (bypass port-based filtering)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --source-port</span><span style="color:#79B8FF"> 53</span><span style="color:#79B8FF"> 203.0.113.15</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Fragmentation + data padding</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -f</span><span style="color:#79B8FF"> --data-length</span><span style="color:#79B8FF"> 200</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#9ECBFF"> 203.0.113.0/24</span></span></code></pre></figure>
<p><strong>Timing Philosophy:</strong></p>
<ul>
<li><code>-T0</code> (Paranoid): 5-minute delays between probes—designed to evade rate-based IDS</li>
<li><code>-T1</code> (Sneaky): 15-second delays—slow enough to avoid thresholds</li>
<li><code>-T2</code> (Polite): 0.4-second delays—balanced stealth/speed</li>
<li><code>-T3</code> (Normal): Default—assumes no IDS evasion needed</li>
<li><code>-T4</code> (Aggressive): Fast LANs, time-constrained scenarios</li>
<li><code>-T5</code> (Insane): Speed above all—generates obvious signatures</li>
</ul>
<p><strong>Defender's Insight:</strong> If someone has been running <code>-T1</code> fragmented scans against your network for three weeks, would you know? Most evidence expires from log storage before anyone correlates it.</p>
<hr>
<h2 id="part-iii-the-mechanics--how-nmap-actually-works">Part III: The Mechanics — How Nmap Actually Works<a aria-hidden="true" tabindex="-1" href="#part-iii-the-mechanics--how-nmap-actually-works"><span class="icon icon-link"></span></a></h2>
<h3 id="31-host-discovery-four-methods-different-detection-surfaces">3.1 Host Discovery: Four Methods, Different Detection Surfaces<a aria-hidden="true" tabindex="-1" href="#31-host-discovery-four-methods-different-detection-surfaces"><span class="icon icon-link"></span></a></h3>
<table>
<thead>
<tr>
<th>Method</th>
<th>Flag</th>
<th>Mechanism</th>
<th>Defensive Consideration</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>ICMP Echo</strong></td>
<td><code>-PE</code></td>
<td>Echo Request → Echo Reply</td>
<td>Blocked by most perimeter firewalls</td>
</tr>
<tr>
<td><strong>ARP Scan</strong></td>
<td><code>-PR</code></td>
<td>Layer 2 (Data Link)</td>
<td>Cannot be firewalled on local subnets—definitive</td>
</tr>
<tr>
<td><strong>TCP SYN</strong></td>
<td><code>-PS</code></td>
<td>SYN to port → any response confirms alive</td>
<td>Bypasses ICMP filtering</td>
</tr>
<tr>
<td><strong>TCP ACK</strong></td>
<td><code>-PA</code></td>
<td>ACK packet → RST confirms existence</td>
<td>Bypasses SYN-filtering firewalls</td>
</tr>
</tbody>
</table>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Disable port scan—host discovery only</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 10.10.10.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># ARP discovery (local network)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -PR</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 192.168.1.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># TCP SYN discovery on HTTPS (bypasses ICMP blocks)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -PS443</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 10.0.0.0/16</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Skip discovery entirely—assume all hosts alive</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -Pn</span><span style="color:#79B8FF"> 10.10.10.10</span></span></code></pre></figure>
<h3 id="32-scan-types-the-taxonomy-of-port-interrogation">3.2 Scan Types: The Taxonomy of Port Interrogation<a aria-hidden="true" tabindex="-1" href="#32-scan-types-the-taxonomy-of-port-interrogation"><span class="icon icon-link"></span></a></h3>
<table>
<thead>
<tr>
<th>Scan Type</th>
<th>Flag</th>
<th>Mechanism</th>
<th>Stealth Level</th>
<th>Detection Surface</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>SYN Stealth</strong></td>
<td><code>-sS</code></td>
<td>Half-open scan—never completes handshake</td>
<td>High</td>
<td>Not logged by most applications</td>
</tr>
<tr>
<td><strong>TCP Connect</strong></td>
<td><code>-sT</code></td>
<td>Full three-way handshake</td>
<td>Low</td>
<td>Logged by target applications</td>
</tr>
<tr>
<td><strong>UDP</strong></td>
<td><code>-sU</code></td>
<td>Sends UDP packets; closed ports return ICMP unreachable</td>
<td>Medium</td>
<td>Slow, often filtered</td>
</tr>
<tr>
<td><strong>ACK</strong></td>
<td><code>-sA</code></td>
<td>Sends ACK packets—firewall rule mapping</td>
<td>High</td>
<td>Used for firewall fingerprinting</td>
</tr>
<tr>
<td><strong>FIN</strong></td>
<td><code>-sF</code></td>
<td>Sends FIN—closed ports return RST</td>
<td>High</td>
<td>Evades some stateless firewalls</td>
</tr>
<tr>
<td><strong>Xmas</strong></td>
<td><code>-sX</code></td>
<td>FIN+PSH+URG set—"Christmas tree" packet</td>
<td>High</td>
<td>Same as FIN scan</td>
</tr>
<tr>
<td><strong>Null</strong></td>
<td><code>-sN</code></td>
<td>No flags set</td>
<td>High</td>
<td>Same as FIN scan</td>
</tr>
</tbody>
</table>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Standard stealth scan (requires root)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Non-privileged alternative</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sT</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># UDP scan (critical services: DNS, DHCP, SNMP)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sU</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 53,67,161,500</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Firewall rule mapping</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sA</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Evasion scan types</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sF</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">  # FIN scan</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sX</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">  # Xmas scan</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sN</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">  # Null scan</span></span></code></pre></figure>
<h3 id="33-version-detection-the-vulnerability-cross-reference-engine">3.3 Version Detection: The Vulnerability Cross-Reference Engine<a aria-hidden="true" tabindex="-1" href="#33-version-detection-the-vulnerability-cross-reference-engine"><span class="icon icon-link"></span></a></h3>
<p>Version detection (<code>-sV</code>) is where port numbers become <strong>CVE lookups</strong>. Nmap maintains an extensive database of service probes—specific queries sent to services to elicit version-identifying responses.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Standard version detection</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Maximum intensity (more probes, higher accuracy)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> --version-intensity</span><span style="color:#79B8FF"> 9</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Version detection + OS fingerprinting</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Aggressive mode (version + OS + scripts + traceroute)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -A</span><span style="color:#79B8FF"> 10.10.10.50</span></span></code></pre></figure>
<p><strong>Output Analysis:</strong></p>
<pre><code>PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql    MySQL 5.7.20-0ubuntu0.16.04.1
</code></pre>
<p>From this output, the attacker immediately searches:</p>
<ul>
<li><code>OpenSSH 7.2p2 CVE</code> → CVE-2016-6210 (user enumeration)</li>
<li><code>Apache 2.4.18 CVE</code> → CVE-2017-7679 (buffer overflow)</li>
<li><code>MySQL 5.7.20 CVE</code> → Multiple privilege escalation vectors</li>
</ul>
<h3 id="34-os-fingerprinting-stack-behavior-as-identity">3.4 OS Fingerprinting: Stack Behavior as Identity<a aria-hidden="true" tabindex="-1" href="#34-os-fingerprinting-stack-behavior-as-identity"><span class="icon icon-link"></span></a></h3>
<p>OS fingerprinting exploits subtle differences in TCP/IP stack implementations. Each OS responds to malformed packets, edge cases, and protocol violations slightly differently. Nmap sends these unusual probes and analyzes response patterns.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># OS detection</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Aggressive OS detection</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> --osscan-guess</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Typical output:</span></span>
<span data-line=""><span style="color:#6A737D"># OS details: Linux 4.4 - 4.9</span></span>
<span data-line=""><span style="color:#6A737D"># Network Distance: 2 hops</span></span></code></pre></figure>
<p><strong>Defensive Consideration:</strong> OS fingerprinting is detectable through unusual packet patterns—malformed flags, unusual window sizes, atypical TTL values. Modern NDR platforms can identify these signatures.</p>
<hr>
<h2 id="part-iv-nse--the-weaponized-intelligence-layer">Part IV: NSE — The Weaponized Intelligence Layer<a aria-hidden="true" tabindex="-1" href="#part-iv-nse--the-weaponized-intelligence-layer"><span class="icon icon-link"></span></a></h2>
<h3 id="41-nse-architecture-lua-based-extensibility">4.1 NSE Architecture: Lua-Based Extensibility<a aria-hidden="true" tabindex="-1" href="#41-nse-architecture-lua-based-extensibility"><span class="icon icon-link"></span></a></h3>
<p>The Nmap Scripting Engine (NSE) transforms Nmap from a scanner into a <strong>programmable reconnaissance platform</strong>. Over 600 scripts exist across multiple categories:</p>
<ul>
<li><strong>auth</strong> — Authentication testing, credential attacks</li>
<li><strong>broadcast</strong> — Network discovery via broadcast/multicast</li>
<li><strong>brute</strong> — Brute-force credential attacks</li>
<li><strong>default</strong> — Default safe scripts (<code>-sC</code>)</li>
<li><strong>discovery</strong> — Service/network discovery beyond standard scanning</li>
<li><strong>dos</strong> — Denial-of-service testing (use with extreme caution)</li>
<li><strong>exploit</strong> — Actual exploitation (authorization required)</li>
<li><strong>external</strong> — Queries external databases (Whois, Shodan, VirusTotal)</li>
<li><strong>fuzzer</strong> — Sends unexpected input to detect crashes</li>
<li><strong>intrusive</strong> — Likely to crash services or trigger alerts</li>
<li><strong>malware</strong> — Malware detection</li>
<li><strong>safe</strong> — Unlikely to affect target</li>
<li><strong>version</strong> — Extended version detection</li>
<li><strong>vuln</strong> — Vulnerability detection</li>
</ul>
<h3 id="42-essential-nse-scripts-for-reconnaissance">4.2 Essential NSE Scripts for Reconnaissance<a aria-hidden="true" tabindex="-1" href="#42-essential-nse-scripts-for-reconnaissance"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Default safe scripts (recommended starting point)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sC</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Vulnerability assessment sweep</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> vuln</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># SMB vulnerability surface</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> smb-vuln-</span><span style="color:#79B8FF">*</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#9ECBFF"> 10.10.10.0/24</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> smb-enum-shares,smb-enum-users</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> smb-security-mode</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Web application enumeration</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> http-enum</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443,8080</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> http-title,http-headers</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> http-default-accounts</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443,8080</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> http-shellshock</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># SSL/TLS analysis</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> ssl-enum-ciphers</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> ssl-heartbleed</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> ssl-cert</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Database exposure</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> mysql-empty-password</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 3306</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> pgsql-brute</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 5432</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> mongodb-databases</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 27017</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># DNS reconnaissance</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> dns-brute</span><span style="color:#9ECBFF"> domain.com</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> dns-zone-transfer</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 53</span><span style="color:#9ECBFF"> ns.domain.com</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Authentication testing</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> ssh-auth-methods</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 22</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> ftp-anon</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 21</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> smtp-enum-users</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 25</span><span style="color:#79B8FF"> 10.10.10.50</span></span></code></pre></figure>
<h3 id="43-case-study-ms17-010-eternalblue-discovery">4.3 Case Study: MS17-010 (EternalBlue) Discovery<a aria-hidden="true" tabindex="-1" href="#43-case-study-ms17-010-eternalblue-discovery"><span class="icon icon-link"></span></a></h3>
<p>The EternalBlue vulnerability, weaponized by the WannaCry ransomware in 2017, exploited a flaw in Microsoft's SMBv1 implementation on Windows. Before exploitation comes discovery.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Identify EternalBlue-vulnerable hosts across subnet</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> smb-vuln-ms17-010</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#9ECBFF"> 192.168.1.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Typical vulnerable output:</span></span>
<span data-line=""><span style="color:#6A737D"># Host: 192.168.1.45 | Port 445: open</span></span>
<span data-line=""><span style="color:#6A737D"># | smb-vuln-ms17-010:</span></span>
<span data-line=""><span style="color:#6A737D"># |   VULNERABLE: Remote Code Execution in Microsoft SMBv1</span></span>
<span data-line=""><span style="color:#6A737D"># |     State: VULNERABLE</span></span>
<span data-line=""><span style="color:#6A737D"># |     Risk: HIGH  CVSSv3: 8.1</span></span>
<span data-line=""><span style="color:#6A737D"># |_    References: https://technet.microsoft.com/security/ms17-010.aspx</span></span></code></pre></figure>
<p>The 2017 campaigns that caused $4–8 billion in global damages began exactly this way: mass scanning, automated identification of vulnerable SMB services, systematic exploitation. This is not academic—this is the defensive baseline.</p>
<hr>
<h2 id="part-v-integration-with-exploitation-frameworks">Part V: Integration with Exploitation Frameworks<a aria-hidden="true" tabindex="-1" href="#part-v-integration-with-exploitation-frameworks"><span class="icon icon-link"></span></a></h2>
<h3 id="51-metasploit-integration-from-reconnaissance-to-exploitation">5.1 Metasploit Integration: From Reconnaissance to Exploitation<a aria-hidden="true" tabindex="-1" href="#51-metasploit-integration-from-reconnaissance-to-exploitation"><span class="icon icon-link"></span></a></h3>
<p>Nmap's XML output integrates directly with Metasploit, converting reconnaissance data into actionable exploitation targets.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Generate XML output for Metasploit import</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> -oX</span><span style="color:#9ECBFF"> full_recon.xml</span><span style="color:#9ECBFF"> 10.10.10.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Import into Metasploit</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">db_import</span><span style="color:#9ECBFF"> full_recon.xml</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">hosts</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">services</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">vulns</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Automatic exploitation workflow (db_autopwn was removed from mainline Metasploit in 2011; shown for historical context only)</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">db_autopwn</span><span style="color:#79B8FF"> -t</span><span style="color:#79B8FF"> -e</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 10.10.10.50</span></span></code></pre></figure>
<p><strong>Attacker's Workflow:</strong></p>
<ol>
<li><strong>Nmap reconnaissance</strong> identifies services and versions</li>
<li><strong>XML export</strong> structures the data</li>
<li><strong>Metasploit import</strong> creates target database</li>
<li><strong>Automated matching</strong> between services and exploits</li>
<li><strong>Exploitation</strong> executes against pre-validated targets</li>
</ol>
<p>Every open port with a known vulnerable version becomes a queued exploit. Every misconfigured service becomes a queued credential test. The attacker's next action isn't guesswork—it's execution against a pre-validated target list.</p>
<h3 id="52-output-formats-structured-intelligence">5.2 Output Formats: Structured Intelligence<a aria-hidden="true" tabindex="-1" href="#52-output-formats-structured-intelligence"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Normal text output (human-readable)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oN</span><span style="color:#9ECBFF"> scan_results.txt</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># XML output (machine-readable, Metasploit-compatible)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oX</span><span style="color:#9ECBFF"> scan_results.xml</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Grepable output (single-line per host, scriptable)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oG</span><span style="color:#9ECBFF"> scan_results.grep</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># All formats simultaneously</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> complete_scan</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Append to existing file</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oN</span><span style="color:#9ECBFF"> scan_results.txt</span><span style="color:#79B8FF"> --append-output</span><span style="color:#79B8FF"> 10.10.10.51</span></span></code></pre></figure>
<hr>
<h2 id="part-vi-detection-and-defensive-countermeasures">Part VI: Detection and Defensive Countermeasures<a aria-hidden="true" tabindex="-1" href="#part-vi-detection-and-defensive-countermeasures"><span class="icon icon-link"></span></a></h2>
<h3 id="61-what-the-attacker-fears-detection-surfaces">6.1 What the Attacker Fears: Detection Surfaces<a aria-hidden="true" tabindex="-1" href="#61-what-the-attacker-fears-detection-surfaces"><span class="icon icon-link"></span></a></h3>
<p>Understanding what attackers deliberately avoid reveals what defenders should monitor:</p>
<p><strong>1. Rate-Based Detection</strong></p>
<ul>
<li>Surge in SYN packets from single source to multiple ports</li>
<li>Attacker mitigation: <code>-T0</code>/<code>-T1</code> timing, source IP rotation</li>
<li>Defender strategy: Monitor for <em>slow, distributed</em> patterns—not just fast scans</li>
</ul>
<p><strong>2. Banner-Grabbing Logs</strong></p>
<ul>
<li>Version detection probes trigger connection logs</li>
<li>Series of short-lived connections from same IP across multiple services</li>
<li>Defender strategy: Correlate brief connections across services from common sources</li>
</ul>
<p><strong>3. NSE Script Signatures</strong></p>
<ul>
<li>Many scripts have detectable probe patterns</li>
<li><code>smb-vuln-ms17-010</code>: specific malformed SMB request</li>
<li><code>http-enum</code>: predictable directory probe sequence</li>
<li>Defender strategy: Signature-based IDS rules for common NSE scripts</li>
</ul>
<p><strong>4. Firewall State Table Anomalies</strong></p>
<ul>
<li>Half-open connections that never complete (SYN scans)</li>
<li>Unusual flag combinations (FIN, Xmas, Null scans)</li>
<li>Defender strategy: Monitor firewall logs for protocol violations</li>
</ul>
<h3 id="62-detection-strategies-for-defenders">6.2 Detection Strategies for Defenders<a aria-hidden="true" tabindex="-1" href="#62-detection-strategies-for-defenders"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Log every inbound packet (iptables example; this rule drops nothing, the prefix is only a label, and in production it should be rate-limited with -m limit)</span></span>
<span data-line=""><span style="color:#B392F0">iptables</span><span style="color:#79B8FF"> -A</span><span style="color:#9ECBFF"> INPUT</span><span style="color:#79B8FF"> -j</span><span style="color:#9ECBFF"> LOG</span><span style="color:#79B8FF"> --log-prefix</span><span style="color:#9ECBFF"> "IPTABLES-DROPPED: "</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Monitor for scan signatures (example Snort rule)</span></span>
<span data-line=""><span style="color:#B392F0">alert</span><span style="color:#9ECBFF"> tcp</span><span style="color:#9ECBFF"> any</span><span style="color:#9ECBFF"> any</span><span style="color:#E1E4E8"> -</span><span style="color:#F97583">></span><span style="color:#E1E4E8"> $HOME_NET </span><span style="color:#9ECBFF">any</span><span style="color:#E1E4E8"> (msg:</span><span style="color:#9ECBFF">"SCAN nmap XMAS"</span><span style="color:#E1E4E8">; </span><span style="color:#79B8FF">\</span></span>
<span data-line=""><span style="color:#B392F0">  flags:FPU</span><span style="color:#E1E4E8">; </span><span style="color:#B392F0">sid:1000001</span><span style="color:#E1E4E8">;)</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Correlation-based detection</span></span>
<span data-line=""><span style="color:#6A737D"># Look for: Same source IP, multiple destination ports, no established connections</span></span></code></pre></figure>
<p><strong>Modern Defense Approach:</strong></p>
<ul>
<li>Traditional signature-based IDS: Limited effectiveness against timing evasion</li>
<li>Behavioral analysis (NDR platforms): Models normal traffic patterns, identifies statistical anomalies</li>
<li>Machine learning-based detection: A categorically different approach that timing tricks alone do not reliably circumvent</li>
</ul>
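<p>The correlation rule sketched in the block above (same source, many destination ports, no completed handshake) together with the flag anomalies listed in 6.1, run over constructed iptables LOG lines, as an added example that is not part of the original post; the syslog prefix, hosts and timestamps are invented, and the window size and port threshold are illustrative parameters, deliberately wide so that a slow <code>-T1</code>/<code>-T2</code> scan is counted rather than only a fast one.</p>

```python
"""Scan-pattern detector over iptables LOG lines (added example, not from the post).

Rule: a source that reaches many distinct destination ports inside one time window
without ever completing a handshake (no ACK-bearing packet seen from it) is a
half-open scanner.  Xmas / Null / FIN flag combinations are reported as anomalies.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog layout; the key=value fields and bare flag words follow iptables LOG.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IPTABLES-DROPPED: (?P<kv>.*)$"
)
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2025):
    """Return {ts, src, dst, dpt, flags} for a TCP LOG line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAG_WORDS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "flags": frozenset(flags)}


def classify_flags(flags):
    """Label the flag combinations the post calls firewall state-table anomalies."""
    if not flags:
        return "NULL scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if flags == {"FIN"}:
        return "FIN scan"
    return None


def detect_scans(lines, window_seconds=600, min_ports=10):
    """Return {src: finding} for sources that look like scanners."""
    events = defaultdict(list)     # src -> [(ts, dpt)] probes that never completed
    completed = defaultdict(set)   # src -> ports on which an ACK was seen
    anomalies = defaultdict(set)   # src -> anomaly labels
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, label = ev["src"], classify_flags(ev["flags"])
        if label:
            anomalies[src].add(label)
        if "ACK" in ev["flags"]:
            completed[src].add(ev["dpt"])
        elif "SYN" in ev["flags"] or label:
            events[src].append((ev["ts"], ev["dpt"]))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):            # sliding window over time-ordered probes
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            ports = {p for _, p in evs[lo:hi + 1]} - completed[src]
            best = max(best, len(ports))
        if best >= min_ports or anomalies[src]:
            findings[src] = {"max_distinct_ports": best,
                             "half_open": best >= min_ports,
                             "anomalies": sorted(anomalies[src])}
    return findings


def sample_log():
    """Constructed sample: one slow scanner, one normal client, one Xmas probe."""
    base = ("Mar 10 02:{:02d}:{:02d} gw kernel: IPTABLES-DROPPED: IN=eth0 OUT= SRC={} "
            "DST=10.10.10.50 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT={} "
            "DPT={} WINDOW=1024 RES=0x00 {} URGP=0")
    lines = []
    # 12 distinct ports, one SYN every 45 s: polite pacing that a short window would miss
    for i, port in enumerate([21, 22, 25, 53, 80, 110, 135, 139, 443, 445, 3306, 8080]):
        lines.append(base.format(i * 45 // 60, i * 45 % 60, "203.0.113.7", 40000 + i, port, "SYN"))
    lines.append(base.format(3, 0, "198.51.100.20", 51000, 443, "SYN"))   # normal client
    lines.append(base.format(3, 0, "198.51.100.20", 51000, 443, "ACK"))   # handshake completes
    lines.append(base.format(4, 10, "203.0.113.9", 52000, 22, "FIN PSH URG"))  # Xmas probe
    lines.append("Mar 10 02:05:00 gw kernel: unrelated message")
    return lines


if __name__ == "__main__":
    for src, finding in detect_scans(sample_log()).items():
        print(src, finding)
```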
<h3 id="63-the-defenders-scanning-doctrine">6.3 The Defender's Scanning Doctrine<a aria-hidden="true" tabindex="-1" href="#63-the-defenders-scanning-doctrine"><span class="icon icon-link"></span></a></h3>
<p><strong>Critical Defensive Practice:</strong> Organizations should run authorized Nmap scans against their own infrastructure regularly to understand what an external observer can determine.</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># External perspective audit</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> external_audit</span><span style="color:#9ECBFF"> public_ip_range</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Internal vulnerability assessment</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> vuln</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> internal_vuln</span><span style="color:#9ECBFF"> 10.0.0.0/8</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Compliance checking</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=http-security-headers,ssl-enum-ciphers</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#9ECBFF"> webapp.company.com</span></span></code></pre></figure>
<p><strong>The question is not whether your network can be scanned—it can.</strong> The question is whether you know what information that scan returns, and whether you've seen it before your adversary has.</p>
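<p>Turning the <code>-oX</code> output from 5.2 into the self-documented exposure record that 6.3 calls for, as an added example that is not the post's own code: it parses a constructed <code>nmaprun</code> document (the hosts, versions and the ms17-010 script result are invented sample data), keeps open ports only, records any NSE vuln-library finding in the VULNERABLE state, and diffs the result against an assumed approved baseline so that new exposure stands out.</p>

```python
"""Exposure inventory from Nmap -oX output (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed sample following the nmaprun layout: host / address / ports / port /
# state / service / script.  All hosts, products and versions are invented.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX audit.xml 10.10.10.0/24" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.50" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" method="probed" conf="10"/>
<script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution in Microsoft SMBv1">
<table key="ms17-010"><elem key="state">VULNERABLE</elem>
<elem key="title">Remote Code Execution in Microsoft SMBv1</elem></table>
</script></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="https" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
<service name="mysql" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.51" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.6" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

# Assumed approved baseline: (ip, protocol, port) tuples the organization signed off on.
APPROVED_BASELINE = {
    ("10.10.10.50", "tcp", 443),
    ("10.10.10.51", "tcp", 22),
    ("10.10.10.52", "tcp", 443),   # approved but absent from this scan
}


def parse_exposure(xml_text):
    """Return {(ip, proto, port): {"service": str, "vulns": [str]}} for open ports only."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not exposure
            svc = port.find("service")
            service = "unknown"
            if svc is not None:
                service = " ".join(p for p in (svc.get("name"), svc.get("product"),
                                               svc.get("version")) if p)
            vulns = []
            for script in port.findall("script"):
                # vuln-library scripts emit one <table> per finding with an
                # <elem key="state"> child; "NOT VULNERABLE" and "LIKELY VULNERABLE"
                # do not start with "VULNERABLE" and are therefore left out
                for table in script.findall("table"):
                    st = table.find("elem[@key='state']")
                    if st is not None and st.text and st.text.strip().startswith("VULNERABLE"):
                        vulns.append(f"{script.get('id')}:{table.get('key')}")
            key = (ip, port.get("protocol"), int(port.get("portid")))
            inventory[key] = {"service": service, "vulns": vulns}
    return inventory


def diff_against_baseline(inventory, baseline):
    """Unapproved exposure, approved exposure that vanished, and confirmed vuln hits."""
    seen = set(inventory)
    return {
        "new": sorted(seen - baseline),
        "gone": sorted(baseline - seen),
        "vulnerable": sorted(k for k, v in inventory.items() if v["vulns"]),
    }


if __name__ == "__main__":
    inv = parse_exposure(SAMPLE_XML)
    for k, v in sorted(inv.items()):
        print(k, v)
    print(diff_against_baseline(inv, APPROVED_BASELINE))
```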
<hr>
<h2 id="part-vii-advanced-techniques-and-edge-cases">Part VII: Advanced Techniques and Edge Cases<a aria-hidden="true" tabindex="-1" href="#part-vii-advanced-techniques-and-edge-cases"><span class="icon icon-link"></span></a></h2>
<h3 id="71-ipv6-reconnaissance-challenges">7.1 IPv6 Reconnaissance Challenges<a aria-hidden="true" tabindex="-1" href="#71-ipv6-reconnaissance-challenges"><span class="icon icon-link"></span></a></h3>
<p>IPv6's massive address space (2^128 addresses) makes traditional sequential scanning infeasible. However, IPv6 addresses are often predictable:</p>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Multicast discovery (IPv6 local network)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -6</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> ff02::1/128</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Scan known IPv6 addresses</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -6</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443</span><span style="color:#9ECBFF"> 2001:db8::1</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># IPv6 neighbor discovery</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -6</span><span style="color:#79B8FF"> --script=ipv6-node-info</span><span style="color:#9ECBFF"> 2001:db8::/64</span></span></code></pre></figure>
<p><strong>Reality Check:</strong> The reconnaissance doctrine for IPv6-native networks remains an open problem in security research. Address prediction, DNS enumeration, and targeted scanning replace brute-force approaches.</p>
<h3 id="72-firewall-and-nat-traversal">7.2 Firewall and NAT Traversal<a aria-hidden="true" tabindex="-1" href="#72-firewall-and-nat-traversal"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># ACK scan for firewall rule mapping</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sA</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Idle/zombie scan (no packets from your IP)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sI</span><span style="color:#9ECBFF"> zombie_host</span><span style="color:#79B8FF"> 10.10.10.50</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># FTP bounce scan (deprecated but instructive)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -b</span><span style="color:#9ECBFF"> ftp_relay_host</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Firewall rule enumeration</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=firewalk</span><span style="color:#79B8FF"> --traceroute</span><span style="color:#79B8FF"> 10.10.10.50</span></span></code></pre></figure>
<h3 id="73-the-complete-adversarial-reconnaissance-command">7.3 The Complete Adversarial Reconnaissance Command<a aria-hidden="true" tabindex="-1" href="#73-the-complete-adversarial-reconnaissance-command"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Professional-grade reconnaissance sweep</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -sC</span><span style="color:#79B8FF"> -T2</span><span style="color:#79B8FF"> -f</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  --script=vuln,smb-enum-shares,http-enum</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  -oA</span><span style="color:#9ECBFF"> full_adversarial_recon</span><span style="color:#9ECBFF"> 10.10.10.0/24</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># What this does:</span></span>
<span data-line=""><span style="color:#6A737D"># -sS          SYN stealth scan</span></span>
<span data-line=""><span style="color:#6A737D"># -sV          Version detection</span></span>
<span data-line=""><span style="color:#6A737D"># -O           OS fingerprinting</span></span>
<span data-line=""><span style="color:#6A737D"># -sC          Default NSE scripts</span></span>
<span data-line=""><span style="color:#6A737D"># -T2          Polite timing (stealth)</span></span>
<span data-line=""><span style="color:#6A737D"># -f           Fragment packets (IDS evasion)</span></span>
<span data-line=""><span style="color:#6A737D"># -p-          All 65,535 ports</span></span>
<span data-line=""><span style="color:#6A737D"># --randomize-hosts  Non-sequential host scanning</span></span>
<span data-line=""><span style="color:#6A737D"># --script     Targeted vulnerability and enumeration scripts</span></span>
<span data-line=""><span style="color:#6A737D"># -oA          All output formats</span></span></code></pre></figure>
<hr>
<h2 id="part-viii-strategic-implications-and-systemic-consequences">Part VIII: Strategic Implications and Systemic Consequences<a aria-hidden="true" tabindex="-1" href="#part-viii-strategic-implications-and-systemic-consequences"><span class="icon icon-link"></span></a></h2>
<h3 id="81-the-permanent-condition-of-network-exposure">8.1 The Permanent Condition of Network Exposure<a aria-hidden="true" tabindex="-1" href="#81-the-permanent-condition-of-network-exposure"><span class="icon icon-link"></span></a></h3>
<p>From a structural analysis perspective, Nmap has achieved something unusual: it has become <strong>simultaneously the standard tool of authorized security assessment and the standard tool of unauthorized reconnaissance</strong>. This dual-use reality is not a flaw—it is the condition of all reconnaissance capability.</p>
<p><strong>Operational Reality:</strong> Any network connected to the internet should be modeled as having been Nmap-scanned by unknown parties. Not as theoretical risk—as <strong>baseline operational assumption</strong>.</p>
<p>Projects like Shodan, Censys, and FOFA maintain continuously updated databases of internet-exposed services derived from exactly this kind of systematic scanning. Your network's exposure is already documented. The question is whether you've documented it yourself.</p>
<h3 id="82-the-time-asymmetry-problem">8.2 The Time Asymmetry Problem<a aria-hidden="true" tabindex="-1" href="#82-the-time-asymmetry-problem"><span class="icon icon-link"></span></a></h3>
<p>By the time an organization suspects it may be under active attack, it has <strong>almost certainly already been scanned</strong>. The reconnaissance phase precedes every other phase by days, weeks, sometimes months.</p>
<p>An attacker patient enough to use <code>-T0</code> against a high-value target will spend weeks mapping the network before touching an exploit. During those weeks, the security team's logs contain evidence—fragmented packets from rotating IPs, occasional connection attempts to unusual ports, slow SMB probes staying just below alerting thresholds.</p>
<p><strong>Most evidence is never reviewed. Most is never correlated. Most expires from log storage before anyone looks.</strong></p>
<h3 id="83-the-defenders-critical-question">8.3 The Defender's Critical Question<a aria-hidden="true" tabindex="-1" href="#83-the-defenders-critical-question"><span class="icon icon-link"></span></a></h3>
<p><strong>If someone has been running a <code>-T1</code> fragmented Nmap scan against your network for the past three weeks, would you know?</strong></p>
<p>If the answer is no or uncertain, your detection posture requires immediate reassessment.</p>
<h3 id="84-continuous-internet-scanning-infrastructure">8.4 Continuous Internet Scanning Infrastructure<a aria-hidden="true" tabindex="-1" href="#84-continuous-internet-scanning-infrastructure"><span class="icon icon-link"></span></a></h3>
<p>Traditional "security through obscurity"—unusual ports, non-default services—is definitively invalidated. Some IP ranges are indexed by Shodan within <strong>minutes</strong> of a new service appearing.</p>
<p><strong>The reconnaissance calculus has fundamentally changed:</strong></p>
<ul>
<li>The question is not: "Can I be found?"</li>
<li>The question is: "Can I respond faster to my exposed vulnerabilities than automated scanning infrastructure can index them?"</li>
</ul>
<hr>
<h2 id="conclusion-reconnaissance-as-permanent-condition">Conclusion: Reconnaissance as Permanent Condition<a aria-hidden="true" tabindex="-1" href="#conclusion-reconnaissance-as-permanent-condition"><span class="icon icon-link"></span></a></h2>
<p>This analysis has argued that Nmap is not a port scanner. It is the <strong>operationalized doctrine of network visibility</strong>—a four-layer intelligence platform whose capabilities extend from gross network topology through OS fingerprinting, service identification, NSE-driven vulnerability confirmation, and structured exploitation framework integration.</p>
<p>Understanding Nmap at this depth is not optional for network security practitioners. The tool is universal. The techniques it implements are not exotic—they are the <strong>baseline of competent reconnaissance</strong>. They are used against every network of consequence.</p>
<p><strong>From the adversarial perspective:</strong> Nmap is the first act of war—the systematic, disciplined intelligence operation that converts an unknown network into a prioritized attack surface. The scan happens. The only variable is who gets to see the results first.</p>
<p><strong>From the defensive perspective:</strong> Organizations that understand this—that have run their own Nmap scans, reviewed their own exposure, modeled their own attack surface before an adversary has—operate with a structural advantage that no amount of reactive incident response can replicate.</p>
<p><strong>Network reconnaissance is not a phase of an attack. It is a permanent condition of network existence—and Nmap is how that condition is made legible.</strong></p>
<hr>
<h2 id="appendix-the-complete-professional-command-reference">Appendix: The Complete Professional Command Reference<a aria-hidden="true" tabindex="-1" href="#appendix-the-complete-professional-command-reference"><span class="icon icon-link"></span></a></h2>
<h3 id="host-discovery">Host Discovery<a aria-hidden="true" tabindex="-1" href="#host-discovery"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 10.10.10.0/24</span><span style="color:#6A737D">                    # Ping sweep (ICMP+TCP+ARP)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -PR</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 192.168.1.0/24</span><span style="color:#6A737D">               # ARP discovery (LAN only, cannot be filtered)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -PS443</span><span style="color:#79B8FF"> -sn</span><span style="color:#9ECBFF"> 10.0.0.0/16</span><span style="color:#6A737D">               # TCP SYN discovery on HTTPS (bypass ICMP blocks)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -Pn</span><span style="color:#79B8FF"> 10.10.10.10</span><span style="color:#6A737D">                      # Skip discovery, assume alive</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -iL</span><span style="color:#9ECBFF"> targets.txt</span><span style="color:#6A737D">                      # Scan from file</span></span></code></pre></figure>
<h3 id="scan-types">Scan Types<a aria-hidden="true" tabindex="-1" href="#scan-types"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # SYN stealth (default with root)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sT</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Full TCP connect (no root required)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sU</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # UDP scan</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sA</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # ACK scan (firewall rule mapping)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sF</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # FIN scan (stateless firewall evasion)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sX</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Xmas scan (FIN+PSH+URG)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sN</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Null scan (no flags set)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sI</span><span style="color:#9ECBFF"> zombie</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                    # Idle/zombie scan (no source attribution)</span></span></code></pre></figure>
<h3 id="port-specification">Port Specification<a aria-hidden="true" tabindex="-1" href="#port-specification"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 22,80,443</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                  # Specific ports</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -p-</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # All 65,535 TCP ports</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 1-1024</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                     # Port range</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -F</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                            # Fast scan (top 100 ports)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> U:53,161,T:21-25,80</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">        # UDP and TCP ports combined</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --top-ports</span><span style="color:#79B8FF"> 1000</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">              # Most common 1000 ports</span></span></code></pre></figure>
<h3 id="detection-and-enumeration">Detection and Enumeration<a aria-hidden="true" tabindex="-1" href="#detection-and-enumeration"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Service version detection</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -O</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                            # OS fingerprinting</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -A</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                            # Aggressive (OS+version+scripts+traceroute)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> --version-intensity</span><span style="color:#79B8FF"> 9</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">     # Maximum version probe intensity</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> --version-all</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">             # Try all version probes</span></span></code></pre></figure>
<h3 id="nse-scripts">NSE Scripts<a aria-hidden="true" tabindex="-1" href="#nse-scripts"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sC</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                                       # Default safe scripts</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> vuln</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                             # Vulnerability assessment</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=smb-vuln-ms17-010</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">         # EternalBlue detection</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=smb-enum-shares,smb-enum-users</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">   # SMB enumeration</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=http-enum</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443,8080</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">         # Web directory enumeration</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=ssl-enum-ciphers</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 443</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">          # TLS cipher audit</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=mysql-empty-password</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 3306</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">     # Database credential testing</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=ssh-auth-methods</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 22</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">           # SSH authentication methods</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=dns-brute</span><span style="color:#9ECBFF"> domain.com</span><span style="color:#6A737D">                    # DNS subdomain enumeration</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script=broadcast-dhcp-discover</span><span style="color:#6A737D">                 # DHCP discovery</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --script-updatedb</span><span style="color:#6A737D">                                # Update NSE script database</span></span></code></pre></figure>
<h3 id="timing-and-performance">Timing and Performance<a aria-hidden="true" tabindex="-1" href="#timing-and-performance"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T0</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Paranoid (5-min delays, IDS evasion)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T1</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Sneaky (15-sec delays)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T2</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Polite (0.4-sec delays, recommended stealth)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T3</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Normal (default)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T4</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Aggressive (fast, for LANs)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -T5</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                           # Insane (overwhelm target, obvious)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --min-rate</span><span style="color:#79B8FF"> 100</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                # Minimum packets per second</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --max-rate</span><span style="color:#79B8FF"> 1000</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">               # Maximum packets per second</span></span></code></pre></figure>
<h3 id="idsfirewall-evasion">IDS/Firewall Evasion<a aria-hidden="true" tabindex="-1" href="#idsfirewall-evasion"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -f</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                                        # Fragment packets (8-byte fragments)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -ff</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                                       # -f given twice: 16-byte fragments</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -D</span><span style="color:#9ECBFF"> decoy1,decoy2,decoy3,ME</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                # Decoy scan (hide among noise)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --source-port</span><span style="color:#79B8FF"> 53</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                          # Spoof source port (bypass port-based ACLs)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --data-length</span><span style="color:#79B8FF"> 200</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                         # Append random data (evade signatures)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                         # Scan hosts in random order</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --spoof-mac</span><span style="color:#9ECBFF"> Apple</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                         # MAC address spoofing</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --proxies</span><span style="color:#9ECBFF"> socks4://127.0.0.1:9050</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">         # Proxy through Tor/SOCKS</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -g</span><span style="color:#79B8FF"> 53</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                                     # Set source port to 53 (DNS)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --badsum</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                                  # Send invalid checksums (firewall test)</span></span></code></pre></figure>
<h3 id="output-and-reporting">Output and Reporting<a aria-hidden="true" tabindex="-1" href="#output-and-reporting"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oN</span><span style="color:#9ECBFF"> results.txt</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">               # Normal text output</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oX</span><span style="color:#9ECBFF"> results.xml</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">               # XML output (Metasploit-compatible)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oG</span><span style="color:#9ECBFF"> results.grep</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">              # Grepable output</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> full_scan</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                 # All formats (Normal+XML+Grepable)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -oS</span><span style="color:#9ECBFF"> results.skid</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">              # Script kiddie format (l33t speak)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -v</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                            # Verbose output</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -d</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                            # Debugging output</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --reason</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                      # Show reason for port state</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --open</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">                        # Only show open ports</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> --append-output</span><span style="color:#79B8FF"> -oN</span><span style="color:#9ECBFF"> results.txt</span><span style="color:#9ECBFF"> target</span><span style="color:#6A737D">  # Append to existing output file (needs an -oN/-oX/-oG file)</span></span></code></pre></figure>
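<p>A defender-side consumer of the <code>-oX</code> report, added here as an example and not code from the original post: it parses the XML Nmap writes, keeps only ports Nmap reports as open, and diffs them against an allow-list of expected exposure so a scheduled self-scan becomes a drift alert rather than a file nobody reads. The sample report and the baseline below are constructed for this example.</p>

```python
"""Defender-side exposure review of an Nmap -oX report (added example,
not code from the original post): parse the XML Nmap writes, keep only
ports in state "open", and diff them against an allow-list of expected
exposure so a scheduled self-scan becomes a drift alert."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape Nmap emits; not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX recon.xml 10.10.10.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.6p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.10.10.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed baseline: what each host is *supposed* to expose.
EXPECTED_EXPOSURE = {"10.10.10.10": {"tcp/22", "tcp/443"}}


@dataclass(frozen=True)
class OpenPort:
    addr: str
    protocol: str
    portid: int
    service: str
    product: str  # product and version joined; "" when Nmap had none
    reason: str   # why Nmap judged it open, as --reason prints it

    @property
    def key(self) -> str:
        return f"{self.protocol}/{self.portid}"


def parse_open_ports(xml_text: str) -> list[OpenPort]:
    # ElementTree is fine for reports our own scanner wrote; a report of
    # unknown origin should go through defusedxml instead.
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered and closed ports are not exposure
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(
                    v for v in (svc.get("product"), svc.get("version")) if v)
            found.append(OpenPort(
                addr=addr_el.get("addr"),
                protocol=port.get("protocol"),
                portid=int(port.get("portid")),
                service=svc.get("name", "") if svc is not None else "",
                product=product,
                reason=state.get("reason", ""),
            ))
    return found


def find_unexpected(ports: list[OpenPort],
                    baseline: dict[str, set[str]]) -> list[OpenPort]:
    """Open ports the baseline does not allow. A host absent from the
    baseline has every open port reported, which is the safe default."""
    return [p for p in ports if p.key not in baseline.get(p.addr, set())]


def exposure_report(xml_text: str, baseline: dict[str, set[str]]) -> list[str]:
    """One alert line per unexpected open port, ready for a ticket or SIEM."""
    return [f"UNEXPECTED {p.addr} {p.key} {p.service} {p.product}".rstrip()
            + f" (reason: {p.reason})"
            for p in find_unexpected(parse_open_ports(xml_text), baseline)]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_NMAP_XML, EXPECTED_EXPOSURE):
        print(line)
```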
<h3 id="advanced-reconnaissance-combinations">Advanced Reconnaissance Combinations<a aria-hidden="true" tabindex="-1" href="#advanced-reconnaissance-combinations"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Complete external footprint (balanced stealth/thoroughness)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -sC</span><span style="color:#79B8FF"> -T2</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> external_recon</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Aggressive internal assessment (assumes authorized LAN access)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -A</span><span style="color:#79B8FF"> -T4</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> --script</span><span style="color:#9ECBFF"> vuln</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> internal_assessment</span><span style="color:#9ECBFF"> 10.0.0.0/8</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Stealth reconnaissance (maximum evasion)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -T1</span><span style="color:#79B8FF"> -f</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#79B8FF"> --data-length</span><span style="color:#79B8FF"> 200</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  -D</span><span style="color:#9ECBFF"> decoy1,decoy2,ME</span><span style="color:#79B8FF"> --source-port</span><span style="color:#79B8FF"> 53</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> stealth_scan</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Web application security audit</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 80,443,8080,8443</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  --script=http-enum,http-headers,http-methods,http-security-headers,\</span></span>
<span data-line=""><span style="color:#79B8FF">ssl-enum-ciphers,ssl-cert</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> web_audit</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Database security assessment</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -p</span><span style="color:#9ECBFF"> 1433,3306,5432,27017</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  --script=ms-sql-info,mysql-info,pgsql-brute,mongodb-databases</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  -oA</span><span style="color:#9ECBFF"> database_audit</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># SMB vulnerability and enumeration sweep</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -p</span><span style="color:#79B8FF"> 445</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  --script=</span><span style="color:#9ECBFF">'smb-vuln-*,smb-enum-shares,smb-enum-users,smb-security-mode'</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  -oA</span><span style="color:#9ECBFF"> smb_assessment</span><span style="color:#9ECBFF"> target</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Complete adversarial sweep (the works)</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -sC</span><span style="color:#79B8FF"> -T2</span><span style="color:#79B8FF"> -f</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> --randomize-hosts</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  --script=vuln,smb-enum-shares,http-enum,ssl-enum-ciphers</span><span style="color:#79B8FF"> \</span></span>
<span data-line=""><span style="color:#79B8FF">  -D</span><span style="color:#9ECBFF"> decoy1,decoy2,ME</span><span style="color:#79B8FF"> -oA</span><span style="color:#9ECBFF"> full_adversarial_recon</span><span style="color:#9ECBFF"> target</span></span></code></pre></figure>
<h3 id="metasploit-integration-workflow">Metasploit Integration Workflow<a aria-hidden="true" tabindex="-1" href="#metasploit-integration-workflow"><span class="icon icon-link"></span></a></h3>
<figure data-rehype-pretty-code-figure=""><pre style="background-color:#24292e;color:#e1e4e8" tabindex="0" data-language="bash" data-theme="github-dark"><code data-language="bash" data-theme="github-dark" style="display: grid;"><span data-line=""><span style="color:#6A737D"># Nmap reconnaissance with Metasploit-compatible XML</span></span>
<span data-line=""><span style="color:#B392F0">nmap</span><span style="color:#79B8FF"> -sS</span><span style="color:#79B8FF"> -sV</span><span style="color:#79B8FF"> -O</span><span style="color:#79B8FF"> -p-</span><span style="color:#79B8FF"> -oX</span><span style="color:#9ECBFF"> recon.xml</span><span style="color:#9ECBFF"> target_range</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Import into Metasploit</span></span>
<span data-line=""><span style="color:#B392F0">msfconsole</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">workspace</span><span style="color:#79B8FF"> -a</span><span style="color:#9ECBFF"> project_name</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">db_import</span><span style="color:#9ECBFF"> recon.xml</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">hosts</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">services</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">vulns</span></span>
<span data-line=""> </span>
<span data-line=""><span style="color:#6A737D"># Match imported services against exploit modules (db_autopwn was removed from the framework in 2011 and does not exist in msf6)</span></span>
<span data-line=""><span style="color:#B392F0">msf6</span><span style="color:#E1E4E8">> </span><span style="color:#9ECBFF">search</span><span style="color:#9ECBFF"> type:exploit</span><span style="color:#9ECBFF"> platform:windows</span></span>
<span data-line=""><span style="color:#6A737D"># msf6> db_autopwn -t -e -p target_ip   # no longer available; kept for reference only</span></span></code></pre></figure>
<hr>
<h2 id="legal-and-ethical-disclaimer">Legal and Ethical Disclaimer<a aria-hidden="true" tabindex="-1" href="#legal-and-ethical-disclaimer"><span class="icon icon-link"></span></a></h2>
<p>⚠️ <strong>CRITICAL:</strong> All techniques described in this document must only be applied to networks and systems you own or have <strong>explicit written authorization</strong> to test.</p>
<p>Unauthorized network scanning is illegal under:</p>
<ul>
<li>Computer Fraud and Abuse Act (CFAA) — United States</li>
<li>Computer Misuse Act — United Kingdom</li>
<li>Cybercrime Act — Australia</li>
<li>Equivalent legislation worldwide</li>
</ul>
<p><strong>This document is written for educational purposes</strong> to help security professionals understand both offensive and defensive aspects of network reconnaissance. Understanding how attackers operate is essential for building effective defenses.</p>
<p><strong>Know the attacker's playbook. Then close every chapter of it.</strong></p>
<hr>
<p><strong>About the Author:</strong> This analysis is presented from dual perspectives—adversarial operations doctrine and defensive reconnaissance—to provide security professionals with comprehensive understanding of network intelligence gathering. Written for practitioners who need to think like attackers to defend effectively.</p>
<hr>
<p><em>Network reconnaissance is not a phase of an attack. It is a permanent condition of network existence—and Nmap is how that condition is made legible.</em></p>]]></content:encoded>
    </item>
  </channel>
</rss>