Practical Worked Examples: From Network Discovery to Vulnerability Verification

Enterprise Network Inventory: Tuning for Scale

Scanning a /16 (65,536 addresses) without knocking over network segments or your own host requires deliberate performance tuning. The default timing template (-T3) is too conservative for this scale on a healthy LAN and too aggressive for congested WAN links, so set the individual timing parameters explicitly instead of relying on a template.

sudo nmap -sn -PE -PP -PM -n --min-parallelism 512 --max-rtt-timeout 300ms --initial-rtt-timeout 150ms --max-retries 2 --max-scan-delay 10ms -oA corp-discovery 10.20.0.0/16

What it does: Host discovery only (-sn, no port scan) with ICMP echo (-PE), timestamp (-PP), and netmask request (-PM) probes; disables reverse DNS (-n) so a slow resolver cannot stall the sweep. When to use it: Baseline inventory sweeps, CMDB reconciliation, or pre-patching scope validation. Risks: ICMP filters silently drop all three probe types (add TCP probes such as -PS443 -PA80 where ICMP is blocked); parallelism above roughly 1,024 can exhaust sockets and file descriptors on the scanning host. Expected output: the three -oA files (normal, greppable .gnmap, XML); the normal output carries the per-host latency.

Lab variant (aggressive): --min-rate 10000 to saturate a local lab switch and test your own monitoring. Production variant (conservative): Add --scan-delay 5ms and throttle to --max-rate 500 to avoid triggering rate-based IDS thresholds.

In sparse enterprise allocations only a small fraction of a /16 answers; the silence is part of the result. In the port scans that follow discovery, a port marked filtered is not a clean result, it is an unanswered question. Run with --reason so Nmap records why it chose that state: no-response (probe sent, nothing came back, so it may have been dropped, rate-limited or lost) versus admin-prohibited (an ICMP type 3 code 13 arrived), which confirms a firewall rule explicitly rejecting you. The TTL on that ICMP reply also tells you whether the host itself or a device in front of it sent the rejection.
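To apply that distinction across a whole scan rather than one port at a time, here is an added Python example (not code from the original page) that reads Nmap -oX output, separates filtered ports into unanswered probes and explicit ICMP rejections, and uses the reply TTL Nmap stores as reason_ttl to judge whether the host or an intermediate device answered. The XML fragment is constructed for the example; the attribute names and reason strings are the ones Nmap writes when run with --reason.

```python
"""Triage 'filtered' ports from Nmap -oX output by the reason Nmap recorded."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed -oX fragment (not a real scan) in the shape Nmap writes with --reason.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS --reason -oX - 10.20.5.0/30">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.20.5.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="admin-prohibited" reason_ttl="254"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset" reason_ttl="63"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.20.5.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="host-unreach" reason_ttl="254"/></port>
    </ports>
  </host>
</nmaprun>"""

# What each ICMP-derived reason tells you (no-response is handled separately).
ICMP_REASONS = {
    "admin-prohibited": "explicit deny (ICMP type 3 code 13): a filter rule is confirmed",
    "host-unreach": "ICMP host unreachable: a reject rule or a routing gap",
    "net-unreach": "ICMP network unreachable: routing, not necessarily a filter",
    "port-unreach": "ICMP port unreachable: closed UDP port, or a TCP reject rule",
    "proto-unreach": "ICMP protocol unreachable",
}

def triage_filtered(xml_text):
    """Return {(addr, port): {...}} for every port Nmap marked filtered."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        states = [(int(p.get("portid")), p.find("state")) for p in host.iter("port")]
        # TTLs on packets the host itself sent back (SYN-ACK or RST)
        host_ttls = {int(s.get("reason_ttl", "0")) for _, s in states
                     if s.get("state") in ("open", "closed")}
        for port, st in states:
            if st.get("state") != "filtered":
                continue
            reason, ttl = st.get("reason"), int(st.get("reason_ttl", "0"))
            if reason == "no-response":
                verdict, other = "unanswered: dropped, rate-limited or lost; retest", None
            else:
                verdict = ICMP_REASONS.get(reason, f"ICMP {reason}")
                # A rejection whose TTL differs from the host's own replies came from
                # another device (firewall, router); None when there is nothing to compare.
                other = (ttl not in host_ttls) if host_ttls else None
            results[(addr, port)] = {"reason": reason, "reason_ttl": ttl,
                                     "verdict": verdict, "answered_by_other_device": other}
    return results

def reason_counts(xml_text):
    """Histogram of every port-state reason; a spike in no-response hints at rate limiting."""
    return Counter(st.get("reason") for st in ET.fromstring(xml_text).iter("state"))

if __name__ == "__main__":
    for (addr, port), info in sorted(triage_filtered(SAMPLE_XML).items()):
        print(f"{addr}:{port} {info['reason']:<17} other-device={info['answered_by_other_device']}  {info['verdict']}")
    print(dict(reason_counts(SAMPLE_XML)))
```

Point it at the XML from the -oA run above: a host whose rejections all carry a TTL unlike its own SYN-ACKs is sitting behind a filtering device, and the count of no-response results per host is the first thing to check before concluding a segment is empty.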

Web Server Assessment: Proxies, WAFs, and Service Deception

Web services rarely face the internet directly. Identify the intermediaries first, so you do not fingerprint, and later attack, a CDN edge node when the target of interest is the origin behind it.

sudo nmap -sS -sV -p80,443,8080,8443 --script=http-title,http-server-header,http-waf-detect,http-security-headers,ssl-cert --reason 198.51.100.25

Sanitized output excerpt:

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Cloudflare http proxy
| http-server-header: cloudflare
|_http-title: 301 Moved Permanently
443/tcp  open  ssl/http Cloudflare http proxy
| http-waf-detect: IDS/IPS/WAF detected:
|_198.51.100.25:443/?p4yl04d3=<script>alert(document.cookie)</script>
| ssl-cert: Subject: commonName=origin.internal.example
| Subject Alternative Name: DNS:origin.internal.example, DNS:www.example.com
| Not valid before: 2024-01-15T00:00:00
|_Not valid after:  2025-01-15T23:59:59
8080/tcp open  http     Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/9.0.82

Interpretation: Ports 80 and 443 answer from Cloudflare (Server: cloudflare, and the WAF test payload was blocked). The certificate served on 443 carries the origin's internal name (origin.internal.example) next to the public one, a common slip when the origin certificate is uploaded to the edge instead of issuing a separate public-facing one; it tells an attacker exactly what to look for in DNS and certificate-transparency logs. Port 8080 exposes the Tomcat instance directly, so requests to it never traverse the WAF.

Discovered service    | Common misconfiguration                                   | Verification command
Cloudflare front-end  | Origin certificate with internal SANs served at the edge   | openssl s_client -connect 198.51.100.25:443 -servername www.example.com </dev/null | openssl x509 -noout -subject -ext subjectAltName (without SNI the edge may hand you a default certificate)
nginx reverse proxy   | Version disclosure in the Server: header                   | --script http-server-header
Tomcat management     | /manager/html reachable without IP restriction             | --script http-auth,http-brute (authorized only)
Apache with mod_proxy | Trusting a client-supplied X-Forwarded-For header          | Manual header injection test: send a forged X-Forwarded-For and check whether access logs or IP-based rules honour it

Remediation guidance: restrict the Tomcat manager to loopback or a management network and require mTLS; set server_tokens off in nginx to strip the version banner; issue a separate public-facing certificate with no internal SANs for the edge.

Database Exposure Audit: Default Ports and Banner Reliability

Default ports are not guarantees, but they are strong priors for where misconfiguration lives. Verify with service detection; never infer the service from the port number alone.

sudo nmap -sS -sV -sC -p3306,5432,27017,6379,1433,1521 --version-intensity 7 192.168.50.0/24

What it does: SYN scan with version detection (-sV) and the default NSE script set (-sC) against common database ports. Intensity 7 is Nmap's default; raise it toward 9 when a database answers on a port Nmap does not associate with it, since the less likely probes are only sent at higher intensity. When to use it: Segmentation validation, cloud migration security review, or post-incident exposure assessment. Risks: the -sC information scripts (mysql-info, redis-info, mongodb-info, ms-sql-info) do not guess passwords, but every probe is a connection the server logs. MySQL counts a handshake that is opened and dropped toward max_connect_errors (default 100), after which it refuses the scanning host with ER_HOST_IS_BLOCKED until FLUSH HOSTS is run; a Redis instance without requirepass answers INFO to anyone, which is itself a finding. Expected output: Service names, versions, and any script-detected configuration details.

Critical caveat: Detected versions and banners are not ground truth. A banner is a string the server chooses to send: honeypots deliberately mimic vulnerable services, MariaDB prefixes its version with 5.5.5- for client compatibility, and an OS fingerprint of a containerized service reflects the host kernel rather than the image's patch level. Always correlate with an authenticated patch inventory when one exists.
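To make the caveat concrete, here is an added Python example (not code from the original page) that parses the MySQL server greeting, the Handshake V10 packet that -sV and mysql-info read before Nmap ever attempts authentication. It pulls out the version banner, whether the server offers TLS (the CLIENT_SSL capability bit), and the auth plugin, and it recognises the ERR packet a server returns once max_connect_errors has blocked your scanner. The packets are constructed in the block rather than captured, laid out as the protocol specifies.

```python
"""Parse the MySQL server greeting (Handshake V10), the packet -sV and mysql-info actually read."""
import struct

CLIENT_SSL = 0x0800                 # server will accept a TLS upgrade on this connection
CLIENT_SECURE_CONNECTION = 0x8000   # second part of the auth scramble follows the reserved bytes
CLIENT_PLUGIN_AUTH = 0x00080000     # auth plugin name is appended
ER_HOST_IS_BLOCKED = 1129           # "Host '...' is blocked because of many connection errors"

def build_greeting(version, caps, plugin="mysql_native_password", conn_id=42):
    """Constructed sample greeting (not a capture), laid out as the protocol specifies."""
    scramble = bytes(range(1, 21))                       # 20-byte fake scramble
    body = (b"\x0a" + version.encode() + b"\x00"         # protocol 10, server version
            + struct.pack("<I", conn_id) + scramble[:8] + b"\x00"
            + struct.pack("<HBHH", caps & 0xFFFF, 0x21, 0x0002, caps >> 16)
            + bytes([len(scramble) + 1]) + b"\x00" * 10  # auth data length, reserved
            + scramble[8:] + b"\x00"                     # auth data part 2 (13 bytes)
            + plugin.encode() + b"\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body

def build_error(code, message, sqlstate="HY000"):
    """Constructed ERR packet, what a server sends instead of a greeting once it has blocked you."""
    body = b"\xff" + struct.pack("<H", code) + b"#" + sqlstate.encode() + message.encode()
    return len(body).to_bytes(3, "little") + b"\x00" + body

def real_version(banner):
    """MariaDB 10.x prefixes its banner with 5.5.5- so legacy clients parse it; strip that."""
    if banner.startswith("5.5.5-") and "MariaDB" in banner:
        return banner[len("5.5.5-"):]
    return banner

def parse_greeting(pkt):
    """Decode one server packet: either a greeting or an ERR packet."""
    if len(pkt) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(pkt[:3], "little")
    payload = pkt[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:                              # ERR packet, not a greeting
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":
            msg = msg[6:]                               # skip '#' + 5-char SQLSTATE
        return {"kind": "error", "code": code, "message": msg.decode(errors="replace")}
    if payload[0] != 0x0A:
        raise ValueError("not a Handshake V10 greeting")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode(errors="replace")
    off = end + 1
    conn_id = struct.unpack_from("<I", payload, off)[0]
    off += 4 + 8 + 1                                    # connection id, scramble part 1, filler
    cap_lo, charset, status, cap_hi = struct.unpack_from("<HBHH", payload, off)
    off += 7
    auth_len = payload[off]
    off += 1 + 10                                       # auth data length, reserved bytes
    caps = (cap_hi << 16) | cap_lo
    if caps & CLIENT_SECURE_CONNECTION:
        off += max(13, auth_len - 8)                    # auth data part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[off:payload.index(b"\x00", off)].decode(errors="replace")
    return {"kind": "greeting", "version": version, "real_version": real_version(version),
            "connection_id": conn_id, "tls_offered": bool(caps & CLIENT_SSL),
            "auth_plugin": plugin, "charset": charset, "status_flags": status, "capabilities": caps}

if __name__ == "__main__":
    print(parse_greeting(build_greeting("5.5.5-10.6.16-MariaDB", 0x81FFFFFF)))
    print(parse_greeting(build_error(ER_HOST_IS_BLOCKED, "Host '10.1.2.3' is blocked because of many connection errors")))
```

Everything the parser returns was volunteered by the server in its first packet; nothing in it is verified, which is exactly why a version string from -sV is a lead to confirm against patch inventory, not a finding in itself. The tls_offered bit, on the other hand, is a configuration fact worth recording: a database that does not offer TLS on a routable interface is exposed regardless of its version.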

IoT and Embedded Device Fingerprinting

Embedded devices often run unconventional services or ancient protocol implementations that standard scans miss.

sudo nmap -sS -sU -sV --version-all -p T:1-65535,U:1900 --script=banner,http-title,http-server-header,upnp-info -T4 --max-retries 1 --host-timeout 15m 10.0.3.0/24

Key flags explained: -p T:1-65535,U:1900 = every TCP port plus UDP 1900, the SSDP port where UPnP devices announce themselves; --version-all = send every probe in Nmap's database (slow but thorough); --max-retries 1 = accept more false negatives for speed on unreliable IoT networks; --host-timeout 15m = abandon a device that tarpits the full port sweep rather than stalling the whole subnet.

Sanitized output excerpt:

PORT      STATE SERVICE VERSION
23/tcp    open  telnet  BusyBox telnetd (D-Link router)
|_banner: \xFF\xFD\x03\xFF\xFB\x01\xFF\xFD\x1F\xFF\xFB\x01\r\nD-Link DSL-2740B
80/tcp    open  http    micro_httpd
| http-title: Router Login - DSL-2740B
|_http-server-header: micro_httpd
2323/tcp  open  telnet  BusyBox telnetd
1900/udp  open  upnp    Portable SDK for UPnP devices 1.6.6
| upnp-info:
|   Server: LINUX/2.4 UPnP/1.0 BRCM400/1.0
|_  Location: http://10.0.3.15:49152/gatedesc.xml

Interpretation: Telnet on 23 and a second telnet console on 2323, both cleartext. The UPnP Server header announces a Linux 2.4 kernel on a Broadcom SDK build, and the device description XML at the Location URL typically lists the model, serial number and the SOAP control endpoints; WANIPConnection among them lets any LAN client add inbound port mappings. A 2.4 kernel on a consumer DSL router points to firmware that has not been updated in years.
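Following the Location URL by hand is the next step; here is an added Python example (not code from the original page) that parses a UPnP device description, pulls the identity fields, resolves every service's control and SCPD URLs against the advertised location, and marks the services whose actions reconfigure the gateway. The Location URL is the one from the upnp-info output above; the gatedesc.xml body is constructed for the example in the standard urn:schemas-upnp-org:device-1-0 format, and fetch_device_description is included for live use but is not exercised offline.

```python
"""Pull identity and control endpoints out of a UPnP device description (gatedesc.xml)."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from urllib.request import urlopen

UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"
# Services whose SOAP actions change the gateway itself.
RISKY_SERVICES = {
    "WANIPConnection": "AddPortMapping: any LAN client can open inbound ports",
    "WANPPPConnection": "AddPortMapping: any LAN client can open inbound ports",
    "Layer3Forwarding": "SetDefaultConnectionService: changes the default route",
}

# Location from the upnp-info output; the description body below is constructed, not captured.
LOCATION = "http://10.0.3.15:49152/gatedesc.xml"
SAMPLE_GATEDESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>DSL-2740B</friendlyName>
    <manufacturer>D-Link</manufacturer>
    <modelName>DSL-2740B</modelName>
    <modelNumber>1.00</modelNumber>
    <serialNumber>0123456789</serialNumber>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <controlURL>/upnp/control/L3Forwarding1</controlURL>
        <SCPDURL>/L3Frwd.xml</SCPDURL>
      </service>
    </serviceList>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <controlURL>/upnp/control/WANIPConn1</controlURL>
          <SCPDURL>/WANIPCn.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>"""

def _text(el, name):
    child = el.find(UPNP_NS + name)
    return child.text.strip() if child is not None and child.text else None

def parse_device_description(xml_text, location):
    """Root device identity plus every service (nested devices included) with absolute URLs."""
    root = ET.fromstring(xml_text)
    base = root.find(UPNP_NS + "URLBase")           # UPnP 1.0 devices may override the base URL
    base_url = base.text.strip() if base is not None and base.text else location
    top = root.find(UPNP_NS + "device")
    info = {field: _text(top, field) for field in
            ("friendlyName", "manufacturer", "modelName", "modelNumber", "serialNumber", "presentationURL")}
    info["services"] = []
    for svc in root.iter(UPNP_NS + "service"):       # iter() descends into embedded devices
        stype = _text(svc, "serviceType") or ""
        short = stype.split(":")[3] if stype.count(":") >= 4 else stype
        info["services"].append({
            "type": stype,
            "control_url": urljoin(base_url, _text(svc, "controlURL") or ""),
            "scpd_url": urljoin(base_url, _text(svc, "SCPDURL") or ""),
            "risk": RISKY_SERVICES.get(short),
        })
    return info

def fetch_device_description(location, timeout=5):
    """Live variant: one GET to the Location URL advertised over SSDP."""
    with urlopen(location, timeout=timeout) as resp:
        return parse_device_description(resp.read().decode("utf-8", "replace"), location)

if __name__ == "__main__":
    desc = parse_device_description(SAMPLE_GATEDESC, LOCATION)
    print(desc["manufacturer"], desc["modelName"], desc["serialNumber"])
    for svc in desc["services"]:
        print(svc["control_url"], svc["risk"] or "")
```

The description is served without authentication by design, so everything it returns (serial number, model revision, control URLs) is available to any host that can reach the device's HTTP port; the SCPD URLs list the exact SOAP actions each service accepts.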

SSL/TLS Configuration Analysis with NSE

External graders such as Qualys SSL Labs cannot reach internal corporate sites. Nmap's ssl-enum-ciphers enumerates the same protocol versions and cipher suites locally and rates each suite, which covers internal audit scope even though its letters are not the SSL Labs grade.

nmap --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed -p443 198.51.100.100

Sanitized output excerpt, with per-suite strength letters annotated:

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=legacy-app.internal
| Issuer: commonName=Corporate-ICA-2019
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2023-06-01T00:00:00
|_Not valid after:  2025-06-01T23:59:59
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)             - F
|     compressors:
|       NULL
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       Forward Secrecy not supported by any cipher
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)         - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)        - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)   - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)      - C
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)      - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)        - C
|     compressors:
|       NULL
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: F

How to read the letters:

Grade | Meaning                                                             | Typical triggers
A     | Strong: forward secrecy, AEAD ciphers, no known weaknesses          | ECDHE + AES-GCM, TLS 1.2+
B     | Minor issues (no forward secrecy for some clients, SHA-1 in chain)  | Static RSA key exchange, old chain hash
C     | Weak or obsolete algorithms permitted                               | CBC mode without encrypt-then-MAC, 3DES, static RSA
D     | Significant weaknesses                                              | Export-grade crypto, MD5 signatures
F     | Critical vulnerability or effectively broken                        | RC4, SSLv2/v3, 512/1024-bit RSA, no encryption

What it does: Enumerates the cipher suites the server accepts for each protocol version, rates each one, and reports the weakest as least strength. When to use it: Pre-migration baseline, compliance gap analysis, or validating cipher-suite restrictions pushed via GPO or registry. Risks: the rating looks at key-exchange strength and symmetric key size and reports known-bad constructions (RC4, 3DES, MD5 integrity, missing forward secrecy) as warnings rather than folding them into the letter; a suite's HMAC algorithm does not change its letter, so a SHA-1 HMAC suite sits at the same letter as its SHA-256 equivalent. Expected output: Per-version suite lists with letters, warnings per version, and the least strength summary.

Interpretation of sample: The F is driven entirely by TLS 1.0 offering RC4, which RFC 7465 prohibits for TLS; TLS 1.0 and 1.1 are themselves deprecated by RFC 8996. TLS 1.2 already offers A-rated ECDHE suites using the same 2048-bit certificate, so remediation is configuration only (disable TLS 1.0/1.1 and drop the RC4, 3DES and static-RSA suites), not certificate replacement.

Confirming Vulnerability Remediation: Before/After Workflow

Scan output diffing is essential when change-control windows are narrow and rollback decisions must be evidence-based.

# Baseline (pre-remediation)
nmap --script ssl-enum-ciphers -p443 -oX baseline-198.51.100.100.xml 198.51.100.100

# Post-remediation
nmap --script ssl-enum-ciphers -p443 -oX postfix-198.51.100.100.xml 198.51.100.100

# Structured diff
ndiff baseline-198.51.100.100.xml postfix-198.51.100.100.xml > ssl-cipher-diff.txt

Sanitized diff excerpt:

-  TLSv1.0:
-    ciphers:
-      TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - F
-    warnings:
-      Broken cipher RC4 is deprecated by RFC 7465
-  least strength: F
+  TLSv1.2:
+    ciphers:
+      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
+  least strength: A

Automation note: ndiff exits 1 on any difference and 0 on none, so a bare exit-code gate also fails on harmless changes (a reordered suite list, a renewed certificate). Gate on the content of the diff, or compare the XML yourself and fail only on regressions. For rolling deployments, baseline against the production target, not the golden image; configuration drift in production often invalidates lab-tested assumptions.
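A regression-only gate needs the structured form of the script output rather than the text diff. Here is an added Python example (not code from the original page) that reads the ssl-enum-ciphers tables out of two -oX files, builds a per-target posture (protocols, suites, least strength), and reports only regressions: a protocol version or suite that appeared, or a worse least-strength letter. The two XML documents are constructed for the example; the element and key names (table key="TLSv1.2", elem key="name", elem key="strength", elem key="least strength") follow the structured output the script writes in -oX mode and are an assumption to check against your Nmap version.

```python
"""Compare ssl-enum-ciphers results from two Nmap -oX runs and fail only on regression."""
import xml.etree.ElementTree as ET

GRADE_ORDER = "ABCDEF"   # per-suite letters, best to worst

# Constructed -oX fragments (not real scans) with the script's structured output.
BASELINE_XML = """<nmaprun><host><address addr="198.51.100.100" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="63"/>
<script id="ssl-enum-ciphers" output="(text form omitted)">
  <table key="TLSv1.0">
    <table key="ciphers">
      <table><elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">F</elem></table>
    </table>
    <elem key="cipher preference">server</elem>
  </table>
  <table key="TLSv1.2">
    <table key="ciphers">
      <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
      <table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
    </table>
    <elem key="cipher preference">server</elem>
  </table>
  <elem key="least strength">F</elem>
</script></port></ports></host></nmaprun>"""

POST_XML = """<nmaprun><host><address addr="198.51.100.100" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="63"/>
<script id="ssl-enum-ciphers" output="(text form omitted)">
  <table key="TLSv1.2">
    <table key="ciphers">
      <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
    </table>
    <elem key="cipher preference">server</elem>
  </table>
  <elem key="least strength">A</elem>
</script></port></ports></host></nmaprun>"""

def tls_posture(xml_text):
    """Map 'addr:port' -> {'least': letter, 'protocols': {proto: {suite: letter}}}."""
    posture = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-enum-ciphers']")
            if script is None:
                continue
            entry = {"least": None, "protocols": {}}
            for node in script:                      # direct children: one table per protocol
                key = node.get("key", "")
                if node.tag == "elem" and key == "least strength":
                    entry["least"] = node.text.strip()
                elif node.tag == "table" and key.startswith(("TLSv", "SSLv")):
                    entry["protocols"][key] = {
                        c.find("elem[@key='name']").text: c.find("elem[@key='strength']").text
                        for c in node.findall("table[@key='ciphers']/table")}
            posture[f"{addr}:{port.get('portid')}"] = entry
    return posture

def regressions(baseline_xml, post_xml):
    """Only changes that weaken the posture; reordering and removals are not reported."""
    before, after = tls_posture(baseline_xml), tls_posture(post_xml)
    findings = []
    for target, new in after.items():
        old = before.get(target)
        if old is None:
            findings.append(f"{target}: TLS service not present in baseline")
            continue
        for proto, suites in new["protocols"].items():
            if proto not in old["protocols"]:
                findings.append(f"{target}: {proto} newly enabled")
                continue
            for name in sorted(set(suites) - set(old["protocols"][proto])):
                findings.append(f"{target}: {name} newly offered on {proto}")
        if old["least"] and new["least"] and \
                GRADE_ORDER.index(new["least"]) > GRADE_ORDER.index(old["least"]):
            findings.append(f"{target}: least strength worsened {old['least']} -> {new['least']}")
    return findings

def gate(baseline_xml, post_xml):
    """CI exit status: 0 when nothing regressed, 1 otherwise."""
    return 1 if regressions(baseline_xml, post_xml) else 0

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        base, post = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        base, post = BASELINE_XML, POST_XML
    for line in regressions(base, post):
        print(line)
    sys.exit(gate(base, post))
```

Run it as gate.py baseline-198.51.100.100.xml postfix-198.51.100.100.xml after the two -oX scans above; the exit status is safe to use directly in a pipeline because a suite that disappeared, the expected outcome of remediation, is not a regression.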

Rate-Limiting and IDS Evasion: Real Encounters

During the /16 scan above, several behaviors indicated defensive countermeasures:

Symptom                                                   | Likely cause                          | Diagnostic                                                            | Response
All ports show filtered after initial open results        | Rate-limiting firewall rule           | nping --tcp -p 80 --rate 100 <target> vs --rate 1000; note where replies stop | Reduce --max-rate to 200 and extend --scan-delay
Consistent 10-second delays on SYN replies                | IPS shunning or tarpit                | tcptraceroute to identify the hop where the delay appears              | Switch to -sS -T1; decoys (-D RND:10,ME) only in an authorized detection-validation exercise
ICMP admin-prohibited on port 80 only                     | Explicit ACL deny, not a blanket drop | Compare against the behaviour of a known-open port                     | Document as a confirmed control, not a scan failure
SYN-ACK followed by RST before the handshake completes    | SYN proxy or TCP intercept            | tcpdump shows no payload from the target                               | Reduce probe complexity: --version-intensity 2

⚠️ Authorized, defensive use only. Decoy scans (-D) and fragmentation (-f) are described here for IDS validation exercises and tuning your own detection thresholds. Use only in lab environments or explicitly authorized detection-validation exercises where you own or have written permission to test all infrastructure involved.

Common Mistakes in Production Scanning

Mistake                                                        | Why it bites you
Running -A (aggressive) on /8 scopes                           | -A adds OS detection, traceroute and the default scripts for every host; on a /8 the probe volume and runtime grow by an order of magnitude, and the scan dies to memory exhaustion or an upstream block
Omitting -n on large ranges                                    | Reverse-DNS lookups for tens of thousands of addresses stall the scan on resolver timeouts, and the PTR queries announce your reconnaissance to whoever runs the resolver
Trusting "Service Info: OS: Linux" from -sV                    | That line is inferred from service banners, not from fingerprinting; a containerized service describes its image, not the host, and a host fingerprint describes the kernel, not the container's patch level
Running NSE brute-force scripts without reviewing --script-args | Default username and password lists (oracle-brute and friends) lock accounts as soon as the target's lockout threshold is reached; review the brute.* arguments before the first run
Ignoring filtered as "probably nothing"                        | Filtered ports often mark the most sensitive segments: the assets someone bothered to hide