CHAPTER 11: USING NMAP IN THE "REAL WORLD"
Now that all of these nmap scan types, option settings, and information screens have been documented, how can this conglomeration of data help an organization with real-world security requirements?


The following scenarios are common examples that are found in many organizations. These are written from the perspective of a network or security manager who provides uptime and availability of an organization's systems. It's also assumed that the security team will have nmap scanning systems that run with privileged access.

With every nmap scan, there are some options that are always recommended. The verbose option should always be specified at its highest level (-vv), and the universal output format (-oA) should also be used. Since the differently formatted nmap output files occasionally contain different pieces of information, saving the nmap information into all formats can provide important information after the scan. It's also assumed that the security team will have nmap scanning system that run with privileged access.

The --excludefile option should also be used with every nmap scan. The exclude file should be updated with the most important IP addresses in the organization, or the IP addresses that should never be scanned under any circumstances. Nmap scans that operate without incident on some systems may have far-reaching effects on others! For example, an older telephone system or a legacy router may not be able to provide the resources required by nmap, and these systems may crash or become unavailable if the nmap scan is too aggressive. Exclude options always take priority over any includes, so identifying these IP addresses in an exclude file will ensure that they are never scanned by nmap.