Nmap can feel like a powerful, but manual, tool. Automating it to run scans on a schedule or trigger them based on events unlocks its true potential for continuous network visibility.
Let’s see Nmap in action, not just as a command-line utility, but as part of an automated workflow. Imagine you have a critical server that needs to be scanned for open ports and potential vulnerabilities every hour. You don’t want to be there manually typing nmap -sV -p- 192.168.1.100 every 60 minutes.
Here’s how you’d script that with cron on a Linux system:
# This entry in crontab will run the nmap scan every hour
0 * * * * /usr/bin/nmap -sV -p- 192.168.1.100 -oX /var/log/nmap/server_scan_$(date +\%Y\%m\%d_\%H\%M\%S).xml >> /var/log/nmap/server_scan_output.log 2>&1
Let’s break this down. 0 * * * * is the cron schedule, meaning "at minute 0 of every hour, every day, every month, every day of the week." The command itself uses nmap with -sV for service version detection and -p- to scan all 65535 TCP ports. The output is directed to an XML file (-oX) with a timestamped filename; the percent signs in the date format are escaped as \% because cron treats an unescaped % as a newline. All standard output and error streams are appended to a log file. This gives you both structured data for later analysis and a running log of execution. Note that /var/log/nmap must already exist and be writable by the user whose crontab this is, or both the XML file and the log will silently fail to appear.
The core problem Nmap automation solves is drift. Networks change. Devices get added, ports open unexpectedly, services update, and sometimes, misconfigurations happen. Without regular, automated checks, you’re flying blind. You might not know about a new, vulnerable service exposed to the internet until it’s already been exploited. Automation turns Nmap from a diagnostic tool into a continuous monitoring system.
Internally, Nmap’s power comes from its vast array of scan techniques (SYN, TCP connect, UDP, etc.) and its scripting engine (NSE). For automation, you’re primarily leveraging cron (or Windows Task Scheduler) to invoke Nmap at desired intervals. The real magic for making automation useful comes from Nmap’s output formats and NSE scripts.
You control the automation through:
- Scan Frequency and Timing: How often do you need to know? Hourly, daily, weekly? cron schedules are your primary lever.
- Target Selection: What IP addresses, ranges, or hostnames are you scanning? This can be a static list, or dynamically generated by another script.
- Scan Intensity: -T4 (aggressive) for faster scans when network load isn’t a concern, or -T2 (polite) for quieter scans. -sS (SYN scan) is the default when Nmap has root privileges (unprivileged runs fall back to -sT) and is generally preferred for speed and stealth.
- Output Format: -oN (normal), -oX (XML), -oG (grepable), -oA (all formats). XML is fantastic for programmatic parsing by other tools.
- NSE Scripts: This is where Nmap truly shines. Instead of just port scanning, you can run scripts that actively check for vulnerabilities (vuln), discover SMB shares (smb-enum-shares), or even brute-force credentials (http-brute).
For instance, to automate a check for common web vulnerabilities every night:
# Run NSE vulnerability scripts against web servers every day at 3 AM
0 3 * * * /usr/bin/nmap -p 80,443 --script vuln,http-enum 192.168.1.0/24 -oX /var/log/nmap/web_vuln_scan_$(date +\%Y\%m\%d).xml
This command scans the entire 192.168.1.0/24 subnet on ports 80 and 443, using the vuln and http-enum NSE scripts, saving the results in XML.
A common pitfall when automating Nmap is overwhelming your network or your scanning host. Running full -p- scans on hundreds of hosts every hour is a recipe for disaster. You need to be judicious about your scan intensity (-T level), the scope of your scans (which IPs, which ports), and the types of NSE scripts you employ. Some NSE scripts are very resource-intensive or can be quite noisy. Always test your automated scan configurations in a non-production environment first.
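One practical way to apply those levers and avoid the overlap problem just described is to let cron call a small wrapper instead of a raw nmap command line. The following is an added example (not the article’s code): it builds the nmap argv from the targets, port spec, -T template and NSE scripts, writes timestamped -oX output, and takes an exclusive lock so that a scan still running from the previous tick is not started again on top of itself. The binary path and output directory are the ones from the crontab above; the lock-file path and the install path in the comment are assumptions.

```python
"""Scheduler-friendly wrapper for one Nmap run (added example, not the
article's code). It turns the levers listed above into an argv list and
takes an exclusive lock so a slow scan is not started again on top of
itself by the next cron tick. Paths are assumptions."""
import fcntl
import os
import subprocess
import sys
from datetime import datetime

NMAP_BIN = "/usr/bin/nmap"              # binary path used in the article's crontab
OUTPUT_DIR = "/var/log/nmap"            # output directory used in the article's crontab
LOCK_PATH = "/var/lock/nmap_scan.lock"  # assumption: any path the cron user can write


def build_nmap_command(targets, ports="-", timing=3, scripts=(),
                       tag="scan", out_dir=OUTPUT_DIR, stamp=None):
    """Build the nmap argv for one scan.

    targets: list of hosts/ranges; ports: nmap -p spec ("-" = all 65535);
    timing: -T0..-T5 template; scripts: NSE script names or categories;
    stamp: timestamp for the -oX filename (defaults to now).
    Returning a list (not a shell string) avoids quoting and the cron '%' escape.
    """
    if not 0 <= timing <= 5:
        raise ValueError("nmap timing templates are -T0 .. -T5")
    if not targets:
        raise ValueError("at least one target is required")
    stamp = stamp or datetime.now().strftime("%Y%m%d_%H%M%S")
    out_file = os.path.join(out_dir, f"{tag}_{stamp}.xml")
    cmd = [NMAP_BIN, "-sV", f"-T{timing}", f"-p{ports}"]
    if scripts:
        cmd += ["--script", ",".join(scripts)]
    cmd += ["-oX", out_file]
    cmd += list(targets)
    return cmd


def acquire_scan_lock(lock_path=LOCK_PATH):
    """Return a locked file handle, or None if another scan already holds the lock."""
    handle = open(lock_path, "a")
    try:
        fcntl.flock(handle, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:          # EWOULDBLOCK: a previous run is still going
        handle.close()
        return None
    return handle


def release_scan_lock(handle):
    fcntl.flock(handle, fcntl.LOCK_UN)
    handle.close()


def run_scan(cmd, lock_path=LOCK_PATH):
    """Run cmd under the lock. Returns the exit code, or None if skipped."""
    handle = acquire_scan_lock(lock_path)
    if handle is None:
        return None
    try:
        return subprocess.run(cmd, check=False).returncode
    finally:
        release_scan_lock(handle)


if __name__ == "__main__":
    # Assumed crontab entry for this wrapper (install path is an assumption):
    # 0 * * * * /usr/bin/python3 /usr/local/bin/nmap_scan.py 192.168.1.100
    scan_cmd = build_nmap_command(sys.argv[1:] or ["192.168.1.100"])
    rc = run_scan(scan_cmd)
    if rc is None:
        print("previous scan still running; skipped this tick", file=sys.stderr)
        sys.exit(0)
    sys.exit(rc)
```

The nightly web scan from the crontab further down maps onto the same function as build_nmap_command(["192.168.1.0/24"], ports="80,443", timing=2, scripts=("vuln", "http-enum"), tag="web_vuln_scan"). Skipping a tick when the lock is held is deliberate: for a full -p- scan, one missed hour is far cheaper than two scans competing for the same host and network.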
Once you have your Nmap scans generating XML output, you’ll likely want to process that data. Tools like xsltproc can transform the XML into human-readable HTML, or you can write custom scripts in Python (using libraries like xml.etree.ElementTree or lxml) to parse the results, identify changes from previous scans, and trigger alerts via email or a SIEM. The XML format is key here, as it provides a structured, machine-readable representation of Nmap’s findings.
The next logical step after automating regular scans is to integrate these scans into a broader security information and event management (SIEM) system or a custom dashboard.