**Introduction: Python-Based Nmap Scanning**

Network security assessments require efficient and accurate scanning techniques to identify active devices, open ports, and running services. This project explores how to integrate Nmap with Python to perform network scans, analyze device responses, and compare different scanning techniques.

By leveraging Python’s automation capabilities with Nmap, we conducted both non-aggressive (-sV -T4) and aggressive (-A) scans on a local network to examine the effectiveness and efficiency of each approach. The results provided insights into how different scan types affect detection accuracy and scan duration.

This project highlights:
✔️ Setting up Nmap in Python for automated network scanning.
✔️ Comparing standard vs. aggressive scans to evaluate effectiveness.
✔️ Identifying open ports and services on different devices.
✔️ Understanding dynamic port behavior on devices like MacBooks and iPhones.

Through this hands-on analysis, we gained a deeper understanding of network scanning methodologies and how Python enhances cybersecurity automation.

**Python-Based Nmap Scanning**

**Objective:**
This project aimed to set up Nmap in Python, perform network scans, analyze the differences between basic (-sV -T4) and aggressive (-A) scans, and identify devices and open ports on a local network.

**🔹 Step 1: Setting Up Python and Nmap**
Before beginning, we verified that Python and Nmap were installed using the command line:

```bash
python3 --version  # Check Python version
nmap --version     # Check Nmap version
```

✅ Result: Both Python and Nmap were installed and ready.

We then installed the python-nmap package in Jupyter Notebook to enable Python-based Nmap scanning:
```
!pip install python-nmap
```
✅ Result: Successfully installed python-nmap-0.7.1, allowing us to control Nmap from Python.

**🔹 Step 2: Importing Nmap and Running a Basic Scan**
The first scan aimed to detect all live devices on the network.
📌 Code Used:

```python
import nmap

# Create an Nmap scanner object
nm = nmap.PortScanner()

# Define the target network (your local network)
target = "192.168.1.0/24"  # Assigns the target network (subnet) as a string

# Run a basic scan
nm.scan(hosts=target, arguments="-sn")  # -sn = Ping Scan (find live hosts, no port scan)

# Print the results
print("Live hosts on the network:")
for host in nm.all_hosts():
    print(f"{host} is up")
```


**✅ Result:**
This scan successfully detected five live devices on the network:


```
Live hosts on the network:
192.168.1.148 is up
192.168.1.180 is up
192.168.1.254 is up
192.168.1.78 is up
192.168.1.95 is up
```
🔹 This provided a list of active devices, which we later used in more detailed scans.


**🔹 Step 3: Initial Non-Aggressive Scan (-sV -T4)**
Now that we knew which devices were online, we performed a non-aggressive port scan on them.

📌 Code Used:

```python
# nm is the PortScanner object created in Step 2

# Define the target hosts
live_hosts = ["192.168.1.148", "192.168.1.180", "192.168.1.254", "192.168.1.78", "192.168.1.95"]
ports = "20-1000"  # Defines the port range as a string for later use in scanning

# Open a file to store scan results
with open("scan_results.txt", "w") as file:
    file.write("Nmap Scan Results\n")
    file.write("=" * 30 + "\n")

    for host in live_hosts:
        print(f"\n🔍 Scanning {host} for open ports...")
        file.write(f"\n🔍 Scanning {host} for open ports...\n")

        # Perform a port scan with service/version detection (-sV) at timing template 4 (-T4)
        nm.scan(host, ports, arguments="-sV -T4")

        # A host that does not answer during the scan is absent from the results;
        # indexing nm[host] would then raise KeyError
        if host not in nm.all_hosts():
            file.write("❌ Host did not respond.\n")
            print("❌ Host did not respond.")
            continue

        # Keep only ports whose state is 'open' (the result may also list closed/filtered ports)
        open_ports = [(port, info["name"]) for proto in nm[host].all_protocols()
                      for port, info in nm[host][proto].items() if info["state"] == "open"]

        if open_ports:
            file.write(f"✅ Open ports on {host}:\n")
            print(f"✅ Open ports on {host}:")
            for port, service in sorted(open_ports):
                file.write(f"  - Port {port}: {service}\n")
                print(f"  - Port {port}: {service}")
        else:
            file.write("❌ No open ports found.\n")
            print("❌ No open ports found.")

print("\n📄 Scan results saved to scan_results.txt")
```


**✅ Results:**


```
🔍 Scanning 192.168.1.148 for open ports...
❌ No open ports found.

🔍 Scanning 192.168.1.180 for open ports...
❌ No open ports found.

🔍 Scanning 192.168.1.254 for open ports...
✅ Open ports on 192.168.1.254:
  - Port 53: domain
  - Port 80: http
  - Port 111: rpcbind
  - Port 443: http

🔍 Scanning 192.168.1.78 for open ports...
❌ No open ports found.

🔍 Scanning 192.168.1.95 for open ports...
❌ No open ports found.

📄 Scan results saved to scan_results.txt
```


**Key Findings:**
The scan completed in just 22.6 seconds.
Only the router (192.168.1.254) showed open ports.
The MacBook and iPhone did not show any open ports.
This was unexpected, since previous scans had detected open ports on these devices.


**🔹 Step 4: Aggressive Scan (-A) for Deeper Analysis**
Since the previous scan most likely missed open ports on known devices, we ran an aggressive scan (-A) to compare results.

📌 Code Used:

```python
# Run aggressive scan (-A enables OS detection, version detection, script scanning and traceroute)
target_network = "192.168.1.0/24"
print(f"\n🔍 Running Aggressive Scan on {target_network}...\n")

nm.scan(hosts=target_network, arguments="-A")

# Print results: only ports whose state is 'open' count as open
for host in nm.all_hosts():
    print(f"✅ Host: {host}")
    open_ports = [(port, info["name"]) for proto in nm[host].all_protocols()
                  for port, info in nm[host][proto].items() if info["state"] == "open"]
    if open_ports:
        for port, service in sorted(open_ports):
            print(f"  - Port {port}: {service}")
    else:
        print("❌ No open ports found.")
```


**✅ Results:**


```
🔍 Running Aggressive Scan on 192.168.1.0/24...

✅ Host: 192.168.1.148 (MacBook)
  - Port 5000: rtsp
  - Port 7000: rtsp
  - Port 49152: 

✅ Host: 192.168.1.156 (iPhone)
  - Port 49152: tcpwrapped
  - Port 62078: tcpwrapped

✅ Host: 192.168.1.180
❌ No open ports found.

✅ Host: 192.168.1.254 (Router)
  - Port 53: domain
  - Port 80: http
  - Port 111: rpcbind
  - Port 443: http

✅ Host: 192.168.1.95 (Google Nest Audio)
  - Port 8008: http
  - Port 8009: ajp13
  - Port 8443: https-alt
  - Port 9000: cslistener
  - Port 10001: scp-config
  - Port 10002: documentum
```


**🔹 Key Takeaways**

| Feature | Basic Scan (-sV -T4) | Aggressive Scan (-A) |
| --- | --- | --- |
| Scan Time | 22.6 seconds | 3m 47s |
| Devices Scanned | 5 | 5 |
| Detected Open Ports | Only Router; missed iPhone & MacBook ports | Detected all known devices & services |


✅ Conclusion:

Aggressive scans (-A) are more effective, but they take much longer.
Non-aggressive scans (-sV -T4) can miss open ports on some devices.
iPhones & MacBooks dynamically close ports, requiring a deeper scan.

**Why Use Python for Nmap Scanning?**

While command-line Nmap (nmap -A 192.168.1.0/24) is great for quick, manual scans, Python scripting is beneficial when you need automation, customization, and integration with other tools.

**✅ 1️⃣ Automating Repetitive Scans**
Running one scan from the command line is easy, but what if you need to scan your network every hour?
With Python, you can schedule periodic scans and analyze changes automatically.
Example: A Python script can run daily, detect new open ports, and send an alert.

```python
import time
import nmap

nm = nmap.PortScanner()

while True:
    nm.scan(hosts="192.168.1.0/24", arguments="-A")
    print("🔍 Scan complete. Sleeping for 1 hour...")
    time.sleep(3600)  # Sleep for 1 hour
```

✅ Advantage: Automates scanning without manual effort.

**✅ 2️⃣ Storing & Analyzing Results**

Command-line Nmap shows results in the terminal but doesn’t save them unless manually redirected.
Python allows you to save scan results in structured formats like:
CSV (for Excel & data analysis)
JSON (for integration with security tools)
Databases (for long-term storage)

**Example: Save scan results to CSV for tracking open ports over time.**

```python
import csv

# nm is a PortScanner object on which a scan has already been run
with open("scan_results.csv", "w", newline="") as file:
    writer = csv.writer(file)
    writer.writerow(["IP Address", "Open Ports"])

    for host in nm.all_hosts():
        # all_protocols() yields protocol names ('tcp', 'udp'), so walk each protocol's port table
        open_ports = [f"{proto}/{port}"
                      for proto in nm[host].all_protocols()
                      for port, info in nm[host][proto].items()
                      if info["state"] == "open"]
        writer.writerow([host, ", ".join(sorted(open_ports))])
```

**✅ Advantage: Tracks network changes over time instead of just showing results once.**

**✅ 3️⃣ Custom Alerts & Notifications**
Python can send emails or Slack messages if suspicious ports are detected.

**Example: Alert if a critical port (e.g., SSH or RDP) opens unexpectedly.**

```python
import os
import smtplib

# Open ports on all hosts from the last scan (nm = PortScanner); python-nmap port keys are ints
open_ports = {port for host in nm.all_hosts() for proto in nm[host].all_protocols()
              for port, info in nm[host][proto].items() if info["state"] == "open"}

if 22 in open_ports:  # If SSH is open on any host
    # A mail message needs a Subject header, a blank line, then the body
    message = "Subject: ALERT: SSH Port Open on Network\n\nPort 22 (SSH) was found open in the last Nmap scan."
    server = smtplib.SMTP("smtp.gmail.com", 587)
    server.starttls()
    server.login("your_email@gmail.com", os.environ["SMTP_PASSWORD"])  # Read from the environment, never hard-code
    server.sendmail("your_email@gmail.com", "alert_recipient@gmail.com", message)
    server.quit()
```

**✅ Advantage: Real-time monitoring & security alerts.**

**✅ 4️⃣ Filtering & Processing Data**

The command line prints everything, making it hard to find critical information.
Python filters results automatically, highlighting only important findings.

**Example: Only show high-risk ports like RDP (3389) & SMB (445).**

```python
high_risk_ports = [22, 23, 445, 3389]  # SSH, Telnet, SMB, RDP

for host in nm.all_hosts():
    for proto in nm[host].all_protocols():  # all_protocols() yields 'tcp'/'udp', not port numbers
        for port, info in nm[host][proto].items():
            if info["state"] == "open" and port in high_risk_ports:
                print(f"⚠️ {host} has a high-risk open port: {proto}/{port}")
```

**✅ Advantage: Reduces noise and highlights security risks quickly.**
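The "detect new open ports" idea from section 1 and the high-risk filter from section 4 share one piece of logic: reduce a scan to the set of genuinely open ports, then compare or filter that set. The following is an added example, not code from the project; it works on the dict that python-nmap's `PortScanner.scan()` returns (`result["scan"][host][proto][port]`), and the two snapshots are constructed by hand so it runs without Nmap.

```python
# Added example (not the project's code). The dict shape mirrors python-nmap's
# PortScanner.scan() return value: result["scan"][host][proto][port] = {"state": ..., "name": ...}.

HIGH_RISK_PORTS = {22, 23, 445, 3389}  # SSH, Telnet, SMB, RDP (same list as section 4)

def open_ports_by_host(scan_result):
    """Map host -> {(proto, port): service}, keeping only ports whose state is 'open'."""
    out = {}
    for host, data in scan_result.get("scan", {}).items():
        open_ports = {}
        for proto in ("tcp", "udp"):
            for port, info in data.get(proto, {}).items():
                if info.get("state") == "open":
                    open_ports[(proto, int(port))] = info.get("name", "")
        out[host] = open_ports
    return out

def diff_snapshots(previous, current):
    """Return (newly_opened, newly_closed): host -> sorted list of (proto, port)."""
    opened, closed = {}, {}
    for host in set(previous) | set(current):
        before, after = set(previous.get(host, {})), set(current.get(host, {}))
        if after - before:
            opened[host] = sorted(after - before)
        if before - after:
            closed[host] = sorted(before - after)
    return opened, closed

def high_risk_findings(snapshot):
    """Sorted (host, port, service) tuples for open ports in HIGH_RISK_PORTS."""
    return sorted((host, port, svc) for host, ports in snapshot.items()
                  for (proto, port), svc in ports.items() if port in HIGH_RISK_PORTS)

# Constructed sample snapshots (shape only; the values are not from a real scan).
YESTERDAY = {"scan": {
    "192.168.1.254": {"tcp": {53: {"state": "open", "name": "domain"},
                              80: {"state": "open", "name": "http"}}},
    "192.168.1.148": {"tcp": {5000: {"state": "open", "name": "rtsp"}}},
}}
TODAY = {"scan": {
    "192.168.1.254": {"tcp": {53: {"state": "open", "name": "domain"},
                              80: {"state": "closed", "name": "http"},
                              22: {"state": "open", "name": "ssh"}}},
    "192.168.1.148": {"tcp": {5000: {"state": "open", "name": "rtsp"}}},
}}

if __name__ == "__main__":
    opened, closed = diff_snapshots(open_ports_by_host(YESTERDAY), open_ports_by_host(TODAY))
    print("newly opened:", opened)  # {'192.168.1.254': [('tcp', 22)]}
    print("newly closed:", closed)  # {'192.168.1.254': [('tcp', 80)]}
    print("high risk:", high_risk_findings(open_ports_by_host(TODAY)))  # [('192.168.1.254', 22, 'ssh')]
```

In the hourly loop from section 1, feed the previous and current `nm.scan()` results to `diff_snapshots` and alert only when `opened` is non-empty, so repeated scans report changes rather than the same list every hour.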

**✅ 5️⃣ Combining Nmap with Other Security Tools**
Python can integrate Nmap with vulnerability scanners, firewalls, and log analysis tools.

**Example: Scan for open ports, then use Shodan API to check for known vulnerabilities.**

```python
import shodan

api = shodan.Shodan("YOUR_SHODAN_API_KEY")

# Shodan only holds data for Internet-facing addresses; private ranges such as
# 192.168.1.0/24 produce an API error, which is caught here instead of aborting the loop
for host in nm.all_hosts():
    try:
        result = api.host(host)
    except shodan.APIError as err:
        print(f"No Shodan data for {host}: {err}")
        continue
    print(f"Vulnerabilities for {host}: {result.get('vulns', [])}")
```

✅ Advantage: Automates vulnerability assessments with Nmap + Shodan.

**🔹 Summary: When to Use Python vs. Command Line**

| Use Case | Command Line (nmap -A 192.168.1.0/24) | Python (import nmap) |
| --- | --- | --- |
| Quick, one-time scan | ✅ Best choice | ❌ Overkill |
| Automated periodic scans | ❌ Requires manual execution | ✅ Fully automated |
| Storing results in files | ❌ Requires redirection | ✅ Saves structured data |
| Custom filtering (e.g., show only RDP/SSH) | ❌ Must manually review | ✅ Filters results automatically |
| Sending alerts (email, Slack, etc.) | ❌ Not possible | ✅ Can notify instantly |
| Combining with other tools (Shodan, SIEM, etc.) | ❌ Standalone | ✅ Full integration |


**✅ Final Thought:**

Use Nmap CLI when you need a quick, one-time scan.
Use Python + Nmap when you need automation, alerts, storage, or integration.