Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing that has been around since 1997.
Surveillance and network scanning is often one of the first steps in Penetration Testing or Security Validation.
Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap generates raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
This tool is quite powerful, and some people think it is an evil network hacking tool. While it can be used for hacking, we prefer to use it to troubleshoot networks. Indeed it is powerful and we want to dedicate a few tips and tricks to the use of nmap.
In this article we will get started with the tool. We will be using it in a Linux environment, but know that it is available for all systems at www.nmap.org.
Here is an overview video:
We will not go into the installation further than what is covered in the video, but assume you can follow the directions for downloading and installing the tool from their web site. Some systems, like Kali Linux or Parrot Linux, come with nmap pre-installed. You can check this by entering:
nmap --version
If you are running a different version of Linux, and nmap is not installed, simple enter:
sudo apt-get install nmap
or
sudo apt install nmap
Once installed, understand that nmap is primarily run from the command line or via a terminal window. You can run the graphics front end (called Zenmap) – but we will save that for a later article.
If nmap is installed you should get something like this:
You can see I have version 7.80 running on my system.
For a full list of nmap command line options, just enter ‘nmap –help” or “nmap -h”:
root@kali:~# nmap -h
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)https://netscionline.com/mod/glossary/showentry.php?eid=8188&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: IP">IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2https://netscionline.com/mod/glossary/showentry.php?eid=8532&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: PS">PS/PA/PU/PY[portlisthttps://netscionline.com/mod/glossary/showentry.php?eid=8141&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: TCP">TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol listhttps://netscionline.com/mod/glossary/showentry.php?eid=8188&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: IP">IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimeshttps://netscionline.com/mod/glossary/showentry.php?eid=8135&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: DNS">dns-servers <serv1[,serv2https://netscionline.com/mod/glossary/showentry.php?eid=8135&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: DNS">DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeporthttps://netscionline.com/mod/glossary/showentry.php?eid=8905&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: SCTP">SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...https://netscionline.com/mod/glossary/showentry.php?eid=8131&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: OS">OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,MEhttps://netscionline.com/mod/glossary/showentry.php?eid=8143&displayformat=dictionary" class="glossary autolink concept glossaryid17" style="box-sizing: border-box; color: rgb(45, 74, 250); text-decoration: none; background-color: transparent;" title="Our On-Line School of Network Science Glossary of Telecommunications Terms and Acronyms: HTTP">HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Let’s do our first scan!
It’s really easy. I am going to scan my local router. I need to know it’s IP address. In my case it is at address 192.168.1.254. To scan that device, just enter:
nmap 192.168.1.254
Here is what I got when I scanned the address:
What we see is that nmap started and once completed issued a report. It reported that the host at 192.168.1.254 is up and operating. The next line reports the latency or delay to the system. The next several lines indicate what logical ports responded to the scan. These items are shown in three columns: Ports, the State, and the Service.
We see port 80, port 443, and port 49152 are open on this host. Your scan may have more ports than this.
These ports generally refer to applications or services on the host, which is the Service column. Port 80 is HTTP or Hypertext Transfer Protocol used for web browsing. You can see a full list of ports and their assignments here. If you were curious, port 49152 is called an ephemeral port, and is not assigned to a specific service.
Next to the port number is either tcp or udp. This indicates which Layer 4 protocol is being used on that port.
The State column tells us whether that port is open, closed or even being blocked or filtered!
Depending on what you scanned you will get a number of different items in this simple scan. In the screen shot below I tried scanning a system at 192.168.1.74:
It looks like the system is not working, but it is there. I tried pinging it and got a response:
So as nmap suggests I tried the ‘-Pn’ command. Now this scan took considerably longer to run. Here is what I got:
We see that the system is in fact running but is filtering the 1000 ports that were scanned. Cool. But, let me explain that a little further. What nmap does it it uses the ICMP (Internet Control Message Protocol) to discover devices on the network. Ping is actually an ICMP echo message. Some devices and firewalls block these messages, so by using the -Pn option, it turned off the normal nmap procedure and skipped to a more aggressive scan.
Now you can scan more that one IP address by listing them after the nmap command:
nmap 192.168.1.1 192.168.1.2 193.168.1.3 192.168.1.254
If they are all in the same sub network, you could also type:
nmap 192.168.1.1,2,3,254
If you wanted to scan a range of systems just type:
nmap 192.168.1.1-254
This may take some time to run, but you will get a scan report for each system found at any of the IP addresses in the range! So this can be a great way to find out what is connected to a network, as well as see what services are running on those devices. The report may be long and require you scroll through the report. By the way, if nmap is off working and you have no information on the console, simply hit enter and nmap will tell you what it is up to and how much more time it anticipates the current process will take. Nice.
Here is another cool shortcut:
nmap 192.168.1.*
The ‘*’ is essentially a wildcard. So here is a cooler one:
nmap 192.168.1-10.*
Above I have combined the wildcard and the range!
For you hard core networkers, you can also use the CIDR notation to scan a network or subnetwork:
nmap 192.168.1.1/24
But what if I wanted to exclude a certain address in the subnet? Easy:
nmap 192.168.1.1/24 --exclude 192.168.1.253
In the example, I have asked nmap to scan the subnet 192.168.1.0-192.168.1.255 excluding IP address 192.168.1.253. You can also exclude a range of addresses if you want. Here is an example:
nmap 192.168.1.1/24 --exclude 192.168.1.250-253
Popular Command: What if you wanted a simple scan of a subnetwork, just to see what targets exist at what IP addresses? This is really easy, use the ‘-sP’ option:
nmap -sP 192.168.1.0/24
Now here is something a little different. the nmap scanner can randomly scan devices in your network. For example:
nmap -iR 5
This means nmap will randomly scan 5 targets on the network! Just for fun!!
Lastly, you can create a text file with a list of the IP’s you want to scan. Let’s say I create a list called ‘andysiplist.txt’. The text file should have one IP address per line. I can then use the following command to scan those IP’s using nmap:
nmap -iL andysiplist.txt
And nmap will run a scan on whatever IP addresses are in the text file.
You can also use a .txt file with an exclude list. Above the file andysiplist.txt contained the IP addresses we wanted to scan. You can create a different text file – we will call it ‘skipthese.txt’. As before, you will then have a list, one IP per line, of the IP’s you want to skip in the scan. Once created, enter the following nmap command:
nmap 192.168.1.0/24 --excludefile skipthese.txt
And nmap will scan the entire 192.168.1.0 subnet excluding whatever addresses are in the skipthese.txt file.
OK, we are off to a great start. Have fun with nmap and look for further tips and tricks here on nmap. Just click on the ‘nmap’ tag below to see other nmap related content.
I hope you find this article and its content helpful. Comments are welcomed below. If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome!