Networking/Computing Tips/Tricks

A really nice network tool that has been around since 1997 is called 'nmap'.  This tool is quite powerful, and some people think it is an evil network hacking tool.  While it can be used for hacking, we prefer to use it to troubleshoot networks.  Indeed it is powerful and we want to dedicate a few tips and tricks to the use of nmap.

In this article we will get started with the tool.  We will be using it in a Linux environment, but know that it is available for all systems at www.nmap.org.

Here is an overview video:

We will not go into the installation further than what is covered in the video, but assume you can follow the directions for downloading and installing the tool from their web site.  Some systems, like Kali Linux or Parrot Linux, come with nmap pre-installed.  You can check this by entering:

nmap --version

If you are running a different version of Linux and nmap is not installed, simply enter the following (this is for Debian-based distributions such as Ubuntu; other distributions use their own package manager):

sudo apt-get install nmap

Once installed, understand that nmap is primarily run from the command line or via a terminal window.  You can run the graphical front end (called Zenmap) - but we will save that for a later article.

If nmap is installed you should get something like this:

Screen Shot 2014-07-20 at 10.16.26 PM

You can see I have version 6.40 running on my system. 

Let's do our first scan!

It's really easy.  I am going to scan my local router.  I need to know its IP address.  In my case it is at address 192.168.1.254.  To scan that device, just enter:

nmap 192.168.1.254

Here is what I got when I scanned the address:

Screen Shot 2014-07-20 at 10.32.34 PM

What we see is that nmap started and, once completed, issued a report.  It reported that the host at 192.168.1.254 is up and operating.  The next line reports the latency or delay to the system.  The next several lines indicate which logical ports responded to the scan.  These items are shown in three columns: PORT, STATE, and SERVICE.

We see port 80, port 443, and port 49152 are open on this host.  Your scan may have more ports than this.

Each port number generally corresponds to an application or service on the host, which is what the Service column shows.  Port 80 is HTTP or Hypertext Transfer Protocol, used for web browsing.  You can see a full list of ports and their assignments here.  If you were curious, port 49152 is called an ephemeral port, and is not assigned to a specific service.

Next to the port number is either tcp or udp.  This indicates which Layer 4 protocol is being used on that port.  Note that a default nmap scan only probes TCP ports; scanning UDP ports requires the -sU option.

The State column tells us whether that port is open, closed or even being blocked or filtered!

Depending on what you scanned you will get a number of different items in this simple scan.  In the screen shot below I tried scanning a system at 192.168.1.74:

Screen Shot 2014-07-20 at 10.49.41 PM

It looks like the system is not working, but it is there.  I tried pinging it and got a response:

Screen Shot 2014-07-20 at 10.52.02 PM

So as nmap suggests I tried the '-Pn' option.  Now this scan took considerably longer to run.  Here is what I got:

Screen Shot 2014-07-20 at 10.58.16 PM

We see that the system is in fact running but is filtering all 1000 ports that were scanned.  Cool.  But, let me explain that a little further.  Before it scans any ports, nmap first runs a host-discovery step to decide whether a device is actually on the network, and among the probes it uses for that are ICMP (Internet Control Message Protocol) echo requests; ping is actually an ICMP echo message.  Some devices and firewalls block these messages, so nmap concludes the host is down and never scans its ports.  The -Pn option turns off that discovery step, tells nmap to assume the host is up, and goes straight to the port scan.  That is also why the scan took longer: nmap had to wait for a reply (or none) on each of the 1000 ports instead of giving up after the first probe.

Now you can scan more than one IP address by listing them after the nmap command:

nmap 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.254

If they are all in the same subnet, you could also type:

nmap 192.168.1.1,2,3,254

If you wanted to scan a range of systems just type:

nmap 192.168.1.1-254

This may take some time to run, but you will get a scan report for each system found at any of the IP addresses in the range!  So this can be a great way to find out what is connected to a network, as well as to see what services are running on those devices.  The report may be long and require you to scroll through it.  By the way, if nmap is off working and you have no information on the console, simply hit enter and nmap will tell you what it is up to and how much more time it anticipates the current process will take.  Nice.
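When a range scan produces a long report, it helps to have nmap write a machine-friendly copy as well.  The script below is an added example, not part of the original article: it reads nmap's "grepable" output format (the -oG option, e.g. `nmap -oG sweep.gnmap 192.168.1.1-254`) and pulls out the hosts that are up, the open ports in the PORT and SERVICE columns, and the hosts whose ports nmap folded into a single "Ignored State" (the all-filtered case from the -Pn discussion above).  The .gnmap file it reads is a constructed sample embedded in the script so it runs offline; point it at your own file instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise an nmap -oG report.
# The sample file written here is CONSTRUCTED to mimic the grepable format;
# it is not real scan data. Replace SAMPLE with your own .gnmap path.

SAMPLE="${TMPDIR:-/tmp}/nmap-tips-sample.gnmap"

# Write the constructed sample. Fields in -oG lines are tab separated.
write_sample() {
    {
        printf '# Nmap 6.40 scan initiated (constructed sample, not a real scan)\n'
        printf 'Host: 192.168.1.254 ()\tStatus: Up\n'
        printf '%s\t%s\t%s\n' 'Host: 192.168.1.254 ()' \
            'Ports: 80/open/tcp//http///, 443/open/tcp//https///, 49152/open/tcp/////' \
            'Ignored State: closed (997)'
        printf 'Host: 192.168.1.74 ()\tStatus: Up\n'
        printf '%s\t%s\t%s\n' 'Host: 192.168.1.74 ()' \
            'Ports: 22/filtered/tcp//ssh///' \
            'Ignored State: filtered (999)'
        printf '# Nmap done -- 254 IP addresses (2 hosts up) scanned\n'
    } > "$SAMPLE"
}

# Every IP nmap reported as up ("Status: Up" lines). Usage: up_hosts FILE
up_hosts() {
    awk -F'\t' '$1 ~ /^Host: / && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }' "$1"
}

# Open ports of one host as "port/proto service". Usage: open_ports FILE IP
open_ports() {
    awk -F'\t' -v ip="$2" '
        $1 ~ /^Host: / {
            split($1, h, " ")
            if (h[2] != ip) next
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, p, ", ")
                for (j = 1; j <= n; j++) {
                    # each entry is port/state/proto/owner/service/rpc/version/
                    split(p[j], f, "/")
                    if (f[2] != "open") continue
                    svc = f[5]; if (svc == "") svc = "unknown"
                    print f[1] "/" f[3] " " svc
                }
            }
        }' "$1"
}

# Hosts whose remaining ports were all in STATE (nmap reports this as
# "Ignored State: STATE (count)"). Usage: ignored_state_hosts FILE STATE
ignored_state_hosts() {
    awk -F'\t' -v st="$2" '
        $1 ~ /^Host: / {
            for (i = 2; i <= NF; i++)
                if (index($i, "Ignored State: " st " (") == 1) { split($1, h, " "); print h[2] }
        }' "$1"
}

# Stand-alone run: build the sample and print a short summary.
write_sample
echo "Hosts up:"
up_hosts "$SAMPLE"
for h in $(up_hosts "$SAMPLE"); do
    echo "Open ports on $h:"
    open_ports "$SAMPLE" "$h"
done
echo "Hosts with everything filtered:"
ignored_state_hosts "$SAMPLE" filtered
```

The same three functions work unchanged on a real file produced by `nmap -oG`, and the "Ignored State" check is a quick way to spot the hosts that silently drop probes, which is exactly the case where the -Pn scan above was needed.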

Here is another cool shortcut:

nmap 192.168.1.*

The '*' is essentially a wildcard.  So here is a cooler one:

nmap 192.168.1-10.*

Above I have combined the wildcard and the range!  

For you hard-core networkers, you can also use CIDR notation to scan a network or subnetwork:

nmap 192.168.1.1/24

But what if I wanted to exclude a certain address in the subnet?  Easy:

nmap 192.168.1.1/24 --exclude 192.168.1.253

In the example, I have asked nmap to scan the subnet 192.168.1.0-192.168.1.255 excluding IP address 192.168.1.253.  You can also exclude a range of addresses if you want.  Here is an example:

nmap 192.168.1.1/24 --exclude 192.168.1.250-253

Popular Command: What if you wanted a simple scan of a subnetwork, just to see what targets exist at what IP addresses?  This is really easy, use the '-sP' option (newer nmap releases call this ping scan '-sn'; '-sP' still works as an alias):

nmap -sP 192.168.1.0/24

Now here is something a little different.  The nmap scanner can also choose random targets for you.  For example:

nmap -iR 5

This means nmap will pick 5 targets at random and scan them!  Just for fun!!  Note that -iR draws its targets from the whole IPv4 Internet (skipping private and unallocated ranges), not from your local network.

Lastly, you can create a text file with a list of the IPs you want to scan.  Let's say I create a list called 'andysiplist.txt'.  The text file should have one IP address per line.  I can then use the following command to scan those IPs using nmap:

nmap -iL andysiplist.txt

And nmap will run a scan on whatever IP addresses are in the text file.  

You can also use a .txt file as an exclude list.  Above, the file andysiplist.txt contained the IP addresses we wanted to scan.  You can create a different text file - we will call it 'skipthese.txt'.  As before, it will contain a list, one IP per line, of the IPs you want to skip in the scan.  Once created, enter the following nmap command:

nmap 192.168.1.0/24 --excludefile skipthese.txt

And nmap will scan the entire 192.168.1.0 subnet excluding whatever addresses are in the skipthese.txt file.
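Before launching a scan over a whole subnet with exclusions, it is worth checking exactly which addresses the target syntax covers.  The script below is an added example, not part of the original article or of nmap itself: it is a simplified re-implementation of the target forms used in this article (a single IP, a last-octet range such as 192.168.1.250-253, and CIDR notation) plus an exclude file, so you can preview the address list offline.  The skipthese.txt it writes is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article, not nmap's own parser):
# expand nmap-style targets and subtract an exclude file to preview a scan.
# Handles only the forms shown in the article: a.b.c.d, a.b.c.x-y, a.b.c.d/N.

# dotted quad -> integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# integer -> dotted quad
int_to_ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# a.b.c.d/N -> every address in the block, network and broadcast included
# (nmap treats 192.168.1.1/24 as 192.168.1.0-192.168.1.255, as the article says)
expand_cidr() {
    base=${1%/*}; prefix=${1#*/}
    size=1; i=$prefix
    while [ "$i" -lt 32 ]; do size=$(( size * 2 )); i=$(( i + 1 )); done
    n=$(ip_to_int "$base")
    start=$(( n - n % size ))
    i=0
    while [ "$i" -lt "$size" ]; do
        int_to_ip $(( start + i ))
        i=$(( i + 1 ))
    done
}

# One target spec -> one address per line
expand_spec() {
    case $1 in
        */*) expand_cidr "$1" ;;
        *-*) first=${1%-*}; last=${1##*-}; net=${first%.*}; lo=${first##*.}
             while [ "$lo" -le "$last" ]; do echo "$net.$lo"; lo=$(( lo + 1 )); done ;;
        *)   echo "$1" ;;
    esac
}

# Targets of SPEC minus everything listed in EXCLUDEFILE (one spec per line;
# blank lines and lines starting with # are skipped, this script's convention).
# Usage: scan_targets SPEC EXCLUDEFILE
scan_targets() {
    tmp=$(mktemp)
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$2" | while read -r line; do
        expand_spec "$line"
    done > "$tmp"
    expand_spec "$1" | grep -v -x -F -f "$tmp"
    rm -f "$tmp"
}

# Stand-alone run with a CONSTRUCTED exclude file.
EXCLUDES="${TMPDIR:-/tmp}/skipthese.txt"
printf '# hosts to leave alone (constructed sample)\n192.168.1.250-253\n192.168.1.1\n' > "$EXCLUDES"
echo "Addresses nmap 192.168.1.0/24 --excludefile skipthese.txt would cover:"
scan_targets 192.168.1.0/24 "$EXCLUDES" | wc -l
```

nmap has a built-in way to do the same preview: `nmap -sL -n <targets> --excludefile skipthese.txt` lists the targets without sending any probes (-sL is the list scan, -n skips reverse DNS).  The shell version above is useful when you want to feed the resulting list to other tools or double-check a range before handing it to nmap.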

 

OK, we are off to a great start.  Have fun with nmap and look for further tips and tricks here on nmap.  Just click on the ‘nmap’ tag below to see other nmap related content.
