A really nice network tool that has been around since 1997 is called 'nmap'. This tool is quite powerful, and some people think it is an evil network hacking tool. While it can be used for hacking, we prefer to use it to troubleshoot networks. Indeed it is powerful and we want to dedicate a few tips and tricks to the use of nmap.
In this article we will get started with the tool. We will be using it in a Linux environment, but know that it is available for all systems at
Here is an overview video:
We will not go into the installation further than what is covered in the video, but assume you can follow the directions for downloading and installing the tool from their web site. Some systems, like Kali Linux or Parrot Linux, come with nmap pre-installed. You can check this by entering:
If you are running a different version of Linux, and nmap is not installed, simply enter:
sudo apt-get install nmap
Once installed, understand that nmap is primarily run from the command line or via a terminal window. You can run the graphics front end (called Zenmap) - but we will save that for a later article.
If nmap is installed you should get something like this:
You can see I have version 6.40 running on my system.
Let's do our first scan!
It's really easy. I am going to scan my local router. I need to know its IP address. In my case it is at address 192.168.1.254. To scan that device, just enter:
Here is what I got when I scanned the address:
What we see is that nmap started and once completed issued a report. It reported that the host at 192.168.1.254 is up and operating. The next line reports the latency or delay to the system. The next several lines indicate what logical ports responded to the scan. These items are shown in three columns: Ports, the State, and the Service.
We see port 80, port 443, and port 49152 are open on this host. Your scan may have more ports than this.
These ports generally refer to applications or services on the host, which is the Service column. Port 80 is HTTP or Hypertext Transfer Protocol used for web browsing. You can see a full list of ports and their assignments
Next to the port number is either tcp or udp. This indicates which Layer 4 protocol is being used on that port.
The State column tells us whether that port is open, closed or even being blocked or filtered!
Depending on what you scanned you will get a number of different items in this simple scan. In the screen shot below I tried scanning a system at 192.168.1.74:
It looks like the system is not working, but it is there. I tried pinging it and got a response:
So, as nmap suggests, I tried the '-Pn' option. This scan took considerably longer to run. Here is what I got:
We see that the system is in fact running but is filtering the 1000 ports that were scanned. Cool. But let me explain that a little further. Before scanning ports, nmap uses ICMP (Internet Control Message Protocol) to discover devices on the network. Ping is actually an ICMP echo message. Some devices and firewalls block these messages, so the -Pn option turns off nmap's normal discovery step and goes straight to scanning the ports, treating the host as up.
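To make the report layout concrete, here is an added example (not part of the original article) that parses nmap's normal text output into per-host records, including the case above where nmap prints a single "All 1000 scanned ports ... are filtered" line instead of a table. The sample report is constructed to mirror the two scans described here, and the function names are hypothetical.

```python
import re

# Constructed sample in nmap's normal output layout; addresses and ports mirror
# the two scans described in the article, the dates and timings are made up.
SAMPLE = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-01 10:00 EST
Nmap scan report for 192.168.1.254
Host is up (0.0050s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
49152/tcp open  unknown

Nmap scan report for 192.168.1.74
Host is up.
All 1000 scanned ports on 192.168.1.74 are filtered
Nmap done: 2 IP addresses (2 hosts up) scanned in 215.40 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
ALL_RE = re.compile(r"^All (\d+) scanned ports on .+ are (\S+)$")

def parse_report(text):
    """Return {ip: {"ports": [(port, proto, state, service)], "all_ports": (n, state) or None}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:                                   # a new per-host section starts
            current = hosts.setdefault(m.group(1), {"ports": [], "all_ports": None})
            continue
        if current is None:
            continue                            # banner lines before the first host
        m = PORT_RE.match(line)
        if m:                                   # one row of the PORT/STATE/SERVICE table
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = ALL_RE.match(line)
        if m:                                   # no table printed: every port had one state
            current["all_ports"] = (int(m.group(1)), m.group(2))
    return hosts

def ports_in_state(hosts, state="open"):
    """Flatten to sorted (ip, port, proto, service) tuples for one state."""
    return sorted((ip, port, proto, svc) for ip, h in hosts.items()
                  for port, proto, st, svc in h["ports"] if st == state)
```

For anything beyond a quick look, nmap's XML output (the -oX option) is a more stable format to parse than the screen report.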
Now you can scan more than one IP address by listing them after the nmap command:
nmap 192.168.1.1 192.168.1.2 126.96.36.199 192.168.1.254
If they are all in the same sub network, you could also type:
If you wanted to scan a range of systems just type:
This may take some time to run, but you will get a scan report for each system found at any of the IP addresses in the range! So this can be a great way to find out what is connected to a network, as well as see what services are running on those devices. The report may be long and require you to scroll through it. By the way, if nmap is off working and you have no information on the console, simply hit enter and nmap will tell you what it is up to and how much more time it anticipates the current process will take. Nice.
Here is another cool shortcut:
The '*' is essentially a wildcard. So here is a cooler one:
Above I have combined the wildcard and the range!
For you hard core networkers, you can also use the CIDR notation to scan a network or subnetwork:
But what if I wanted to exclude a certain address in the subnet? Easy:
nmap 192.168.1.1/24 --exclude 192.168.1.253
In the example, I have asked nmap to scan the subnet 192.168.1.0-192.168.1.255 excluding IP address 192.168.1.253. You can also exclude a range of addresses if you want. Here is an example:
nmap 192.168.1.1/24 --exclude 192.168.1.250-253
Popular Command: What if you wanted a simple scan of a subnetwork, just to see what targets exist at what IP addresses? This is really easy, use the '-sP' option:
nmap -sP 192.168.1.0/24
Now here is something a little different. The nmap scanner can also choose its targets at random. For example:
nmap -iR 5
This means nmap will scan 5 randomly chosen targets. Note that -iR picks these addresses at random from the whole Internet address space, not from your own network.
Lastly, you can create a text file with a list of the IPs you want to scan. Let's say I create a list called 'andysiplist.txt'. The text file should have one IP address per line. I can then use the following command to scan those IPs using nmap:
nmap -iL andysiplist.txt
And nmap will run a scan on whatever IP addresses are in the text file.
You can also use a .txt file with an exclude list. Above, the file andysiplist.txt contained the IP addresses we wanted to scan. You can create a different text file - we will call it 'skipthese.txt'. As before, you will then have a list, one IP per line, of the IPs you want to skip in the scan. Once created, enter the following nmap command:
nmap 192.168.1.0/24 --excludefile skipthese.txt
And nmap will scan the entire 192.168.1.0 subnet excluding whatever addresses are in the skipthese.txt file.
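Before running a scan over a range, it helps to see exactly which addresses the target and exclude arguments cover. The following is an added example, not from the original article, that expands the IPv4 notations shown above (comma lists, ranges, wildcards, CIDR) and subtracts an exclude list; the function names are hypothetical, hostnames are not handled, and the exclude-file contents are constructed.

```python
import ipaddress
from itertools import product

def expand_octet(field):
    """Expand one octet field: '5', '250-253', '1,2,254', '*' or '-'."""
    values = set()
    for part in field.split(","):
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s or 0), int(hi_s or 255)   # open ends default to 0 / 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field: {field!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(spec):
    """Expand one IPv4 target: single address, CIDR block, or per-octet list/range/wildcard."""
    if "/" in spec:
        # strict=False accepts a host address such as 192.168.1.1/24; every address
        # in the block is listed, including .0 and .255
        return {str(a) for a in ipaddress.ip_network(spec, strict=False)}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {spec!r}")
    return {".".join(map(str, combo)) for combo in product(*map(expand_octet, octets))}

def read_list(text):
    """Targets from list-file contents (one per line); blank lines are skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def scan_scope(targets, exclude=()):
    """Addresses left to scan after removing the excluded ones, in numeric order."""
    wanted = set().union(*map(expand_target, targets))
    skipped = set().union(*map(expand_target, exclude))
    return sorted(wanted - skipped, key=ipaddress.ip_address)

# Constructed stand-in for the contents of skipthese.txt
SKIP_FILE = "192.168.1.253\n\n192.168.1.250-252\n"

if __name__ == "__main__":
    scope = scan_scope(["192.168.1.0/24"], read_list(SKIP_FILE))
    print(len(scope), "addresses, from", scope[0], "to", scope[-1])
```

nmap can produce the same listing itself: the -sL (list scan) option with the same target and exclude arguments prints the addresses without scanning them.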
OK, we are off to a great start. Have fun with nmap and look for further tips and tricks here on nmap.