Nmap is a powerful network scanning tool used for security audits and penetration tests. It is also one of the most useful tools a network administrator has for diagnosing connectivity problems and carrying out port scans.
In addition, Nmap can determine the MAC address, operating system type, service version, and a great deal more.
This tutorial will walk you through the fundamentals of using the nmap command to carry out a variety of network-related activities.
Nmap can be installed on a variety of platforms, including all of the major operating systems. It was first distributed as a Linux-only utility, but it was subsequently ported to other operating systems such as macOS, Windows, and BSD.
There is also a graphical user interface for Nmap called Zenmap, which you may use if you find the command line less appealing.
The Nmap download page provides access to the official binary packages, which may be installed on your computer.
The process of installation is not complicated and differs depending on the operating system that you are using.
Installing Nmap on Ubuntu and Debian
Nmap may be downloaded from the default repositories for both Ubuntu and Debian. To install it, you need to run:
sudo apt update
sudo apt install nmap
Installing Nmap on CentOS and Fedora
On CentOS, Fedora and other Red Hat derivatives, run the following command:
sudo dnf install nmap
Installing Nmap on macOS
Installing Nmap on a macOS device may be accomplished either by downloading the “.dmg” installation package from the Nmap website or by using Homebrew:
brew install nmap
Installing Nmap on Windows
The Windows implementation of Nmap is often a bit slower and comes with a few more restrictions in comparison to the UNIX version.
Downloading the self-installation executable file for Nmap and running it is the simplest method available for installing Nmap on Windows.
On Windows, you can run Nmap either from the command line or through the Zenmap GUI. See the post-install usage instructions for more information on using Nmap on Windows.
Nmap is commonly used to do tasks such as auditing network security, network mapping, locating online devices, and identifying open ports.
The general syntax of the nmap command is as follows:
nmap [Options] [Target...]
The most basic way to use Nmap is to scan a single target as a regular user without supplying any options.
When nmap is invoked by a user other than root, who lacks raw packet privileges, it performs a TCP connect scan; in unprivileged mode the -sT option is selected automatically.
The result looks something like this and provides basic information about the scan along with a list of open and closed TCP ports:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-16 20:19 CET
Nmap scan report for X (x.x.x.x)
Host is up (0.048s latency).
Not shown: 981 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1025/tcp open  NFS-or-IIS
1080/tcp open  socks
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
The TCP SYN scan (-sS) is the most popular scan option because it works against any compliant TCP stack and is faster than the connect scan.
When nmap is run by a user with root privileges, the -sS option is enabled automatically.
sudo nmap 10.0.0.25
Increase the verbosity of the output by using the -v or -vv switch to get more specific information:
sudo nmap -vv 10.0.0.25
In order to conduct a UDP scan, you must run the following command as the root user while using the (-sU) option:
sudo nmap -sU 10.0.0.25
For a complete list of port scanning methods, visit the Nmap documentation page.
IPv6 addresses may also be scanned using Nmap. Use the -6 option if you want to provide an IPv6 host:
sudo nmap -6 fd12:3456:789a:1::1
Specifying Target Hosts
Nmap treats any argument that is not an option as a target host.
An argument that starts with a single or double dash is treated as an option.
The most straightforward approach is to provide one or more domain names or IP addresses:
nmap 10.0.0.25 host.to.scan
You may also define a network range using CIDR notation, for example:
nmap 192.168.10.0/24
The dash character lets you define an octet range. For instance, to scan 192.168.10.1, 192.168.11.1, and 192.168.12.1 you would run:
nmap 192.168.10-12.1
The comma can also be used to define targets. The next command targets the same hosts as the previous one:
nmap 192.168.10,11,12.1
You are able to mix all of these forms:
nmap 10.8-10.10,11,12.0/28 10.0.0-2.100,101
Use the list scan option (-sL), which just lists the targets without actually executing a scan, to be absolutely certain that you have chosen the appropriate hosts before beginning the scanning process:
nmap -sL 10.8-10.10,11,12.0/28 10.0.0-2.100,101
Use the --exclude option to skip targets that fall inside the range you have defined:
nmap 10.8-10.10,11,12.0/28 --exclude 10.10.12.12
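As an added illustration (not part of the original tutorial or of Nmap itself), the following Python code expands the target notations above the way nmap -sL would list them: comma lists, dash ranges, CIDR blocks and --exclude. It assumes nmap's rule that a CIDR suffix widens every expanded address to its whole block; check the result against nmap -sL before relying on it.

```python
import ipaddress
from itertools import product


def _expand_octet(part):
    """Expand one octet spec such as '8-10', '10,11,12' or '0-2,5' into ints."""
    values = set()
    for item in part.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 0      # nmap allows open-ended ranges like '-' or '1-'
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec: {item!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Return the set of IPv4Address objects one nmap target spec covers."""
    if "/" in spec:
        base, bits = spec.split("/", 1)
        bits = int(bits)
    else:
        base, bits = spec, 32
    octets = base.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected dotted quad: {spec!r}")
    hosts = set()
    for combo in product(*(_expand_octet(o) for o in octets)):
        addr = ".".join(map(str, combo))
        # Assumption: like nmap, widen each address to its whole /bits block;
        # strict=False clears the host bits so unaligned addresses still work.
        hosts.update(ipaddress.ip_network(f"{addr}/{bits}", strict=False))
    return hosts


def list_scan(specs, exclude=()):
    """Mimic 'nmap -sL <specs> --exclude <exclude>': sorted, de-duplicated targets."""
    targets = set()
    for spec in specs:
        targets |= expand_target(spec)
    for spec in exclude:
        targets -= expand_target(spec)
    return [str(addr) for addr in sorted(targets)]


if __name__ == "__main__":
    print("\n".join(list_scan(["10.8-10.10,11,12.0/28"], exclude=["10.10.12.12"])))
```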
Specifying and Scanning Ports
By default, Nmap performs a quick scan of the 1000 most commonly used ports. These are not the first 1000 ports in sequential order; they are the 1000 most frequently used ports, with numbers ranging from 1 to 65389.
Use the -p- option to scan every port from 1 all the way up to 65535:
nmap -p- 10.0.0.25
Each port is reported in one of these states:
- open – An application listening on the port accepts connections.
- closed – No application is listening on the port, but the host still answers the probe.
- filtered – The host does not respond to the probe, typically because a firewall is dropping it.
For instance, if you simply wanted to scan port 443, you would use the following command:
nmap -p 443 10.0.0.25
In order to specify more than one port, you must separate the target ports with a comma, like follows:
nmap -p 80,443 10.0.0.25
Port ranges are specified with the dash sign. To scan all UDP ports from 1 to 1024, for instance, you would run:
sudo nmap -sU -p 1-1024 10.0.0.25
Ranges and individual ports can be combined in a single comma-separated list:
nmap -p 1-1024,8080,9000 10.0.0.25
The port’s name may also be used in place of the port number to specify the port. For instance, the following might be used in order to do a scan for the ssh port:
nmap -p ssh 10.0.0.25
Invoke the nmap command with the -sn option to carry out a ping scan or conduct host discovery:
sudo nmap -sn 192.168.10.0/24
The -sn option tells Nmap to perform host discovery only, without a port scan. This is a quick way to find out which of the specified hosts are up and running.
Disabling DNS Name Resolution
By default, Nmap performs reverse-DNS resolution for every host it discovers, which increases the scan time.
It is a good idea, when scanning big networks, to stop reverse-DNS resolution, since this will speed up the scanning process. To do this, you need to run the command with the -n option:
sudo nmap -n 10.0.0.0/16
OS, Service and Version Detection
Through the use of TCP/IP stack fingerprinting, Nmap is able to determine the operating system of the remote host. Invoke the command with the -O option to do the operating system detection:
sudo nmap -O scanme.nmap.org
If Nmap is able to identify the host operating system, it will provide output similar to the following:
...
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 18 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.47 seconds
Generally speaking, system services listen on well-known standard ports assigned to them. For instance, if the port associated with the SSH service (port 22) is open on a host, you would assume that an SSH server is running there. You cannot be one hundred percent certain, however, because anyone is free to run a service on whatever port they like.
Nmap’s service and version detection features will let you know what software is listening on the port as well as the version of that programme.
Use the -sV option to detect the service and its version:
sudo nmap -sV scanme.nmap.org
...
PORT      STATE    SERVICE      VERSION
19/tcp    filtered chargen
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
By default, Nmap writes its results to standard output (stdout).
You can save the output to a file instead, which is useful when scanning a large network or when you need the results later.
Nmap supports several output formats. Use the -oN option followed by a file name to save the output in normal format:
sudo nmap -sU -p 1-1024 10.0.0.25 -oN output.txt
Saving the output in XML format is by far the most common choice for further processing. To do this, use the -oX option:
sudo nmap -sU -p 1-1024 10.0.0.25 -oX output.xml
Another useful format is the grepable output, which can be processed with standard Unix tools such as grep, awk, and cut. The -oG option selects grepable output:
sudo nmap -sU -p 1-1024 10.0.0.25 -oG output
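The grepable format packs each host's results into one tab-separated line, with every port written as port/state/protocol/owner/service/rpcinfo/version. As an added example (not from the tutorial or the Nmap project), the Python below parses such a file and pulls out the open services with their detected versions; the sample input is constructed, not captured from a real scan.

```python
# Constructed sample of 'nmap -sV -oG' output, modelled on the scan shown above.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Fri Dec 16 20:19:00 2022 as: nmap -sV -oG output 10.0.0.25
Host: 10.0.0.25 ()\tStatus: Up
Host: 10.0.0.25 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
# Nmap done at Fri Dec 16 20:19:02 2022 -- 1 IP address (1 host up) scanned in 1.78 seconds
"""

PORTS_PREFIX = "Ports: "


def parse_gnmap(text):
    """Return one dict per port entry found in grepable (-oG) output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip '# Nmap ...' comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # 'Host: <ip> (<name>)' -> <ip>
        for field in fields[1:]:
            if not field.startswith(PORTS_PREFIX):
                continue                  # e.g. 'Status: Up', 'Ignored State: ...'
            for entry in field[len(PORTS_PREFIX):].split(", "):
                parts = entry.split("/")  # nmap writes '/' inside versions as '|'
                if len(parts) < 7:
                    continue              # malformed entry; ignore rather than crash
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                results.append({"host": host, "port": int(port), "state": state,
                                "proto": proto, "service": service, "version": version})
    return results


def open_services(text):
    """(port, service, version) for every open port, in file order."""
    return [(r["port"], r["service"], r["version"])
            for r in parse_gnmap(text) if r["state"] == "open"]


if __name__ == "__main__":
    for port, service, version in open_services(SAMPLE_GNMAP):
        print(f"{port:>5}  {service:<12} {version}")
```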
Nmap Scripting Engine
The Nmap Scripting Engine is often regarded as one of the program's most powerful capabilities. In addition to the hundreds of scripts that ship with Nmap, you can write your own scripts in the Lua programming language.
Scripts can be used for a wide variety of purposes, including detecting malware and backdoors, performing brute-force attacks, and more.
For instance, the following command checks whether a host shows signs of being compromised:
nmap -sV --script http-malware-host scanme.nmap.org
Nmap is a free tool that network administrators commonly use to discover hosts and scan ports.
Please take notice that it is against the law in certain countries to scan networks without first obtaining authorisation to do so.