The Nmap Tool and How to Use It

3.2K

Nmap is a sophisticated tool for scanning networks, and it is used for doing security audits and penetration tests. It is one of the most essential tools that network managers may make use of when it comes to diagnosing issues with network connections and carrying out port scanning.

In addition, Nmap can determine the Mac address, operating system kind, service version, and a great deal more.

This tutorial will walk you through the fundamentals of using the nmap command to carry out a variety of network-related activities.

Installing Nmap

Nmap is an application that may be installed on a variety of different platforms, including all of the main operating systems. It was first distributed as an utility that was only compatible with Linux, but subsequently it was adapted to other operating systems such as macOS, Windows, and BSD.

There is also a graphical user interface for Nmap called Zenmap, which you may use if you find the command line less appealing.

The Nmap download page provides access to the official binary packages, which may be installed on your computer.

The process of installation is not complicated and differs depending on the operating system that you are using.

Installing Nmap on Ubuntu and Debian

Nmap may be downloaded from the default repositories for both Ubuntu and Debian. To install it, you need to run:

sudo apt update

sudo apt install nmap

Installing Nmap on CentOS and Fedora

On CentOS and other Red Hat derivatives, the following programmes may be run:

sudo dnf install nmap

Installing Nmap on macOS

Installing Nmap on a macOS device may be accomplished either by downloading the “.dmg” installation package from the Nmap website or by using Homebrew:

brew install nmap

Installing Nmap on Windows

The Windows implementation of Nmap is often a bit slower and comes with a few more restrictions in comparison to the UNIX version.

Downloading the self-installation executable file for Nmap and running it is the simplest method available for installing Nmap on Windows.

On Windows, you can execute Nmap using either the command line or the Zenmap software. Both of these methods are available to you. Check out the post-install use instructions if you want further information on how to use Nmap on Windows.

Using Nmap

Nmap is commonly used to do tasks such as auditing network security, network mapping, locating online devices, and identifying open ports.

The following is a condensed version of the nmap command’s original syntax:

nmap [Options] [Target...]

The most basic method of using Nmap is to do a scan on a single target while logged in as the regular user and without supplying any options:

nmap scanme.nmap.org

Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-16 20:19 CET
Nmap scan report for X (x.x.x.x)
Host is up (0.048s latency).
Not shown: 981 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1025/tcp open     NFS-or-IIS
1080/tcp open     socks
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

TCP connect scan is performed by nmap whenever it is called by a user other than root who does not have raw packet rights. In unprivileged mode, the (-sT) switch is activated automatically and by default.

The result will seem somewhat like this, and it will provide fundamental information about the scan as well as a list of open and restricted TCP ports.

The TCP SYN scan (-sS) is the most used scan option since it works against all compliant TCP stacks, is quicker than the connect option, and is thus the most popular.

When nmap is run in the context of a user with administrative capabilities, the -sS switch is automatically enabled.

sudo nmap 10.0.0.25

Increase the verbosity of the output by using the -v or -vv switch to get more specific information:

sudo nmap -vv 10.0.0.25

In order to conduct a UDP scan, you must run the following command as the root user while using the (-sU) option:

sudo nmap -sU 10.0.0.25

For a complete list of port scanning methods, visit the Nmap documentation page .

IPv6 addresses may also be scanned using Nmap. Use the -6 option if you want to provide an IPv6 host:

sudo nmap -6 fd12:3456:789a:1::1

Specifying Target Hosts

Nmap considers any arguments that are not options to be target hosts and processes them accordingly.

If an argument starts with a dash, whether it be a single dash or a double dash, it is considered an alternative.

The approach that is the most straightforward is to provide one or more domain names or destination addresses:

nmap 10.0.0.25 host.to.scan

You may define a network range by using the CIDR notation, which is as follows:

nmap 10.0.0.0/24

Using the dash character allows you to define an octet range. For instance, the following would need to be done in order to scan 192.168.10.1, 192.168.11.1, and 192.168.12.1:

nmap 10.0.0-12.1

The comma is also a character that may be used to define the targets that you want to hit. The next command aims for the same hosts as the one that was just executed:

nmap 10.0.0,11,12.1

You are able to mix any and all forms:

nmap 10.8-10.10,11,12.0/28  10.0.0-2.100,101

Use the list scan option (-sL), which just lists the targets without actually executing a scan, to be absolutely certain that you have chosen the appropriate hosts before beginning the scanning process:

nmap -sL 10.8-10.10,11,12.0/28  10.0.0-2.100,101

Utilize the —exclude option if you want to exclude scanning for targets that fall inside the range that you have defined.

nmap 10.8-10.10,11,12.0/28 --exclude 10.10.12.12

Specifying and Scanning Ports

Nmap is configured to carry out a cursory search for the 1000 most frequently used ports by default. These ports are not the first 1000 ports in sequential order; rather, they are the 1000 ports that are used the most often, with numbers ranging from 1 to 65389.

Utilize the -p option to search for ports ranging from 1 all the way up to 65535:

nmap -p- 10.0.0.25

Each port may be in any of these statuses at any one time:

• open – Requests are fulfilled by the application that is currently executing on the port.
• closed – The port is not used by any programmes, and the host just responds to requests that are made.
• filtered – There is no response from the host to the request.

For instance, if you simply wanted to scan port 443, you would use the following command:

nmap -p 443 10.0.0.25

In order to specify more than one port, you must separate the target ports with a comma, like follows:

nmap -p 80,443 10.0.0.25

It is possible to specify port ranges by using the dash sign. To scan all UDP ports ranging from 1 to 1024, for instance, you might execute the following command:

sudo nmap -sU -p 1-1024 10.0.0.25

All combined:

nmap -p 1-1024,8080,9000 10.0.0.25

The port’s name may also be used in place of the port number to specify the port. For instance, the following might be used in order to do a scan for the ssh port:

nmap -p ssh 10.0.0.25

Ping Scanning

Invoke the nmap command with the -sn option to carry out a ping scan or conduct host discovery:

sudo nmap -sn 192.168.10.0/24

Nmap is instructed by the -sn option to do merely a search for online hosts rather than a port scan. When you need a fast way to identify whether of the hosts you mentioned are up and functioning, this is a valuable tool.

Disabling DNS Name Resolution

The default behavior of Nmap is to carry out reverse-DNS resolution for each host that is identified. This causes the scan duration to rise.

It is a good idea, when scanning big networks, to stop reverse-DNS resolution, since this will speed up the scanning process. To do this, you need to run the command with the -n option:

sudo nmap -n 10.0.0.0/16

OS, Service and Version Detection

Through the use of TCP/IP stack fingerprinting, Nmap is able to determine the operating system of the remote host. Invoke the command with the -O option to do the operating system detection:

sudo nmap -O scanme.nmap.org

...
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 18 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.47 seconds

If Nmap is able to identify the host operating system, it will provide output similar to the following:

Generally speaking, system services will only listen on standard ports that have been specifically designated for them and are widely recognised. For instance, if the port that is associated with the SSH service (port 22) is open on the host, you will presume that an SSH server is running on the host. On the other hand, you can’t be one hundred percent certain since individuals are free to operate services on whatever port they like.

Nmap’s service and version detection features will let you know what software is listening on the port as well as the version of that programme.

Utilize the -sV option to do a search for the service and version:

sudo nmap -sV scanme.nmap.org

...
PORT      STATE    SERVICE      VERSION
19/tcp    filtered chargen
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap Output

The information is delivered to standard output by default when you use Nmap (stdout).

You have the option of saving the output to a file, which is useful if you are scanning a big network or if you require the information for later use.

Nmap has several different output kinds. Use the -oN option, followed by the file name, to save the output in normal format:

sudo nmap -sU -p 1-1024 10.0.0.25 -oN output.txt

Choosing to save the output in XML format is by far the most common choice. To do this, make advantage of the -oX option:

sudo nmap -sU -p 1-1024 10.0.0.25 -oX output.xml

Another format that is helpful is the grepable output, which can be processed using the typical tools that come with Unix, such as grep, awk, and cut. The -oG option allows you to specify the output to be grepable:

sudo nmap -sU -p 1-1024 10.0.0.25 -oG output

Nmap Scripting Engine

The scripting engine in Nmap is often regarded as one of the program’s most powerful capabilities. In addition to the hundreds of scrips that come pre-installed with Nmap, you have the ability to develop your own scrips using the Lua programming language.

Scrips may be used for a wide variety of purposes, including finding malware and backdoors, performing brute-force assaults, and more.

For instance, the following tools may be used to determine whether or not a certain host has been compromised:

nmap -sV --script http-malware-host scanme.nmap.org

Conclusion

Nmap is a tool that is available for free download and is generally used by network managers to find hosts and scan ports.

Please take notice that it is against the law in certain countries to scan networks without first obtaining authorisation to do so.

In the event that you have any inquiries or observations, do leave a comment down below.