How To Use Nmap
The nmap tool is a network scanner that can be used for a wide variety of network discovery tasks, including port scanning, service enumeration and OS fingerprinting. With the number of networked devices rising every day, network administrators must know how to scan their network for devices, track IP addresses, and perform IP address management.
Maintaining good network health and preventing unauthorized users from spying or wasting valuable bandwidth is an essential skill for administrators. Network security professionals are expected not only to know how to scan their network to locate devices, but also to understand the importance of IP address management.
How to install nmap?
To install nmap on Ubuntu or Raspbian, use:
sudo apt-get install nmap
For Linux distributions that use yum, such as Fedora, run this as root:
yum install nmap
Nmap has an extensive list of arguments that can be used to tailor your active scanning and results. The simplest command you can run, without any arguments, is nmap followed by the IP address you want to scan. This will scan that IP to see which ports are open.
Behind the scenes, TCP/IP connections can seem pretty complicated from a technical standpoint, but from a bird's-eye view they are quite simple. TCP/IP uses port numbers to identify network services on a network. For instance, when you are browsing the internet, your browser will connect using either port 80 (HTTP) or 443 (HTTPS). If you are sending an email, it will most likely be sent via port 25 (SMTP) and downloaded on the receiving end on port 110 (POP3). This is why nmap is so useful: it shows which ports are currently open and able to receive connections. To learn more about the TCP/IP protocol and spoofing, check out this article.
Looking at a network from a security point of view, the fewer services that are running on a host, the more secure it typically will be. More functionality generally means less security, because each additional exposed application widens the attack surface. A port scan is also a useful way to perform a preliminary check to see whether a service is running (and accepting connections). A quick scan of my Ubuntu server looks like this:
To discover which software is providing the service behind each of the open ports, use the -sV option:
nmap -sV 192.168.1.101
Here are the results from a basic scan:
nmap has correctly discovered that there are several open ports on this box, such as SMB (139). The tool also notes that the box is running an Apache server.
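Once -sV has identified the software behind each open port, the next step for IP address management is turning that output into an inventory you can diff over time. As an added example that is not part of the original article, the POSIX shell script below parses nmap's grepable output format (what `nmap -sV -oG - <targets>` writes to stdout) and lists each open port with its service and version, then counts open ports per host; the scan output it works on is constructed sample data, not a real scan.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output for two hosts; versions are made up.
# Real -oG lines are tab-separated: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..."
# and each port entry is port/state/proto/owner/service/rpcinfo/version/ (nmap replaces
# any "/" inside the version string with "|", so splitting on "/" is safe).
sample_og() {
  printf '%s\t%s\n' 'Host: 192.168.1.101 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.101 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 443/closed/tcp//https///' \
    'Ignored State: closed (996)'
  printf '%s\t%s\n' 'Host: 192.168.1.43 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.43 ()' \
    'Ports: 80/open/tcp//http//Apache httpd 2.4.7/' \
    'Ignored State: closed (999)'
}

# Read -oG output on stdin; print "ip port/proto service version" for every OPEN port.
# Closed and filtered entries are skipped so the result is the host's exposed surface.
open_ports() {
  awk -F'\t' '
    /^Host:/ && $2 ~ /^Ports:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      ports = $2; sub(/^Ports: /, "", ports)
      n = split(ports, p, /, /)
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
      }
    }'
}

# Open-port count per host ("ip count"), sorted, as a baseline to compare between scans:
# a host whose count grows has gained a service that someone should be able to explain.
count_open() {
  open_ports | awk '{ c[$1]++ } END { for (h in c) print h, c[h] }' | sort
}

# Demo on the constructed sample (replace sample_og with: nmap -sV -oG - <targets>).
sample_og | open_ports
sample_og | count_open
```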
nmap is able to perform advanced operating system detection using the -O option. For operating system detection, nmap needs to be run with root privileges:
sudo nmap -O 192.168.1.43
Here is the output from a scan performed against a local OWASP server:
If you want to scan more than one host at a time, nmap allows you to specify multiple addresses or use address ranges. To scan more than one host, just add extra addresses to the parameter list (with each one separated by a space). For example, to scan for open ports on 192.168.1.1, 192.168.1.4 and 192.168.1.43, use:
nmap 192.168.1.1 192.168.1.4 192.168.1.43
To specify an address range, use the dash symbol. For example, to scan the first five hosts on your network you could use:
The output would look something like this:
The first host found is the router supplied by my Internet Service Provider (on address 192.168.1.1) in a test lab environment.
Cookbook and summary
nmap is simple to use, yet it offers a range of advanced features. The next part in this series will touch on some of the more advanced uses, but in closing here is a short list of other commands you might find useful:
To check if a specific port is open, use -p followed by the port number or the port name, for example:
nmap -p ssh 192.168.1.4
It can be combined with the -sV flag to determine the version of the software attached to that port:
nmap -p ssh -sV 192.168.1.4
To discover which hosts are alive on your network, use the -sn flag. This will just ping the hosts specified in the address range, without port scanning them. For example:
nmap -sn 192.168.1.1-254
As a closing word of warning, don’t run scans against hosts that you don’t control or have permission to scan. Excessive scanning can be interpreted as an attack or could disrupt services unnecessarily.