Nmap is one of the best network mapping tools out there.  This guide will explain how to use Nmap to identify machines and services available in a network.

What is Nmap?

Nmap is a free and open-source tool used by network and system administrators and penetration testers to map environments, identify target devices and discover the services they are running.

Nmap is most often used from the command line; however, it also has a Graphical User Interface (GUI) called Zenmap.  It runs on all major operating systems and can be downloaded from the following location:  https://nmap.org/download.html

What can Nmap do – and why would I use it?

This is a great question and the crux of this guide. 

Nmap is very versatile and can therefore be used for many different tasks.  As a key tool in the penetration tester's arsenal, some of the most common tasks it is used for are:

  • Host Discovery – Nmap can be used to identify computers on a network.  It can do so using a variety of protocols and can identify hosts that do not respond to a ping.
  • Port Scanning – One of the most common goals is to use Nmap to identify any and all open ports on a computer.  This helps understand the attack surface of a device and network.
  • Banner Grabbing – Once open ports have been identified, Nmap can be used to identify the version of software installed.
  • OS Fingerprinting – By using a database of Operating System fingerprints, Nmap can identify the operating system of a target machine.
  • Vulnerability Analysis – While Nmap is predominantly a port scanner, the Nmap scripting engine (NSE) can be used to connect to open ports and identify security weaknesses.

If the above has not convinced you, Nmap is also easy to learn, useful across a range of cyber security activities, and able to produce output in several formats that can feed into other tools.

How to install Nmap

The installation process is simple enough for most people, although it varies slightly from operating system to operating system:

  • Linux – open a terminal and run: sudo apt install nmap (apt is the Debian/Ubuntu package manager; other distributions ship the nmap package through their own)
  • Windows – download the installer and execute it.  This will take you through a graphical installation and will give access to both Nmap (command line) and Zenmap (GUI)
  • Mac – download and execute the installer in the same way as with Windows

Using Nmap

Once you have Nmap installed, it is best to learn by doing.  Assuming you are connected to a wired or wireless network, you can begin identifying devices, and the services they are running.  Throughout this document, I will be using the 192.168.1.0/24 network address for the examples.

Host discovery

One of the first things that users of Nmap may want to do is to identify hosts on a network.  Nmap can be used to do this with a ping scan, which will identify all the live hosts on a network by sending a ping request.

Ping sweep

To run a ping sweep, simply run the following command.

nmap -sn 192.168.1.0/24

This command will send a ping request to each IP address in the network and report back on the hosts that responded. 

However, if you are scanning the network you are directly connected to and run the command with root privileges:

sudo nmap -sn 192.168.1.0/24

Nmap will use the Address Resolution Protocol (ARP) instead of ping.  This can be a key distinction, as it will allow users to identify hosts that do not respond to ping.

Port scanning

The main purpose of Nmap is to act as a port scanner.  This means identifying open ports on target machines. 

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the most common protocols to scan using Nmap.  These scans can be run in a variety of ways, with different flags (settings) used to increase efficiency.

It is important to be aware of the default settings within Nmap, and how they differ depending on the level of privilege the command is executed with (in the same way that the protocol used for host discovery depends on whether root privileges are available).

For a generic command such as:

nmap 192.168.1.0/24

Nmap will attempt a SYN scan of the 1,000 most common ports.  This is only possible when the command runs with root privileges, because a SYN scan needs to send raw packets.  If the command is executed with ordinary user privileges, Nmap falls back to a full TCP connect scan.

TCP scan

Nmap can be used to conduct a full TCP connect scan.  This establishes a full TCP three-way handshake with every open port on the target device, to identify the open ports.

To run a TCP connect scan, simply run the following command:

nmap -sT 192.168.1.0/24

SYN scan

Nmap can be used to conduct a SYN scan (sometimes known as a half-open scan).  This attempts to connect to a TCP port using only the first two steps of the TCP three-way handshake.  Regardless of whether a port is open or closed, the tool never establishes a full connection.

To run a SYN scan, run the following command (raw-packet scans such as this need root privileges, hence sudo):

sudo nmap -sS 192.168.1.0/24

UDP scan

It is also possible to scan UDP ports using Nmap.  However, because UDP has no equivalent of the TCP three-way handshake to confirm a port's state, Nmap often has to wait for timeouts and retransmissions, so UDP scans take much longer to complete (it is therefore recommended to reduce the number of ports assessed wherever possible).

To run a UDP scan, run the following command (UDP scans also need root privileges):

sudo nmap -sU 192.168.1.0/24

Version scan

It is possible to use Nmap to conduct banner grabbing during a port scan.  This is referred to as a version scan and allows Nmap not only to identify open ports, but also to collect details about the type and version of the software listening on them.

To run a Version scan, simply run the following command:

nmap -sV 192.168.1.0/24

Script scan

As with the version scan, Nmap can go further than simply identifying open ports. 

This is possible thanks to the Nmap Scripting Engine (NSE).  NSE scripts are short Lua scripts that can identify common misconfigurations and weaknesses, or gather additional information.  While scripts can be chosen individually, you can also run a ‘default’ script scan.

To run a ‘default’ script scan, simply run the following command:

nmap -sC 192.168.1.0/24

Useful optional flags

As well as having multiple types of scans that can be used, Nmap is incredibly flexible and has a variety of flags (settings) that can be used to tailor scans to your specific need.  While not a complete list, this section details the most common flags that are used during scanning.

OS detection

While the aggressive flag (-A) also performs OS detection (together with version detection, default scripts and traceroute), the -O flag can still be used on its own if you want to restrict the amount of traffic being generated by Nmap and focus purely on OS fingerprinting.

To identify the type of Operating System being used by the target device, the following command can be used (OS detection needs root privileges):

sudo nmap -O 192.168.1.0/24

Port selection

By default, Nmap will scan the most common 1,000 ports. 

This may be sufficient for your test, or you may need to tailor the ports being scanned.  There are a couple of different flags that can be used for this.

  • -p
    • This specifies a single port, a comma-separated list of ports, or a port range.  The following commands can be used:
      • nmap -p 80 192.168.1.0/24
      • nmap -p 80,443,3306 192.168.1.0/24
      • nmap -p 80-100 192.168.1.0/24
  • -F
    • This specifies that you want to conduct a fast scan, which will only scan the top 100 most common ports.  The following command can be used:
      • nmap -F 192.168.1.0/24
  • --top-ports
    • This lets you define how many of the most common ports you want scanned, without having to know specifically what they are.  The following command can be used:
      • nmap --top-ports 20 192.168.1.0/24
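Checking a -p value before launching a scan, as an added example that is not part of the original guide or of Nmap itself: the helper below expands the three forms shown above (single port, comma list, range, or a mix of them) into the exact set of ports Nmap will scan, rejects typos such as an inverted range or a port above 65535, and compresses a list of ports back into the shortest -p value for a follow-up scan.  Nmap's other -p syntax (for example the T:/U: protocol prefixes) is deliberately out of scope.  Knowing the count is especially useful for UDP scans, where keeping the number of ports small matters.

```python
# Added helper, not part of Nmap: expand and compress Nmap-style -p values.

def expand_port_spec(spec, max_port=65535):
    """Expand '80', '80,443,3306', '80-100' (or a mix of them) into a sorted
    list of unique port numbers.  Raises ValueError for ports outside
    1-65535, inverted ranges, empty elements or non-numeric text, so a typo
    is caught before the scan starts rather than half-way through it."""
    ports = set()
    for piece in spec.split(","):
        piece = piece.strip()
        if not piece:
            raise ValueError("empty element in port specification")
        if "-" in piece:
            lo_text, hi_text = piece.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
        else:
            lo = hi = int(piece)
        if not 1 <= lo <= hi <= max_port:
            raise ValueError(f"invalid port or range: {piece!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compress_ports(ports):
    """Inverse of expand_port_spec: turn a list of ports back into the
    shortest -p value, e.g. [22, 80, 81, 82, 443] -> '22,80-82,443'.
    Useful when building a targeted follow-up scan from earlier results."""
    runs = []                                   # [lo, hi] pairs of consecutive ports
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port                  # extend the current run
        else:
            runs.append([port, port])           # start a new run
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in runs)


if __name__ == "__main__":
    for spec in ("80", "80,443,3306", "80-100", "22,80-82,80"):
        ports = expand_port_spec(spec)
        print(f"-p {spec}: {len(ports)} port(s) -> {compress_ports(ports)}")
```

Run it before a large UDP scan to see how many ports a spec really covers; an inverted range such as 100-80 raises immediately instead of silently scanning nothing.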

Verbose mode

Nmap scans can take a long time, and it is easy to wonder whether a scan is still running or how close it is to finishing.

The verbose flag shows you information about the scan while it's running.  Verbosity can also be raised after a scan has already started, by pressing v in the terminal (most other keys print a progress estimate instead).

To use the verbose flag, simply run the following command:

nmap -v 192.168.1.0/24

No DNS resolution

When Nmap scans an IP address, it will also attempt a reverse DNS lookup to find the device's hostname.  If this information is not important, you can speed up scans by skipping these lookups with the -n flag.

To run a scan without DNS resolution, simply run the following command:

nmap -n 192.168.1.0/24

Timing

It is possible to speed up or slow down how fast Nmap scans an environment by choosing a timing template, ranging from -T0 (paranoid) to -T5 (insane).

The default setting for Nmap is -T3.  You may choose to slow down scans to avoid detection by monitoring systems, or to speed up scans that are taking a while.  Be aware that the faster the template, the higher the chance of missed ports or inaccurate results, particularly on slow or congested networks.

To run a scan using a timing template, simply run the following command:

nmap -T4 192.168.1.0/24

Specific script

To run a specific script from the NSE (Nmap Scripting Engine), choose the script you want from /usr/share/nmap/scripts (the usual location on Linux installs) and pass its name, without the .nse extension, to the --script flag.  The wildcard character * can be used to load multiple scripts with the same prefix in a single command; quote the pattern so the shell does not expand it against files in the current directory.

To run a specific script, simply run the following command:

nmap --script smb-vuln-ms17-010 192.168.1.0/24

To run a group of scripts, simply run the following command:

nmap --script "smb-vuln*" 192.168.1.0/24

Input list

Sometimes you may not want Nmap to scan an entire network range.  Instead, you may want to provide it with a list of IP addresses to scan (one per line).  Such a list can be created from the results of your host discovery and used to speed up later scans.

To run a scan with an input list, simply run the following command:

nmap -iL hostfile.txt

Output to files

By default, Nmap output is only shown on the terminal and not saved to a file.  This causes problems when you want to go back to previous scans, or to extract useful information from a scan of hundreds of hosts.  Writing results to files gives you a record of what was scanned and when, and lets you look back later.

There are a few different ways to output to files depending on what type of file you want to create:

  • -oN
    • This will output in normal Nmap style, the same as what you see on the terminal.  The following command can be used:
      • nmap 192.168.1.0/24 -oN networkscan
  • -oX
    • This will output the scan results in XML format, which is the best choice for feeding other tools.  The following command can be used:
      • nmap 192.168.1.0/24 -oX networkscan
  • -oG
    • This will output the scan in a ‘greppable’ format, with tab-separated fields per host.  This is helpful when using the command line tool grep (or a short script) to extract information.  The following command can be used:
      • nmap 192.168.1.0/24 -oG networkscan
  • -oA
    • This will write all three formats at once, creating networkscan.nmap, networkscan.xml and networkscan.gnmap.  The following command can be used:
      • nmap 192.168.1.0/24 -oA networkscan
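The -oG and -iL flags fit together: a host discovery scan saved in greppable format can be turned into the input list for a slower, targeted scan.  As an added example (not part of the original guide or of Nmap itself), the following Python parses a greppable output file, writes the live hosts to a hostfile.txt suitable for -iL, and lists the open services with their versions.  The embedded sample output is constructed for the example and is not from a real scan; its layout follows the greppable format Nmap documents (tab-separated fields on each Host: line, and port entries of the form port/state/protocol/owner/service/rpc/version/).

```python
import ipaddress
import re

# Constructed sample of nmap -oG output (not a real scan), used as the input here.
SAMPLE_GREPPABLE = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG networkscan 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.10 (printer.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (printer.lan)\tPorts: 631/open/tcp//ipp//CUPS 2.4/\n"
    "Host: 192.168.1.20 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 12:00:10 2024 -- 256 IP addresses (2 hosts up) scanned in 10.12 seconds\n"
)

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_ports_field(value):
    """Split a 'Ports:' field into one dict per port entry."""
    entries = []
    for entry in value.split(", "):
        parts = entry.rstrip("/").split("/", 6)   # version is last and may contain '/'
        parts += [""] * (7 - len(parts))          # closed ports omit rpc/version
        port, state, proto, _owner, service, _rpc, version = parts
        entries.append({"port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version})
    return entries


def parse_greppable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # skip '# Nmap ...' banner and footer
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["up"] = (value == "Up")
            elif key == "Ports":
                rec["up"] = True                      # only live hosts get a Ports: line
                rec["ports"].extend(parse_ports_field(value))
    return hosts


def live_hosts(hosts):
    """IPs that responded, sorted numerically rather than as strings."""
    return sorted((ip for ip, rec in hosts.items() if rec["up"]), key=ipaddress.ip_address)


def hostfile_text(hosts):
    """Contents for an -iL input list: one live IP per line."""
    return "".join(ip + "\n" for ip in live_hosts(hosts))


def open_services(hosts):
    """(ip, port, proto, service, version) for every open port on a live host."""
    rows = []
    for ip in live_hosts(hosts):
        for p in hosts[ip]["ports"]:
            if p["state"] == "open":
                rows.append((ip, p["port"], p["proto"], p["service"], p["version"]))
    return rows


if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE_GREPPABLE)
    with open("hostfile.txt", "w") as fh:           # then: nmap -sV -iL hostfile.txt
        fh.write(hostfile_text(hosts))
    for row in open_services(hosts):
        print("%-15s %5d/%s %-8s %s" % row)
```

To use it on a real scan, replace SAMPLE_GREPPABLE with the contents of the .gnmap file written by -oG or -oA; the same parser gives you an inventory of listening services that can be compared against what is expected on the network.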