Nmap sends packets and analyzes the responses it gets to discover hosts and services on a computer network. It is one of the most widely used port scanners available today, helping you find open ports and detect security risks on a network. This is the first step an attacker takes to gather information about a target network and identify a potential way to launch an attack: an attacker learns which services are running on open ports, along with their versions, which helps in finding vulnerabilities for the corresponding version. It is popularly known as the System Administrator’s Swiss Army Knife owing to its ability to serve multiple purposes: probing computer networks, host discovery, port scanning, vulnerability detection, OS detection, version detection, etc. It is a cross-platform utility. If you do not like working in the command-line interface, it is also available with a GUI, Zenmap, the official Nmap Security Scanner GUI.

Installation

We will demonstrate the installation of Nmap on two commonly used Linux distributions, CentOS and Ubuntu. It is available as a package in most Linux distributions’ repositories.

Installing Nmap On CentOS 6/7.x

To install the Nmap package on CentOS, run the command:

The system will prompt you to confirm and complete the installation. Type y and press Enter.

To check that it was installed successfully and see the installed version, execute the command below.

Installing Nmap on CentOS 8.x

We will use DNF to install it.

With the -y option, DNF/YUM installs the specified package without asking for confirmation.

And, to verify the installation:

Ubuntu

Run the command below to make sure all packages on the Ubuntu server are up to date.

Execute the command below to install it.

And run nmap --version to ensure it is installed.
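The commands the three installation sections above refer to, gathered into one added shell script that is not the article's own: it detects the distribution from /etc/os-release, runs the matching package manager (yum for CentOS 6/7, dnf for CentOS 8, apt-get on Ubuntu) and verifies with nmap --version. The function names and the --run flag are this example's own; it assumes sudo is available when not run as root, and it passes -y everywhere, whereas the article's CentOS 6/7 step answers the prompt with y by hand.

```shell
#!/bin/sh
# Added example (not from the original article): install Nmap on CentOS 6/7,
# CentOS 8 or Ubuntu by detecting the distribution, then verify the install.
# Assumes /etc/os-release exists (true on all three) and that sudo is available
# when not running as root. Function names and --run are this example's own.
set -eu

# Print the package-manager command for a distribution id and major version.
install_cmd_for() {
  distro=$1   # e.g. centos, ubuntu (the ID field of /etc/os-release)
  major=$2    # e.g. 7, 8, 20 (VERSION_ID before the first dot)
  case "$distro" in
    centos|rhel)
      if [ "$major" -ge 8 ]; then
        echo "dnf install -y nmap"    # CentOS 8.x: DNF; -y skips the prompt
      else
        echo "yum install -y nmap"    # CentOS 6/7: YUM; -y answers the y/Enter step
      fi ;;
    ubuntu|debian)
      echo "apt-get update && apt-get install -y nmap" ;;
    *)
      echo "unsupported distribution: $distro" >&2; return 1 ;;
  esac
}

# Read ID and VERSION_ID from /etc/os-release; prints "id major".
detect_distro() {
  . /etc/os-release
  echo "$ID ${VERSION_ID%%.*}"
}

# Run the install command, via sudo when not root.
install_nmap() {
  set -- $(detect_distro)
  cmd=$(install_cmd_for "$1" "$2")
  if [ "$(id -u)" -eq 0 ]; then sh -c "$cmd"; else sudo sh -c "$cmd"; fi
}

# Verify: print the first line of 'nmap --version', fail if nmap is missing.
verify_nmap() {
  command -v nmap >/dev/null 2>&1 && nmap --version | head -n 1
}

# Usage: sh install_nmap.sh --run
if [ "${1:-}" = "--run" ]; then
  install_nmap
  verify_nmap
fi
```

Run it with --run; without the flag it only defines the functions, so install_cmd_for can be checked on its own before touching a system.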

Real-time Nmap Usage Example

We will see a few examples illustrating the usage of the Nmap command.

Scan for open ports

Syntax for nmap:

nmap [Scan Type(s)] [Options] {target specification}

The target specification could be a hostname, IP address, domain name, network, subnet, etc.

Scan a domain

With no flags, Nmap will, by default:

- Scan the top 1000 most commonly used ports (the list of these ports comes from the nmap-services file and can be modified there).
- Attempt a TCP SYN connection to those ports when run as a privileged user.
- Send ICMP echo requests to the target hosts to confirm whether they are alive.
- Perform a reverse DNS lookup to get the hostname.

We can see four open ports, one filtered port, and 995 closed ports in the output shown above. A port is reported as filtered when Nmap cannot determine whether it is open or closed, which is usually because a firewall is blocking the probes. In the example shown above, we scan scanme.nmap.org, which has authorized itself to be scanned. You could also use the fast scan option -F to scan only the top 100 most commonly used ports of each protocol it is asked to scan.

Scan IP address

Scan a subnet

Scanning multiple hosts

Scanning multiple hosts is easy!

List the hostnames or IP addresses you want to scan one after another on the command line.

Use commas

The command above could also be written as below, to avoid repeating the IP address prefix.

Use a hyphen (-) to specify an IP address range, as shown below.

The above command will scan the first twenty hosts of the sub-network.

Use a wildcard (*) to scan an entire subnet:

The above command will scan for all 256 IP addresses in the subnet.
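To see what a range or wildcard target specification expands to before launching a scan, here is an added POSIX shell example that is not part of the original article. It implements Nmap's per-octet rule for IPv4 targets: each octet may be a number, a range such as 1-20, or the wildcard *, and the addresses scanned are the combination of all four octets. It goes slightly beyond the text by accepting a range or wildcard in any octet, not only the last. The function names expand_target and count_targets are this example's own; hostnames and CIDR notation such as /24 are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): expand an Nmap-style IPv4
# target spec (each octet N, N-M or *) into the individual addresses, the way
# Nmap interprets 192.168.1.1-20 or 192.168.1.*. Hostnames and CIDR (/24) are
# not handled. Function names are this example's own.
set -eu

# Print every value an octet spec covers: "7" -> 7, "1-20" -> 1..20, "*" -> 0..255.
expand_octet() {
  case "$1" in
    '*')  lo=0;       hi=255 ;;
    *-*)  lo=${1%-*}; hi=${1#*-} ;;
    *)    lo=$1;      hi=$1 ;;
  esac
  if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 255 ]; then
    echo "bad octet spec: $1" >&2; return 1
  fi
  i=$lo
  while [ "$i" -le "$hi" ]; do
    echo "$i"; i=$((i + 1))
  done
}

# All combinations of the four octet specs, one address per line.
expand_target() {
  spec=$1
  o1=${spec%%.*}; rest=${spec#*.}
  o2=${rest%%.*}; rest=${rest#*.}
  o3=${rest%%.*}; o4=${rest#*.}
  for a in $(expand_octet "$o1"); do
    for b in $(expand_octet "$o2"); do
      for c in $(expand_octet "$o3"); do
        for d in $(expand_octet "$o4"); do
          echo "$a.$b.$c.$d"
        done
      done
    done
  done
}

# Number of addresses a spec covers; a quick sanity check before scanning.
count_targets() {
  expand_target "$1" | wc -l | tr -d ' '
}

# Demo: how many hosts '192.168.1.1-20' and '192.168.1.*' cover (quote the
# wildcard so the shell does not glob it).
if [ "${1:-}" = "--demo" ]; then
  for s in '192.168.1.1-20' '192.168.1.*'; do
    echo "$s -> $(count_targets "$s") addresses, first $(expand_target "$s" | head -n 1), last $(expand_target "$s" | tail -n 1)"
  done
fi
```

Always quote a wildcard spec on the command line, for Nmap itself as well as for this script, or the shell will try to expand it against file names in the current directory.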

Read Hosts from a file

You could list all the hosts to be scanned in a file and use the command below.

Example of a host file:

Exclude hosts from search

You could exclude a few hosts from a group scan if you want. You could also exclude hosts from your scan using the --excludefile flag, which reads the hosts to skip from a file.

Nmap Port Selection

To scan specific ports on a system instead of the default top 1000 commonly used ports, use the -p parameter. For example, -p 22,80,443 scans only ports 22, 80, and 443 on the IP addresses given, and -p 1-500 scans ports 1 to 500 on the host given. Using -p- scans all 65535 ports.

Redirecting output to a file

By default, Nmap prints the output on the terminal, but when scanning a large network, it is better to save the results in a file for better analysis. You can save the results of its scans in different file formats.

Normal output format [-oN]

Normal mode gives you the output exactly as you see it on your screen.

XML output format [-oX]

We could export the results in XML format. It is one of the most used file formats, as most programming languages have libraries for XML parsing.

Grepable Output format [-oG]

We get the output in a format that is easily used with the grep command. The output could later be fed to command-line utilities like awk, grep, and sed to perform additional operations as required.

Script kiddie output [-oS]

It uses “leet” speak, replacing letters with visually similar numbers and symbols. This output format is not useful for any particular case and was included only as a joke.

Various Nmap scan types

TCP Connect Scan [-sT]

This is the basic form of TCP scanning and involves no stealth. It attempts to establish a complete connection with each of the ports specified, using the full three-way handshake (SYN -> SYN/ACK -> ACK). A successful connection indicates an open port. This is the default scan type Nmap uses when executed by an unprivileged user.

TCP SYN Scan [-sS]

Also known as a half-open scan, it is stealthier than the TCP connect scan as it never establishes a complete connection. The TCP SYN scan is the default scan type when executed as a privileged user; unprivileged users do not have permission to run this scan, as it requires raw socket / raw packet access. As we can see in the example above, a SYN scan could not be executed as a non-privileged user.

UDP scan [-sU]

If no flag is specified, Nmap scans TCP ports by default. To scan UDP ports, use the -sU flag, as shown below.

Ping Scan [-sn]

This is highly useful when you only need to know whether a host is alive and do not need information about open ports on it. This is often referred to as a ‘ping sweep’. In earlier versions of Nmap, -sn was known as -sP. In the above example, we can see that, in the specified target subnet, only three of the 256 IP addresses scanned are up. The options used are:

-sn: ping scan.
-n: skip DNS resolution, which speeds up the scan.
-v: verbose, to get more information about the scan.
-oG: output in grepable format.
-: the hyphen sends the grepable output to standard output, which is then piped to grep.
-iv: grep drops the lines containing the word ‘down’, ignoring case.

We can see only four hosts are alive out of the 256 IP addresses scanned in the subnet.
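The grepable format described under ‘Grepable Output format’ above, and the ping-sweep pipeline just shown, both lend themselves to parsing with awk rather than a plain grep for the word ‘down’. Here is an added POSIX shell example that is not part of the original article: sample_grepable builds a constructed sample of -oG output inline, hosts_up lists the hosts whose Status field is Up, and open_ports extracts only the open ports with their protocol and service name. The function names and the sample addresses are this example's own; the field layout (tab-separated Host, Status or Ports, Ignored State) is the one Nmap writes.

```shell
#!/bin/sh
# Added example (not from the original article): parse Nmap grepable (-oG)
# output with POSIX shell and awk. Function names and sample data are this
# example's own; the tab-separated field layout is Nmap's.
set -eu

# Constructed sample of what 'nmap -v -n -sn -oG - 192.168.1.0/24' writes for
# a sweep, plus the Ports lines a port scan of the live hosts would add.
sample_grepable() {
  printf '%s\n' '# Nmap 7.80 scan initiated as: nmap -v -n -sn -oG - 192.168.1.0/24'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Down\n'
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)\n'
  printf '%s\n' '# Nmap done -- 256 IP addresses (3 hosts up) scanned'
}

# Print the address of every host whose Status field is Up (reads stdin).
hosts_up() {
  awk -F'\t' '$1 ~ /^Host:/ && $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }'
}

# Print "host port/proto service" for each open port (reads stdin).
# A Ports entry looks like port/state/proto//service///, so after splitting
# on "/" the port is field 1, the state field 2, the protocol field 3 and the
# service name field 5. Filtered and closed ports are skipped.
open_ports() {
  awk -F'\t' '
    $1 ~ /^Host:/ && $0 ~ /Ports:/ {
      split($1, h, " "); host = h[2]
      for (f = 2; f <= NF; f++) {
        if ($f ~ /^Ports: /) {
          list = $f; sub(/^Ports: /, "", list)
          n = split(list, entry, ", ")
          for (i = 1; i <= n; i++) {
            split(entry[i], p, "/")
            if (p[2] == "open") print host, p[1] "/" p[3], p[5]
          }
        }
      }
    }'
}

# With real output: nmap -v -n -sn -oG - 192.168.1.0/24 | hosts_up
if [ "${1:-}" = "--demo" ]; then
  echo "Hosts up:";   sample_grepable | hosts_up
  echo "Open ports:"; sample_grepable | open_ports
fi
```

Keying on the Status and Ports fields instead of the word ‘down’ means a host whose reverse-DNS name happens to contain ‘down’ is not dropped by mistake, and the same functions work whether or not -v was given.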

OS and Service Version Detection

OS Scanning

In addition to port scanning and host discovery, Nmap can also provide information about the underlying operating system. Nmap has one of the largest operating system fingerprint databases and can identify operating systems by analyzing their responses to TCP/IP probes. It can be enabled with the -O flag. Below is the command:

Version Scanning

Nmap can also identify the services running on open ports and their version information. This helps in finding services running vulnerable versions, which can then be updated to mitigate the risk. It can be enabled with -sV.

Aggressive Scan

Nmap can also perform an aggressive, advanced scan that enables OS detection (-O), script scanning (-sC), version scanning (-sV), and traceroute (--traceroute). Pass the -A argument to perform an aggressive scan.
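Two points from this article fit naturally into a small wrapper: the TCP SYN scan section notes that -sS needs raw-socket privileges while -sT does not, and the closing paragraph advises getting written authorization before scanning. Here is an added POSIX shell example that is not the article's own: it refuses targets that are not listed in an authorization file, picks -sS when run as root and -sT otherwise, adds -sV version detection, and writes all output formats at once with -oA. The file name authorized_targets.txt, the DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a wrapper around nmap that
# (1) refuses to scan targets missing from an authorization file and
# (2) uses the SYN scan (-sS) only when running as root, falling back to the
# TCP connect scan (-sT) otherwise, because -sS needs raw-socket privileges.
# The authorization file name, DRY_RUN and function names are this example's own.
set -eu

# Choose the scan type from an effective UID: root (0) may use -sS, others -sT.
pick_scan_type() {
  if [ "$1" -eq 0 ]; then echo "-sS"; else echo "-sT"; fi
}

# Succeed only if $1 appears as a whole line in the authorization file $2.
is_authorized() {
  grep -qxF -- "$1" "$2"
}

# Build the nmap command line: chosen scan type, version detection (-sV) and
# all three output formats under one basename (-oA writes .nmap, .xml, .gnmap).
build_cmd() {
  target=$1; uid=$2; basename=$3
  echo "nmap $(pick_scan_type "$uid") -sV -oA $basename $target"
}

# scan TARGET [AUTHFILE]: print the command and, unless DRY_RUN=1, run it.
scan() {
  target=$1; authfile=${2:-./authorized_targets.txt}
  if ! is_authorized "$target" "$authfile"; then
    echo "refusing to scan $target: not listed in $authfile" >&2
    return 2
  fi
  cmd=$(build_cmd "$target" "$(id -u)" "scan-$(date +%Y%m%d)")
  echo "$cmd"
  if [ "${DRY_RUN:-1}" != "1" ]; then $cmd; fi
}

# Usage: DRY_RUN=0 sh scan_wrapper.sh scanme.nmap.org
if [ $# -ge 1 ]; then
  scan "$@"
fi
```

The authorization file is a plain list, one hostname or address per line; scanme.nmap.org, which the article notes has authorized itself to be scanned, is the obvious first entry for trying the wrapper out. The default is a dry run that only prints the command, so the first run shows what would be executed.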

It is always advisable to get written authorization/permission from the owner of the target network before initiating any scan. For example, http://scanme.nmap.org/ has authorized itself to be scanned. You could read about this in detail on the official website. What’s next? Check out how to install Nmap on Windows.