Nmap (or “network mapper”) is one of the most popular free network discovery tools on the market. Over the past decade or so the program has emerged as a core program for network administrators looking to map out their networks and conduct extensive network inventories. It allows the user to find live hosts on their network as well as scanning for open ports and operating systems.
Nmap runs centered around a command line similar to Windows Command Prompt, but a GUI interface is available for more experienced users. When using nmap, the user simply enters commands and runs scripts via the text-driven interface. They can navigate through firewalls, routers, IP filters and other systems. At its core, Nmap was designed for enterprise-scale networks and can scan through thousands of connected devices.
Some of Nmap’s main uses include port scanning, ping sweeps, OS detection, and version detection. The program works by using IP packets to identify available hosts on a network as well as what services and operating systems they run. Nmap is available on many different operating systems from Linux to Free BSD and Gentoo. Nmap also has an extremely active and vibrant user support community. In this article, we break down the fundamentals of Nmap to help you hit the ground running.
Why do I Need a Network Analyzer like Nmap?
Network analyzers like Nmap are essential to network security for a number of reasons. They can identify attackers and to test for vulnerabilities within a network. When it comes to cybersecurity, the more you know about your packet traffic, the better prepared you are for an attack. Actively scanning your network is the only way to ensure that you stay prepared for potential attacks.
As a network analyzer or packet sniffer, Nmap is extremely versatile. For example, it allows the user to scan any IP active on their network. If you spot an IP you haven’t seen before, you can run an IP scan to identify whether it is a legitimate service or an outside attack.
Nmap is the go-to network analyzer for many administrators because it offers a wide range of functions for free. For example you can use Nmap to:
- Identify live hosts on your network
- Identify open ports on your network
- Identify the operating system of services on your network
- Address vulnerabilities in your network infrastructure
How to Install Nmap
Before we get to how to use NMap, we’re going to look at how to install it. Windows, Linux and MacOS users can download Nmap here.
To install on Windows, use the Windows self-installer (referred to as nmap-<version>setup.exe) and the follow the onscreen instructions.
On Linux, things are a little trickier as you can choose between a source code install or a number of binary packages. Installing Nmap on Linux allows you to create your own commands and run custom scripts. To test whether you have nmap installed for Ubuntu, run the nmap –version command. If you receive a message stating that nmap isn’t currently installed, type sudo apt-get install nmap into the command prompt and click enter.
On Mac, nmap offers a dedicated installer. To install on Mac, double click the nmap-<version>.dmg file and open a file called nmap-<version>mpkg. Opening this will start the installation process. If you’re using OS X 10.8 or later, you might be blocked by your security preferences because nmap is considered an ‘unidentified developer’. To get around this, simply right click on the .mpkg file and select Open.
How to Run a Ping Scan
One of the basics of network administration is taking the time to identify active hosts on your network. On Nmap, this is achieved through the use of a ping scan. A ping scan (also referred to as a discover IP’s in a subnet command) allows the user to identify whether IP addresses are online. It can also be used as a method of host discovery. ARP ping scans are one of the best ways to detect hosts within LAN networks.
To run an ARP ping scan, type the following command into the command line:
# nmap -sp 220.127.116.11/24
This will return a list of hosts that responded to your ping requests along with a total number of IP addresses at the end. An example is shown below:
It is important to note that this search doesn’t send any packets to the listed hosts. However Nmap does run a reverse-DNS resolution on the listed hosts to identify their names.
When it comes to port scanning, you can use a variety of different techniques on Nmap. These are the main ones: –
- sS TCP SYN scan
- sT TCP connect scan
- sU UDP scans
- sY SCTP INIT scan
- sN TCP NULL
Newer users will attempt to solve most problems with SYN scans, but as your knowledge develops you’ll be able to incorporate some of these other techniques as well. It is important to note that you can only use one method of port scanning at a time (although you can combine an SCTP and TCP scan together).
sS TCP SYN Scan
The TCP SYN Scan is one of the quickest port scanning techniques at your disposal on Nmap. You can scan thousands of ports per second on any network that isn’t protected by a firewall. It is also a good scanning technique in terms of privacy because it doesn’t complete TCP connections that draw attention to your activity. It works by sending a SYN packet and then waiting for a response. An acknowledgement indicates an open port whereas no response denotes a filtered port. An RST or reset identifies non-listening ports.
sT TCP Connect Scan
A TCP connect scan is the main alternative TCP scan when the user is unable to run a SYN scan. Under TCP connect scan, the user issues a connect system call to establish a connection with the network. Instead of reading through packet responses, Nmap uses this call to pull information about each connection attempt. One of the biggest disadvantages of a TCP connect scan is that it takes longer to target open ports than a SYN scan.
sU UDP Scan
If you want to run port scanning on a UDP service, then UDP scans are your best course of action. UDP can be used to scan ports such as DNS, SNMP and DHCP on your network. These are particularly important because they are an area that attackers commonly exploit. When running a UDP scan, you can also run a SYN scan simultaneously. When you run a UDP scan, you’re sending a UDP packet to each targeted port. In most cases you’re sending an empty packet (besides ports like 53 and 161). If you don’t receive a response after the packets are transmitted, then the port is classified as open.
sY SCTP INIT Scan
The SCTP INIT port scan covers SS7 and SIGTRAN services and offers a combination of both TCP and UDP protocols. Like the Syn scan, the SCTP INIT Scan is incredibly fast, able to scan thousands of ports every second. It is also a good choice if you’re looking to maintain privacy because it doesn’t complete the SCTP process. This scan works by sending an INIT chunk and waiting for a response from the target. A response with another INIT-ACK chunk identifies an open port, whereas an ABORT chunk indicates a non-listening port. The port will be marked as filter if no response is received after multiple retransmissions.
sN TCP NULL Scan
A TCP NULL scan is one of the more crafty scanning techniques at your disposal. This works by exploiting a loophole in the TCP RFC that denotes open and closed ports. Essentially any packet that doesn’t contain SYN, RST or ACK bits will prompt a response with a returned RST if the port is closed and no response if the port is open. The biggest advantage of a TCP NULL scan is that you can navigate your way around router filters and firewalls. Even though these are a good choice for stealth, however, they can still be detected by intrusion detection systems (IDS).
If you want to identify active hosts on a network, then the host scan is the best way to do this. A host scan is used to send ARP request packets to all systems within a network. It will send an ARP request to a specific IP within an IP range and then active host will respond with an ARP packet sending its MAC address with a ‘host is up’ message. You will receive this message from all active hosts. To run a host scan, enter:
nmap -sP <target IP range>
This will raise a screen showing the following:
One of the simplest and most useful commands you can use is the -sL command, which tells nmap to run a DNS query on your IP of choice. By using this method, you can find hostnames for an IP without sending a single packet to the host. For example, input the following command:
nmap -sL 18.104.22.168/24
This returns a list of names relating to the IPs scanned, which can be incredibly useful for identifying what certain IP addresses are actually for (providing they have a related name!).
Another one of Nmap’s useful functions is OS detection. To detect the operating system of a device, Nmap sends TCP and UDP packets to a port and analyzes its response. Nmap then runs a variety of tests from TCP ISN sampling to IP ID sampling and compares it to its internal database of 2,600 operating systems. If it finds a match or fingerprint, it provides a summary consisting of the provider’s name, operating system, and version.
To detect the operating system of a host, enter the following command:
nmap -O 192.168.5.102
It is important to note that you require one open and one closed port in order to use the –O command.
Version detection is the name given to a command that allows you to find out what software version a computer is running. What sets it apart from most other scans is that the port isn’t the focus of its search. Instead it tries to detect what software a computer runs using the information given by an open port. You can use version detection by typing up the -sV command and selecting your IP of choice, for example:
#nmap -sV 192.168.1.1
When running any scan through Nmap, you might require more information. Entering the verbose command -v will provide you with additional details on what Nmap is doing. Nine levels of verbosity are available on Nmap, from -4 to 4:
- Level -4 – Provides no output (e.g. you won’t see response packets)
- Level -3 – Similar to -4 but also provides you with error messages to show you if an Nmap command has failed
- Level -2 – Does the above but also has warnings and additional error messages
- Level -1 – Shows run-time information like version, start time, and statistics
- Level 0 – The default verbosity level that displays sent and received packets as well as other information
- Level 1 – Same as level 0 but also provides detail on protocol details, flags and timing.
- Level 2 – Shows more extensive information on sent and received packets
- Level 3 – Show the complete raw transfer of sent and received packet
- Level 4 – Same as level 3 with more information
Increasing the verbosity is great for finding ways to optimize your scans. You increase the amount of information that you have access to and provide yourself with more information to make targeted improvements to your network infrastructure.
Nmap Scripting Engine
If you want to get the most out of Nmap, then you’re going to need to use the Nmap Scripting Engine (NSE). The NSE allows users to write scripts in Lua so they can automate various networking tasks. A number of different script categories can be created with the NSE. These are:
- auth – scripts that work with or bypass authentication credentials on a target system (such as x11-access).
- broadcast – scripts typically used to discover hosts by broadcasting on the local network
- brute – scripts that use brute force to gain access to a remote server (for example http-brute)
- default – scripts set by default on Nmap based on speed, usefulness, verbosity, reliability, intrusiveness, and privacy
- discovery – scripts that search public registries, directory services, and SNMP-enabled devices
- dos – scripts which can cause denial of service. Can be used to test or attack services.
- exploit – scripts designed to exploit network vulnerabilities (for example http-shellshock
- external – scripts that send data to external databases such as whois-ip
- fuzzer – scripts that send randomized fields within packets
- intrusive – scripts that risk crashing the targeted system and being interpreted as malicious by other administrators
- malware – scripts used to test whether a system has been infected by malware
- safe – scripts that aren’t considered intrusive, designed to exploit loopholes, or crash services
- version – used under the version detection feature but cannot be selected explicitly
- vuln – scripts designed to check for vulnerabilities and report them to the user
The NSE can be quite complicated to get your head around at first, but after the initial learning curve it becomes much easier to navigate. For example, entering the command -sC will allow you to use the common scripts native to the platform. If you want to run your own scripts, you can use the –script option instead. It is important to remember that any scripts you run could damage your system, so double check everything before deciding to run scripts.
As an alternative to the command line interface, NMap also offers a GUI called Zenmap. On Zenmap you can create and execute commands and scans. The GUI is much more user friendly than the command line interface, making it ideal for newer users. The GUI can also show graphical comparisons of service test results, for example:
If you want to write your own commands and scripts, then the GUI is far from ideal and you’re better off sticking with Nmap and the command line interface.
Nmap: An Essential Network Administration Tool
Ultimately, if you’re looking for a tool that allows you to target systems within your network and navigate around firewalls, then Nmap is the tool for you. Though it is not as glamorous as some of the other network analysis tools on the market, it remains a core part of most IT administrators’ toolkits. Ping scans and port scans are just the tip of the iceberg when talking about what this platform is capable of.
If you’d like to learn more about Nmap, an extensive community website is full of guides and information to help you get the most out of your experience. Once you get past the learning curve, you’ll not only have more transparency over your network, but you will be able to safeguard your systems against future threats. Just start out by learning the basics and you’ll do just fine with NMap.