Beginner’s Guide to Using nmap

nmap is a network scanner used for a range of discovery tasks: finding which hosts are up, port scanning, service and version enumeration, and OS fingerprinting.

To install nmap on Ubuntu or Raspbian use:

sudo apt-get install nmap

On distributions that use yum, such as CentOS and older Fedora releases (newer Fedora uses dnf with the same syntax), run this as root:

yum install nmap

The simplest invocation is to supply the hostname or IP address of the machine you want to scan. By default nmap probes the 1000 most commonly used TCP ports and reports which of them are open. Run as an ordinary user it performs a full TCP connect scan (-sT); run as root it sends raw SYN packets instead (-sS), which is faster and quieter because the handshake is never completed. For example:

nmap 192.168.1.101

TCP and UDP both identify each network service by a port number. For example, web servers listen on port 80 (HTTP) and 443 (HTTPS); mail is submitted on port 25 (SMTP) and retrieved on port 110 (POP3) or 143 (IMAP); secure shell connections are made on port 22; and so on. When nmap scans, it reports each probed port as open (something is listening and accepted the probe), closed (the host answered but nothing is listening there) or filtered (a firewall dropped the probe, so nmap cannot tell). The open ports tell you which services are running on the remote machine. Note that the default scan covers TCP only; UDP services such as DNS on port 53 need a separate, slower UDP scan with -sU.

From a security point of view, the fewer services a host runs, the smaller its attack surface: every listening port is code an attacker can reach and probe for weaknesses. A port scan is also a quick preliminary check that a service you expect is actually up and accepting connections (or that one you have disabled really is gone). A quick scan of my Ubuntu server looks like this:

[Screenshot: nmap-simple-scan]

To discover which software, and which version of it, is listening on each open port, use the -sV option. Rather than just noting that a port accepted a connection, nmap sends protocol-specific probes and matches the responses against its service signature database:

nmap -sV 192.168.1.101

Here are the results from a Raspberry Pi:

[Screenshot: nmap-sV]

nmap has correctly discovered that OpenSSH is providing the SSH service on the Pi, and the Service Info line notes that the host is running Linux. This is the more useful view for security work: knowing the exact version lets you check it against published vulnerabilities, and a version that does not match what you believe is installed deserves a second look.
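For a single host the screen output is all you need, but once the check is scripted (a nightly "what is listening on my servers" report, say) nmap’s grepable output, -oG, is far easier to handle than the screen format. The shell functions below are an added example, not code from this article or from the nmap project: open_ports_from_grepable reduces -oG output to one line per open port with the service name and, when -sV was used, the version string, and scan_open_ports wraps a real nmap run around it. SAMPLE_GREPABLE is a constructed -oG fragment shaped like the Pi results above, with a made-up address and made-up version strings, so the parser can be tried without a network.

```shell
#!/bin/sh
# Added example: list open ports from nmap's grepable (-oG) output.
# Each -oG host line is tab-separated, e.g.
#   Host: 192.168.1.4 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 7.9p1/<TAB>Ignored State: closed (999)
# and each entry in the Ports field is port/state/protocol/owner/service/rpcinfo/version.

# Print "host port/proto service [version]" for every port reported as open.
open_ports_from_grepable() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)        # strip the label ...
      sub(/ .*/, "", host)            # ... and the "(hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue  # drop closed and filtered ports
          line = host " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " (" f[7] ")"   # version, present with -sV
          print line
        }
      }
    }'
}

# Run a real scan; extra nmap flags such as -sV pass straight through, e.g.
#   scan_open_ports -sV 192.168.1.4
scan_open_ports() {
  nmap -oG - "$@" | open_ports_from_grepable
}

# Constructed -oG fragment (not real scan output) so the parser runs offline.
SAMPLE_GREPABLE=$(
  printf 'Host: 192.168.1.4 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.4 ()\tPorts: %s\tIgnored State: closed (997)\n' \
    '22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//nginx 1.14.2/, 25/closed/tcp//smtp///'
)

# Feed the constructed sample through the parser.
sample_open_ports() {
  printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable
}

sample_open_ports
```

Run the file as-is and it prints the two open ports from the sample; swap the last line for scan_open_ports -sV 192.168.1.4 to get the same one-line-per-port summary for a real host. Closed and filtered ports are dropped deliberately: for an "is my service up" check they are noise, and a port that quietly disappears from (or appears in) the nightly report is exactly the change you want to notice.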

nmap can also attempt operating system detection with the -O option. It compares quirks in the target’s TCP/IP responses against a database of known fingerprints, which requires crafting raw packets and therefore root privileges; detection is most reliable when nmap finds at least one open and one closed TCP port on the target. For Ubuntu and Raspbian:

sudo nmap -O 192.168.1.43

Here is the output from a scan performed against a Windows XP machine:

[Screenshot: nmap-os-scan]

If you want to scan more than one host at a time, nmap accepts several targets on the command line as well as range notations. To scan several addresses, list them separated by spaces. For example, to scan for open ports on 192.168.1.1, 192.168.1.4 and 192.168.1.43, use:

nmap 192.168.1.1 192.168.1.4 192.168.1.43

To specify a range of addresses, use a dash in the last octet (nmap also accepts CIDR notation, such as 192.168.1.0/24 for the whole subnet, and ranges in any octet). For example, to scan the first five hosts on your network you could use:

nmap 192.168.1.1-5

The output would look something like this:

[Screenshot: nmap-range-scan]

The first host found is the router supplied by my Internet Service Provider (on address 192.168.1.1) and the second one is my Raspberry Pi (on 192.168.1.4).

Although nmap is simple to use, it offers a range of advanced features. The next part in this series will cover some of them, but in closing here is a short list of other options you might find useful:

To check specific ports, use -p followed by a port number, a comma-separated list (-p 22,80,443), a range (-p 1-1024, or -p- for all 65535 ports), or a service name that nmap looks up in its nmap-services file. For example:

nmap -p ssh 192.168.1.4

It can be combined with -sV to determine which software, and which version, is listening on that port:

nmap -p ssh -sV 192.168.1.4

To discover which hosts are alive on your network, use the -sn flag (a "ping scan"): nmap does host discovery only and skips the port scan. Run as root on your local Ethernet segment it uses ARP requests, which a host cannot easily ignore; anywhere else it sends ICMP echo requests plus TCP probes to ports 80 and 443, so a host whose firewall drops all of those will be reported as down. Use -Pn to skip discovery and port-scan an address regardless. For example:

nmap -sn 192.168.1.1-254
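The multi-host and range syntax above and the -sn ping sweep combine naturally into a two-stage sweep: first find out which addresses answer, then scan only those for the port you care about. The script below is an added example, not part of this article or of nmap: live_hosts_from_grepable pulls the addresses nmap marked Up out of -sn -oG output, count_live counts them, and the commented pipeline shows how to hand that list straight back to nmap with -iL - (a target list read from standard input). SAMPLE_SWEEP is a constructed -sn result for 192.168.1.1-5; the hostnames are made up and the Down line is included only to show the filter at work.

```shell
#!/bin/sh
# Added example: two-stage sweep. Stage one asks nmap which hosts answer (-sn),
# stage two scans only those hosts for one port. Hosts that drop nmap's
# discovery probes never reach stage two, which is what -Pn is for (see below).

# Reduce "nmap -sn -oG -" output to one address per line for hosts reported Up.
# A -sn grepable line looks like:  Host: 192.168.1.1 (router.lan)<TAB>Status: Up
live_hosts_from_grepable() {
  awk -F'\t' '
    $1 ~ /^Host:/ && $2 == "Status: Up" {
      addr = $1
      sub(/^Host: /, "", addr)   # drop the label ...
      sub(/ .*/, "", addr)       # ... and the "(hostname)" part
      print addr
    }'
}

# How many of the probed addresses answered.
count_live() {
  live_hosts_from_grepable | wc -l | tr -d ' '
}

# Real-world pipeline (needs nmap and a network): discover, then check SSH on
# the survivors only. "-iL -" makes nmap read its target list from stdin.
#   nmap -sn -oG - 192.168.1.0/24 | live_hosts_from_grepable | nmap -iL - -p 22 -sV
# For a host known to be up that filters ping, skip discovery instead:
#   nmap -Pn -p 22 192.168.1.43

# Constructed -sn output (not a real scan) for the range 192.168.1.1-5.
SAMPLE_SWEEP=$(
  printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Down\n'
  printf 'Host: 192.168.1.4 (raspberrypi)\tStatus: Up\n'
  printf '# Nmap done: 5 IP addresses (2 hosts up)\n'
)

# Feed the constructed sweep through the filter.
sample_live_hosts() {
  printf '%s\n' "$SAMPLE_SWEEP" | live_hosts_from_grepable
}

sample_live_hosts
```

The output of the sample is the two addresses that answered, one per line, which is exactly the shape -iL - expects. Keep in mind that "down" here only means "did not answer nmap’s discovery probes": a host that blocks ICMP and has nothing on 80 or 443 drops out of the list silently, so for hosts you already know about, scanning them directly with -Pn is the safer choice.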

As a closing word of warning, don’t run scans against hosts that you don’t own or have explicit permission to scan. Scanning is visible: firewalls and intrusion detection systems log it and routinely treat it as hostile, and aggressive scans can disrupt or crash fragile devices such as printers and embedded systems.

Image credit: fiber Network Server by BigStockPhoto