An introduction to using Zenmap on Linux

We have seen in the first two parts of this series (a beginner’s guide to using nmap and advanced uses for nmap) that nmap is a powerful, yet easy to use, tool for network discovery and service enumeration. However, like many command line tools, the wealth of information it produces can be overwhelming and may be difficult to interpret for the untrained eye. Thankfully there is also a graphical front-end for nmap called Zenmap.

Zenmap is a cross-platform application which is available for Linux, Windows and OS X. Apart from the Linux specific parts, such as the installation process, this tutorial applies equally to all of the supported platforms. Speaking of the installation process, on Ubuntu you can install it using the Ubuntu Software Center (just search for “zenmap”) or from the command line using:

sudo apt-get install zenmap

The above command also works on the Raspberry Pi and on most other Debian or Ubuntu derived distributions. Note that recent Ubuntu and Debian releases no longer carry a zenmap package in their repositories; there you will need the builds from the nmap.org download page instead. On Fedora and other distributions that use yum (or its successor dnf), the package is called nmap-frontend:

su -c "yum install nmap-frontend"

Zenmap can be launched from the desktop menu, but several of nmap's features (SYN scans, OS detection and anything else that needs raw sockets) are only available with root privileges, so it is best to start it from the command line with sudo. Bear in mind that this runs the whole GUI as root. The narrower alternative is to grant only the nmap binary the capabilities it needs (cap_net_raw, cap_net_admin and cap_net_bind_service) with setcap and run Zenmap as an ordinary user, adding --privileged to the command so nmap does not assume it is unprivileged.

To start it on Ubuntu run:

sudo zenmap

There are two main ways to start an nmap scan from Zenmap: enter a target address and select a scan type from the “Profile” drop-down list, or type the command directly into the “Command” field. Whichever you use, the “Command” field always shows the exact nmap command line that will be run, so it is also a good way to learn what each profile does. If you are familiar with nmap, or you want to try out some of the commands from the previous articles, you can use the “Command” field directly.

The power of Zenmap is that it stores and sorts all the information from every scan performed and allows you to build up a picture of your network. The easiest place to start is a Ping scan to see which devices are alive on your network. In the “Target” field enter 192.168.1.1/24 and select “Ping scan” from the Profile list; this runs nmap -sn, a host discovery pass with no port scan. If you are using a different network range from 192.168.1.x, I will assume from here on that you know how to enter the correct range. For more details, please see the previous parts of this series.

Click “Scan”. The result will look something like this:

[Figure: Zenmap after a Ping scan]

Down the left side of the window, you will see a list of the devices (hosts) found on your network and, on the right, the output from the nmap command. Above the output pane is a set of tabs: “Nmap Output”, “Ports/Hosts”, “Topology”, “Host Details” and “Scans”. Each of these tabs shows more information about your network, and the information presented is cumulative: the more scans you do, the more information is available.

After a Ping scan, there is no information about the open ports. If you select a host from the list on the left and then click on the “Ports/Hosts” tab, there will be no information. But if we start a port scan of that host, the “Ports/Hosts” tab will be populated with the new information.

Enter one of the hosts in your network into the “Target” field, select “Regular scan” from the Profile drop-down list and click “Scan”. A Regular scan is nmap with no options, so it checks the 1,000 most common TCP ports. Zenmap will scan the host for open ports and populate the “Ports/Hosts” tab:

[Figure: Zenmap after a Regular scan of a single host]

Now run an Intense scan against 192.168.1.1/24. This profile is nmap -T4 -A -v: the -A option turns on OS detection, service version detection, default scripts and traceroute, so it discovers the open ports (again the 1,000 most common TCP ports, not all 65,535) and the operating system of each host. It needs root privileges for OS detection and is noticeably slower and noisier than the previous scans, which matters if you scan a /24. After the scan, the OS icons will change in the hosts list on the left, and the “Ports/Hosts” and “Host Details” tabs will offer more information about each host.

You can also see a graphic representation of your network, called a network topology. Click the “Topology” tab to see the overview of your entire network. Click the “Controls” button and use the Zoom functions to enlarge the picture if necessary.

[Figure: the Topology tab]

Each circle on the diagram represents a host found on the network. A host with fewer than three open ports is drawn green, one with three to six open ports yellow, and one with more than six open ports red. Hosts with filtered ports have a yellow padlock symbol next to them.
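The cumulative picture described above (a Ping scan first, then port scans filling in the “Ports/Hosts” tab) and the Topology colouring both come from the nmap XML output that Zenmap keeps for every scan. The following script is an added example, not Zenmap's own code: it merges constructed stand-ins for the three profile runs used in this tutorial into one per-host summary and derives each host's topology colour and padlock from it. The addresses, ports and OS match in the XML are invented for illustration and are not real captures.

```python
"""Merge several nmap XML runs into one per-host picture, the way Zenmap's scan
database feeds its tabs, and colour each host as the Topology tab does.

Added example, not Zenmap's own code. The XML strings are constructed to mimic
`nmap -oX` output; they are not real captures."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the "Ping scan" profile (nmap -sn 192.168.1.1/24): hosts, no ports.
PING_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sn 192.168.1.1/24">
  <host><status state="up" reason="arp-response"/><address addr="192.168.1.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/><address addr="192.168.1.10" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/><address addr="192.168.1.20" addrtype="ipv4"/></host>
  <runstats><hosts up="3" down="253" total="256"/></runstats>
</nmaprun>"""

# Constructed stand-in for the "Regular scan" profile (nmap 192.168.1.1): default 1000 TCP ports.
REGULAR_SCAN_XML = """<nmaprun scanner="nmap" args="nmap 192.168.1.1">
  <host><status state="up" reason="arp-response"/><address addr="192.168.1.1" addrtype="ipv4"/>
    <ports><extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
    </ports></host>
</nmaprun>"""

# Constructed stand-in for the "Intense scan" profile (nmap -T4 -A -v 192.168.1.10): seven open
# ports (generated below to keep the sample short) plus an OS match from -A.
INTENSE_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.168.1.10">
  <host><status state="up" reason="arp-response"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>""" + "".join(
    f'<port protocol="tcp" portid="{p}"><state state="open" reason="syn-ack"/></port>'
    for p in (22, 80, 111, 139, 445, 631, 3306)) + """</ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os></host>
</nmaprun>"""

PortKey = Tuple[str, int]  # (protocol, port number)

@dataclass
class HostSummary:
    addr: str
    up: bool = False
    open_ports: Set[PortKey] = field(default_factory=set)
    filtered_ports: Set[PortKey] = field(default_factory=set)
    os_guess: Optional[str] = None

def merge_scan(inventory: Dict[str, HostSummary], xml_text: str) -> Dict[str, HostSummary]:
    """Fold one nmap XML run into the inventory. A later observation of a port
    replaces an earlier one, so a port that closes between scans disappears."""
    for host in ET.fromstring(xml_text).iter("host"):
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        summary = inventory.setdefault(ipv4.get("addr"), HostSummary(ipv4.get("addr")))
        status = host.find("status")
        summary.up = summary.up or (status is not None and status.get("state") == "up")
        for port in host.iterfind("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            summary.open_ports.discard(key)
            summary.filtered_ports.discard(key)
            if state == "open":
                summary.open_ports.add(key)
            elif state == "filtered":
                summary.filtered_ports.add(key)
        osmatch = host.find("os/osmatch")  # only present when -O / -A was used
        if osmatch is not None:
            summary.os_guess = osmatch.get("name")
    return inventory

def topology_colour(summary: HostSummary) -> str:
    """Zenmap's Topology colouring: fewer than three open ports green, three to
    six yellow, more than six red."""
    n = len(summary.open_ports)
    return "green" if n < 3 else "yellow" if n <= 6 else "red"

def has_padlock(summary: HostSummary) -> bool:
    """Zenmap marks hosts that have filtered ports with a padlock."""
    return bool(summary.filtered_ports)

def build_inventory() -> Dict[str, HostSummary]:
    """Replay the three scans from the tutorial in order: discovery, then detail."""
    inventory: Dict[str, HostSummary] = {}
    for xml_text in (PING_SCAN_XML, REGULAR_SCAN_XML, INTENSE_SCAN_XML):
        merge_scan(inventory, xml_text)
    return inventory

if __name__ == "__main__":
    for addr, s in sorted(build_inventory().items()):
        print(f"{addr:14} up={s.up} open={len(s.open_ports)} colour={topology_colour(s)} "
              f"padlock={has_padlock(s)} os={s.os_guess}")
```

To run it against real data, save each scan with -oX (for example nmap -sn 192.168.1.1/24 -oX ping.xml) and feed the file contents to merge_scan in the order the scans were taken. The same XML files can be loaded into Zenmap through Scan > Open Scan, which is how results from command-line nmap end up in the same tabs and topology view as scans started from the GUI.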

As a further exercise, try some of the scans listed in the first two parts of this series by entering them directly into the “Command” field. If you want to add them permanently to the “Profile” drop-down list, use the built-in profile editor (under the Profile menu); the profiles it creates are saved in scan_profile.usp in your ~/.zenmap directory, so they can be backed up or copied to another machine. The profile editor is also a good way to experiment with other scan parameters, since it presents many of the nmap options as part of its user interface and shows the resulting command line as you change them.