Nmap, short for Network Mapper, is one of the most used portmapper and network scanning tools. While it is possible to run some of Nmap’s basic functions as an unprivileged/normal user, using most of its advanced features requires root or sudo privileges.
For example, some advanced port scanning features like NULL, Stealth SYN Scan, and many others can only work with root privileges because Nmap needs to access raw packet data to give you adequate/usable results.
Whenever you try to run such advanced features without sudo privileges, the tool will prompt you with the “requires root privileges” message.
Unfortunately, having to use sudo to run Nmap can be problematic, especially if you are not in the sudo group.
Fortunately, you can use capabilities to run Nmap without root or sudo privileges.
What are capabilities?
Linux capabilities are Linux kernel attributes that allow programs and processes to utilize privileges otherwise reserved for the root user.
In essence, Linux capabilities share root user powers or privileges, making it possible for unprivileged processes to run as privileged ones, which means they don’t undergo permission checks.
There are numerous Linux capabilities. You can learn more about Linux capabilities in the man pages.
The essence of this guide is to show you how to use three capabilities: CAP_NET_RAW, CAP_NET_ADMIN, and CAP_NET_BIND_SERVICE to give Nmap the privileges it needs to run without checking for root user permissions.
Note: be cautious when setting elevated capabilities, as a malicious user can exploit the Nmap’s Scripting Engine to get access to full sudo privileges and use scripts to exploit local host vulnerabilities. Therefore, use these settings carefully or restrict Nmap’s access to specific groups.
The following are Linux capabilities we grant to Nmap to remove the need for sudo and root permissions.
- CAP_NET_RAW: setting this capability allows a process to access and use raw packet data and sockets.
- CAP_NET_ADMIN: this capability gives the process the capacity to perform various network activities like IP firewall administration, interface configuration, set service type of TOS, change routing tables, etc.
- CAP_NET_BIND_SERVICE: This capability binds a socket to Internet domain privileged ports.
Linux capabilities are assigned in sets of “effective,” “inheritable,” “permitted,” and “ambient” for threads and files, respectively. To give Nmap the capabilities it needs to run without root or sudo privileges, we are using
eip, thus allowing Nmap to use these capabilities irrespective of which user runs it.
Step 1: Install libcap
To set Linux capabilities, you need to install the libcap package. This package allows you to use the setcap command. Use the command:
Now that we have libcap installed, we can use the
setcap command to modify Linux capabilities.
Step 2: Set Nmap capabilities
To set the Nmap capabilities that will allow it to run without root user privileges, execute the command:
Once you set the capabilities, you can verify they have been applied by using the
Note: it’s imperative to specify the full path to your Nmap installation folder.
Step 3: Run Nmap with the privilege flag
Now that we have these three capabilities set, we can run Nmap without sudo privileges by using the privilege flag to let Nmap know that it has these capabilities. To do that, execute:
Note: You have to use the
--privileged option, otherwise Nmap won’t know that it has these privileges.
If you want to save the time it takes to type in the
nmap --privilegedflag every time, you can set NMAP_PRIVILEGED environmental variable permanently by adding the export line to:
- ~/.xsessionrc: this works with most desktop/graphical environments and is inheritable by shells and terminals.
- ~/.profile: this works for shells that require login
- ~/.bashrc: works for bash
- ~/.gnomerc: only works for GNOME
Most Nmap port scanning and host discovery methods require root or sudo privileges. As discussed in the tutorial, you can override this functionality and run Nmap without being a root or in the sudoers group. Check out some of the best Linux port scanners you can use.