Network Mapper, abbreviated as Nmap, is an open-source network scanning tool that scans remote hosts and probes for a wealth of information such as open ports, OS versions, and versions of services listening on the open ports.
Depending on the arguments used, Nmap also reveals underlying system vulnerabilities associated with outdated software, based on CVSS (Common Vulnerability Scoring System) scores.
For this reason, Nmap is a valuable reconnaissance tool for penetration testing and revealing loopholes that can be exploited by hackers.
Basically, it comes pre-installed in Kali and Parrot OS which are operating systems dedicated to penetration testing and digital forensics.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Security auditing.
In this context, we shall look into some of the useful Nmap commands that help you gather useful information about remote hosts.
1. Create a complete computer network map.
2. Find remote IP addresses of any hosts.
3. Get the OS system and software details.
4. Detect open ports on local and remote systems.
5. Audit server security standards.
6. Find vulnerabilities on remote and local hosts.
Nmap is pretty easy to use if you're familiar with command-line interfaces. As it's already installed on most Linux/Unix-based distributions, you just have to execute the 'nmap' command from any terminal, and that's it. It will display several options for you.
Advanced users will also be able to use Nmap along with other system scripts and automated tasks in order to maximize the powers of this tool.
One of the most basic scans available is the nmap port scan command:
$ nmap -p 80 X.X.X.X
That's how you use Nmap.
What happens if your operating system doesn't include Nmap? No worries, let's see how to install it. While the installation process can differ a bit depending on the OS you are using, in most cases (MacOS and Windows) our recommendation is to get the latest release from the Nmap website's download page.
On Linux, open the terminal and run the command for your distribution to get Nmap installed:
CentOS/Fedora: $ sudo dnf install nmap
Ubuntu/Debian: $ sudo apt-get install nmap
That's it. Nmap is now installed on Linux.
On Windows, once you have downloaded the installer, run it to install Nmap. The automated installer should take care of configuring Nmap for you in mere seconds.
Mac users also have a fully automated installer. Just run the Nmap-mpkg file to begin the installation. After a few seconds, Nmap will be ready on your MacOS.
The most basic Nmap command involves scanning a single host and requires only the IP address or the hostname of the remote target as the argument:
$ nmap hostname
Or
$ nmap remote-host-ip
Moving forward, let's look into some Nmap use cases. In this guide, we will scan remote hosts using Kali Linux.
Scanning a single host is pretty straightforward. All you need is to pass the remote host IP address or domain name as the argument.
For example,
$ nmap X.X.X.X
Here, X.X.X.X should be replaced by the IP address of the host you are scanning.
The Nmap scan report includes details such as the open ports, state of the port, and the services listening on the ports.
In a scenario where you have multiple remote hosts, simply pass their IP addresses on a single line as shown:
$ nmap 192.168.2.103 192.168.2.1
If you wish to scan consecutive remote host IP addresses, simply list the final octets separated by commas:
$ nmap 192.168.2.1,2,3,4
The command above scans the remote hosts 192.168.2.1, 192.168.2.2, 192.168.2.3, and 192.168.2.4.
If you have remote hosts in a range of IP addresses, you can specify the range separated by a hyphen:
$ nmap 192.168.2.100-105
This will scan all the remote hosts in the range 192.168.2.100 to 192.168.2.105.
You can scan an entire subnet by making use of the CIDR notation. For instance, the command below scans all the remote hosts in the 192.168.2.0/24 subnet:
$ nmap 192.168.2.0/24
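Before scanning, it helps to confirm exactly which addresses a target specification covers so the scan stays inside the network you are authorised to audit. The function below is an added example, not part of the original article; `expand_targets` is a hypothetical helper name, and it handles only the IPv4 forms shown above (single address, comma list, hyphen range, CIDR):

```shell
#!/bin/sh
# Added example (not from the original article): list what a target spec covers.
# Handles only the forms shown above: plain address, comma list, hyphen range, CIDR.
expand_targets() {
  printf '%s\n' "$1" | awk '
    # Expand one octet spec ("7", "1,2,3,4", "100-105") into vals[1..n]; -1 if invalid.
    function octet(spec, vals,    n, i, k, parts, r, lo, hi, v) {
      n = 0; k = split(spec, parts, ",")
      for (i = 1; i <= k; i++) {
        lo = hi = parts[i]
        if (split(parts[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
        if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/ || lo + 0 > hi + 0 || hi + 0 > 255)
          return -1
        for (v = lo + 0; v <= hi + 0; v++) vals[++n] = v
      }
      return n
    }
    {
      bits = 32
      if (split($0, cidr, "/") == 2) {
        if (cidr[2] !~ /^[0-9]+$/ || cidr[2] + 0 > 32) exit 1
        bits = cidr[2] + 0; $0 = cidr[1]
      }
      if (split($0, o, ".") != 4) exit 1
      split("", a); split("", b); split("", c); split("", d)
      na = octet(o[1], a); nb = octet(o[2], b); nc = octet(o[3], c); nd = octet(o[4], d)
      if (na < 1 || nb < 1 || nc < 1 || nd < 1) exit 1
      if (bits < 32) {
        # CIDR: start at the network address and emit every address in the block.
        size = 2 ^ (32 - bits)
        ip = ((a[1] * 256 + b[1]) * 256 + c[1]) * 256 + d[1]
        for (x = ip - (ip % size); x < ip - (ip % size) + size; x++)
          printf "%d.%d.%d.%d\n", int(x / 16777216), int(x / 65536) % 256, int(x / 256) % 256, x % 256
        exit 0
      }
      for (i = 1; i <= na; i++) for (j = 1; j <= nb; j++)
        for (k = 1; k <= nc; k++) for (l = 1; l <= nd; l++)
          print a[i] "." b[j] "." c[k] "." d[l]
    }'
}

# Review the address list before handing the same spec to nmap.
expand_targets "192.168.2.100-105"
```

Note that a /24 expands to all 256 addresses, including the network and broadcast addresses.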
You can instruct Nmap to scan specific ports on a target host using the -p flag followed by the port number.
Here, we are scanning for port 80 on the remote host:
$ nmap -p 80 192.168.2.100
To specify multiple ports, you can list them using commas as shown below:
$ nmap -p 80,135,139 192.168.2.100
To show only the open ports on a target, use the --open flag.
Here, we are scanning Metasploitable Linux which is an intentionally vulnerable virtual instance for penetration testing:
$ nmap --open 192.168.2.107
If you just want to know which remote hosts are alive in your subnet, pass the -sn flag as shown. The output will be nothing fancy, just a brief summary of the active hosts:
$ nmap -sn 192.168.2.0/24
The -O flag enables you to even detect the host's operating system to a certain degree.
However, this does not give you the exact version of the target's OS. In the example below, we are scanning a host that runs on Windows 10, but the OS guesses suggest that the remote host is likely to be Windows XP SP2 or Windows Server 2008 / 2008 R2.
# nmap -O 192.168.2.103
You can get down to the nitty-gritty of the services listening on associated ports using the -sV flag. Common services include SSH (port 22), HTTP (port 80), and DNS (port 53). Service detection is one of the most critical scanning tasks.
It helps in pointing out outdated service versions that may leave the system prone to exploits and attacks.
$ nmap -sV 192.168.2.107
A stealth scan, also known as a SYN scan, is an unobtrusive kind of scan that quickly scans multiple ports within the shortest time possible. A SYN packet is sent to the remote target and, when the response is received, Nmap is able to report on whether the port is open, filtered, or closed. Because it sends raw packets, this scan must be run as root:
# nmap -sS 192.168.2.107
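The -A flag enables OS detection, service version detection, default script scanning, and traceroute. It performs a deep inspection of the remote target's ports, gives finer details about the versions of running services, and, through the scripts it runs, can point out vulnerabilities with those services: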
$ nmap -A 192.168.2.107
Nmap can also perform firewall identification to check whether ports are filtered. The -sA option (ACK scan) checks whether a firewall is filtering traffic to the target and is combined here with the -p flag and a port number. 'Unfiltered' implies that the port is reachable and not blocked by a firewall, while 'filtered' means a firewall is enabled and is blocking the probes to that port. Like the SYN scan, it needs root privileges:
# nmap -sA 192.168.2.107 -p 21
If you want to scan TCP ports only, use the -sT flag (TCP connect scan) as shown:
$ nmap -sT 192.168.2.107
If you want to scan UDP ports only, use the -sU option:
# nmap -sU 192.168.2.107
The Nmap Scripting Engine, abbreviated as NSE, provides Nmap scripts that extend Nmap's functionality. Nmap scripts are mostly used for vulnerability probing and malware detection. These scripts come preinstalled on Kali Linux and are located in the /usr/share/nmap/scripts path.
They have a unique .nse file extension.
For example, to check if a remote host can be brute-forced using SSH, use the Nmap script below:
$ nmap --script=ssh-brute.nse 192.168.2.107
If you are in a hurry and want to save the results of an Nmap scan for later review, you can use the redirection greater-than sign > as shown:
$ nmap -sT 192.168.2.103 > myscans.txt
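A saved report is most useful when it is checked against what the host is supposed to expose. The following is an added example, not from the original article: it reads saved Nmap output and lists every open port that is not on an allowlist. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). The sample below is constructed
# to resemble what `nmap -sT 192.168.2.103 > myscans.txt` saves.
sample_scan() {
  cat <<'EOF'
Nmap scan report for 192.168.2.103
Host is up (0.00042s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
80/tcp  open     http
135/tcp open     msrpc
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
EOF
}

# Usage: unexpected_open_ports "80/tcp 443/tcp" < myscans.txt
# Prints "host port/proto service" for each open port missing from the allowlist
# and returns 1 if any were found, so it can gate a cron job or CI step.
unexpected_open_ports() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Header line: "Nmap scan report for host" or "... for name (ip)".
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
    # Port table rows look like "135/tcp open msrpc".
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) {
      print host, $1, $3; found = 1
    }
    END { exit found + 0 }
  '
}

sample_scan | unexpected_open_ports "80/tcp 443/tcp" || echo "review the ports above"
```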
Alternatively, you can scan remote hosts that are listed in a text file. To read the file, use the -iL option:
$ nmap -A -iL hosts.txt
This article covers Nmap commands that you can use to get started with scanning your remote hosts. There are hundreds upon hundreds of Nmap commands and Nmap scripts that are used for scanning hosts and probing for any vulnerabilities.
Nmap, or Network Mapper, is an open source Linux command line tool for network exploration and security auditing. With Nmap, server administrators can quickly reveal hosts and services, search for security issues, and scan for open ports.
The Nmap tool can audit and discover local and remote open ports, as well as network information and hosts.
With the right Nmap commands, you can quickly find out information about ports, routes, and firewalls.