Network mapper, abbreviated as Nmap, is an open-source network scanning tool that scans remote hosts and probes for a wealth of information such as open ports, OS versions, and versions of services listening on the open ports.
Depending on the arguments used, Nmap can also reveal vulnerabilities associated with outdated software on the target, rated according to CVSS (Common Vulnerability Scoring System).
For this reason, Nmap is a valuable reconnaissance tool for penetration testing and revealing loopholes that can be exploited by hackers.
It comes pre-installed in Kali Linux and Parrot OS, which are operating systems dedicated to penetration testing and digital forensics.
In this context, we shall look into some of the useful Nmap commands that help you gather useful information about remote hosts.
Importance of Nmap:
1. Create a complete computer network map.
2. Find remote IP addresses of any hosts.
3. Get the OS system and software details.
4. Detect open ports on local and remote systems.
5. Audit server security standards.
6. Find vulnerabilities on remote and local hosts.
How To Use Nmap?
Nmap is pretty easy to use if you're familiar with command-line interfaces. As it's already installed on most Linux/Unix-based distributions, you just have to execute the 'nmap' command from any terminal, and that's it. It will display several options for you.
Advanced users will also be able to use Nmap along with other system scripts and automated tasks in order to maximize the powers of this tool.
Nmap port scan command
One of the most basic scans available is the nmap port scan command:
$ nmap -p 80 X.X.X.X
That's how you use Nmap.
How To Install Nmap on Linux, Windows and Mac?
What happens if your operating system doesn't include Nmap? No worries, let's see how to install it. While the installation process can differ a bit depending on the OS you are using, in most cases (macOS and Windows) our recommendation is to get the latest release from the Nmap website's download page.
To install Nmap on Linux.
Open the terminal and run the following commands to get Nmap installed:
CentOS/Fedora: $ sudo dnf install nmap
Ubuntu/Debian: $ sudo apt-get install nmap
That's it. Nmap is now installed on Linux.
To install Nmap on Windows.
Once you download the installer, execute it and install it. The automated installer should take care of configuring Nmap for you in mere seconds.
To install Nmap on MacOS.
Mac users also have a fully automated installer. Just run the Nmap .mpkg file to begin the installation. After a few seconds, Nmap will be ready on your macOS system.
Basic Nmap syntax
The most basic Nmap command involves scanning a single host and requires only the IP address or the hostname of the remote target as the argument:
$ nmap hostname
$ nmap remote-host-ip
Moving forward, let's look into some Nmap use cases. In this guide, we will scan remote hosts using Kali Linux.
1. Scan a single remote host
Scanning a single host is pretty straightforward. All you need is to pass the remote host IP address or domain name as the argument.
$ nmap X.X.X.X
Where X.X.X.X should be replaced by the IP address of the target host.
The Nmap scan report includes details such as the open ports, state of the port, and the services listening on the ports.
2. Scan multiple remote hosts
In a scenario where you have multiple remote hosts, simply pass their IP addresses on a single line as shown:
$ nmap 192.168.2.103 192.168.2.1
If you wish to scan several hosts that differ only in the last octet, list the last octets separated by commas, as follows:
$ nmap 192.168.2.1,2,3,4
The command above scans the remote hosts 192.168.2.1, 192.168.2.2, 192.168.2.3, and 192.168.2.4.
3. Scan a range of remote hosts
If you have remote hosts in a range of IP addresses, you can specify the range separated by a hyphen:
$ nmap 192.168.2.100-105
This will scan all the remote hosts from 192.168.2.100 to 192.168.2.105 range.
4. Scan a subnet
You can scan an entire subnet by making use of CIDR notation. For instance, the command below scans all the remote hosts in the 192.168.2.0/24 subnet:
$ nmap 192.168.2.0/24
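Before running a scan against a comma list, a hyphen range or a CIDR block, it is worth knowing exactly which addresses the target expression covers, so that the scan stays inside the scope you are authorized to test. The following Python function is an added example, not part of the original article or of Nmap itself; it expands the three target forms shown above (plus the '*' wildcard Nmap also accepts) into a plain list of IPv4 addresses. It only handles IPv4 literals, not hostnames, and is an approximation of Nmap's own target parser.

```python
import ipaddress
from itertools import product


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet of an Nmap-style target: '1', '1,2,3', '100-105', '1-3,7' or '*'."""
    values: list[int] = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            # Nmap allows open-ended ranges such as '-5' (0-5) or '250-' (250-255)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value out of range: {v}")
    return values


def expand_target(spec: str) -> list[str]:
    """Return every IPv4 address a single Nmap target expression refers to."""
    spec = spec.strip()
    if "/" in spec:
        # CIDR block: like Nmap, include the network and broadcast addresses
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target expression: {spec!r}")
    # Per-octet lists combine like nested loops, first octet varying slowest
    combos = product(*(_expand_octet(o) for o in octets))
    return [".".join(str(v) for v in combo) for combo in combos]


def expand_targets(specs: list[str]) -> list[str]:
    """Expand several expressions (as given on the nmap command line), deduplicated, order kept."""
    seen: dict[str, None] = {}
    for spec in specs:
        for addr in expand_target(spec):
            seen.setdefault(addr, None)
    return list(seen)


if __name__ == "__main__":
    # The three forms from the article plus an explicit multi-host list
    for expr in ["192.168.2.1,2,3,4", "192.168.2.100-105", "192.168.2.0/24"]:
        hosts = expand_target(expr)
        print(f"{expr:<20} -> {len(hosts)} hosts, first {hosts[0]}, last {hosts[-1]}")
    print(expand_targets(["192.168.2.103", "192.168.2.1"]))
```

Running it prints the host count and the first and last address for each expression, which is a quick sanity check that a /24 really means 256 addresses and that a typo such as 192.168.2.0/16 has not silently widened the scope.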
5. Port scanning using Nmap
You can instruct Nmap to explicitly scan open ports on a target host using the -p flag followed by the port number.
Here, we are scanning for port 80 on the remote host:
$ nmap -p 80 192.168.2.100
To specify multiple ports, you can list them using commas as shown below:
$ nmap -p 80,135,139 192.168.2.100
To restrict the output to ports that are actually open, use the --open flag.
Here, we are scanning Metasploitable Linux which is an intentionally vulnerable virtual instance for penetration testing:
$ nmap --open 192.168.2.107
6. Scan for active remote hosts
If you just want to know which remote hosts are alive in your subnet, pass the -sn flag as shown. The output will be nothing fancy, just a brief summary of the active hosts:
$ nmap -sn 192.168.2.0/24
7. OS fingerprinting
The -O flag enables you to even detect the host's operating system to a certain degree.
However, this does not give you the exact version of the target's OS. In the example below, we are scanning a host that runs on Windows 10, but the OS guesses suggest that the remote host is likely to be Windows XP SP2 or Windows Server 2008 / 2008 R2.
# nmap -O 192.168.2.103
8. Service detection
You can get down to the nitty-gritty of the services listening on associated ports using the -sV flag. Common services include SSH (port 22), HTTP (port 80), and DNS (port 53). Service detection is one of the most critical scanning tasks.
It helps in pointing out outdated service versions that may leave the system prone to exploits and attacks.
$ nmap -sV 192.168.2.107
9. Perform a stealth scan using Nmap
A stealth scan, also known as a SYN scan, is an unobtrusive kind of scan that quickly checks multiple ports in the shortest time possible. A SYN packet is sent to the remote target and, based on the response (or lack of one), Nmap reports whether the port is open, filtered, or closed:
$ nmap -sS 192.168.2.107
10. Perform a detailed scan
The -A flag performs a deep inspection of the remote target: it combines OS detection, service version detection, the default NSE script scan and traceroute in a single run, giving finer details about the running services and, through the default scripts, pointing out some known issues with them:
$ nmap -A 192.168.2.107
11. Perform firewall identification
Nmap can also perform firewall identification to check whether ports are filtered or not. The -sA option (ACK scan) checks for a stateful firewall and is usually combined with the -p flag and a port number. 'Unfiltered' means the ACK probe reached the port without a firewall dropping it, while 'filtered' means a firewall is in place and blocked the probe:
$ nmap -sA 192.168.2.107 -p 21
12. Scan TCP or UDP protocols
If you want to scan TCP ports only, use the -sT flag as shown:
$ nmap -sT 192.168.2.107
If you want to scan UDP ports only, use the -sU option (this requires root privileges):
# nmap -sU 192.168.2.107
13. Using Nmap scripts to scan vulnerabilities
Nmap Scripting Engine, abbreviated as NSE, provides Nmap scripts that extend Nmap's functionalities. Nmap scripts are mostly used in probing vulnerability and malware detection. These scripts come preinstalled on Kali Linux and are located in the /usr/share/nmap/scripts path.
They have a unique .nse file extension.
For example, to check whether a remote host's SSH login can be brute-forced, use the Nmap script below:
$ nmap --script=ssh-brute.nse 192.168.2.107
14. Save Nmap scan results
If you want to save the results of an Nmap scan for later review, you can use the shell redirection operator > as shown:
$ nmap -sT 192.168.2.103 > myscans.txt
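Redirecting the human-readable output works for a quick look, but for anything you intend to process later it is better to ask Nmap for its XML report with -oX (for example nmap -sV -oX scan.xml 192.168.2.107) and parse that. The Python below is an added example, not code from the article or from the Nmap project: it parses a constructed, shortened -oX report into a per-host table of ports, states and service versions (the information section 8 on service detection is after), and then compares a "baseline" report with a later one so that a defender can spot ports that have newly opened on a host. The two sample reports are built inline and are not real scan output; the host, versions and port 3306 are made-up values.

```python
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: {(proto, port): {"state", "service", "version"}}} for hosts reported as up."""
    root = ET.fromstring(xml_text)
    result: dict = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports: dict = {}
        for port in host.iter("port"):
            state_el = port.find("state")
            svc = port.find("service")
            # product and version come from -sV; either may be absent
            version = ""
            if svc is not None:
                version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "version": version,
            }
        result[addr_el.get("addr")] = ports
    return result


def open_ports(scan: dict) -> dict:
    """{ip: sorted [(proto, port), ...]} keeping only ports whose state is 'open'."""
    return {ip: sorted(k for k, v in ports.items() if v["state"] == "open")
            for ip, ports in scan.items()}


def new_open_ports(baseline: dict, current: dict) -> dict:
    """Ports open in `current` that were not open in `baseline`; hosts absent from the baseline count entirely."""
    base, cur = open_ports(baseline), open_ports(current)
    diff = {}
    for ip, ports in cur.items():
        new = [p for p in ports if p not in base.get(ip, [])]
        if new:
            diff[ip] = new
    return diff


def _sample_xml(extra_port: str = "") -> str:
    """Constructed, trimmed-down -oX report (not real scan output)."""
    return f"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.2.107">
  <host>
    <status state="up"/>
    <address addr="192.168.2.107" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/>
        <service name="netbios-ssn"/></port>
      {extra_port}
    </ports>
  </host>
</nmaprun>
"""


BASELINE_XML = _sample_xml()
# Same host scanned later: a database port has appeared (constructed for the example)
CURRENT_XML = _sample_xml('<port protocol="tcp" portid="3306"><state state="open"/>'
                          '<service name="mysql" product="MySQL" version="5.7.33"/></port>')


if __name__ == "__main__":
    scan = parse_nmap_xml(CURRENT_XML)
    for ip, ports in scan.items():
        for (proto, num), info in sorted(ports.items()):
            print(f"{ip} {num}/{proto} {info['state']:<9} {info['service']:<12} {info['version']}")
    print("newly open:", new_open_ports(parse_nmap_xml(BASELINE_XML), scan))
```

In practice you would read the two XML files from disk (ET.parse instead of ET.fromstring) and run the comparison from a cron job; a non-empty result from new_open_ports is the kind of change that deserves a ticket, since an unexpected listener is often the first visible sign of a misconfiguration or compromise.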
15. Scan hosts from a text file
Alternatively, you can scan remote hosts that are listed in a text file, one target per line. To read the file, use the -iL option:
$ nmap -A -iL hosts.txt