How to use NMAP

Nmap (Network Mapper) is a free and open-source network scanner used for network discovery and security auditing. It discovers hosts and services on a network by sending crafted packets and analysing the responses. Let us take a look at how to use Nmap.

The Nmap port scanner can primarily determine:

  • Available hosts on the network
  • The operating system running on a host (-O)
  • Name and version of the applications listening on a host's ports (-sV)
  • Whether a firewall or packet filter sits between you and a port (reported as the filtered state)
  • And much more

How to install Nmap

Linux Installation

Run the following command to install it on Debian-based Linux distributions such as Ubuntu, Linux Mint, and Kali Linux (prefix it with sudo if you are not root):

apt-get install nmap

Use the following command on RPM-based distributions such as Fedora, CentOS, and Red Hat Enterprise Linux (RHEL); on current releases dnf has replaced yum, but the same package name applies:

yum install nmap

macOS Installation

Run the following command to install it on macOS with Homebrew:

brew install nmap

Windows Installation

Download the installer from the Nmap website (https://nmap.org/download.html) and run the downloaded .exe file. The Windows installer also sets up Npcap, which Nmap needs to send and capture raw packets on Windows.

Nmap accepts a large number of options, and the type and amount of information you get back depends on which ones you use.

How to Get Help With Nmap

Running nmap with no arguments prints a summary of the available options:

nmap

Nmap then prints the following help summary (this one is from Nmap 7.80; newer releases add options):

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

The help summary is only an overview. For the complete documentation, run:

man nmap

Using Nmap Examples

The simplest form of the command is nmap followed by a single target, given either as an IP address:

nmap 74.207.244.221

Or as a hostname:

nmap scanme.nmap.org

With no other options, Nmap performs host discovery and then scans the 1,000 most commonly used TCP ports (not every port), reporting which of them are open. Run as root it uses a SYN scan (-sS); as an unprivileged user it falls back to a full TCP connect scan (-sT), which is slower and more visible in the target's logs. Only scan hosts you own or have written permission to test; scanme.nmap.org is provided by the Nmap project for exactly this purpose.

See an example below:

me@server:~$ nmap scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 08:09 AEDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 20.01 seconds

PORT, STATE, SERVICE Table:

Most of the time, when you run Nmap, the output contains a table with three columns: PORT, STATE, and SERVICE.

The PORT column shows the port number and the transport protocol it was probed over (tcp, udp, or sctp).

The STATE column shows the port state: open, closed, filtered, unfiltered, open|filtered, or closed|filtered. A filtered port is one where a firewall or packet filter dropped the probe, so Nmap cannot tell whether anything is listening. The combined states appear when the scan type cannot distinguish two possibilities, which is common with UDP scans (open|filtered) because a silent UDP port looks the same as a dropped packet.

The SERVICE column is the name Nmap expects on that port, looked up by port number from its nmap-services table; it is not evidence of what is actually listening. Use -sV (service/version detection) to probe the open ports and identify the real service and its version. That matters whenever something has been moved to a non-standard port, for example an SSH daemon on 2222 or a web server hidden on 31337.
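A small parser for this table, as an added example for this page (it is not Nmap code). It turns the normal on-screen output into records you can filter and summarise, which is what you end up doing when a scan covers more hosts than you can eyeball. The sample text is the scan shown above with two constructed rows added (a filtered TCP port and an open|filtered UDP port) so that each state is exercised; the trailing VERSION column that -sV adds is captured when present.

```python
"""Parse the PORT/STATE/SERVICE table out of Nmap's normal (-oN / on-screen) output.

Added example for this page, not Nmap code. SAMPLE_OUTPUT is the scan shown
above plus two constructed lines (a filtered TCP port and an open|filtered UDP
port) so that every state branch is exercised.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 08:09 AEDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 994 closed ports
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
135/tcp   filtered      msrpc
161/udp   open|filtered snmp
9929/tcp  open          nping-echo
31337/tcp open          Elite

Nmap done: 1 IP address (1 host up) scanned in 20.01 seconds
"""

# "Nmap scan report for host (ip)" or just "Nmap scan report for ip"
HOST_LINE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?$")
# One row of the table; the optional trailing text is the VERSION column from -sV
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str          # nmap-services lookup by port number unless -sV was used
    version: str = ""     # only populated when the scan ran with -sV


def parse_normal_output(text: str) -> List[PortRecord]:
    """Walk the output line by line, tracking the current host, and collect table rows."""
    records: List[PortRecord] = []
    host = ""
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("ip") or m.group("name")
            continue
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(
                host=host,
                port=int(m["port"]),
                proto=m["proto"],
                state=m["state"],
                service=m["service"],
                version=(m["version"] or "").strip(),
            ))
    return records


def open_ports(records: List[PortRecord], proto: Optional[str] = None) -> List[int]:
    """Ports confirmed open (not open|filtered), optionally limited to one protocol."""
    return [r.port for r in records
            if r.state == "open" and (proto is None or r.proto == proto)]


def state_summary(records: List[PortRecord]) -> Dict[str, int]:
    """Count ports per state; a large 'filtered' share means a packet filter is in the path."""
    return dict(Counter(r.state for r in records))


if __name__ == "__main__":
    recs = parse_normal_output(SAMPLE_OUTPUT)
    print("open:", open_ports(recs))
    print("states:", state_summary(recs))
```

Note that open_ports deliberately excludes open|filtered: a UDP port in that state has not been confirmed, and treating it as open inflates findings. For anything beyond a quick script, prefer Nmap's XML output (-oX) over parsing the human-readable form, since the screen layout is not a stable interface.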

Scanning Range of IP Addresses or Host

You can also scan multiple IP addresses by giving a range in the last octet:

nmap 74.207.244.1-15

This command scans all 15 addresses from 74.207.244.1 to 74.207.244.15 inclusive. The same range syntax works in any octet (for example 10.0.0-255.1-254, as shown in the help text).

You can also list several unrelated addresses on one command line:

nmap 74.207.244.221 192.168.43.1 10.44.16.5

Separate the addresses with spaces.

Detecting all the Hosts Connected to a Network

The following command lists every address in the network without sending a single probe to the targets; it only performs a reverse-DNS lookup for each address (add -n to skip even that). It is the safest way to check what a target specification expands to before you scan it:

nmap -sL 192.168.43.0/24

The /24 is a CIDR prefix length: it selects the 256 addresses from 192.168.43.0 to 192.168.43.255.

The following command reports only the hosts that are up, with their IP addresses and hostnames:

nmap -sn 192.168.43.0/24

The -sn option (ping scan) disables the port scan, so the output contains no PORT, STATE, SERVICE table. On the local Ethernet segment Nmap discovers hosts with ARP requests; for remote networks it uses ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (when run as root). A host that answers none of these is reported as down and, in a full scan, skipped; use -Pn to force scanning of hosts that block ping.

You can also write the same range with a wildcard. Quote it so your shell does not try to expand it as a filename pattern:

nmap -sn '192.168.43.*'

When scanning a network, you can also name addresses that must not be scanned. The --exclude option takes a comma-separated list of hosts or networks:

nmap '192.168.43.*' --exclude 192.168.43.1

Anything listed after --exclude is removed from the target list before any packet is sent, which is how you keep a gateway or a fragile printer out of a sweep.
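To make the target grammar concrete, here is an added example (not part of Nmap) that expands Nmap-style IPv4 target specifications locally and applies --exclude, producing the same list that nmap -sL -n would print. It covers the forms used in the two sections above (74.207.244.1-15, 192.168.43.0/24, 192.168.43.*, several targets on one line, --exclude) and the multi-octet range form from the help text. Hostnames are passed through unresolved because the script runs offline; IPv4 only.

```python
"""Expand Nmap-style IPv4 target specifications locally, the way `nmap -sL -n` lists them.

Added example for this page, not Nmap code. Handles CIDR (192.168.43.0/24), octet
ranges (74.207.244.1-15), wildcards (192.168.43.*), per-octet comma lists
(10.0.0.1,3,5-7), multiple targets and --exclude. Hostnames are passed through
unresolved because this runs offline. IPv4 only; combining an octet range with
a /prefix in one spec is not handled here.
"""
import ipaddress
import itertools
import re
from typing import Iterable, List

_IPV4_SPEC = re.compile(r"^[\d,*-]+(\.[\d,*-]+){3}$")


def _expand_field(field: str) -> List[int]:
    """Expand one dotted-quad field: '5', '1-15', '-' (0-255), '*' or '1,3,5-7'."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i, hi_i = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return every address a single target spec covers, in the order nmap would scan them."""
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        if not _IPV4_SPEC.match(base):
            return [spec]            # e.g. microsoft.com/24: needs DNS, left as-is
        network = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        return [str(addr) for addr in network]   # network and broadcast addresses included
    if not _IPV4_SPEC.match(spec):
        return [spec]                # plain hostname: would need DNS
    fields = [_expand_field(f) for f in spec.split(".")]
    return [".".join(map(str, combo)) for combo in itertools.product(*fields)]


def list_scan(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Mimic `nmap -sL <targets> --exclude <exclude>`: expand everything, drop
    excluded addresses, and (a choice of this example) de-duplicate while
    keeping first-seen order."""
    excluded = {addr for spec in exclude for addr in expand_target(spec)}
    seen = set()
    out: List[str] = []
    for spec in targets:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    hosts = list_scan(["192.168.43.*"], exclude=["192.168.43.1"])
    print(len(hosts), "targets, first three:", hosts[:3])
```

Running the 10.0.0-255.1-254 example from the help text through expand_target gives 65,024 addresses, which is a useful sanity check before launching a scan that size: the time a port scan takes scales with the number of targets times the number of ports per target.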

Detecting the Operating System

The following command attempts to identify the operating system of the target by fingerprinting its TCP/IP stack. OS detection needs raw packets, so run it as root:

sudo nmap -O scanme.nmap.org

The -O option stands for OS detection. Nmap reports a match only when the fingerprint is close enough; on an unusual or heavily filtered host you will often see no match at all.

The --osscan-guess option is a modifier for -O, not a scan on its own. It makes Nmap print its best guesses even when no fingerprint matches closely:

sudo nmap -O --osscan-guess scanme.nmap.org

Running Nmap with the -A option (aggressive) enables OS detection, version detection, the default NSE script scan and traceroute in one go. It is considerably noisier than a plain port scan, and the OS detection and traceroute parts need root:

sudo nmap -A scanme.nmap.org

You can also run the above command with the -T4 timing template for faster execution. Templates run from -T0 (paranoid) to -T5 (insane); -T4 is the usual choice on a fast, reliable network, while -T5 can miss ports on slower links and -T0/-T1 are for slipping under an IDS's rate thresholds.

sudo nmap -A -T4 scanme.nmap.org

Getting Traceroute for a Host

You can find the route from your computer to the specified destination with the following command:

sudo nmap --traceroute scanme.nmap.org

The --traceroute option needs raw socket access, so it only works as root (or via sudo). Unlike the traceroute utility, Nmap traces using the same protocol and port it found open during the scan, which often gets through firewalls that block ICMP or UDP probes.

Scanning Fewer Ports for Quick Scan

As mentioned earlier, you can use the -T4 option for faster execution. You can also scan fewer ports with the -F option, which limits the scan to the 100 most common ports instead of the default 1,000:

nmap -F -T4 scanme.nmap.org

Here -F stands for "fast scan". The trade-off is coverage: anything listening outside those 100 ports is simply not looked at.

Scanning any Specific Ports

Instead of relying on the default list of ports, you can tell Nmap exactly which ports to scan.

Run the following command to scan only port 80:

nmap -p80 scanme.nmap.org

Here -p stands for port.

Instead of a single port, you can also give a comma-separated list:

nmap -p80,8080 scanme.nmap.org

The same option accepts ranges (-p1-1024), -p- for all 65,535 ports, and protocol qualifiers such as -p U:53,T:22,80 when combining a UDP scan (-sU) with a TCP scan. Scanning all ports is the only way to find services deliberately placed on unusual port numbers, at the cost of a much longer scan.
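As an added example (not Nmap code), the following script expands a -p argument into the ports that would be probed per protocol, using the syntax shown in the help summary (-p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9). A qualifier applies to everything after it until the next qualifier; unqualified ports go to every protocol the scan covers, which for a default scan is TCP only, and that is the scan_protocols default assumed here. Service names in a port list (-p http,ssh) are not handled.

```python
"""Expand an Nmap -p port specification into the ports probed per protocol.

Added example for this page, not Nmap code. Covers -p22, -p80,8080, -p1-65535,
-p- (all 65535 ports) and qualified lists such as
-p U:53,111,137,T:21-25,80,139,8080,S:9. A qualifier (T:, U:, S:) applies to
everything after it until the next qualifier. Unqualified ports are applied to
every protocol in scan_protocols, which defaults to TCP only (the default scan).
Service names (-p http,ssh) are not handled.
"""
import re
from typing import Dict, List, Set, Tuple

_QUALIFIER = {"T": "tcp", "U": "udp", "S": "sctp"}
_QUALIFIED = re.compile(r"^([TUS]):(.*)$")


def expand_port_spec(spec: str, scan_protocols: Tuple[str, ...] = ("tcp",)) -> Dict[str, List[int]]:
    """Return {protocol: sorted unique ports} for the given -p argument."""
    ports: Dict[str, Set[int]] = {}
    current = None                       # None: no qualifier seen yet
    for item in spec.replace(" ", "").split(","):
        m = _QUALIFIED.match(item)
        if m:
            current = _QUALIFIER[m.group(1)]
            item = m.group(2)
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        if "-" in item:                  # range; open ends mean 1 and 65535
            lo, hi = item.split("-", 1)
            lo_i, hi_i = (int(lo) if lo else 1), (int(hi) if hi else 65535)
        else:
            lo_i = hi_i = int(item)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        for proto in ((current,) if current else scan_protocols):
            ports.setdefault(proto, set()).update(range(lo_i, hi_i + 1))
    return {proto: sorted(values) for proto, values in ports.items()}


def probe_count(spec: str, scan_protocols: Tuple[str, ...] = ("tcp",)) -> int:
    """Total number of (protocol, port) pairs a spec expands to; useful for sizing a scan."""
    return sum(len(v) for v in expand_port_spec(spec, scan_protocols).values())


if __name__ == "__main__":
    print(expand_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9"))
    print(probe_count("-"), "TCP ports for -p-")
```

probe_count is the number that decides how long a scan runs once multiplied by the target count, which is why -F (100 ports) and -p- (65,535 ports) feel so different on a /24.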

You can further explore this tool by running the following command:

man nmap

Summary

You should now be able to install Nmap and run its basic host-discovery, port, service and OS scans. Let us know your favorite Nmap commands!


About the Authors

Each member of Anto's editorial team is a Cloud expert in their own right. Anto Online takes great pride in helping fellow Cloud enthusiasts. Let us know if you have an excellent idea for the next topic!
