Nmap, which stands for “Network Mapper,” is an open-source tool that allows you to perform scans on local and remote networks. Nmap is very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. Network administrators use the tool to inventory network devices, monitor the status of the remote host, save scan results for later use, and so on.
The Nmap suite includes an advanced graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Why use Nmap?
In addition to being free, Nmap is very flexible, portable, well-documented, and easy to use. Below, we'll walk you through how to install Nmap, use it, and, most importantly, learn more about your network.
Installing Nmap
To install Nmap on Red Hat Enterprise Linux 8 or Fedora, you'd run:
# dnf -y install nmap
Replace dnf with yum if you are on Red Hat Enterprise Linux 7 or later. After installing Nmap, you can run the nmap command with no arguments to display all your options. You should also refer to the Nmap man page by running man nmap.
Using Nmap
Suppose your local network is 192.168.0.0/24 and you want to scan it. Running a scan with no arguments other than the network address produces the following:
# nmap 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:00 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.0046s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1900/tcp  open  upnp
20005/tcp open  btx
MAC Address: 50:ff:BF:ff:ff:AC (Tp-link Technologies)

Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.013s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: B8:dd:A0:dd:dd:C2 (Resideo)
Multiple networks can be scanned at once. For example:
# nmap 192.168.0.0/24 10.80.0.0/24
If we want to run a quick scan of the machines on our network without checking whether any ports are open, we run:
# nmap -sn 192.168.0.0/24
The output of the above command looks something like this:
# nmap -sn 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:24 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.016s latency).
MAC Address: 50:C7:FF:FF:15:FF (Tp-link Technologies)
Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.96s latency).
MAC Address: B8:FF:FF:11:FF:C2 (Resideo)
MAC Address: 88:DD:EA:DD:CE:37 (Texas Instruments)
Nmap scan report for SoundTouch-Kitchen.lan (192.168.0.160)
Host is up (0.39s latency).
MAC Address: 5C:DD:DD:FF:FF:B5 (Texas Instruments)
Nmap scan report for 192.168.0.181
Host is up (0.60s latency).
MAC Address: 40:DD:DD:8F:FF:F5 (Asustek Computer)
Nmap scan report for TL-WPA4220.lan (192.168.0.225)
Host is up (0.61s latency).
MAC Address: 50:DD:FF:AA:DD:BA (Tp-link Technologies)
Nmap scan report for f3d0r4.lan (192.168.0.165)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 9.11 seconds
Mind you, -sn was known as -sP in previous versions of Nmap. Using -sP is still backward compatible and should work on recent versions of Nmap.
While the Nmap man pages are well written and provide many examples, there are specific things you won't find in them. For example, what if we wanted to store the IP addresses from the previous output in a file? This is a specific need that does not belong in the Nmap man pages, so we have to parse the output ourselves and extract only the IP addresses.
For example:
# nmap -sn 192.168.0.0/24 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'
Nmap offers many other options to save the scan output in different formats. For example:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
So running:
# nmap -sn 192.168.0.0/24 -oG nmap_output
produces the following output:
# cat nmap_output
# Nmap 7.80 scan initiated Fri Mar  6 22:01:57 2020 as: nmap -sn -oG nmap_output 192.168.0.0/24
Host: 192.168.0.1 (Archer.lan)    Status: Up
Host: 192.168.0.101 (Lyric-1111C2.lan)    Status: Up
Host: 192.168.0.151 (SoundTouch-VW-benee.lan)    Status: Up
Host: 192.168.0.160 (SoundTouch-VW-keuken.lan)    Status: Up
Host: 192.168.0.181 ()    Status: Up
Host: 192.168.0.225 (TL-WPA4220.lan)    Status: Up
Host: 192.168.0.165 (f3d0r4.lan)    Status: Up
# Nmap done at Fri Mar  6 22:02:06 2020 -- 256 IP addresses (7 hosts up) scanned in 9.45 seconds
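As an added example (not code from the article), here is how a sysadmin can build on the grepable output above to keep a host inventory, which is also what the awk one-liner above was doing by hand on normal output. The first function pulls the up hosts out of -oG text (no parenthesis stripping needed, since -oG puts the bare IP in the second field), and the other two diff a baseline run against a later run to flag hosts that appeared or disappeared. Both -oG texts are constructed samples: the host names reuse the article's network, but the timestamps and the second run are made up.

```shell
#!/bin/sh
# Added example: work with Nmap's grepable (-oG) host-discovery output.
# BASELINE_GNMAP and CURRENT_GNMAP are constructed samples standing in for
# files written by e.g. "nmap -sn -oG baseline.gnmap 192.168.0.0/24".

BASELINE_GNMAP='# Nmap 7.80 scan initiated Fri Mar  6 22:01:57 2020 as: nmap -sn -oG baseline.gnmap 192.168.0.0/24
Host: 192.168.0.1 (Archer.lan)    Status: Up
Host: 192.168.0.101 (Lyric-1111C2.lan)    Status: Up
Host: 192.168.0.160 (SoundTouch-Kitchen.lan)    Status: Up
# Nmap done at Fri Mar  6 22:02:06 2020 -- 256 IP addresses (3 hosts up) scanned in 9.45 seconds'

CURRENT_GNMAP='# Nmap 7.80 scan initiated Sat Mar  7 08:00:03 2020 as: nmap -sn -oG current.gnmap 192.168.0.0/24
Host: 192.168.0.1 (Archer.lan)    Status: Up
Host: 192.168.0.160 (SoundTouch-Kitchen.lan)    Status: Up
Host: 192.168.0.181 ()    Status: Up
Host: 192.168.0.200 ()    Status: Down
# Nmap done at Sat Mar  7 08:00:12 2020 -- 256 IP addresses (3 hosts up) scanned in 9.10 seconds'

# Print the IP of every host reported as up, one per line, sorted.
# -oG writes one host per line: "Host: <ip> (<name>)<TAB>Status: Up".
up_hosts() {
  printf '%s\n' "$1" | awk '$1 == "Host:" && /Status: Up/ { print $2 }' | sort
}

# Hosts that are up in run $2 but were not up in baseline run $1
# (candidates for "what is this new device on my network?").
new_hosts() {
  { up_hosts "$1" | sed 's/^/B /'; up_hosts "$2" | sed 's/^/C /'; } |
    awk '$1 == "B" { seen[$2] = 1 } $1 == "C" && !seen[$2] { print $2 }'
}

# Hosts that were up in the baseline but did not answer this time.
missing_hosts() {
  new_hosts "$2" "$1"
}

echo "New hosts:";     new_hosts "$BASELINE_GNMAP" "$CURRENT_GNMAP"
echo "Missing hosts:"; missing_hosts "$BASELINE_GNMAP" "$CURRENT_GNMAP"
```

Keep in mind that a -sn sweep only lists hosts that answered Nmap's probes, so a machine that drops ICMP and the default TCP probes shows up as "missing" even though it is on the wire; treat the diff as a prompt to investigate, not as proof.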
Specific Port Analysis
Nmap has the option to scan specific ports on specific targets. If we were interested in checking the status of ports 22 and 443 (which by default use the TCP protocol), we would run the following:
# nmap -sV -p 22,443 192.168.0.0/24
If you are not sure what -sV does, just run:
# nmap | grep -- -sV
The above command displays ports regardless of their status: open, closed, filtered, etc. Most of the time, we are interested in open ports, so we can add the --open flag to achieve this. We will slightly modify the previous command and execute:
# nmap -sV -p 22,443 192.168.0.0/24 --open
Instead of listing ports separated by commas, it is also possible to give a range of ports, which is more flexible and easier to read. For example:
# nmap -p 54-111 192.168.0.0/24
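An added example, not from the article: doing the --open filtering after the fact on saved normal output of an -sV port scan, so that a run over the whole /24 can be reduced to "which host exposes what". The scan text below is a constructed sample (hosts, states and version strings are made up, following the article's network), and the two functions are this example's own.

```shell
#!/bin/sh
# Added example: list open ports per host from saved normal (-oN) output of a
# run such as "nmap -sV -p 22,443 192.168.0.0/24". SV_OUTPUT is constructed.

SV_OUTPUT='Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:40 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.0046s latency).

PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 8.0 (protocol 2.0)
443/tcp closed   https

Nmap scan report for 192.168.0.181
Host is up (0.60s latency).

PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 7.4 (protocol 2.0)
443/tcp filtered https

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.00 seconds'

# Print "host port service version" for every port whose state is exactly
# "open". Closed and filtered ports are dropped, which is what --open does at
# scan time; ambiguous states such as open|filtered are skipped here too.
open_ports() {
  printf '%s\n' "$1" | awk '
    /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      version = ""
      for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
      print host, $1, $3, version
    }'
}

# Which hosts expose a given port, e.g. "22/tcp"? Handy for checking that
# only the machines you expect answer on SSH.
hosts_with_open() {
  open_ports "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

open_ports "$SV_OUTPUT"
echo "Hosts with 22/tcp open:"; hosts_with_open "$SV_OUTPUT" 22/tcp
```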
Advanced Nmap scanning
We now know the basics of Nmap and its capabilities. Let's move on to more advanced scanning: getting more information from a target and tracing packets.
Sniffing a packet on a single IP
At the time of writing, I am connected to my server via SSH. To demonstrate how packet tracing is performed with Nmap and what its output looks like, we use the following Nmap syntax, which produces the output shown:
# nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 23:14 CET
Initiating Ping Scan at 23:14
Scanning 192.168.2.3 [1 port]
SENT (0.0282s) ICMP [192.168.0.165 > 192.168.2.3 Echo request (type=8/code=0) id=8524 seq=0] IP [ttl=43 id=25141 iplen=28 ]
RCVD (0.0336s) ICMP [192.168.2.3 > 192.168.0.165 Echo reply (type=0/code=0) id=8524 seq=0] IP [ttl=63 id=27840 iplen=28 ]
Completed Ping Scan at 23:14, 0.03s elapsed (1 total hosts)
Nmap scan report for 192.168.2.3
Host is up, received echo-reply ttl 63 (0.0055s latency).
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
The above options have the following meanings:
- -vv (Increase verbosity)
- -n (No DNS resolution. This speeds up our scanning!)
- -sn (No port scanning)
- -PE (Use ICMP echo request queries. This is what is shown in the output above)
- -T4 (prohibits the dynamic scan delay from exceeding 10ms for TCP ports. See man nmap)
- --packet-trace (Show all packets sent and received)
Using recursive DNS proxies for stealth scanning at a destination
By default, Nmap executes rDNS (reverse DNS) resolution on any responsive host. Let’s see if we can collect any information about a specific network and remain anonymous. The anonymous part is because we will use public DNS servers, namely 8.8.4.4 and 8.8.8.8, to perform the recursive query.
First, we resolve redhat.com using Google's public DNS server, which gives the following:
# host redhat.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

redhat.com has address 209.132.183.105
redhat.com mail is handled by 10 us-smtp-inbound-2.mimecast.com.
redhat.com mail is handled by 10 us-smtp-inbound-1.mimecast.com.
Second, we run a stealth list scan (-sL) against the network of 209.132.183.105. A list scan only resolves names through the chosen DNS servers and sends no packets to the target hosts themselves:
# nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 00:22 CET
Nmap scan report for 209.132.183.0
Nmap scan report for elvis.redhat.com (209.132.183.1)
Nmap scan report for ns2.redhat.com (209.132.183.2)
Nmap scan report for ovpn-phx2.redhat.com (209.132.183.3)
Nmap scan report for mimecast-mx01.redhat.com (209.132.183.4)
Nmap scan report for selfservice.redhat.com (209.132.183.5)
Nmap scan report for unused (209.132.183.6)
Nmap scan report for unused (209.132.183.7)
Nmap scan report for siperimeter.redhat.com (209.132.183.8)
<--snip-->
We are able to obtain a wealth of information about specific networks by using only a few simple techniques.
NSE Scripting
As mentioned above, Nmap is equipped with many advanced features, one of which is NSE (Nmap Scripting Engine) scripts. Using NSE scripts with Nmap allows you to scan different hosts, find vulnerabilities in services running on a host, and possibly log in by brute-forcing these services.
The NSE script syntax is as follows:
# nmap --script="name_of_script" --script-args="argument=arg" target
Now, you're probably wondering where to find these NSE scripts and how to know which script takes which arguments. Start by running man nmap. You can also jump directly to the right section:
# PAGER='less "+/NMAP SCRIPTING ENGINE"' man nmap
The available NSE scripts that you can pass to Nmap are located in:
/usr/share/nmap/scripts/
You can also locate the NSE scripts by running:
# dnf -y install mlocate; updatedb; locate nmap/scripts
Now that we know where the NSE scripts are located, let's see how we can use them to get information about a target running a web server.
See if a WAF protects a website
A web application firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap, we can detect whether a website is protected by such a WAF. Below is an NSE script and its arguments in use:
# nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.slimmer.ai
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:38 CET
Nmap scan report for www.slimmer.ai (172.104.131.188)
Host is up (0.023s latency).
rDNS record for 172.104.131.188: li1647-188.members.linode.com
PORT    STATE SERVICE
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_www.slimmer.ai:443/?p4yl04d=id;uname%20-a
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
As shown above, a web application firewall protects the target website.
More NSE scripts
Again, Nmap is often used by system administrators to inventory their environment, discover weaknesses in their network, and thus protect their systems from intruders. Intruders, on the other hand, can do the same thing to scan a remote system and try to gather as much information as possible about said system.
Suppose some unauthorized person has scanned your network and found some open ports/services. This person could pass some NSE scripts to Nmap and see if these services are vulnerable. Here's what that looks like:
# nmap -Pn -sV --script=vulners 37.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:41 CET
Nmap scan report for some.domain.nl (37.xx.xx.xx)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
25/tcp open  smtp    Postfix smtpd
Service Info: Host:  some.domain.nl

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds
We can see that the remote system is running OpenSSH 7.4. Nmap queried public vulnerability databases and found known CVEs.
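Added example (not the article's code): triaging vulners output after the fact, which is what the defender running this scan against their own hosts wants next. The script prints its findings as "| <id> <score> <url>" lines under the port they belong to; the first function keeps the findings at or above a CVSS threshold, the second gives a per-port count and worst score for prioritising patching. The sample text is constructed from the scan above (the CVE ids and scores are the ones shown there, and 37.xx.xx.xx is the article's own placeholder address).

```shell
#!/bin/sh
# Added example: triage the output of "nmap -sV --script=vulners" after the
# fact. VULNERS_OUTPUT is a constructed sample mirroring the article's scan.

VULNERS_OUTPUT='Nmap scan report for some.domain.nl (37.xx.xx.xx)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
25/tcp open  smtp    Postfix smtpd
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds'

# Print "host port CVE score" for every vulners finding scoring >= $2.
# We remember the current host and port as we read, because the script's
# "|"-prefixed finding lines carry neither.
cves_at_least() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ { port = $1 }
    /^\|[_ ]/ && $2 ~ /^CVE-/ && ($3 + 0) >= min { print host, port, $2, $3 }'
}

# Per host/port: number of findings and the highest score, for prioritising.
vuln_summary() {
  cves_at_least "$1" 0 | awk '
    { key = $1 " " $2; n[key]++; if ($4 + 0 > max[key] + 0) max[key] = $4 }
    END { for (k in n) print k, n[k], max[k] }'
}

echo "Findings with CVSS >= 5.0:"; cves_at_least "$VULNERS_OUTPUT" 5.0
echo "Summary:";                   vuln_summary "$VULNERS_OUTPUT"
```

The vulners script matches on the version banner that -sV reports, so a distribution package that backports fixes without changing the banner will still be listed; check the vendor's advisory before treating a hit as confirmed.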
Wrap up
Nmap is a very powerful port scanning and system inventory tool that can be used for both good and bad purposes. It depends on the hat you are wearing. The best way to learn Nmap is to read man pages, use examples shown in man pages, and experiment with NSE scripts. Also, try Zenmap. If you’re interested in knowing more about port scanning and the science behind it, check out the Nmap documentation.