nmap, the Network Mapper is a utility that helps map networks. Duh…it was first released in 1998 and it supports Windows, Mac OS and several flavors of Linux. It’s a very handy utility to have at your disposal. Some common use cases are the following:
- Build network inventory
- Detect the OS and version of an unknown host
- Security testing
Let’s see how we can use nmap in each one of these cases.
If you type just type “nmap”, you will get a pretty extensive (yet simple to understand) help message about the most common use cases of nmap. This is in contrast with the manual page (man nmap) that is a very long and detailed explanation of every option and nitty-gritty detail. It’s easy to get lost within the latter.
If you want to do a quick scan to find all hosts in a network that respond to ping requests, the simplest scan you can do is the following:
netbeez.net$ nmap -sP 172.31.0.1/24 Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-17 21:17 EST Nmap scan report for 172.31.0.1 Host is up (0.0011s latency). Nmap scan report for 172.31.0.14 Host is up (0.00016s latency). Nmap scan report for 172.31.0.16 Host is up (0.0019s latency). Nmap scan report for 172.31.0.17 Host is up (0.00036s latency). Nmap scan report for 172.31.0.18 Host is up (0.0010s latency). Nmap scan report for 172.31.0.25 Host is up (0.00044s latency). Nmap scan report for 172.31.0.85 Host is up (0.00079s latency). Nmap scan report for 172.31.0.121 Host is up (0.00074s latency). Nmap scan report for 172.31.0.134 Host is up (0.00083s latency). Nmap scan report for 172.31.0.149 Host is up (0.00076s latency). Nmap done: 256 IP addresses (10 hosts up) scanned in 2.34 seconds
This is called a “ping sweep” and returns all of the hosts that it can detect in the specific subnet. You can scan more than one subnet at the same time with a command like this “nmap -sP 172.31.0.1/24 172.30.0.1/24”
If you use the “-v” option, you will get a more verbose output. Try it out!
Now, let’s say you did a ping sweep and you find an unknown host in your network, and you’d like to receive more information about it. nmap has the ability to query a host and extract as much information as possible about it. Here is how this works:
netbeez.net$ sudo nmap -O 172.31.0.1 Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 00:58 EST Nmap scan report for 172.31.0.1 Host is up (0.00039s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind MAC Address: 00:01:C0:15:A3:32 (CompuLab) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.2 Network Distance: 1 hop OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 4.51 seconds
As you can see nmap detected that the host 172.31.0.1:
- Has ports 22 (ssh) 25 (smtp), and 111 (rpcbind) open
- Is manufactured by CompuLab (based on the MAC Organizationally Unique Identifier)
- Is running Linux with versions between 2.6.38-3.2
You may also notice the message “OS detection performed. Please report any incorrect results at http://nmap.org/submit/ ,” which tells you that nmap did its best to detect the OS and its version, but if you know the results are incorrect you should report them here http://nmap.org/submit/. This helps nmap become better at detecting OS version with every new release.
An option that goes one step further and gives you more information about the services running on a specific host is ‘-A’. Here’s an example:
netbeez.net$ sudo nmap -A 172.31.0.1 Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 01:16 EST Nmap scan report for 172.31.0.1 Host is up (0.00048s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (protocol 2.0) | ssh-hostkey: 1024 00:7d:84:36:36:23:e5:0f:6f:1c:1b:ed:88:30:54:b9 (DSA) |_2048 70:5b:16:fc:7f:00:fb:ff:62:50:3b:01:63:31:0a:53 (RSA) 25/tcp open smtp Postfix smtpd | ssl-cert: Subject: commonName=devel | Not valid before: 2013-11-05 14:11:09 |_Not valid after: 2023-11-03 14:11:09 |_smtp-commands: utilite-desktop, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 111/tcp open rpcbind | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 44444/udp status |_ 100024 1 46057/tcp status MAC Address: 00:01:C0:15:A3:32 (CompuLab) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.2 Network Distance: 1 hop Service Info: Host: utilite-desktop; OS: Linux; CPE: cpe:/o:linux:kernel TRACEROUTE HOP RTT ADDRESS 1 0.48 ms 172.31.0.1 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.71 seconds
nmap did some additional scanning on the host’s open ports and returned information about the services and their versions.
nmap has a group of options that allow you to craft packets with specific fields. This can be used to test for security vulnerabilities.
For example, it allows you to spoof the MAC address (–spoof-mac) or the IP (-S) of the host if you want to test for traffic coming from a specific host. You can set a bad sum for a packet (–badsum) and the source port of the packet (–packet-port).
All these options make nmap a tool that you can use as a white-hat hacker to test your firewall rules and other vulnerabilities.
Here is an interesting example on how to spoof your IP address while scanning Google’s DNS server 22.214.171.124
netbeez.net$ sudo nmap 126.96.36.199 -e eth0 -S 10.10.10.10 WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn . If you are using it to specify your real source address, you can ignore this warning. Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 13:22 EST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.34 seconds
Seemingly, in this case, nmap sent packets that were reporting as source IP address 10.10.10.10 and it concluded that the host 188.8.131.52 was down and unresponsive. However, that was not the case; it looks like Google was able to detect that the request had a spoofed IP address and rejected it. I confirmed that 184.108.40.206 was working fine by running the same command but without the spoofed IP address:
netbeez.net$ sudo nmap 220.127.116.11 -e eth0 Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 13:24 EST Nmap scan report for google-public-dns-a.google.com (18.104.22.168) Host is up (0.013s latency). Not shown: 998 filtered ports PORT STATE SERVICE 53/tcp open domain 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 5.07 seconds
nmap is one of those utilities that has so many options and capabilities, it can actually be overwhelming. As is the case with those type of utilities, you will end up using only a fraction of its capabilities to help get a specific job done. If you want to use it at its full potential, you’re in for a lot of trial and error and some hands-on experience with real networks.
If you want to learn more about nmap, read the follow-up blog post on using nmap scripts.