Linux for Network Engineers: How to Use nmap

January 2, 2019, filed under Linux

nmap, the Network Mapper, is a utility that helps map networks. Duh… It was first released in 1998 and it supports Windows, Mac OS and several flavors of Linux. It’s a very handy utility to have at your disposal. Some common use cases are the following:

  • Build network inventory
  • Detect the OS and version of an unknown host
  • Security testing

Let’s see how we can use nmap in each one of these cases.

If you just type “nmap”, you will get a pretty extensive (yet simple to understand) help message about the most common use cases of nmap. This is in contrast with the manual page (man nmap), which is a very long and detailed explanation of every option and nitty-gritty detail. It’s easy to get lost in the latter.

Network Inventory

If you want to do a quick scan to find all hosts in a network that respond to ping requests, the simplest scan you can do is the following:

This is called a “ping sweep” and it returns all of the hosts that nmap can detect in the specific subnet. You can scan more than one subnet at the same time with a command like “nmap -sP 172.31.0.1/24 172.30.0.1/24”.

If you use the “-v” option, you will get a more verbose output. Try it out!

OS Detection

Now, let’s say you did a ping sweep and you find an unknown host in your network, and you’d like to receive more information about it. nmap has the ability to query a host and extract as much information as possible about it. Here is how this works:

As you can see nmap detected that the host 172.31.0.1:

  • Has ports 22 (ssh), 25 (smtp), and 111 (rpcbind) open
  • Is manufactured by CompuLab (based on the MAC Organizationally Unique Identifier)
  • Is running Linux with a kernel version between 2.6.38 and 3.2

You may also notice the message “OS detection performed. Please report any incorrect results at http://nmap.org/submit/ ,” which tells you that nmap did its best to detect the OS and its version; if you know the results are incorrect, you should report them at http://nmap.org/submit/. This helps nmap become better at detecting OS versions with every new release.

An option that goes one step further and gives you more information about the services running on a specific host is “-A”. Here’s an example:

nmap did some additional scanning on the host’s open ports and returned information about the services and their versions.
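Both the ping sweep above and the OS detection scan become much more useful once their results are in a form you can diff or feed into an asset database. The following is an added example written for this article, not code from the nmap project: a Python script that parses nmap’s XML output (what you get with `-oX inventory.xml` on any of the scans shown here; note that current nmap releases call the ping sweep `-sn`, with `-sP` kept as an alias) into one inventory record per live host with its MAC vendor, open ports and best OS guess. The embedded `SAMPLE_XML` is a constructed, abbreviated document in the shape nmap emits, with values mirroring the 172.31.0.1 host described above; it is not a real scan.

```python
"""Turn nmap's XML output (-oX) into a plain host inventory.

Added example for this article, not code from the nmap project. It assumes the
scan was saved with `-oX inventory.xml`; the sample below is a constructed,
abbreviated document in the shape nmap emits, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host with ports and an OS guess (as from -O),
# one host found by a ping sweep only (as from -sP/-sn), and one host down.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -oX - 172.31.0.0/24" version="7.70">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="172.31.0.1" addrtype="ipv4"/>
    <address addr="00:01:C0:00:00:01" addrtype="mac" vendor="CompuLab"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="111"><state state="open" reason="syn-ack"/><service name="rpcbind"/></port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.38 - 3.2" accuracy="95"/>
      <osmatch name="Linux 3.2 - 3.8" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="172.31.0.42" addrtype="ipv4"/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="172.31.0.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return one dict per host that nmap reports as up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no inventory data
        entry = {"ip": None, "mac": None, "vendor": None,
                 "open_ports": [], "os": None, "os_accuracy": 0}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
                entry["vendor"] = addr.get("vendor")  # looked up by nmap in its OUI table
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                name = service.get("name") if service is not None else "unknown"
                entry["open_ports"].append((int(port.get("portid")), name))
        # nmap lists several osmatch candidates; keep the most confident one
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            entry["os"] = best.get("name")
            entry["os_accuracy"] = int(best.get("accuracy"))
        hosts.append(entry)
    return hosts


def format_inventory(hosts):
    """One line per live host, suitable for diffing against the previous sweep."""
    lines = []
    for h in hosts:
        ports = ", ".join("%d/%s" % (p, n) for p, n in h["open_ports"]) or "none found"
        lines.append("%-15s mac=%s vendor=%s os=%s (%d%%) open=%s" % (
            h["ip"], h["mac"] or "-", h["vendor"] or "-",
            h["os"] or "unknown", h["os_accuracy"], ports))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_inventory(parse_inventory(SAMPLE_XML)))
```

Keeping the XML from each sweep and diffing the formatted inventory is the cheapest way to notice a host or an open port that was not there last week, which is the practical point of building an inventory with nmap in the first place.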

Security

nmap has a group of options that allow you to craft packets with specific fields. This can be used to test for security vulnerabilities.

For example, it allows you to spoof the MAC address (--spoof-mac) or the IP address (-S) of the host if you want to test how your network treats traffic that appears to come from a specific host. You can also send a packet with a bad checksum (--badsum) and set the source port of the packet (-g / --source-port).

All these options make nmap a tool that you can use as a white-hat hacker to test your firewall rules and look for other vulnerabilities.
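The value of a --badsum probe for testing your own firewall lies in what should not happen: a normal host IP stack verifies the TCP checksum before the segment reaches any socket and silently drops a segment that fails, so a reply to such a probe points at something in the path (a firewall or IDS) that skipped the check. The following Python script is an added example written for this article, not nmap’s code; it builds a bare TCP SYN the way a packet crafter does, computes the checksum over the IPv4 pseudo-header as RFC 793 and RFC 1071 specify, optionally corrupts it as --badsum does, and then runs the receiver-side verification that a host performs. The addresses 192.0.2.10 and 192.0.2.53 and the ports are constructed sample values.

```python
"""Why a --badsum probe should go unanswered: the TCP checksum a host verifies.

Added example for this article, not code from the nmap project. It models the
sender (a packet crafter) and the receiver (a normal IP stack); all addresses
and ports are constructed sample values.
"""
import socket
import struct

TCP_PROTO = 6


def internet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return internet_checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, seq=0, bad_sum=False):
    """Craft a bare SYN; bad_sum=True corrupts the checksum like nmap --badsum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         5 << 4,        # data offset: 5 words, no options
                         0x02,          # flags: SYN
                         65535, 0, 0)   # window, checksum placeholder, urgent ptr
    csum = tcp_checksum(src_ip, dst_ip, header)
    if bad_sum:
        csum ^= 0x5555  # flip bits so the receiver's verification must fail
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """Receiver check: summing the segment with its checksum field included gives 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def receive(src_ip, dst_ip, segment):
    """Model a host IP stack: verify first, only then look at ports and flags."""
    if not checksum_ok(src_ip, dst_ip, segment):
        return "dropped: bad checksum"
    sport, dport = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    if flags & 0x02:
        return "syn to port %d from source port %d" % (dport, sport)
    return "segment accepted"


if __name__ == "__main__":
    good = build_syn("192.0.2.10", "192.0.2.53", 40000, 53)
    bad = build_syn("192.0.2.10", "192.0.2.53", 40000, 53, bad_sum=True)
    print(receive("192.0.2.10", "192.0.2.53", good))
    print(receive("192.0.2.10", "192.0.2.53", bad))
```

Because the pseudo-header folds both IP addresses into the sum, the same check also fails for a segment whose source address was rewritten in flight without recomputing the checksum, which is one reason a crafted packet with a spoofed source (-S) has to be built with the spoofed address from the start rather than patched afterwards.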

Here is an interesting example of how to spoof your IP address while scanning Google’s DNS server 8.8.8.8:

Seemingly, in this case, nmap sent packets that carried the spoofed source IP address 10.10.10.10 and it concluded that the host 8.8.8.8 was down and unresponsive. However, that was not the case; it looks like Google was able to detect that the request had a spoofed IP address and rejected it. I confirmed that 8.8.8.8 was working fine by running the same command but without the spoofed IP address:

Conclusions

nmap is one of those utilities that has so many options and capabilities that it can actually be overwhelming. As is the case with that type of utility, you will end up using only a fraction of its capabilities to get a specific job done. If you want to use it to its full potential, you’re in for a lot of trial and error and some hands-on experience with real networks.