Linux for Network Engineers: How to Use nmap

January 2, 2019 | Linux

NMAP

nmap, the Network Mapper, is a utility that helps map networks. Duh… It was first released in 1998 and it supports Windows, Mac OS and several flavors of Linux. It’s a very handy utility to have at your disposal. Some common use cases are the following:

  • Build network inventory
  • Detect the OS and version of an unknown host
  • Security testing

Let’s see how we can use nmap in each one of these cases.

If you just type “nmap”, you will get a pretty extensive (yet simple to understand) help message about the most common use cases of nmap. This is in contrast with the manual page (man nmap), which is a very long and detailed explanation of every option and nitty-gritty detail. It’s easy to get lost in the latter.

Network Inventory

If you want to do a quick scan to find all hosts in a network that respond to ping requests, the simplest scan you can do is the following:

netbeez.net$ nmap -sP 172.31.0.1/24
Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-17 21:17 EST
Nmap scan report for 172.31.0.1
Host is up (0.0011s latency).
Nmap scan report for 172.31.0.14
Host is up (0.00016s latency).
Nmap scan report for 172.31.0.16
Host is up (0.0019s latency).
Nmap scan report for 172.31.0.17
Host is up (0.00036s latency).
Nmap scan report for 172.31.0.18
Host is up (0.0010s latency).
Nmap scan report for 172.31.0.25
Host is up (0.00044s latency).
Nmap scan report for 172.31.0.85
Host is up (0.00079s latency).
Nmap scan report for 172.31.0.121
Host is up (0.00074s latency).
Nmap scan report for 172.31.0.134
Host is up (0.00083s latency).
Nmap scan report for 172.31.0.149
Host is up (0.00076s latency).
Nmap done: 256 IP addresses (10 hosts up) scanned in 2.34 seconds

This is called a “ping sweep” and returns all of the hosts that it can detect in the specific subnet. You can scan more than one subnet at the same time with a command like “nmap -sP 172.31.0.1/24 172.30.0.1/24”.

If you use the “-v” option, you will get a more verbose output. Try it out!

OS Detection

Now, let’s say you did a ping sweep and found an unknown host in your network, and you’d like to get more information about it. nmap has the ability to query a host and extract as much information as possible about it. Here is how this works:

netbeez.net$ sudo nmap -O 172.31.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 00:58 EST
Nmap scan report for 172.31.0.1
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
MAC Address: 00:01:C0:15:A3:32 (CompuLab)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.51 seconds

As you can see, nmap detected that the host 172.31.0.1:

  • Has ports 22 (ssh), 25 (smtp), and 111 (rpcbind) open
  • Is manufactured by CompuLab (based on the MAC Organizationally Unique Identifier)
  • Is running Linux, with a kernel version between 2.6.38 and 3.2

You may also notice the message “OS detection performed. Please report any incorrect results at http://nmap.org/submit/ ,” which tells you that nmap did its best to detect the OS and its version; if you know the results are incorrect, you should report them at http://nmap.org/submit/. This helps nmap become better at detecting OS versions with every new release.

An option that goes one step further and gives you more information about the services running on a specific host is ‘-A’. Here’s an example:

netbeez.net$ sudo nmap -A 172.31.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 01:16 EST
Nmap scan report for 172.31.0.1
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (protocol 2.0)
| ssh-hostkey: 1024 00:7d:84:36:36:23:e5:0f:6f:1c:1b:ed:88:30:54:b9 (DSA)
|_2048 70:5b:16:fc:7f:00:fb:ff:62:50:3b:01:63:31:0a:53 (RSA)
25/tcp  open  smtp    Postfix smtpd
| ssl-cert: Subject: commonName=devel
| Not valid before: 2013-11-05 14:11:09
|_Not valid after:  2023-11-03 14:11:09
|_smtp-commands: utilite-desktop, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
111/tcp open  rpcbind
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44444/udp  status
|_  100024  1          46057/tcp  status
MAC Address: 00:01:C0:15:A3:32 (CompuLab)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Network Distance: 1 hop
Service Info: Host:  utilite-desktop; OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 172.31.0.1

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.71 seconds

nmap did some additional scanning on the host’s open ports and returned information about the services and their versions.
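As an added example (not code from the original post or from the nmap project), here is a small Python parser for the normal-output format shown in the ping sweep and -O scans above; it turns each “Nmap scan report” block into an inventory record (latency, open ports, MAC/vendor, OS details). The sample reports are constructed from the output shown in this post.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed samples in the normal-output format shown in this post.
SWEEP = """Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-17 21:17 EST
Nmap scan report for 172.31.0.1
Host is up (0.0011s latency).
Nmap scan report for 172.31.0.14
Host is up (0.00016s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.34 seconds
"""
OSSCAN = """Nmap scan report for 172.31.0.1
Host is up (0.00039s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
MAC Address: 00:01:C0:15:A3:32 (CompuLab)
OS details: Linux 2.6.38 - 3.2
"""

@dataclass
class Host:
    addr: str
    latency_s: Optional[float] = None          # None => nmap never saw the host answer
    ports: list = field(default_factory=list)  # (port, proto, state, service)
    mac: Optional[str] = None
    vendor: Optional[str] = None               # from nmap's MAC OUI lookup
    os_details: Optional[str] = None

def parse_nmap(text):
    """Parse nmap normal output (what the terminal shows) into Host records."""
    hosts, cur = [], None
    for line in text.splitlines():
        # "Nmap scan report for 1.2.3.4" or "... for hostname (1.2.3.4)"
        if m := re.match(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?", line):
            hosts.append(cur := Host(m.group(1)))
        elif cur is None: continue             # banner lines before the first host
        elif m := re.match(r"Host is up \(([\d.]+)s latency\)", line):
            cur.latency_s = float(m.group(1))
        elif m := re.match(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", line):
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"MAC Address: (\S+) \((.*)\)", line):
            cur.mac, cur.vendor = m.group(1), m.group(2)
        elif m := re.match(r"OS details: (.*)", line):
            cur.os_details = m.group(1)
    return hosts

def inventory(text):  # live hosts -> sorted open ports: the inventory use case
    return {h.addr: sorted(p[0] for p in h.ports if p[2] == "open")
            for h in parse_nmap(text) if h.latency_s is not None}
```

Feeding it saved output from the -A scan works the same way; the version column is simply dropped by the port regex.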

Security

nmap has a group of options that allow you to craft packets with specific fields. This can be used to test for security vulnerabilities.

For example, it allows you to spoof the MAC address (--spoof-mac) or the source IP address (-S) of the host if you want to test how traffic coming from a specific host is handled. You can also send packets with a bad checksum (--badsum) and set the source port of the packets (--source-port, or -g for short).

All these options make nmap a tool that you can use as a white-hat hacker to test your firewall rules and look for other weaknesses.

Here is an interesting example of how to spoof your IP address while scanning Google’s DNS server 8.8.8.8:

netbeez.net$ sudo nmap  8.8.8.8 -e eth0  -S 10.10.10.10
WARNING:  If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn .  If you are using it to specify your real source address, you can ignore this warning.

Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 13:22 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.34 seconds

Seemingly, in this case, nmap sent packets reporting 10.10.10.10 as their source IP address, and it concluded that the host 8.8.8.8 was down and unresponsive. However, that was not the case; it looks like Google was able to detect that the request had a spoofed IP address and rejected it. I confirmed that 8.8.8.8 was working fine by running the same command but without the spoofed IP address:

netbeez.net$ sudo nmap  8.8.8.8 -e eth0

Starting Nmap 6.00 ( http://nmap.org ) at 2018-12-18 13:24 EST
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.013s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.07 seconds

Conclusions

nmap is one of those utilities that has so many options and capabilities that it can actually be overwhelming. As is the case with these types of utilities, you will end up using only a fraction of its capabilities to get a specific job done. If you want to use it to its full potential, you’re in for a lot of trial and error and some hands-on experience with real networks.

If you want to learn more about nmap, read the follow-up blog post on using nmap scripts.