Thu Jun 22

Nmap Usage And Examples: A Complete Guide

Nmap is one of the most popular and powerful tools for network scanning and security auditing. It can help you discover hosts, services, vulnerabilities, and other information about your network. In this article, we will show you how to install and use Nmap on different operating systems, how to perform various types of scans with Nmap, and how to use Nmap for some common scenarios.

What is Nmap and why use it?

Nmap stands for Network Mapper. It is an open-source command-line tool that can scan IP addresses and ports in a network and detect installed applications. Nmap can also provide information about the operating system and the services running on the target hosts.

Nmap is widely used by network administrators, security professionals, and ethical hackers for various purposes, such as:

  • Network mapping: Nmap can help you identify all the devices connected to your network, such as servers, routers, switches, firewalls, printers, IoT devices, etc. You can also use Nmap to find out their IP addresses, hostnames, MAC addresses, and other details.
  • Network security: Nmap can help you audit the security of your network by finding open ports, running services, and potential vulnerabilities. You can also use Nmap to test your firewall rules, IDS/IPS systems, and other security measures.
  • Network troubleshooting: Nmap can help you diagnose network problems by checking the connectivity, latency, bandwidth, and performance of your network devices. You can also use Nmap to monitor the availability and uptime of your network services.

Nmap has many features and options that allow you to customize your scans according to your needs. You can also use Nmap with other tools and scripts to automate your tasks and enhance your results.

Installing Nmap on different operating systems

Nmap is available for many operating systems, such as Linux, Windows, Mac OS X, BSD, Solaris, etc. You can download the latest version of Nmap from its official website: https://nmap.org/download.html

Installing Nmap on Linux

Nmap is usually included in the repositories of most Linux distributions. You can install it using your package manager. For example, on Debian-based systems like Ubuntu, you can run:

sudo apt update
sudo apt install nmap

On Red Hat-based systems like CentOS or Fedora, you can run:

sudo yum update
sudo yum install nmap

On Arch-based systems like Manjaro or Parabola, you can run:

sudo pacman -Syu
sudo pacman -S nmap

To verify that Nmap is installed correctly, you can run:

nmap --version

Installing Nmap on Windows

Nmap is also available for Windows as a self-installer executable file. You can download it from the official download page (https://nmap.org/download.html). After downloading the file, run it and follow the instructions to complete the installation process. You can also choose to install Zenmap, which is a graphical user interface (GUI) for Nmap. Zenmap can help you create, save, and run Nmap scans with a few clicks.

To verify that Nmap is installed correctly, open a command prompt and run:

nmap --version

You should see something like this:

Nmap version 7.91 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: liblua-5.3.5 openssl-1.1.1h libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select

Installing Nmap on Mac OS X

Nmap is also available for Mac OS X as a disk image file. You can download it from the official download page (https://nmap.org/download.html). After downloading the file, mount it and drag the Nmap application to your Applications folder. You can also choose to install Zenmap, which is a graphical user interface (GUI) for Nmap. Zenmap can help you create, save, and run Nmap scans with a few clicks.

To verify that Nmap is installed correctly, open a terminal and run:

nmap --version

You should see something like this:

Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-apple-darwin19.6.0
Compiled with: liblua-5.3.5 openssl-1.1.1h libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select

Utilizing Nmap commands and options

Nmap is typically used to audit network security, map networks, identify open ports, and find devices that are online.

The simplified syntax of the nmap command is as follows:

nmap [Options] [Target...]

The target can be a single IP address, a hostname, a range of IP addresses, or a subnet. The options can be used to specify the type of scan, the ports to scan, the output format, and other parameters.

Basic scans with Nmap

The most basic example of using Nmap is to scan a single target as a standard user without specifying any options:

nmap scanme.nmap.org

This will perform a TCP connect scan on the target host, which tries to establish a full connection with each of the 1000 most common ports that Nmap scans by default.

The output will look something like this:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 16:20 GMT+06:59
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
9929/tcp open nping-echo

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

The output shows the IP address of the target host, the state of each port (open, closed, filtered), and the service running on each port.

You can also scan multiple targets by specifying them as a list separated by spaces:

nmap scanme.nmap.org example.com 192.x.x.x

Or by specifying them as a range using hyphens or commas:

nmap 192.x.x.x-10
nmap 192.x.x.x,11,12,13

Or by specifying them as a subnet using CIDR notation:

nmap 192.x.x.x/24

You can also use wildcards to scan hosts with similar names:

nmap *.example.com

Or use a text file that contains a list of targets:

nmap -iL targets.txt
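A practitioner rarely reads a scan report once; the useful defensive habit is to save a baseline and compare each later scan against it so that a newly opened port stands out. The following script is an added example and is not part of the article or of the Nmap project. It parses the normal Nmap output shown above into a sorted list of open ports and diffs two reports. Both sample reports are constructed for the example (the second one is the article's scanme.nmap.org report altered so that 25/tcp has closed and 3306/tcp has opened); the function names open_ports, port_diff and new_ports are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): turn an Nmap normal-output report
# into a sorted "port/proto service" list and diff it against a saved
# baseline, so a scheduled scan can flag ports that newly opened.

# Sample baseline, taken from the article's scanme.nmap.org report.
SAMPLE_BASELINE='Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 16:20 GMT+06:59
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
9929/tcp open nping-echo

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds'

# Constructed "later" report: 25/tcp went away and 3306/tcp appeared.
SAMPLE_CURRENT='Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
9929/tcp open nping-echo

Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds'

# open_ports: read a report on stdin and print "port/proto service" for
# every line whose STATE column is "open", sorted numerically by port.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' \
        | sort -t/ -k1,1n
}

# port_diff BASELINE_TEXT CURRENT_TEXT: print "+ port service" for ports
# open now but absent from the baseline, and "- port service" for ports
# that were open in the baseline but are no longer reported open.
port_diff() {
    base=$(printf '%s\n' "$1" | open_ports)
    cur=$(printf '%s\n' "$2" | open_ports)
    printf '%s\n' "$cur" | while read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$base" | grep -qxF -- "$line" || printf '+ %s\n' "$line"
    done
    printf '%s\n' "$base" | while read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$cur" | grep -qxF -- "$line" || printf '%s %s\n' '-' "$line"
    done
}

# new_ports: only the additions, which is the part worth alerting on.
new_ports() {
    port_diff "$1" "$2" | grep '^+' || true
}

# Real use (assumes nmap is installed and baseline.txt was saved earlier
# with: nmap TARGET > baseline.txt):
#   nmap TARGET > current.txt
#   new_ports "$(cat baseline.txt)" "$(cat current.txt)"
```

Run against the two constructed reports, port_diff prints "+ 3306/tcp mysql" followed by "- 25/tcp smtp". The parser keys on the STATE column rather than on line position, so it also works on reports that list filtered or closed ports explicitly.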

Stealth scans with Nmap

A TCP connect scan is not very stealthy because it completes the three-way handshake with each port and leaves traces in the target’s logs. A stealthier way to scan ports is a SYN scan, which only sends a SYN packet and analyzes the response. If a SYN/ACK is received, the port is open and a TCP connection could be established. However, a SYN scan never completes the three-way handshake, which makes the scanning system harder for the target to detect.

To perform a SYN scan, you need to use the -sS option and run Nmap as root or administrator:

sudo nmap -sS scanme.nmap.org

The output will look something like this:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 16:21 GMT+06:59
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
9929/tcp open nping-echo

Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds

The output is similar to the TCP connect scan, but the scan is faster and less noisy.

You can also use other types of stealth scans with Nmap, such as:

  • UDP scan -sU: Scans UDP ports by sending an empty UDP packet and analyzing the response. If an ICMP port unreachable message is received, it means the port is closed. If no response is received, it means the port is open or filtered.
  • FIN scan -sF: Scans TCP ports by sending a FIN packet and analyzing the response. If an RST packet is received, it means the port is closed. If no response is received, it means the port is open or filtered.
  • Xmas scan -sX: Scans TCP ports by sending a packet with the FIN, PSH, and URG flags set and analyzing the response. If an RST packet is received, it means the port is closed. If no response is received, it means the port is open or filtered.
  • Null scan -sN: Scans TCP ports by sending a packet with no flags set and analyzing the response. If an RST packet is received, it means the port is closed. If no response is received, it means the port is open or filtered.

These types of scans can bypass some firewalls and IDS/IPS systems that do not monitor these types of packets. However, they may not work on some operating systems that do not follow the RFC standards for TCP/IP.
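From the defender's side, the FIN, Xmas and Null probes described above are easy to spot precisely because legitimate TCP traffic never carries those flag combinations. The following script is an added example, not part of the article or of Nmap. It reads tcpdump-style lines, classifies each probe by its flag field using the definitions in the list above (S for SYN, F for FIN, FPU for Xmas, none for Null), and counts probes per source address. The capture lines are constructed for the example using documentation-range addresses, and the function names classify_probes and suspicious_sources are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): count scan probes per source
# address in tcpdump-style output, by the TCP flag combination used.

# Constructed tcpdump-like lines (documentation-range addresses), not a
# real capture. 203.0.113.5 does SYN probes, 203.0.113.9 Xmas probes,
# 203.0.113.7 Null and FIN probes; the "[S.]" and "[.]" lines are normal
# replies and are ignored.
SAMPLE_CAPTURE='16:21:03.000001 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
16:21:03.000002 IP 203.0.113.5.40002 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
16:21:03.000003 IP 192.0.2.10.22 > 203.0.113.5.40001: Flags [S.], seq 7, ack 2, win 64240, length 0
16:21:04.000001 IP 203.0.113.9.51000 > 192.0.2.10.22: Flags [FPU], seq 1, win 1024, length 0
16:21:04.000002 IP 203.0.113.9.51000 > 192.0.2.10.80: Flags [FPU], seq 1, win 1024, length 0
16:21:04.000003 IP 203.0.113.9.51000 > 192.0.2.10.443: Flags [FPU], seq 1, win 1024, length 0
16:21:05.000001 IP 203.0.113.7.36000 > 192.0.2.10.22: Flags [none], seq 1, win 1024, length 0
16:21:05.000002 IP 203.0.113.7.36000 > 192.0.2.10.80: Flags [none], seq 1, win 1024, length 0
16:21:06.000001 IP 203.0.113.7.36000 > 192.0.2.10.21: Flags [F], seq 1, win 1024, length 0
16:21:06.000002 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [.], ack 1, win 1024, length 0'

# classify_probes: read capture lines on stdin, print "src kind count"
# where kind is syn, fin, xmas or null, sorted by source address.
classify_probes() {
    awk '
    {
        # field 3 is "src.port"; strip the trailing ".port" to get the address
        src = $3; sub(/\.[0-9]+$/, "", src)
        # pull the text between "Flags [" and "]"
        if (match($0, /Flags \[[^]]*\]/) == 0) next
        flags = substr($0, RSTART + 7, RLENGTH - 8)
        kind = ""
        if (flags == "none")      kind = "null"   # Null scan: no flags
        else if (flags == "FPU")  kind = "xmas"   # Xmas scan: FIN+PSH+URG
        else if (flags == "F")    kind = "fin"    # FIN scan
        else if (flags == "S")    kind = "syn"    # SYN (or connect) scan
        if (kind != "") count[src " " kind]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# suspicious_sources MIN: sources that sent at least MIN FIN/Xmas/Null
# probes in total. SYN probes are left out here because a SYN is also how
# every legitimate connection starts, so they need a rate-based rule instead.
suspicious_sources() {
    classify_probes | awk -v min="${1:-1}" '
        $2 != "syn" { total[$1] += $3 }
        END { for (s in total) if (total[s] >= min) print s, total[s] }' | sort
}

# Real use (assumes tcpdump is installed and run with capture privileges):
#   tcpdump -n -l 'tcp' | classify_probes
```

On the constructed capture, classify_probes reports two SYN probes from 203.0.113.5, one FIN and two Null probes from 203.0.113.7, and three Xmas probes from 203.0.113.9; suspicious_sources 2 lists only the last two addresses. The same flag rules can be expressed as firewall log rules on the host, which is the usual way to catch these probes continuously rather than from a one-off capture.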

OS and service detection with Nmap

Nmap can also detect the operating system and the service version of the target hosts by using various techniques, such as:

  • TCP/IP fingerprinting: Nmap sends a series of specially crafted packets to the target host and analyzes the responses to determine the OS type and version.
  • Service banner grabbing: Nmap sends a request to each open port and analyzes the banner or response to determine the service name and version.

To perform OS and service detection with Nmap, you need to use the -O and -sV options and run Nmap as root or administrator:

sudo nmap -O -sV scanme.nmap.org

The output will look something like this:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 16:22 GMT+06:59
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
9929/tcp open nping-echo Nping echo

Service Info: Host: scanme.nmap.org; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.11 - 4.1
Network Distance: 10 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds

The output shows the OS details, the service name and version for each open port, and some additional information such as CPE (Common Platform Enumeration) and network distance.

You can also use other options to improve or customize your OS and service detection with Nmap, such as:

  • --osscan-limit: Limits OS detection to hosts that are up and have at least one open and one closed port.
  • --osscan-guess: Enables more aggressive OS guessing when Nmap is not sure about the OS type or version.
  • -A: Enables OS detection, version detection, script scanning, and traceroute in one option.
  • -T4: Increases the speed of scanning by using more aggressive timing parameters.
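The version column that -sV adds is most valuable when it is checked against something: an inventory, or a minimum-version policy for the services you expose. The script below is an added example and is not part of the article or of Nmap. It parses the PORT STATE SERVICE VERSION lines of the report shown above into port, service, product and version, then reports every service whose detected version sorts below a policy minimum. The policy is constructed for the example, the sample report is the article's scanme.nmap.org output, the function names service_versions, version_lt and below_policy are this example's own, and version ordering relies on sort -V, which is an assumption that a GNU-style sort is available.

```shell
#!/bin/sh
# Added example (not from the article): extract product and version from
# an "nmap -sV" report and compare them against a minimum-version policy.

# Sample report, taken from the article's "nmap -O -sV scanme.nmap.org" output.
SAMPLE_SV='PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
9929/tcp open nping-echo Nping echo'

# Constructed policy for the example: product|minimum acceptable version.
POLICY='OpenSSH|7.4
Apache httpd|2.4.50'

# service_versions: read a -sV report on stdin and print
# "port|service|product|version". The product is the version text up to
# the first token that looks like a version number; version is "-" when
# Nmap printed no number (for example "Postfix smtpd").
service_versions() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        product = ""; version = "-"
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^[0-9]+(\.[0-9]+)+[0-9A-Za-z]*$/) { version = $i; break }
            product = (product == "" ? $i : product " " $i)
        }
        if (product == "") product = "-"
        printf "%s|%s|%s|%s\n", $1, $3, product, version
    }'
}

# version_lt A B: true when A sorts strictly before B in version order
# (assumes GNU-style "sort -V").
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# below_policy: read a -sV report on stdin and print one line per open
# service whose detected version is below the policy minimum for its product.
below_policy() {
    service_versions | while IFS='|' read -r port service product version; do
        [ "$version" != "-" ] || continue
        min=$(printf '%s\n' "$POLICY" | awk -F'|' -v p="$product" '$1 == p { print $2 }')
        [ -n "$min" ] || continue
        if version_lt "$version" "$min"; then
            printf '%s %s %s %s < %s\n' "$port" "$service" "$product" "$version" "$min"
        fi
    done
}

# Real use (assumes nmap is installed):
#   sudo nmap -sV TARGET | below_policy
```

On the sample report this prints "22/tcp ssh OpenSSH 6.6.1p1 < 7.4" and "80/tcp http Apache httpd 2.4.7 < 2.4.50", while the Postfix and Nping entries, which carry no version number, are skipped rather than reported as failures. Treat banner versions as a lead, not a verdict: distributions backport fixes without changing the version string, so a flagged service still needs checking against the package actually installed.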

Nmap usage and examples

In this section, we will show you some common scenarios and examples of how to use Nmap for different purposes.

Scanning a single host or a range of hosts

To scan a single host, you can simply specify its IP address or hostname as the target:

nmap 192.x.x.x
nmap scanme.nmap.org

To scan a range of hosts, you can use different methods, such as:

  • Specifying a range of IP addresses using hyphens or commas:

    nmap 192.x.x.x-10
    nmap 192.x.x.x,11,12,13

  • Specifying a subnet using CIDR notation:

    nmap 192.x.x.x/24

  • Specifying a list of hosts using wildcards:

    nmap *.example.com

  • Specifying a text file that contains a list of targets:

    nmap -iL targets.txt

Scanning a network for open ports and services

To scan a network for open ports and services, you can use different options, such as:

  • -p: Specifies the ports to scan. You can use a single port, a range of ports, or a comma-separated list of ports. Use -p- to scan all 65535 ports; when -p is omitted, Nmap scans its default set of the 1000 most common ports.

    nmap -p 80 scanme.nmap.org
    nmap -p 1-1000 example.com
    nmap -p 22,80,443 192.x.x.x
    nmap -p- scanme.nmap.org
    nmap example.com

  • -sV: Enables service version detection. This will try to identify the service name and version running on each open port.

    nmap -sV scanme.nmap.org

  • --top-ports: Scans the top n most common ports according to the nmap-services file.

    nmap --top-ports 10 scanme.nmap.org

  • --open: Shows only open ports and skips closed and filtered ports.

    nmap --open scanme.nmap.org

Scanning a network for vulnerabilities and exploits

To scan a network for vulnerabilities and exploits, you can use the Nmap Scripting Engine (NSE), which is a powerful feature that allows you to run scripts written in Lua to perform various tasks. To use NSE, you need to use the -sC or --script options and specify the scripts or categories of scripts to run.

Nmap comes with hundreds of scripts that are organized into different categories, such as:

  • default: The most basic and safe scripts that are run by default when using -sC.
  • discovery: Scripts that are used to discover more information about the network.
  • safe: Scripts that are not intrusive and do not affect the target.
  • intrusive: Scripts that are intrusive and may affect the target.
  • vuln: Scripts that are used to check for vulnerabilities.
  • exploit: Scripts that are used to exploit vulnerabilities.

You can also use your own custom scripts or download more scripts from online sources.

To run NSE scripts, you can use commands like:

nmap -sC scanme.nmap.org # Runs default scripts
nmap --script discovery scanme.nmap.org # Runs discovery scripts
nmap --script safe,vuln example.com # Runs safe and vuln scripts
nmap --script http-vuln-cve2014-3704.nse 192.x.x.x # Runs a specific script by name

The output will show the results of the scripts along with the regular Nmap output.

Conclusion

Nmap is a powerful and versatile tool that can help you discover hosts, services, vulnerabilities, and other information about your network. You can also use Nmap with other tools and scripts to automate your tasks and enhance your results.

Here are some key takeaways from this article:

  • Nmap is an open-source command-line tool that can scan IP addresses and ports in a network and detect installed applications.
  • Nmap can also provide information about the operating system and the services running on the target hosts.
  • Nmap is widely used by network administrators, security professionals, and ethical hackers for various purposes, such as network mapping, network security, and network troubleshooting.
  • Nmap has many features and options that allow you to customize your scans according to your needs.
  • Nmap supports different types of scans, such as TCP connect scan, SYN scan, UDP scan, FIN scan, Xmas scan, Null scan, OS detection scan.

We hope this article has helped you understand the basics of Nmap and how to use it effectively.