How to Use Nmap

If you’re looking for a free network discovery tool, you’ve probably heard of Nmap.

Nmap, short for Network Mapper, is a multi-purpose tool commonly used for penetration testing to give you a granular view of your network’s security.

Its capabilities extend to information gathering, enumeration, and detecting vulnerabilities and security loopholes. You can also use the tool to find live hosts on a network and to perform operating system (OS) detection, traceroute, version detection, ping sweeps, and port scanning. This is precisely why Nmap is also known as the sysadmin’s Swiss Army knife.

To learn about what Nmap is and how to use it to secure your network, read on.

What is Nmap?

Nmap is a network scanning tool—an open source Linux command-line tool—used for network exploration, host discovery, and security auditing. Gordon Lyon (pseudonym Fyodor Vaskovich) created it to help map an entire network easily and find its open ports and services.

In other words, you can use Nmap to scan IP addresses, search for security loopholes, and scan for open ports on your computer network by sending packets and analyzing the responses.

Remember your favorite scene from The Matrix when Trinity managed to exploit a vulnerable SSH server? She used Nmap to work her magic.

What Does Nmap Do?

At its core, Nmap uses IP packets to give you detailed, real-time information on all your networks, as well as the devices (servers, routers, switches, mobile devices) connected to them.

Here’s a breakdown of the primary use of Nmap:

  • Scan every active IP address. You can get detailed information on every IP active on your network to determine whether an IP has been compromised. Nmap will tell you whether a legitimate service or an external hacker is using the IP.
  • Perform entire network scanning. You can get information on your network as a whole, including a list of live hosts and open ports and the OS of every connected device. Due to this, Nmap does a great job at monitoring your ongoing system and helping perform pen-testing.
  • Identify server vulnerabilities. You can use the tool to scan your web server for any security gaps to protect personal and business websites. Nmap helps simulate the process a malicious agent would typically use to attack your website.
  • Develop visual mappings. Nmap has a graphical user interface known as Zenmap. You can use it to create visual mappings of your network to facilitate better usability and reporting.
  • Automate system and vulnerability scans. Nmap has an incredible feature known as “Nmap Scripting Engine” (NSE). It's a scripting engine that lets you use a predefined set of scripts and automate networking features. Alternatively, you can write your own NSE scripts using the Lua programming language to make conclusions about the target host/service.

Although Nmap was developed for enterprise-scale networks, smaller companies are using the tool to scan connected devices. The exceptional rise of the IoT, in particular, has accelerated the increasing adoption of the tool to ensure top-notch data security.

How To Use Nmap Effectively

Nmap uses diverse techniques to scan, such as TCP connect scan, TCP SYN scan, TCP reverse ident scan, FTP bounce scan, and so on. Each of these methods has its own benefits and drawbacks, and whether you should opt for simple scanning or advanced scanning depends on the target machine.

Before you get started with Nmap, the software needs to be installed.

The installation process is easy, but it may vary based on your operating system. Below, we’ve covered how to install Nmap on Windows, macOS, and Linux.

  • For Windows OS: Download and run the custom installer you get with Nmap (nmap-<version>-setup.exe). This will automatically configure Nmap on your Microsoft system.
  • For Mac OS: Run the nmap-<version>.mpkg file to start the dedicated installer (you get this with Nmap).
  • For Linux OS: Open the terminal and run the command for your distribution to install Nmap:
      • CentOS/Fedora: sudo dnf install nmap
      • Ubuntu/Debian: sudo apt-get install nmap

Understanding the Common Nmap Commands

We can't put together an Nmap tutorial without outlining its commands. Here's a quick rundown of some common functions of Nmap you can try:

1. Ping Scanning

A ping scan returns information on every IP active on your network.

You can use the following command to execute a ping scan:

> nmap -sn 192.168.1.1/24

Note: You can also scan a single host for 1000 well-known ports, the ports used by popular services like SQL, SNTP, and Apache.

Here's how to run this command:

> nmap scanme.nmap.org

2. Port Scanning

There are tons of ways to execute a scan for ports. The main differences between the varying types of port scans are whether they cover TCP or UDP ports and if they run a TCP connection.

For instance, the TCP Connect scan actively queries every host and requests a response, while the UDP scan uses UDP packets to scan DNS, SNMP, and DHCP ports to do the same job.

Let's review the different port scanning types below.

  • Using the -p param to run a single-port scan:

> nmap -p 973 192.164.0.1

  • Using a TCP connection to scan information about a particular connection type—provided you specify the type of port:

> nmap -p T:7777,973 192.164.0.1

  • Using hyphens to separate a range of ports:

> nmap -p 76-973 192.164.0.1

  • Using the --top-ports flag to specify the top n ports to scan:

> nmap --top-ports 10 scanme.nmap.org

3. Host Scanning

Host scanning gives you detailed information on a specific host or a range of IP addresses, including their latency, MAC address, and any description associated with that address. In turn, this will allow you to quickly identify and eliminate suspicious hosts connected to your network.

You can use the following commands to execute a host scan:

  • Writing all the IP addresses in one row, allowing the tools to scan all of the hosts simultaneously:

> nmap 192.164.1.1 192.164.0.2 192.164.0.2

  • Using the asterisk (*) to scan every host in a subnet in one go:

> nmap 192.164.1.*

  • Adding commas to separate the IP address endings instead of typing entire addresses:

> nmap 192.164.0.1,2,3,4

  • Using a hyphen to define a range of IP addresses:

> nmap 192.164.0.0-255

Note: If you want to scan a hostname, you simply have to replace the IP address with the hostname.
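Before running a host scan, it helps to see exactly which addresses a target expression covers. The following is an added example, not part of the original article: it expands the IPv4 octet lists, ranges, wildcards and CIDR blocks shown above and flags addresses outside an authorized range. The function names and the authorized block are assumptions made for illustration.

```python
import ipaddress
from itertools import product

def expand_octet(spec):
    """Expand one octet field such as '1,2,3,4', '0-255' or '*'."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # Nmap defaults a missing bound to 0 / 255
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(target):
    """Return the IPv4 addresses that a target expression covers."""
    if "/" in target:  # CIDR: Nmap scans every address in the block
        net = ipaddress.ip_network(target, strict=False)
        return [str(ip) for ip in net]
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target expression: {target!r}")
    return [".".join(map(str, combo))
            for combo in product(*(expand_octet(o) for o in octets))]

def out_of_scope(targets, authorized_cidr):
    """List addresses covered by the targets that fall outside the authorized block."""
    allowed = ipaddress.ip_network(authorized_cidr)
    return [ip for t in targets for ip in expand_target(t)
            if ipaddress.ip_address(ip) not in allowed]

if __name__ == "__main__":
    # Target expressions taken from the host scanning examples above.
    targets = ["192.164.0.1,2,3,4", "192.164.1.*", "192.164.0.0-255"]
    for t in targets:
        print(t, "->", len(expand_target(t)), "addresses")
    print(out_of_scope(targets, "192.164.0.0/24")[:3])
```

Hostnames are not handled here; the check covers only the IPv4 expression forms listed in this section.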

4. OS Scanning

Nmap can also provide operating system detection, script scanning, version detection, and traceroute. In fact, OS scanning is claimed as one of the most powerful features of the tool.

OS scanning involves Nmap sending TCP and UDP packets to a particular port before analyzing its response. This scan then compares the response to a 2600-strong operating systems database and returns information on a host’s OS (and version).

You can use the following command to execute an OS scan:

> nmap -O scanme.nmap.org

Disclaimer: OS detection may not always be accurate. Still, it does a fairly good job at getting a pen tester closer to their target.

5. Stealth Scanning

Running a stealth scan involves sending a SYN packet and analyzing the response. If a SYN/ACK is received, it indicates the port is open, and you can open a TCP connection.

Keep in mind that a stealth scan never completes the 3-way handshake, so the target may face difficulty determining the scanning system.

Use the following command to run a stealth scan:

> nmap -sS scanme.nmap.org

6. Scan the Most Popular Ports

As the name suggests, this command auto-scans several 'most popular' ports of a host. This can come in handy for users who run Nmap on a home server.

You can use the following to execute this Nmap command:

> nmap --top-ports n 192.168.1.106

Replace the ‘n’ in the above command with the number of ports you want to scan. Nmap will quickly scan that many ports.

7. Output to a File

You can add an output option to your command if you want to write your Nmap scan results to a file.

Use one of the following options:

  • If you want to output the results to a text file: -oN output.txt
  • If you want to output the results to an XML file: -oX output.xml
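The XML output is the easiest format to process for recurring audits. The following is an added example, not part of the original article: it parses -oX output and reports open ports that differ from an expected baseline. The sample XML is constructed and trimmed to the elements used, and the baseline is a hypothetical one.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (trimmed to the elements used here).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX output.xml 192.168.1.106">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical baseline: the ports each host is expected to expose.
BASELINE = {"192.168.1.106": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}

def open_ports(xml_text):
    """Map each host's IPv4 address to its set of open (protocol, port) pairs."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr.get("addr")] = ports
    return result

def drift(scan, baseline):
    """Return (unexpected, missing) open ports per host relative to the baseline."""
    report = {}
    for host in sorted(set(scan) | set(baseline)):
        seen, expected = scan.get(host, set()), baseline.get(host, set())
        if seen != expected:
            report[host] = (sorted(seen - expected), sorted(expected - seen))
    return report

if __name__ == "__main__":
    for host, (unexpected, missing) in drift(open_ports(SAMPLE_XML), BASELINE).items():
        print(host, "unexpected:", unexpected, "no longer open:", missing)
```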

8. Disable DNS Name Resolution

You can speed up your Nmap scan with the -n parameter, which disables reverse DNS resolution. We highly recommend this when scanning a large network.

Let us explain how this Nmap command works using an example.

Suppose you want to turn off DNS resolution for the basic ping scan. To do this, you’ll have to add -n.

Here’s how you can run the command:

> nmap -sn -n 192.100.1.1/24

Concluding Thoughts

Learning Nmap can significantly amp up your network security, more so when used alongside other cybersecurity tools.

It assures you a quick, efficient way to perform frequent network audits that keeps hackers at bay while simultaneously improving your knowledge about your own network. You can also scan and uncover essential information concerning your host, ports, firewall, and OS, which can help network administrators do their job more effectively.

Take immediate steps to strengthen your network security posture as a whole.