Nmap is a network mapping tool which is one of the most popular free network discovery tools. Nmap is one of the main tools used by network administrators to create a map of their networks. It can be used to find active hosts on a network, perform port scanning, operating system detection, and version detection. In this guide, we’ll see what Nmap is, what it can do, and explain how to use the most common options.
Why nmap?
We have already mentioned that nmap is a network discovery tool. So what is network discovery? Simply put, network discovery is the process of discovering devices that are on the network. Network discovery is often used in large networks to discover their inner workings and connections. It also plays a crucial role in cybersecurity. Why is network discovery important in security? A malicious hacker will always start with a phase of information gathering about a target network or system. Their goal is to discover:
- What devices are in the network?
- Which ports are open to the outside?
- What programs/services are running on these open ports?
- Which program has a vulnerability that the hacker can exploit?
How are we going to defend our system against such threats? By playing the hackers game against them.
Nmap Commands
You can find a complete installation guide for each operating system at nmap.org. Once you’ve installed Nmap, the best way to learn how to use it is to perform some basic network scans.
Running a simple Nmap help command will show you the basic structures and all available options:
$ nmap -h
One of Nmap’s most basic functions is to identify active hosts on a network. Nmap does this by running a ping scan. This identifies all IP addresses that are currently online. To run a ping scan, run the following command:
$ nmap -sn 192.168.0.1/24
Like host discovery, Nmap offers many options for scanning ports. This is the next step in the network discovery process. This is the most crucial stage of reconnaissance. Let’s look at some examples:
$ nmap -p 21,22,80,443 scanme.nmap.org
You can have Nmap automatically scan a number of the most “popular” ports for a host. You can run this using the following command:
$ nmap --top-ports 10 scanme.nmap.org
Replace the “10” with the number of ports to scan, and Nmap quickly scans that number of ports. It returns a concise output that details the status of the most common ports, allowing you to quickly see if you have unnecessarily open ports.
We can find out more about services running on ports with Nmap’s service detection option. Service detection is enabled by the -sV flag. We know that scanme.nmap.org has port 22 open and is running ssh service. We will try to detect the ssh version:
$ nmap -sV -p 22 scanme.nmap.org
A special feature of Nmap is that it can analyze the TCP/IP stack and cross-reference the fingerprint with its database of different operating systems. Operating system detection can provide useful information about the system to be attacked with hidden identity and many more.
Let’s run an OS detection with the flag -O on scanme.nmap.org:
$ nmap -O scanme.nmap.org
The output shows some of Nmap’s guesses and their possibility of being true.
If you want to save the results of your Nmap scans to a file, you can add an option to your commands. Just add:
-oN output.txt
To your command to output the results to a text file, or:
-oX output.xml
To output to an XML, or:
-oG output.txt
To output to a grep friendly format.
Conclusion
The above commands cover most basic Nmap functionality. Taking the time to learn Nmap can dramatically increase the security of your networks. The program offers a quick and efficient way to audit your systems. Even the basic features offered by the program - such as the ability to perform a port scan - can help quickly reveal any suspicious devices active on your network.
Using Nmap to perform frequent network audits can help you avoid becoming easy prey for hackers, while improving your knowledge of your own network.