Nmap: The Network Mapper

What is Nmap? Why you need this network mapper

Anjali Prakash
10 min read · Feb 2, 2020

What is Nmap?

Nmap, short for Network Mapper, is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify what devices are running on their systems, discover hosts that are available and the services they offer, find open ports and detect security risks. Nmap is therefore a multipurpose tool, and it can be run on many different operating systems including Windows, Linux, BSD, and Mac. Nmap is a very powerful utility that can be used to:

  • Detect the live host on the network (host discovery)
  • Detect the open ports on the host (port discovery or enumeration)
  • Detect the software and its version on each open port (service discovery)
  • Detect the operating system, hardware address, and the software version
  • Detect the vulnerability and security holes (Nmap scripts)

Nmap is a very common tool, and it is available for both the command line interface and the graphical user interface.

Various TCP/IP protocols

  1. Application layer: FTP, HTTP, SNMP, BOOTP, DHCP
  2. Transport layer: TCP, UDP, ICMP, IGMP
  3. Network layer: ARP, IP, RARP
  4. Data link layer: SLIP, PPP

NMAP Scan Types:

SYN SCAN
This is the default scan and is good for most purposes. It is quieter than a TCP Connect scan, that is, it won’t show up on most simple logs. It works by sending a single TCP SYN packet to each possible port. If it gets a SYN ACK packet back, then Nmap knows there is a service running there. If it doesn’t get a response, it assumes the port is closed. The SYN scan does not complete the TCP handshake by sending an ACK back to the machine; as far as the scanee is concerned, it never sees a valid connection. However, the remote system will hold this “half socket” open until it times out from not receiving a response.

TCP Connect
This works much like the SYN scan, except it completes the full TCP handshake and makes a full connection. This scan is not only noisy but also puts more load on the machines being scanned and the network. However, if stealth or bandwidth is not an issue, a Connect scan is sometimes more accurate than the SYN scan. Also, if you don’t have administrator or root privileges on the Nmap machine, you won’t be able to run anything other than a Connect scan because the specially crafted packets for other scans require low-level OS access.

UDP Scan
This scan checks to see if there are any UDP ports listening. Since UDP does not respond with a positive acknowledgment like TCP and only responds to an incoming UDP packet when the port is closed, this type of scan can sometimes show false positives. However, it can also reveal Trojan horses running on high UDP ports and hidden RPC services. It may be quite slow, since some machines intentionally slow down responses to this kind of traffic to avoid being overwhelmed. Machines running Windows OS, however, do not implement this slowdown feature, so you should be able to use UDP to scan Windows hosts normally.

NULL Scan
Another very stealthy scan that sets all the TCP header flags to off or null. This is not normally a valid packet and some hosts will not know what to do with this. Windows operating systems are in this group, and scanning them with NULL scans will produce unreliable results. However, for non-Windows servers protected by a firewall, this can be a way to get through.

XMAS Scan
Similar to the NULL scan except all the flags in the TCP header are set to on. Windows machines won’t respond to this due to the way their TCP stack is implemented. Xmas scans derive their name from the set of flags that are turned on within a packet. These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header.

Bounce Scan
This tricky scan uses a loophole in the FTP protocol to “bounce” the scan packets off an FTP server and onto an internal network that would normally not be accessible. If you have the IP address of an FTP server that is attached to the local LAN, you may be able to breach the firewall and scan internal machines. It’s a good idea to test to see if your network is vulnerable to this exploit. Most current FTP servers have fixed this security hole. Note: You must input a valid FTP server that would have access to the network in addition to the IP addresses to be scanned.

Window Scan
This scan relies on an anomaly in the responses to ACK packets in some operating systems to reveal ports that are supposed to be filtered. Operating systems that are known to be vulnerable to this kind of scan include some versions of AIX, Amiga, BeOS, BSDI, Cray, DG/UX, Digital UNIX, FreeBSD, HP/UX, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, OpenVMS, OS/2, QNX, Rhapsody, SunOS 4.X, Tru64 UNIX, Ultrix, VAX, and VxWorks.

Idle Scan
This type of scan is a new feature for Nmap version 3.0. It is a super stealthy method whereby the scan packets are bounced off an external host. You don’t need to have control over the other host, but it does have to be set up to meet certain requirements. You must input the IP address of your “zombie” host and what port number to use. It is one of the more controversial options in Nmap since it really only has a use for malicious attacks.

1. Nmap Command to Scan for Open Ports

When scanning hosts, Nmap commands can use server names, IPv4 addresses or IPv6 addresses. A basic Nmap command will produce information about the given host.

nmap subdomain.server.com

Without flags, as written above, Nmap reveals open services and ports on the given host or hosts.

nmap 192.168.0.1

Nmap can reveal open services and ports by IP address as well as by domain name.

nmap -F 192.168.0.1

If you need to perform a scan quickly, you can use the “-F” flag. The “-F” flag scans only the ports listed in the nmap-services file. Because the -F “Fast Scan” flag does not scan as many ports, it isn’t as thorough.

2. Scan Multiple Hosts

Nmap can scan multiple locations at once rather than scanning a single host at a time. This is useful for more extensive network infrastructures. There are several ways to scan numerous locations at once, depending on how many locations you need to examine.

nmap 192.168.0.1 192.168.0.2 192.168.0.3

Add multiple domains or multiple IP addresses in a row to scan multiple hosts at the same time.

nmap 192.168.0.*

Use the * wildcard to scan an entire subnet at once.

nmap 192.168.0.1,2,3

Separate different address endings with commas rather than typing out the entire IP address.

nmap 192.168.0.1-4

Use a hyphen to scan a range of IP addresses.

3. Excluding Hosts from Search

When scanning a network, you may want to select an entire group (such as a whole subnet) while excluding a single host.

nmap 192.168.0.* --exclude 192.168.0.2

You can exclude certain hosts from your search using the --exclude flag.

nmap 192.168.0.* --excludefile /file.txt

You can also exclude a list of hosts from your search using the --excludefile flag and pointing it at a specific file. This is the easiest way to exclude multiple hosts from your search.

4. Scan to Find out OS Information

In addition to general information, Nmap can also provide operating system detection, script scanning, traceroute, and version detection. It’s important to note that Nmap will do its best to identify things like operating systems and versions, but it may not always be entirely accurate.

nmap -A 192.168.0.1

By adding the -A flag to your Nmap command, you can discover the operating system information of the hosts that are mapped. The -A flag can be used in combination with other Nmap commands.

nmap -O 192.168.0.1

Using the -O flag on your Nmap command will reveal further operating system information of the mapped hosts. The -O flag enables OS detection. Additional flags include --osscan-limit and --osscan-guess.

The “--osscan-limit” flag will only guess easy operating system targets. The “--osscan-guess” flag will be more aggressive about guessing operating systems. Again, operating systems are detected based on certain hallmarks: it isn’t a certainty that the information is accurate.

5. Scan to Detect Firewall Settings

Detecting firewall settings can be useful during penetration testing and vulnerability scans. Several functions can be used to detect firewall settings across the given hosts, but the -sA flag is the most common.

nmap -sA 192.168.0.1

Using the -sA flag will let you know whether a firewall is active on the host. This uses an ACK scan to receive the information.

6. Find Information About Service Versions

At times, you may need to detect service and version information from open ports. This is useful for troubleshooting, scanning for vulnerabilities, or locating services that need to be updated.

nmap -sV 192.168.0.1

This will give you the necessary information regarding the services across the given host.

You can use --version-intensity “level” from 0 to 9 to determine the intensity level of this search. You can also use --version-trace to show more detailed information of the scan if the scan does not come out with the results that you would ordinarily expect.

7. Scan for Ports

Port scanning is one of the basic utilities that Nmap offers and consequently, there are a few ways that this command can be customized.

nmap -p 444 192.168.0.1

With the “-p” flag followed by a port, you can scan for information regarding a specific port on a host.

nmap -p T:8888,443 192.168.0.1

By adding a port type prefix before the port list (T: in this example), you can scan for information regarding a specific type of connection.

nmap -p 80,443 192.168.0.1

You can scan for multiple ports with the -p flag by separating them with a comma.

nmap -p 80-443 192.168.0.1

You can also scan for multiple ports with the -p flag by marking a range with the hyphen. To scan ports in order rather than randomly, add the flag “-r” to the command.

You can also use the command “--top-ports” followed by a number to find the most common ports, up to that amount.

8. Complete a Scan in Stealth Mode

If it is necessary to complete a stealthy scan, use the Nmap command:

nmap -sS 192.168.0.1

Using the “-sS” flag will initiate a stealth scan with TCP SYN. The “-sS” flag can be used in conjunction with other types of Nmap commands. However, this type of scan is slower and may not be as aggressive as other options.

9. Identify Host names

There are a few ways you can implement host discovery through Nmap. The most common is -sL. For example:

nmap -sL 192.168.0.1

The “-sL” flag will find the hostnames for the given hosts, completing a DNS query for each one. Additionally, the “-n” flag can be used to skip DNS resolution, while the “-R” flag can be used to always resolve DNS. The “-Pn” flag will skip host discovery entirely, instead treating all hosts as though they are online.

10. Scan from a File

If you have a long list of addresses that you need to scan, you can import a file directly through the command line.

nmap -iL /file.txt

This will produce a scan for the given IP addresses. In addition to scanning those IP addresses, you can also add other commands and flags. This is useful if there is a set of hosts that you often need to reference.

11. Get More Information with Verbose

Verbose output generally gives you far more information regarding a command. Sometimes this output is unnecessary. However, if you’re debugging a particularly tricky situation or you want more information, you can set the given command to verbose mode.

nmap -v 192.168.0.1

The “-v” flag will provide additional information about a completed scan. It can be added to most commands to give more information. Without the “-v” flag, Nmap will generally return only the critical information available.

12. Scan IPv6 Addresses

IPv6 is becoming more commonplace, and Nmap supports it just as it supports domains and older IP addresses. IPv6 works with any of the available Nmap commands. But, a flag is required to tell Nmap that an IPv6 address is being referenced.

nmap -6 ::ffff:c0a8:1

Use the -6 command with other flags and commands to perform more complicated Nmap functions with IPv6.

13. Scan to See Which Servers are Active

One of the simplest abilities of Nmap is the ability to ping active machines. The “-sP” command locates machines, makes sure that machines are responding, or identifies unexpected machines across a network.

nmap -sP 192.168.0.0/24

The “-sP” command will produce a list of which machines are active and available.

14. Find Host Interfaces, Routes, and Packets

It may become necessary to print host interfaces and routes in order to debug.

To do this, use the --iflist command:

nmap --iflist

The “--iflist” command will produce a list of the relevant interfaces and routes.

nmap --packet-trace

Similarly, “--packet-trace” will show packets sent and received, providing similar value for debugging.

15. Aggressive Scans and Timings

Sometimes you may need to scan more aggressively or want to run a quick scan. You can control this through the use of the timing mechanisms. In Nmap, timing controls both the speed and the depth of the scan.

nmap -T5 192.168.0.1

An aggressive scan is going to be faster, but it also could be more disruptive and also inaccurate. There are other options such as T1, T2, T3, and T4 scans. For most scans, T3 and T4 timings will be sufficient.

16. Get Some Help

If you have any questions about Nmap or any of the given commands, you can use a tag to get context-based information.

nmap -h

The -h tag will show the help screen for Nmap commands, including giving information regarding the available flags.

17. Create Decoys While Scanning

Nmap can also be used to create decoys, which are intended to fool firewalls. While decoys can be used for nefarious purposes, they are generally used to debug.

nmap -D 192.168.0.1,192.168.0.2,...

When using the -D command, you can follow the command with a list of decoy addresses. These decoy addresses will also show as though they are scanning the network, to obfuscate the scan that is actually being done.

Similarly, it’s possible to use commands such as “--spoof-mac” to spoof an Nmap MAC address, as well as the command “-S” to spoof a source address.

Key Takeaways

With the right Nmap commands, you can quickly find out information about ports, routes, and firewalls.

Nmap has several settings and flags for a system administrator to explore. In addition to being able to run in a cloaked mode, initiate decoys, and aggressively and quickly scan for potential vulnerabilities

That’s it.

Thanks for reading.

Hope you like it. If you have any queries, feel free to contact me through LinkedIn :) :)
