Expert troubleshooting skills are a must for sysadmins. Understanding how to identify and resolve problems that you come across is crucial to creating the best resolutions. Tools help you be successful in the quest for answers. Nmap is a helpful tool for security and IT professionals.
Without understanding what network ports are open, it would be impossible to assess a system's security. System administrators use Nmap to check if systems are online and help discover any problems in their network. You can also detect operating system versions, determine whether services are online, test embedded network stacks, and even identify aggressive network traffic.
Install Nmap
There are a few ways to install Nmap on Linux. With recent distributions, it is pretty simple to install. For example, on Red Hat Enterprise Linux, Fedora, and similar distributions, type:
$ sudo dnf install nmap
The most recent builds are always available from the source, which is available at Insecure.org, but many distros already have it installed and ready to use.
Next, I'll review some common ways system administrators use Nmap.
Run a default scan
Once you have Nmap installed and you've chosen your target, it's pretty straightforward from there. Here is a default scan:
$ nmap scanme.nmap.org
In the output you receive, the leftmost column displays the port number and protocol (for example, 22/tcp, 80/tcp, and so forth). This scan shows whether the port is open and what service is using it. Nmap can display more detailed information, such as the service version, but you must specify a service version scan to identify the actual service version.
Do a service version scan
Add the -sV flag to run a service version scan. The output will provide more details, like the patch versions of the services. This information is incredibly helpful for security assessments. Vulnerabilities are found in specific software versions, so having these granular details is beneficial from a defensive standpoint.
It's important to note that Nmap does not show all closed and open ports; by default, it displays only the top 1,000 ports because the output gets cluttered. You can increase the verbosity of the scan to show these details. The top ports displayed are not necessarily the first 1,000 ports but rather the most commonly open ones.
Log scans
Viewing the scan output is helpful, but what about longer-term assessments? Or for crazy long scans? That's where logging comes in.
Nmap supports three different logging formats: .xml, .nmap, and .gnmap. Gnmap stands for grepable Nmap. Each format has a different supporting flag, but you can simply use the -oA flag to get all output. It will automatically save all three file extensions:
$ nmap scanme.nmap.org -oA logbase
$ cat logbase.nmap | grep open
Specify scan ranges
Many sysadmins run services on high ports so that they are not detected through normal scans. But security through obscurity isn't the best way to go about it. To detect hosts on particular ports, specify a port with the -p flag.
For example, if you only want to scan port 80 on scanme.nmap.org, you can enter:
$ nmap -p 80 scanme.nmap.org
This flag works for port ranges as well. So, for example, if you want to scan all privileged ports (1- 1024), you can use:
$ nmap -p 1-1024 scanme.nmap.org
Another choice to consider is the --reason flag. You can use this to help determine how Nmap reached its conclusions. For example, it may show a SYN-ACK response to a SYN request. Since that service is attempting a three-way handshake, that verifies that something is listening.
Now that I've covered how to run Nmap on multiple ports, I'll discuss how to detect the host target using various methods, scan devices attempting to hide, and more.
Detect host targets
Because so many people attempt to hide their hosts from the internet, it's important to identify if hosts are online or offline. Nmap has several ways to determine this.
The easiest way is to run a ping sweep. You can run the ping command; however, running a sweep with Nmap allows for greater efficiency by using a larger network scope. You can use the -sn flag to run a ping-only sweep. Since it only runs ping and not a full port scan, it will show which hosts are online or offline.
Sometimes you may need to take the scan a bit further. As mentioned previously, some system administrators hide their systems from the internet by ignoring ping requests. Fortunately, Nmap supports an agnostic option for scanning systems, which the next section covers.
Run a ping agnostic scan
Normal Nmap scans run a ping sweep first and then check the specified ports (based on the ranges provided). If hosts do not respond to a ping, those systems will not be fully scanned—even if they are online! You can skip the ping sweep with the -Pn flag to run a full scan. This scan generally takes longer to run, but in the end, it's helpful to identify hosts that were missed originally. Run this scan with:
$ nmap -Pn -n scanme.net
It's also useful to use the -sL flag, which runs a simple list scan over the target ranges. This can be useful for reverse DNS lookups and to identify what hosts are in a specified range:
$ nmap 1.1.1.1 -sL
There is another useful feature of Nmap: a TCP SYN ping scan. In place of an ICMP ping, the TCP SYN ping can treat the target host as online if it responds to a SYN request on a specific port. For example, when scanning an IP block that normally runs web servers, using -PS 80 displays the hosts as online, so long as they respond on port 80.
Wrap up
Nmap is a powerful tool for most system administrators. Various ways to utilize the tool allow admins to work more quickly and efficiently. The better use you make of your troubleshooting skills, the quicker you will resolve issues effectively.
About the author
I currently work as a Cloud Support Supervisor for Acronis. I have worked with Linux and open source tools for a decade, constantly wanting to make new resolutions for obstacles and always training others on improving systems as a systems administrator. I've helped manage and maintain elaborate servers and websites over the years. In my spare time, I enjoy spending time with my dogs, reading, and playing video games.