Subscribe to the feed

Nmap, which stands for "Network Mapper," is an open source tool that lets you perform scans on local and remote networks. Nmap is very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. The tool is used by network administrators to inventory network devices, monitor remote host status, save the scan results for later use, and so on.

[ Just getting started with networking? Check out the Linux networking cheat sheet. ]

The Nmap suite includes an advanced graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Why use Nmap?

Besides being free, Nmap is very flexible, portable, well-documented, and easy to use. In the following post, we'll walk you through on how to install Nmap, use it, and, most important, get more to know about your network.

Installing Nmap

To install Nmap on Red Hat Enterprise Linux 8 or Fedora, you'd run:

# dnf -y install nmap

Substitute dnf for yum if you are on Red Hat Enterprise Linux 7 or newer. After installing Nmap, you can run the nmap command without arguments to display all of its options. You also should consult the Nmap man page by running man nmap.

Using Nmap

Let's assume your local network is 192.168.0.0/24, and you want to run a scan on this network. Running a scan without any argument except the network address yields the following:

# nmap 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:00 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.0046s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1900/tcp  open  upnp
20005/tcp open  btx
MAC Address: 50:ff:BF:ff:ff:AC (Tp-link Technologies)

Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.013s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE0
80/tcp open  http
MAC Address: B8:dd:A0:dd:dd:C2 (Resideo)
Multiple networks can be scanned at once. For example
nmap 192.168.0.0/24 10.80.0.0/24

Multiple networks can be scanned at once. For example:

# nmap 192.168.0.0/24 10.80.0.0/24

If we want to run a quick scan of machines in our network without trying to see if any port is open, we run:

# nmap -sn 192.168.0.0/24

The output of the above command produces something like:

# nmap -sn 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:24 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.016s latency).
MAC Address: 50:C7:FF:FF:15:FF (Tp-link Technologies)
Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.96s latency).
MAC Address: B8:FF:FF:11:FF:C2 (Resideo)
MAC Address: 88:DD:EA:DD:CE:37 (Texas Instruments)
Nmap scan report for SoundTouch-Kitchen.lan (192.168.0.160)
Host is up (0.39s latency).
MAC Address: 5C:DD:DD:FF:FF:B5 (Texas Instruments)
Nmap scan report for 192.168.0.181
Host is up (0.60s latency).
MAC Address: 40:DD:DD:8F:FF:F5 (Asustek Computer)
Nmap scan report for TL-WPA4220.lan (192.168.0.225)
Host is up (0.61s latency).
MAC Address: 50:DD:FF:AA:DD:BA (Tp-link Technologies)
Nmap scan report for f3d0r4.lan (192.168.0.165)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 9.11 seconds

Mind you that -sn was known as -sP in the previous versions of Nmap. The use of -sP is still backward compatible and should work in the recent versions of Nmap.

[ Free eBook: Manage your Linux environment for success. ]

While Nmap man pages are well-written and provide many examples, there are specific things you won't find in the man pages. For example, what if we wanted to store IP addresses from the above output to a file? This is something specific and does not belong in the man pages of Nmap. We have to parse the output ourselves and extract IP addresses only.

For example:

# nmap -sn 192.168.0.0/24 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'

Nmap offers many other options to save the scan output to different formats.

For example:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,  and Grepable format, respectively, to the given filename.

So running:

# nmap -sn 192.168.0.0/24 -oG nmap_output

produces the following output:

# cat nmap_output
# Nmap 7.80 scan initiated Fri Mar  6 22:01:57 2020 as: nmap -sn -oG nmap_output 192.168.0.0/24
Host: 192.168.0.1 (Archer.lan)    Status: Up
Host: 192.168.0.101 (Lyric-1111C2.lan)    Status: Up
Host: 192.168.0.151 (SoundTouch-VW-benee.lan)    Status: Up
Host: 192.168.0.160 (SoundTouch-VW-keuken.lan)    Status: Up
Host: 192.168.0.181 ()    Status: Up
Host: 192.168.0.225 (TL-WPA4220.lan)    Status: Up
Host: 192.168.0.165 (f3d0r4.lan)    Status: Up
# Nmap done at Fri Mar  6 22:02:06 2020 -- 256 IP addresses (7 hosts up) scanned in 9.45 seconds

Scanning specific ports

Nmap has the option to scan specific ports on specific targets. If we were interested in checking the state of ports 22 and 443 (which by default use the TCP protocol), we'd run the following:

# nmap -sV -p 22,443 192.168.0.0/24

If you are unsure what -sV does, just run:

# nmap | grep -- -sV

The above command displays the ports regardless of their state: open, closed, filtered, etc. Most of the time, we're interested in open ports, and so we can add the –open flag to achieve this. We'll slightly modify the above command and run:

# nmap -sV -p 22,443 192.168.0.0/24 –open

Instead of using a comma to specify a port, it is also possible to use a range of ports, which is much more flexible and easier to read. For example:

# nmap -p 54-111 192.168.0.0/24

[Cheat sheet: Old Linux commands and their modern replacements ]

Advanced Nmap scanning

Now we know the basics of Nmap and its capabilities. Let's move to a more advanced approach to scanning targets, getting more information from a target, and using packet-tracing.

Tracing a packet on a single IP

At the moment of writing, I am connected to my server via SSH. To demonstrate how packet tracing is done using Nmap and what the output of such a trace looks like we are going to use the following Nmap syntax to produce the following output:

# nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 23:14 CET
Initiating Ping Scan at 23:14
Scanning 192.168.2.3 [1 port]
SENT (0.0282s) ICMP [192.168.0.165 > 192.168.2.3 Echo request (type=8/code=0) id=8524 seq=0] IP [ttl=43 id=25141 iplen=28 ]
RCVD (0.0336s) ICMP [192.168.2.3 > 192.168.0.165 Echo reply (type=0/code=0) id=8524 seq=0] IP [ttl=63 id=27840 iplen=28 ]
Completed Ping Scan at 23:14, 0.03s elapsed (1 total hosts)
Nmap scan report for 192.168.2.3
Host is up, received echo-reply ttl 63 (0.0055s latency).
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

The above flags have the following meanings:

  • -vv (Increase verbosity)
  • -n (No DNS resolution. This speeds up our scan!)
  • -sn (No port scan)
  • -PE (Use ICMP echo request queries. This is what is displayed in the output above)
  • -T4 (prohibits the dynamic scan delay from exceeding 10 ms for TCP ports. See man nmap).
  • --packet-trace (Trace sent and received packets)

Using recursive DNS proxies for a stealth scan on a target

By default, Nmap runs an rDNS (reverse-DNS) resolution on any responsive host. Let's see if we can gather some information about a specific network and remain anonymous. The anonymous part is because we'll use public DNS servers, namely 8.8.4.4 and 8.8.8.8, to perform the recursive query.

[ Network getting out of control? Check out Network automation for everyone, a free eBook from Red Hat. ]

First, we resolve redhat.com using Google's public DNS server, which results in the following:

# host redhat.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

redhat.com has address 209.132.183.105
redhat.com mail is handled by 10 us-smtp-inbound-2.mimecast.com.
redhat.com mail is handled by 10 us-smtp-inbound-1.mimecast.com.

Second, let's run a stealth list scan -sL on the IP address 209.132.183.105.

# nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 00:22 CET
Nmap scan report for network (209.132.183.0)
Nmap scan report for elvis.redhat.com (209.132.183.1)
Nmap scan report for ns2.redhat.com (209.132.183.2)
Nmap scan report for ovpn-phx2.redhat.com (209.132.183.3)
Nmap scan report for mimecast-mx01.redhat.com (209.132.183.4)
Nmap scan report for selfservice.redhat.com (209.132.183.5)
Nmap scan report for unused (209.132.183.6)
Nmap scan report for unused (209.132.183.7)
Nmap scan report for siperimeter.redhat.com (209.132.183.8)
< –----- >
< –----- >
< –----- >

We're able to obtain a lot of information about specific networks by using just a few simple techniques.

NSE scripts

As mentioned earlier, Nmap is equipped with many advanced features, one of which is NSE (Nmap Scripting Engine) scripts.  Using NSE scripts with Nmap allows you to scan different hosts and find vulnerabilities in services running on the host and possibly log in by brute-forcing these services.

The use of NSE script syntax is as follows:

# nmap --script="name_of_script" --script-args="argument=arg" target

Now, you are probably wondering where to find these NSE scripts and how to know what script uses what arguments. Start by running man nmap. You can also jump straight away to the right section, i.e.:

# PAGER='less "+/NMAP SCRIPTING ENGINE"' man nmap

The available NSE scripts you can pass to Nmap are located at:

/usr/share/nmap/scripts/

You can also locate the NSE scripts by running:

# dnf -y install mlocate ; updatedb ; locate nmap/scripts

Now that we know where NSE scripts are located let's see how we can use these scripts to get some information about a target that's running a web server.

See if a WAF protects a website

A Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap, we can detect if a website is protected by such a WAF.  The following displays the usage of an NSE script and its arguments:

# nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.slimmer.ai
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:38 CET
Nmap scan report for www.slimmer.ai (172.104.131.188)
Host is up (0.023s latency).
rDNS record for 172.104.131.188: li1647-188.members.linode.com

PORT    STATE SERVICE
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_www.slimmer.ai:443/?p4yl04d=id;uname%20-a

Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds

As shown above, a Web Application Firewall protects the target website.

More NSE scripts

Once again, Nmap is often used by system administrators to inventory their environment, discover weaknesses in their network, and so protect their systems from intruders. Intruders, on the other hand, can do the same to explore a remote system and try to gather as much information as possible about such a system.

Assume that some unauthorized person has scanned your network and found a few open ports/services. This person could then pass some NSE scripts to Nmap and see if these services are vulnerable. Here is what is going to happen:

# nmap -Pn -sV --script=vulners 37.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:41 CET
Nmap scan report for some.domain.nl (37.xx.xx.xx)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|         CVE-2018-15919    5.0    https://vulners.com/cve/CVE-2018-15919
|_        CVE-2017-15906    5.0    https://vulners.com/cve/CVE-2017-15906
25/tcp open  smtp    Postfix smtpd
Service Info: Host: some.domain.nlService detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

We can see that the remote system is running OpenSSH 7.4. Nmap queried public vulnerability databases and found the known CVE's.

Wrap up

Nmap is a very powerful system inventory and port scanning tool that can be used for good and bad purposes. It depends on which hat you are wearing. The best way to learn Nmap is to read man pages, use examples shown in the man pages, and experiment with the NSE scripts. Also, try Zenmap. If you are interested in knowing more about port scanning and the science behind it, see the Nmap documentation.


About the author

Valentin is a system engineer with more than six years of experience in networking, storage, high-performing clusters, and automation.

He is involved in different open source projects like bash, Fedora, Ceph, FreeBSD and is a member of Red Hat Accelerators.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech