Nmap is a widely used free network discovery tool used by network administrators to map their networks. It can also be used to can be used to ping sweeps, perform port scanning, do OS detection and find live hosts on a network.
Nmap should ideally be used as part of an integrated Data Security because several new cyberattacks have seemed to focus attention on the type of network auditing that Nmap offers. This article will look at what Nmap is, what it can do, and explain how to use the most common commands.
What is Nmap?
Nmap is a network mapper that uses IP packets to provide detailed, real-time information on the devices connected to a network and the operating systems. Nmap is used primarily via a command-line interface and GUI and is available for several operating systems.
This scanning tool was developed for enterprise-scale networks and can scan thousands of connected devices on a network. In recent years Nmap is being used more by smaller companies.
With the rise of the IoT, Nmap is now used by these companies as a website monitoring tool to audit the traffic between web servers and IoT devices. Besides its ability to identify connected devices, it also highlights any potentially harmful devices. Now let us look into what exactly is it that Nmap does.
What Does Nmap Do?
Here are three primary uses of Nmap and the types of uses it has:
Nmap scans and provides you detailed information on every IP active on your networks. This allows system administrators to check the legitimacy of an IP
Nmap provides a list of live hosts, open ports, and the OS of every connected device. It gives information on your network as a whole. This makes it a valuable tool in pentesting to probe and repair network vulnerabilities.
Another thing Nmap does is protect personal and business websites. As a scanning tool, Nmap will discover versions of running services, operating systems, web servers, and more.
How To Use Nmap
Nmap is easy to use, and it brings a wide range of these tools into one program. To effectively use Nmap, you need to be familiar with command-line interfaces. Before we go into the Nmap commands and functions, let us understand how to install Nmap on different operating systems.
How To Install Nmap
The process for installing Nmap varies according to the operating system. Here is how to install Nmap for Windows, Mac, and Linux versions of the program.
How to install Nmap on windows
Here are the steps to install Nmap on Windows:
- Nmap has a custom installer:
Go to https://nmap.org/download.html and download the custom installer
download nmap windows
2.Run this installer: Run the downloaded .exe file.
A License Agreement window will open.
Click “I Agree.”
install nmap windows 1
3.Select components to install. The Zenmap GUI is installed for you by default
4. Select the Destination Folder and click Install:
5. You should complete the installation in minutes.
Nmap works on Windows 7 and newer. However, the Windows port is not as efficient as on Linux. Here are some reasons:
- You cannot scan your machine from itself using any of its registered IP addresses
- Only Ethernet interfaces are supported for raw packet scans.
- Scans like TCP connect scan are slower than on Linux.
How to install Nmap on Mac
On Mac, Nmap also has a dedicated installer. The easiest way to install Nmap and Zenmap on Mac OS X is to use the installer. To launch the installer, run the nmap-<version>mpkg file. Newer macOS versions will bring up a warning that Nmap is an “unidentified developer,” but you can ignore it.
Here are the steps to install Nmap on MacOS:
- Download the file nmap-<version>.dmg.
- Double-click the icon to open it, or it may open automatically
- Inside the disk image, you will see a meta-package file named nmap-<version>.mpkg.
- Open it to launch the installer.
- On OS X 10.8 version and later, you may see something like this:
Apple Gatekeeper block screen
6. Once you see this, right-click or control-click on the .mpkg file
7. Click the “Open” button as shown below:
Apple Gatekeeper Open menu
8. A similar screen will pop up but this time, it has the “Open” button. Click it to continue.
Apple Gatekeeper Open screen
9. Follow the instructions in the installer.
10. You will need to input your password as Nmap installs in a system directory.
11. Once the installer is finished, click “Eject” to eject the disk image.
Now Nmap has been installed.
Mac OS X 10.5 or later will install Nmap by the installer. However, earlier versions will need to use a third-party package.
Third-party packages install Nmap by using a system that packages Unix software for Mac OS X, such as Fink and MacPorts.
To install using Fink,
- run the command: fink install nmap
- Nmap will be installed as /sw/bin/nmap
- To uninstall, use the command:
fink remove nmap
To install using MacPorts,
- run sudo port install nmap.
- Nmap will be installed as /opt/local/bin/nmap.
- To uninstall, run:
sudo port uninstall nmap.
These systems install the nmap executable outside the global PATH. To enable Zenmap to find it, set the nmap_command_path variable in zenmap.conf to /sw/bin/nmap or /opt/local/bin/nmap
How to install Nmap on Linux
Linux users can either compile Nmap from the source or use their chosen package manager. You can run sudo apt-get install nmap to install it and nmap –version to check if installed and the version.
How to Install Nmap on Debian / Ubuntu:
- Type the following command:
sudo apt-get install nmap
- Confirm the installation by typing y.
Command to install nmap on ubuntu and debian
- After installation, confirm the version by entering:
Here, the nmap version is 7.60
How to Install Nmap on CentOS / RHEL
- Type the following command:
sudo yum install nmap
Command to install nmap on CentOS and RHEL based systems.
- Confirm the installation by typing y.
Confirming the installation of Nmap by selecting y
- Once completed, confirm the version of Nmap by entering:
Nmap version 6.40
Nmap Commands and Functions
Most Nmap functions can be executed using a single command, and there are also several ‘shortcut’ commands that advanced users use to automate tasks. Here are the Nmap commands:
1. Ping Scanning
A ping scan provides information on the active IP addresses on your network. It identifies all of the IP addresses currently online without sending any packets to these hosts.
How To Run a Ping Scan
To run a ping scan, run this command:
# nmap -sp 220.127.116.11/24
This returns a list of hosts and assigned IP addresses. If you spot any unfamiliar hosts or IP addresses on the list, you can then run further commands to probe them.
2. Port Scanning
Port scanning can be done through the following.
- TCP SYN scan
- TCP connect scan
- UDP scan
- SCTP INIT scan
- TCP NULL scan
The significant differences among these types of scans are whether they execute a TCP connection and cover UDP ports. We will cover these Nmap scan types in much detail later in the article. Keep reading.
3. Host Scanning
A host scan sends ARP request packets to all the hosts connected to your network, unlike a ping scan. The response then comes with another ARP packet containing its status and MAC address. Host scanning usually returns more detailed information on IP addresses than a ping scan.
How To Run A Host Scan
To run a host scan, use the below command:
# nmap -sp <target IP range>
This is a powerful way to detect suspicious hosts connected to your network. If you notice anything unusual, you can then run a DNS query on a specific host by using:
# namp -sL <IP address>
This returns the names of the scanned IP addresses and a description of what they are meant for.
4. OS Scanning
Here, Nmap sends TCP and UDP packets to a particular port and then analyzes its response. This response is analyzed against a database of 2600 operating systems, and then it returns information on the OS of a host.
To run an OS scan, use:
nmap -O <target IP>
5. Scan The Most Popular Ports
This command is useful when running Nmap on a home server. It scans a host’s most ‘popular’ ports. To run the command, use:
nmap –top-ports 20 192.168.1.106
Replace the “20” with the number of ports you want to scan. Nmap then returns a detailed output of the most common ports and any unnecessarily open ports.
6. Output to a File
To have the Nmap results in a file, you can add these extensions to your commands.
To output the results to a text file, use:
To output to an XML, use this:
7. Disable DNS Name Resolution
Disabling DNS Name Resolution helps to speed up Nmap scans. This can be very useful when scanning an extensive network. This is done by using the -n parameter.
The command will look something like this:
# nmap -sp -n 18.104.22.168/24
Nmap Scan Types
Here are the scan types that can be performed using Nmap.
TCP SYN SCAN
TCP SYN scan is the simplest of all, and this gives most users all the information they need. It doesn’t complete a TCP connection and scans thousands of ports per second without being detected.
A TCP scan checks the connection between you and a chosen target system. A TCP scan is easily detectable because the services can log the sender’s IP address, triggering the Intrusion Detection Systems (IDS).
This is a form of TCP scan, but Nmap creates a syn packet, which is first sent to establish a TCP connection, unlike a normal TCP scan. Nmap then analyzes the responses sent back to these syn packets to produce scan results. No real connection is formed.
TCP Connect SCAN
This is albeit a better alternative to SYN scan. It actively queries each host and requests a response. Though it takes longer than a SYN scan, it usually returns more reliable information.
The UDP scan works similarly to the TCP connect scan but uses UDP packets to scan DNS, SNMP, and DHCP ports. UDP scans are used to listen to and reveal compromised ports or even reveal hidden RPC services. Also, UDP scans are generally slow because machines, by default, slow down their responses to this type of traffic.
ACK scans check whether a particular port is filtered or not when probing firewalls. Simple packet filtering allows established connections (packets with the ACK bit set), while a more sophisticated firewall might not.
FIN SCAN is similar to the SYN scan but sends a TCP FIN packet instead. The FIN scan can show false negatives and positives as most computers will send an RST packet (reset packet) feedback.
RPC scans are used to discover devices that respond to Remote Procedure Call services (RPC). RPC service can run on several ports, so it’s difficult to determine from a routine scan whether RPC services are running or not. Therefore, it is advisable to run an RPC scan from time to time to determine where you have these services running.
SCTP INIT SCAN
The SCTP INIT scan avoids suspicion when scanning an external network because it doesn’t complete the whole SCTP process.
Null scans are extremely stealthy scans that set all the header fields to null. Generally, it can provide unreliable results on Windows OS when scanning with NULL. On the other hand, it is very effective on a non-Windows OS.
Like null scans, computers running on Windows OS will not respond to Xmas scans due to how their TCP stack is implemented. The scan gets its name from the flags turned on within the packet sent out for scanning.
The IDLE scan is the stealthiest and a very controversial option in Nmap as it is only used for malicious attacks.
What Are Some Nmap Alternatives?
Nmap alternatives mostly have niche-specific advantages.
MASSCAN: much faster than Nmap but provides minor detail.
Umit: lets you run multiple scans at once.
However, Nmap provides a complete package when used alongside tools like NetCat (to manage and control network traffic) and ZenMap, which we will discuss next.
Zenmap is the front-end GUI for Nmap that comes with the Nmap installation package. It is used to control Nmap from a user interface standpoint instead of running command lines.
One of the core uses of using Zenmap as the GUI front-end version is to save scanning profiles. With Zenmap, it is easy to configure profiles that will consist of performance options, scripts, ping options, scan targets, and of course, a profile to include customized scanning options.
You can create a new profile before starting a scan.
- Go to Profile> New Profile or Command.
You will see a default list of scan profiles. This is accompanied by the description and options for each selected Profile:
- Profile > Edit Selected Profile.
Zenmap Profile Editor
To launch the scan:
- Enter the target to be scanned.
- Select a scan profile
- Then, click ”Scan”.
The results will be shown in the ”Nmap Output’ tab once the scan is complete, with a further breakdown available in the other tabs: Scans, Host Details, Ports/Hosts, and Topology.
Zenmap Output Window
Go to the Ports/Hosts tab. You will find a detailed list of the target host of all the open ports.
Zenmap Ports Tab
Zenmap, as mentioned earlier, saves not just the scanning profile but also the history of your scans. This provides you the opportunity to compare and contrast two scans.
- To carry out this comparison, go to Tools > Compare Results.
Zenmap Compare Results
1. Is Nmap Legal?
When used appropriately, yes. Nmap protects your network from hackers because it allows you to spot open ports, outdated services and web server versions, and more in your information systems.
However, Using Nmap to scan external ports can lead to you being banned by your ISP, so do your research before doing anything on a large scale. I cannot stress this enough; you absolutely must have written permission from the site, system, or application owner before performing port scanning on those assets. Doing so will protect you from potential lawsuits and misuse of digital property and assets.
2. How do I install Zenmap on my Mac?
Here are the steps To Install Zenmap:
- Open Spotlight search using the “command + space” button and type “Terminal. “
- Then press the “return/enter” key.
- Now install Zenmap with the following command:
brew install –cask zenmap.
3. How does Nmap detect operating systems?
Nmap detects the operating system by sending a series of TCP and UDP packets to the remote host. The responses are examined with TCP ISN sampling, IP ID sampling, TCP options support, ordering, etc. Nmap analyzes the results to its nmap-os-db database and prints out the OS details if there is a match.
4. Is Nmap a vulnerability scanner?
Yes and no. Nmap is a tool mainly known for port scanning and OS discovery. It can however act as a lightweight vulnerability scanner using the scripting module built in. Network administrators and penetration testers use Nmap to get information about the devices running on their systems, finding open ports, and fishing out security risks, and recommending remediation for those risks.
Using Nmap protects you from hackers while also improving your knowledge of your network. Its functionality is also complemented when used alongside tools can dramatically improve your cybersecurity.