Posted: March 31, 2020 | | by Valentin Bajrami (Sudoer alumni)
Image
Nmap, which stands for "Network Mapper," is an open source tool that lets you perform scans on local and remote networks. Nmapis very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. The tool is used by network administrators to inventory network devices, monitor remote host status, save the scan results for later use, and so on.
[ Just getting started with networking? Check out the Linux networking cheat sheet. ]
The Nmap suite includes an advanced graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Skip to bottom of list
Why use Nmap?
Besides being free, Nmap is very flexible, portable, well-documented, and easy to use. In the following post, we'll walk you through on how to install Nmap, use it, and, most important, get more to know about your network.
Installing Nmap
To install Nmap on Red Hat Enterprise Linux 8 or Fedora, you'd run:
# dnf -y install nmapSubstitute dnf for yum if you are on Red Hat Enterprise Linux7 or newer. After installing Nmap, you can run the nmap command without arguments to display all of its options. You also should consult the Nmap man page by running man nmap.
Using Nmap
Let's assume your local network is 192.168.0.0/24, and you want to run a scan on this network. Running a scan without any argument except the network address yields the following:
# nmap 192.168.0.0/24Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:00 CETNmap scan report for Archer.lan (192.168.0.1)Host is up (0.0046s latency).Not shown: 995 closed portsPORT STATE SERVICE22/tcp open ssh53/tcp open domain80/tcp open http1900/tcp open upnp20005/tcp open btxMAC Address: 50:ff:BF:ff:ff:AC (Tp-link Technologies)Nmap scan report for Lyric-1111C2.lan (192.168.0.101)Host is up (0.013s latency).Not shown: 999 closed portsPORT STATE SERVICE080/tcp open httpMAC Address: B8:dd:A0:dd:dd:C2 (Resideo)Multiple networks can be scanned at once. For examplenmap 192.168.0.0/24 10.80.0.0/24Multiple networks can be scanned at once. For example:
# nmap 192.168.0.0/24 10.80.0.0/24If we want to run a quick scan of machines in our network without trying to see if any port is open, we run:
# nmap -sn 192.168.0.0/24The output of the above command produces something like:
# nmap -sn 192.168.0.0/24Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:24 CETNmap scan report for Archer.lan (192.168.0.1)Host is up (0.016s latency).MAC Address: 50:C7:FF:FF:15:FF (Tp-link Technologies)Nmap scan report for Lyric-1111C2.lan (192.168.0.101)Host is up (0.96s latency).MAC Address: B8:FF:FF:11:FF:C2 (Resideo)MAC Address: 88:DD:EA:DD:CE:37 (Texas Instruments)Nmap scan report for SoundTouch-Kitchen.lan (192.168.0.160)Host is up (0.39s latency).MAC Address: 5C:DD:DD:FF:FF:B5 (Texas Instruments)Nmap scan report for 192.168.0.181Host is up (0.60s latency).MAC Address: 40:DD:DD:8F:FF:F5 (Asustek Computer)Nmap scan report for TL-WPA4220.lan (192.168.0.225)Host is up (0.61s latency).MAC Address: 50:DD:FF:AA:DD:BA (Tp-link Technologies)Nmap scan report for f3d0r4.lan (192.168.0.165)Host is up.Nmap done: 256 IP addresses (7 hosts up) scanned in 9.11 secondsMind you that -sn was known as -sP in the previous versions of Nmap. The use of -sP is still backward compatible and should work in the recent versions of Nmap.
[ Free eBook: Manage your Linux environment for success. ]
While Nmap man pages are well-written and provide many examples, there are specific things you won't find in the man pages. For example, what if we wanted to store IP addresses from the above output to a file? This is something specific and does not belong in the man pages of Nmap. We have to parse the output ourselves and extract IP addresses only.
For example:
# nmap -sn 192.168.0.0/24 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'Nmap offers many other options to save the scan output to different formats.
For example:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
So running:
# nmap -sn 192.168.0.0/24 -oG nmap_outputproduces the following output:
# cat nmap_output# Nmap 7.80 scan initiated Fri Mar 6 22:01:57 2020 as: nmap -sn -oG nmap_output 192.168.0.0/24Host: 192.168.0.1 (Archer.lan) Status: UpHost: 192.168.0.101 (Lyric-1111C2.lan) Status: UpHost: 192.168.0.151 (SoundTouch-VW-benee.lan) Status: UpHost: 192.168.0.160 (SoundTouch-VW-keuken.lan) Status: UpHost: 192.168.0.181 () Status: UpHost: 192.168.0.225 (TL-WPA4220.lan) Status: UpHost: 192.168.0.165 (f3d0r4.lan) Status: Up# Nmap done at Fri Mar 6 22:02:06 2020 -- 256 IP addresses (7 hosts up) scanned in 9.45 secondsScanning specific ports
Nmap has the option to scan specific ports on specific targets. If we were interested in checking the state of ports 22 and 443 (which by default use the TCP protocol), we'd run the following:
# nmap -sV -p 22,443 192.168.0.0/24If you are unsure what -sV does, just run:
# nmap | grep -- -sVThe above command displays the ports regardless of their state: open, closed, filtered, etc. Most of the time, we're interested in open ports, and so we can add the –open flag to achieve this. We'll slightly modify the above command and run:
# nmap -sV -p 22,443 192.168.0.0/24 –openInstead of using a comma to specify a port, it is also possible to use a range of ports, which is much more flexible and easier to read. For example:
# nmap -p 54-111 192.168.0.0/24[Cheat sheet: Old Linux commands and their modern replacements ]
Advanced Nmap scanning
Now we know the basics of Nmap and its capabilities. Let's move to a more advanced approach to scanning targets, getting more information from a target, and using packet-tracing.
Tracing a packet on a single IP
At the moment of writing, I am connected to my server via SSH. To demonstrate how packet tracing is done using Nmap and what the output of such a trace looks like we are going to use the following Nmap syntax to produce the following output:
# nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.3Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 23:14 CETInitiating Ping Scan at 23:14Scanning 192.168.2.3 [1 port]SENT (0.0282s) ICMP [192.168.0.165 > 192.168.2.3 Echo request (type=8/code=0) id=8524 seq=0] IP [ttl=43 id=25141 iplen=28 ]RCVD (0.0336s) ICMP [192.168.2.3 > 192.168.0.165 Echo reply (type=0/code=0) id=8524 seq=0] IP [ttl=63 id=27840 iplen=28 ]Completed Ping Scan at 23:14, 0.03s elapsed (1 total hosts)Nmap scan report for 192.168.2.3Host is up, received echo-reply ttl 63 (0.0055s latency).Read data files from: /usr/bin/../share/nmapNmap done: 1 IP address (1 host up) scanned in 0.06 seconds Raw packets sent: 1 (28B) | Rcvd: 1 (28B)The above flags have the following meanings:
-vv(Increase verbosity)-n(No DNS resolution. This speeds up our scan!)-sn(No port scan)-PE(Use ICMP echo request queries. This is what is displayed in the output above)-T4(prohibits the dynamic scan delay from exceeding 10 ms for TCP ports. Seeman nmap).--packet-trace(Trace sent and received packets)
Using recursive DNS proxies for a stealth scan on a target
By default, Nmap runs an rDNS (reverse-DNS) resolution on any responsive host. Let's see if we can gather some information about a specific network and remain anonymous. The anonymous part is because we'll use public DNS servers, namely 8.8.4.4 and 8.8.8.8, to perform the recursive query.
[ Network getting out of control? Check out Network automation for everyone, a free eBook from Red Hat. ]
First, we resolve redhat.com using Google's public DNS server, which results in the following:
# host redhat.com 8.8.8.8Using domain server:Name: 8.8.8.8Address: 8.8.8.8#53Aliases:redhat.com has address 209.132.183.105redhat.com mail is handled by 10 us-smtp-inbound-2.mimecast.com.redhat.com mail is handled by 10 us-smtp-inbound-1.mimecast.com.Second, let's run a stealth list scan -sL on the IP address 209.132.183.105.
# nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 00:22 CETNmap scan report for network (209.132.183.0)Nmap scan report for elvis.redhat.com (209.132.183.1)Nmap scan report for ns2.redhat.com (209.132.183.2)Nmap scan report for ovpn-phx2.redhat.com (209.132.183.3)Nmap scan report for mimecast-mx01.redhat.com (209.132.183.4)Nmap scan report for selfservice.redhat.com (209.132.183.5)Nmap scan report for unused (209.132.183.6)Nmap scan report for unused (209.132.183.7)Nmap scan report for siperimeter.redhat.com (209.132.183.8)< –----- >< –----- >< –----- >We're able to obtain a lot of information about specific networks by using just a few simple techniques.
NSE scripts
As mentioned earlier, Nmap is equipped with many advanced features, one of which is NSE (Nmap Scripting Engine) scripts. Using NSE scripts with Nmap allows you to scan different hosts and find vulnerabilities in services running on the host and possibly log in by brute-forcing these services.
The use of NSE script syntax is as follows:
# nmap --script="name_of_script" --script-args="argument=arg" targetNow, you are probably wondering where to find these NSE scripts and how to know what script uses what arguments. Start by running man nmap. You can also jump straight away to the right section, i.e.:
# PAGER='less "+/NMAP SCRIPTING ENGINE"' man nmapThe available NSE scripts you can pass to Nmap are located at:
/usr/share/nmap/scripts/
You can also locate the NSE scripts by running:
# dnf -y install mlocate ; updatedb ; locate nmap/scriptsNow that we know where NSE scripts are located let's see how we can use these scripts to get some information about a target that's running a web server.
See if a WAF protects a website
A Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap, we can detect if a website is protected by such a WAF. The following displays the usage of an NSE script and its arguments:
# nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.slimmer.aiStarting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:38 CETNmap scan report for www.slimmer.ai (172.104.131.188)Host is up (0.023s latency).rDNS record for 172.104.131.188: li1647-188.members.linode.comPORT STATE SERVICE443/tcp open https| http-waf-detect: IDS/IPS/WAF detected:|_www.slimmer.ai:443/?p4yl04d=id;uname%20-aNmap done: 1 IP address (1 host up) scanned in 1.37 secondsAs shown above, a Web Application Firewall protects the target website.
More NSE scripts
Once again, Nmap is often used by system administrators to inventory their environment, discover weaknesses in their network, and so protect their systems from intruders. Intruders, on the other hand, can do the same to explore a remote system and try to gather as much information as possible about such a system.
Assume that some unauthorized person has scanned your network and found a few open ports/services. This person could then pass some NSE scripts to Nmap and see if these services are vulnerable. Here is what is going to happen:
# nmap -Pn -sV --script=vulners 37.xx.xx.xxStarting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:41 CETNmap scan report for some.domain.nl (37.xx.xx.xx)Host is up (0.016s latency).Not shown: 998 filtered portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4 (protocol 2.0)| vulners:| cpe:/a:openbsd:openssh:7.4:| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919|_ CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-1590625/tcp open smtp Postfix smtpdService Info: Host: some.domain.nlService detection performed. Please report any incorrect results at https://nmap.org/submit/Nmap done: 1 IP address (1 host up) scanned in 18.20 secondsWe can see that the remote system is running OpenSSH 7.4. Nmap queried public vulnerability databases and found the known CVE's.
Wrap up
Nmap is a very powerful system inventory and port scanning tool that can be used for good and bad purposes. It depends on which hat you are wearing. The best way to learn Nmap is to read man pages, use examples shown in the man pages, and experiment with the NSE scripts. Also, try Zenmap. If you are interested in knowing more about port scanning and the science behind it, see the Nmap documentation.
Topics: Networking Linux Troubleshooting
