Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community.

Nmap features include:

  • Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
  • Port scanning – Enumerating the open ports on target hosts.
  • Version detection – Interrogating network services on remote devices to determine application name and version number.
  • OS detection – Determining the operating system and hardware characteristics of network devices.
  • Scriptable interaction with the target – using the Nmap Scripting Engine (NSE) and the Lua programming language.

Nmap is available for most, if not all, Linux distributions, so to install it, use your distribution’s package manager to search for and install the ‘nmap’ package.

    Examples of Nmap commands

    Note that running Nmap as an unprivileged user considerably reduces its functionality: raw-packet scans such as the SYN scan (-sS) and OS detection need raw socket privileges. For best results, either run it as the root user or use sudo.

    Also, to increase the verbosity level, add the -v option to any command, or -vv for even higher verbosity. For example:

    nmap -v -sS hostname.com

    Simple network scan:

    nmap hostname.com
    nmap 192.168.1.1

    Scan multiple hosts:

    nmap 192.168.1.1 10.0.0.1 123.123.123.123
    nmap 192.168.1.1,2,3,4
    nmap 192.168.1.1-20
    nmap '192.168.1.*' --exclude 192.168.1.5   # quote the wildcard so the shell does not expand it

    Scan specific or multiple ports:

    nmap -p 80 192.168.1.1
    nmap -p 80,443 192.168.1.1
    nmap -p 80-250 192.168.1.1

    Discover remote server OS information (-A enables OS detection, version detection, script scanning and traceroute together; -O alone does OS detection, and --osscan-guess makes Nmap report its closest guess when no exact fingerprint match is found):

    nmap -A 192.168.1.1
    nmap -O --osscan-guess 192.168.1.1

    Scan a remote host that is protected by a firewall. When the firewall drops Nmap’s default host-discovery probes, the host is reported as down and skipped; -Pn skips host discovery entirely and scans the host anyway (the older spellings -PN and -P0 are still accepted), while -PS and -PA replace the default probes with a TCP SYN or TCP ACK ping (to port 80 when no port list is given):

    nmap -Pn 192.168.1.1
    nmap -PS 192.168.1.1
    nmap -PA 192.168.1.1

    Perform a stealthy scan (TCP SYN, or “half-open”, scan; this is the default scan type when running as root):

    nmap -sS 192.168.1.1

    Discover available services and their versions on the remote host:

    nmap -sV 192.168.1.1
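Version-detection results are most useful when they end up in a service inventory. As an added example that is not part of the original page, the script below parses the grepable report Nmap writes with its -oG option (a real Nmap flag; the sample report here is constructed) and lists each open port with its detected service and version:

```shell
#!/bin/sh
# Added example, not from the original page: turn an Nmap grepable report
# (-oG) into one "host port/proto service version" line per open port,
# e.g. for a service inventory. Nmap itself is not needed to run this.
# Usage: nmap -sV -oG scan.gnmap 192.168.1.0/24 && summarize_gnmap scan.gnmap

summarize_gnmap() {
    # Read the file given as $1, or stdin when none is given.
    # -oG lines are tab-separated: "Host: <ip> (<name>)\tPorts: ...\tIgnored State: ..."
    # and each port entry is "port/state/proto/owner/service/rpcinfo/version/".
    awk -F'\t' '
        /^Host: / {
            split($1, h, " ")                       # h[2] is the IP address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), p, ", ")   # drop "Ports: ", split entries
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] != "open") continue    # skip closed/filtered ports
                    v = (f[7] == "") ? "(no version)" : f[7]
                    printf "%s %s/%s %s %s\n", h[2], f[1], f[3], f[5], v
                }
            }
        }' "${1:--}"
}

sample_gnmap() {
    # Constructed sample of an -sV scan of one host (not real output).
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.1'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n'
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 5.12 seconds'
}

sample_gnmap | summarize_gnmap
```

Ports whose state is closed or filtered are dropped, and an open port that version detection could not identify is reported as "(no version)" rather than silently omitted.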

    Discover running hosts on a network (host discovery only, no port scan; -sP is the older spelling of -sn and is still accepted):

    nmap -sn 192.168.1.0/24

    Scan an IPv6 remote host (a link-local fe80:: address such as the one below is only reachable through a specific interface, so add -e with the interface that faces it, for example -e eth0):

    nmap -6 FE80::0202:B3FF:FE1E:8426

    Show only open ports:

    nmap --open 192.168.1.1

    Perform a fast scan (only the 100 most common ports instead of the default 1000):

    nmap -F 192.168.1.1

    Perform an even faster scan using the aggressive timing templates (bandwidth consuming, detection by the remote host practically guaranteed; -T5 also assumes a fast, reliable network and can miss ports when it is not):

    nmap -T4 192.168.1.1
    nmap -T5 192.168.1.1

    Firewall / intrusion detection software evasion options:

    The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

    nmap -f 192.168.1.1

    The -D option causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too (-n disables reverse-DNS resolution):

    nmap -n -D 10.0.0.1,172.0.0.1,1.2.3.4 192.168.1.1

    The --spoof-mac option sends the scan packets with a different source MAC address (NEW.MAC.ADDR is a placeholder for the address to use):

    nmap --spoof-mac NEW.MAC.ADDR 192.168.1.1

    If you don’t feel comfortable with the command line, you can use Zenmap, the official Nmap GUI.

    Nmap: Network Map Scanner Example Commands