Running a quick NMAP scan to inventory my network
Nmap
, which stands for “Network Mapper,” is an open source tool that lets you perform scans on local and remote networks. Nmap
is very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. The tool is used by network administrators to inventory network devices, monitor remote host status, save the scan results for later use, and so on.
[ Just getting started with networking? Check out the Linux networking cheat sheet. ]
The Nmap
suite includes an advanced graphical user interface and results viewer (Zenmap
), a flexible data transfer, redirection, and debugging tool (Ncat
), a utility for comparing scan results (Ndiff
), and a packet generation and response analysis tool (Nping
).
Why use Nmap?
Besides being free, Nmap
is very flexible, portable, well-documented, and easy to use. In the following post, we’ll walk you through on how to install Nmap
, use it, and, most important, get more to know about your network.
Installing Nmap
To install Nmap
on Red Hat Enterprise Linux 8 or Fedora, you’d run:
# dnf -y install nmap
Substitute dnf
for yum
if you are on Red Hat Enterprise Linux 7 or newer. After installing Nmap
, you can run the nmap
command without arguments to display all of its options. You also should consult the Nmap
man
page by running man nmap
.
Using Nmap
Let’s assume your local network is 192.168.0.0/24, and you want to run a scan on this network. Running a scan without any argument except the network address yields the following:
# nmap 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:00 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.0046s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1900/tcp open upnp
20005/tcp open btx
MAC Address: 50:ff:BF:ff:ff:AC (Tp-link Technologies)
Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.013s latency).
Not shown: 999 closed ports
PORT STATE SERVICE0
80/tcp open http
MAC Address: B8:dd:A0:dd:dd:C2 (Resideo)
Multiple networks can be scanned at once. For example
nmap 192.168.0.0/24 10.80.0.0/24
Multiple networks can be scanned at once. For example:
# nmap 192.168.0.0/24 10.80.0.0/24
If we want to run a quick scan of machines in our network without trying to see if any port is open, we run:
# nmap -sn 192.168.0.0/24
The output of the above command produces something like:
# nmap -sn 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 21:24 CET
Nmap scan report for Archer.lan (192.168.0.1)
Host is up (0.016s latency).
MAC Address: 50:C7:FF:FF:15:FF (Tp-link Technologies)
Nmap scan report for Lyric-1111C2.lan (192.168.0.101)
Host is up (0.96s latency).
MAC Address: B8:FF:FF:11:FF:C2 (Resideo)
MAC Address: 88:DD:EA:DD:CE:37 (Texas Instruments)
Nmap scan report for SoundTouch-Kitchen.lan (192.168.0.160)
Host is up (0.39s latency).
MAC Address: 5C:DD:DD:FF:FF:B5 (Texas Instruments)
Nmap scan report for 192.168.0.181
Host is up (0.60s latency).
MAC Address: 40:DD:DD:8F:FF:F5 (Asustek Computer)
Nmap scan report for TL-WPA4220.lan (192.168.0.225)
Host is up (0.61s latency).
MAC Address: 50:DD:FF:AA:DD:BA (Tp-link Technologies)
Nmap scan report for f3d0r4.lan (192.168.0.165)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 9.11 seconds
Mind you that -sn
was known as -sP
in the previous versions of Nmap
. The use of -sP
is still backward compatible and should work in the recent versions of Nmap
.
[ Free eBook: Manage your Linux environment for success. ]
While Nmap
man
pages are well-written and provide many examples, there are specific things you won’t find in the man
pages. For example, what if we wanted to store IP addresses from the above output to a file? This is something specific and does not belong in the man
pages of Nmap
. We have to parse the output ourselves and extract IP addresses only.
For example:
# nmap -sn 192.168.0.0/24 | awk '/Nmap scan/{gsub(/[()]/,"",$NF); print $NF > "nmap_scanned_ips"}'
Nmap
offers many other options to save the scan output to different formats.
For example:
-oN/-oX/-oS/-oG
<file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
So running:
# nmap -sn 192.168.0.0/24 -oG nmap_output
produces the following output:
# cat nmap_output
# Nmap 7.80 scan initiated Fri Mar 6 22:01:57 2020 as: nmap -sn -oG nmap_output 192.168.0.0/24
Host: 192.168.0.1 (Archer.lan) Status: Up
Host: 192.168.0.101 (Lyric-1111C2.lan) Status: Up
Host: 192.168.0.151 (SoundTouch-VW-benee.lan) Status: Up
Host: 192.168.0.160 (SoundTouch-VW-keuken.lan) Status: Up
Host: 192.168.0.181 () Status: Up
Host: 192.168.0.225 (TL-WPA4220.lan) Status: Up
Host: 192.168.0.165 (f3d0r4.lan) Status: Up
# Nmap done at Fri Mar 6 22:02:06 2020 -- 256 IP addresses (7 hosts up) scanned in 9.45 seconds
Scanning specific ports
Nmap
has the option to scan specific ports on specific targets. If we were interested in checking the state of ports 22
and 443
(which by default use the TCP protocol), we’d run the following:
# nmap -sV -p 22,443 192.168.0.0/24
If you are unsure what -sV
does, just run:
# nmap | grep -- -sV
The above command displays the ports regardless of their state: open, closed, filtered, etc. Most of the time, we’re interested in open ports, and so we can add the –open
flag to achieve this. We’ll slightly modify the above command and run:
# nmap -sV -p 22,443 192.168.0.0/24 –open
Instead of using a comma to specify a port, it is also possible to use a range of ports, which is much more flexible and easier to read. For example:
# nmap -p 54-111 192.168.0.0/24
[Cheat sheet: Old Linux commands and their modern replacements ]
Advanced Nmap scanning
Now we know the basics of Nmap
and its capabilities. Let’s move to a more advanced approach to scanning targets, getting more information from a target, and using packet-tracing.
Tracing a packet on a single IP
At the moment of writing, I am connected to my server via SSH. To demonstrate how packet tracing is done using Nmap
and what the output of such a trace looks like we are going to use the following Nmap
syntax to produce the following output:
# nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 23:14 CET
Initiating Ping Scan at 23:14
Scanning 192.168.2.3 [1 port]
SENT (0.0282s) ICMP [192.168.0.165 > 192.168.2.3 Echo request (type=8/code=0) id=8524 seq=0] IP [ttl=43 id=25141 iplen=28 ]
RCVD (0.0336s) ICMP [192.168.2.3 > 192.168.0.165 Echo reply (type=0/code=0) id=8524 seq=0] IP [ttl=63 id=27840 iplen=28 ]
Completed Ping Scan at 23:14, 0.03s elapsed (1 total hosts)
Nmap scan report for 192.168.2.3
Host is up, received echo-reply ttl 63 (0.0055s latency).
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
The above flags have the following meanings:
-vv
(Increase verbosity)-n
(No DNS resolution. This speeds up our scan!)-sn
(No port scan)-PE
(Use ICMP echo request queries. This is what is displayed in the output above)-T4
(prohibits the dynamic scan delay from exceeding 10 ms for TCP ports. Seeman nmap
).--packet-trace
(Trace sent and received packets)
Using recursive DNS proxies for a stealth scan on a target
By default, Nmap
runs an rDNS
(reverse-DNS) resolution on any responsive host. Let’s see if we can gather some information about a specific network and remain anonymous. The anonymous part is because we’ll use public DNS servers, namely 8.8.4.4 and 8.8.8.8, to perform the recursive query.
[ Network getting out of control? Check out Network automation for everyone, a free eBook from Red Hat. ]
First, we resolve redhat.com
using Google’s public DNS server, which results in the following:
# host redhat.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
redhat.com has address 209.132.183.105
redhat.com mail is handled by 10 us-smtp-inbound-2.mimecast.com.
redhat.com mail is handled by 10 us-smtp-inbound-1.mimecast.com.
Second, let’s run a stealth list scan -sL
on the IP address 209.132.183.105.
# nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 209.132.183.105/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 00:22 CET
Nmap scan report for network (209.132.183.0)
Nmap scan report for elvis.redhat.com (209.132.183.1)
Nmap scan report for ns2.redhat.com (209.132.183.2)
Nmap scan report for ovpn-phx2.redhat.com (209.132.183.3)
Nmap scan report for mimecast-mx01.redhat.com (209.132.183.4)
Nmap scan report for selfservice.redhat.com (209.132.183.5)
Nmap scan report for unused (209.132.183.6)
Nmap scan report for unused (209.132.183.7)
Nmap scan report for siperimeter.redhat.com (209.132.183.8)
< –----- >
< –----- >
< –----- >
We’re able to obtain a lot of information about specific networks by using just a few simple techniques.
NSE scripts
As mentioned earlier, Nmap
is equipped with many advanced features, one of which is NSE (Nmap Scripting Engine) scripts. Using NSE scripts with Nmap
allows you to scan different hosts and find vulnerabilities in services running on the host and possibly log in by brute-forcing these services.
The use of NSE script syntax is as follows:
# nmap --script="name_of_script" --script-args="argument=arg" target
Now, you are probably wondering where to find these NSE scripts and how to know what script uses what arguments. Start by running man nmap
. You can also jump straight away to the right section, i.e.:
# PAGER='less "+/NMAP SCRIPTING ENGINE"' man nmap
The available NSE scripts you can pass to Nmap
are located at:
/usr/share/nmap/scripts/
You can also locate the NSE scripts by running:
# dnf -y install mlocate ; updatedb ; locate nmap/scripts
Now that we know where NSE scripts are located let’s see how we can use these scripts to get some information about a target that’s running a web server.
See if a WAF protects a website
A Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap
, we can detect if a website is protected by such a WAF. The following displays the usage of an NSE script and its arguments:
# nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.slimmer.ai
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:38 CET
Nmap scan report for www.slimmer.ai (172.104.131.188)
Host is up (0.023s latency).
rDNS record for 172.104.131.188: li1647-188.members.linode.com
PORT STATE SERVICE
443/tcp open https
| http-waf-detect: IDS/IPS/WAF detected:
|_www.slimmer.ai:443/?p4yl04d=id;uname%20-a
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
As shown above, a Web Application Firewall protects the target website.
More NSE scripts
Once again, Nmap
is often used by system administrators to inventory their environment, discover weaknesses in their network, and so protect their systems from intruders. Intruders, on the other hand, can do the same to explore a remote system and try to gather as much information as possible about such a system.
Assume that some unauthorized person has scanned your network and found a few open ports/services. This person could then pass some NSE scripts to Nmap
and see if these services are vulnerable. Here is what is going to happen:
# nmap -Pn -sV --script=vulners 37.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 22:41 CET
Nmap scan report for some.domain.nl (37.xx.xx.xx)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.4:
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|_ CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
25/tcp open smtp Postfix smtpd
Service Info: Host: some.domain.nlService detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds
We can see that the remote system is running OpenSSH 7.4. Nmap
queried public vulnerability databases and found the known CVE’s.
Wrap up
Nmap
is a very powerful system inventory and port scanning tool that can be used for good and bad purposes. It depends on which hat you are wearing. The best way to learn Nmap
is to read man
pages, use examples shown in the man
pages, and experiment with the NSE scripts. Also, try Zenmap
. If you are interested in knowing more about port scanning and the science behind it, see the Nmap documentation.