nmap is a free, open-source, and very powerful security scanner. It's used to discover hosts on a network, report what types of services might be running on those hosts and even which versions of the service software are in use, fingerprint operating systems, and much more. Its primary features can be summarized as host discovery, port scanning, version detection, OS detection, and scriptable interaction via the Nmap Scripting Engine (NSE, whose scripts are written in Lua). nmap is available on many platforms, including Linux, Windows, Solaris, HP-UX, BSD, macOS, AmigaOS and even IRIX. nmap is included by default with Kali Linux, which is where I'll be testing the commands provided in this guide.
Perform a Quick Ping Scan of a Network Subnet
A ping scan or ping sweep is the fastest way to determine which hosts are up on a network segment. Although it may not be 100% accurate (for example, some hosts could be configured to ignore ICMP echo requests), it's very quick and has very low overhead. Whole subnets can be specified with CIDR notation. The -sP option used below is the older name for this scan type; current nmap releases call it -sn and still accept -sP as an alias.
nmap -sP 10.0.0.0/24
Or, to scan a range of IPs, a range can be specified for the final octet in the IPv4 address.
nmap -sP 10.0.0.1-100
Perform a SYN Scan of a Network Subnet
A SYN scan was at one time considered a very "stealthy" scan and was used to evade Intrusion Detection Systems (IDS). Modern IDS can typically detect SYN scans, but they're still considered one of the stealthier ways to scan a subnet. During a SYN scan, nmap sends a TCP SYN packet and expects a SYN-ACK packet in response. If nmap receives a SYN-ACK, it knows that the remote host is alive and the port is open, and instead of responding with an ACK to complete the TCP connection, it responds with a RST packet, so the 3-way TCP handshake is never completed. This is considered a "stealthy" way to scan, the thought being that if a TCP connection is never actually established, the application on the remote machine never sees it and so won't log it (packet-level sources such as a host firewall or a network sensor still can).
The SYN scan is the default scan type for nmap when it runs with raw-packet privileges (for example as root, which is the case on Kali), so unless another scan type is specified the -sS parameter doesn't need to be given; it's shown here for completeness. Without those privileges nmap falls back to the TCP connect scan described below.
nmap -sS 10.0.0.0/24
There may be instances where a remote machine blocks ICMP packets. By default nmap first probes each address (ICMP echo requests are among the probes it uses) to decide whether a host exists, so that it doesn't waste time scanning the ports of a machine that isn't there. If a machine blocks those probes, nmap may skip it and the scan will miss it. Adding the -Pn parameter tells nmap to assume every machine in the specified range is up and to skip the host discovery phase entirely.
nmap -sS -Pn 10.0.0.0/24
Note that although this may find more machines than a simple ping scan, specifically those which block ICMP traffic, the scan may take drastically longer depending on the number of addresses in scope, since every address is port-scanned whether or not anything answers. The SYN scan is also known as a half-open scan.
Perform a TCP Connect Scan of a Network Subnet
A TCP connect scan is like a SYN scan up until the point where the SYN-ACK is received. At that point, instead of sending an RST packet back and abandoning the 3-way TCP handshake, the TCP connect scan responds with an ACK packet, completing the handshake (nmap does this through the operating system's connect() call, which is why it needs no special privileges). The -sT parameter must be specified to perform this scan. It can also be paired with the -Pn parameter as described above.
nmap -sT -Pn 10.0.0.0/24
Note that compared to a SYN scan, the TCP connect scan may yield more accurate results, but a full TCP connection is created each time and thus could be logged by the service on the remote machine.
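The logging difference between the two scan types is easiest to see from the defender's side. The following added example (not code from the original article) classifies constructed packet records, of the kind a host firewall log or a one-sided capture provides, into half-open probes (SYN then RST, never an ACK), completed-but-empty handshakes (SYN, ACK, RST with no data), and real sessions. The addresses, flag sequences and the three-port threshold are all constructed for the example.

```python
"""Tell a half-open (SYN) scan from a connect scan in packet records.

Added example; it is not code from the original article. The records are
constructed to look like a one-sided capture of the scanner -> target
direction, which is what a host firewall log or netflow export typically
gives a defender. Each record is (seq, src, dst, dst_port, tcp_flags),
with flags written tcpdump-style: S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
"""
from collections import defaultdict

# Constructed sample traffic towards 10.0.0.20:
#   10.0.0.5  sends SYN then RST on three ports (half-open / SYN scan)
#   10.0.0.9  sends SYN, ACK, RST on three ports (connect scan, no payload)
#   10.0.0.7  sends SYN, ACK, then pushes data and closes (a real session)
PACKETS = [
    (1, "10.0.0.5", "10.0.0.20", 22, "S"),
    (2, "10.0.0.5", "10.0.0.20", 22, "R"),
    (3, "10.0.0.5", "10.0.0.20", 80, "S"),
    (4, "10.0.0.5", "10.0.0.20", 80, "R"),
    (5, "10.0.0.5", "10.0.0.20", 443, "S"),
    (6, "10.0.0.5", "10.0.0.20", 443, "R"),
    (7, "10.0.0.9", "10.0.0.20", 22, "S"),
    (8, "10.0.0.9", "10.0.0.20", 22, "A"),
    (9, "10.0.0.9", "10.0.0.20", 22, "R"),
    (10, "10.0.0.9", "10.0.0.20", 80, "S"),
    (11, "10.0.0.9", "10.0.0.20", 80, "A"),
    (12, "10.0.0.9", "10.0.0.20", 80, "R"),
    (13, "10.0.0.9", "10.0.0.20", 8080, "S"),
    (14, "10.0.0.9", "10.0.0.20", 8080, "A"),
    (15, "10.0.0.9", "10.0.0.20", 8080, "R"),
    (16, "10.0.0.7", "10.0.0.20", 22, "S"),
    (17, "10.0.0.7", "10.0.0.20", 22, "A"),
    (18, "10.0.0.7", "10.0.0.20", 22, "PA"),
    (19, "10.0.0.7", "10.0.0.20", 22, "FA"),
]


def handshake_outcomes(packets):
    """Map (src, dst, dport) to what the client did after its SYN:
    'half-open' (RST, never an ACK: the handshake was abandoned),
    'empty' (ACK completed the handshake but no data was pushed),
    'data' (a PSH was seen, i.e. an application exchange happened),
    or 'incomplete' (SYN with no follow-up in this capture)."""
    flags_seen = defaultdict(list)
    for _seq, src, dst, dport, flags in packets:
        flags_seen[(src, dst, dport)].append(flags)
    outcomes = {}
    for key, seq in flags_seen.items():
        if "S" not in seq:
            continue  # this side never opened a connection
        after_syn = "".join(seq[seq.index("S") + 1:])
        if "P" in after_syn:
            outcomes[key] = "data"
        elif "A" in after_syn:
            outcomes[key] = "empty"
        elif "R" in after_syn:
            outcomes[key] = "half-open"
        else:
            outcomes[key] = "incomplete"
    return outcomes


def classify_sources(packets, min_ports=3):
    """Label each source address: 'syn-scan' if it abandoned handshakes on
    at least min_ports distinct (host, port) pairs, 'connect-scan' if it
    completed and immediately closed that many without sending data,
    otherwise 'normal'. The threshold is a constructed tuning knob."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (src, dst, dport), outcome in handshake_outcomes(packets).items():
        per_src[src][outcome].add((dst, dport))
    labels = {}
    for src, buckets in per_src.items():
        if len(buckets["half-open"]) >= min_ports:
            labels[src] = "syn-scan"
        elif len(buckets["empty"]) >= min_ports:
            labels[src] = "connect-scan"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(PACKETS).items()):
        print(f"{src:<10} {label}")
```

The point of the split into outcomes is that a half-open probe never reaches the listening application, so only packet-level telemetry records it, whereas the connect scan's completed handshake does reach the application and can show up in its own logs, as the text above says.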
Scan a Specific Port, List of Ports, or Range of Ports on a Remote Host or Subnet
If looking for a specific open port, list of ports, or range of ports on a remote host or subnet, both TCP and UDP ports can be specified, either in separate commands or together in a single command. If no ports are specified, nmap scans the 1000 most common ports by default. These include things like TCP port 80 for HTTP, TCP 443 for HTTPS, UDP port 53 for DNS, TCP port 21 for FTP, etc. The top 1000 are chosen from the port-frequency data the nmap authors ship in the nmap-services file.
The -p parameter gives the ports to scan; -sU adds UDP scanning for those ports, while TCP scanning is what a SYN scan (-sS, or the default) does. The following example shows a single port, a list of ports, and a range of TCP ports being scanned on a single host.
nmap -sS -p 80 192.168.1.50
nmap -sS -p 80,443 192.168.1.50
nmap -sS -p 21-1024 192.168.1.50
The same thing can be done for specific UDP ports. The -sU parameter selects UDP scanning, but the ports themselves are still passed with -p; a bare number placed after -sU would be read as a target, not a port:
nmap -sU -p 53 192.168.1.50
nmap -sU -p 53,161,137 192.168.1.50
nmap -sU -p 53-1024 192.168.1.50
Both TCP and UDP ports can also be specified within a single command and run against a single host, range of hosts, or a whole subnet. The following example scans for TCP ports 80, 443, 21, and 22 and UDP ports 53 and 161 on all remote hosts within the IP address range 10.0.0.50 through 10.0.0.100.
nmap -sS -sU -p U:53,161,T:80,443,21,22 10.0.0.50-100
Note that the -sU parameter is in the command but no port or list of ports immediately follows it. Rather, the list follows -p and breaks down UDP vs. TCP with the U: and T: designations. The numbers that follow can be a single port, a group of ports as shown above, or a range of ports. If -sU is left out of the command, the UDP ports are not scanned and no UDP results are shown.
Optionally the -F parameter (fast scan) can be used in lieu of manually specifying ports; it scans only the top 100 ports instead of the default top 1000. This speeds up scans when only very common ports are of interest.
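Port specifications tend to end up in scan configuration files, where a typo such as the 61-for-161 slip is easy to make and hard to spot. The following added example (not code from the original article and not nmap's own parser) implements the part of the -p grammar used above: single ports, comma lists, dash ranges and the T:/U: designators, with ports before any designator treated as TCP. It also renders a parsed specification back into a compact string so a generated command line can be reviewed before it runs. The function names are this example's own.

```python
"""Parse and regenerate nmap -p port specifications.

Added example; not code from the original article and not nmap's own
parser. It covers the part of the -p grammar the article uses: single
ports, comma-separated lists, dash ranges, and the T:/U: protocol
designators. Ports listed before any designator are treated as TCP,
which matches the article's examples; nmap's other shorthands (such as
-p- for every port) are deliberately not handled here.
"""


def parse_port_spec(spec):
    """Return {'tcp': set_of_ints, 'udp': set_of_ints} for a string such
    as 'U:53,161,T:80,443,21-1024'. A designator stays in force for the
    tokens that follow it until the next designator. Raises ValueError on
    malformed tokens, which is what you want when the spec comes from a
    configuration file rather than an interactive command line."""
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for token in spec.split(","):
        token = token.strip()
        if ":" in token:
            prefix, token = token.split(":", 1)
            prefix = prefix.upper()
            if prefix not in ("T", "U"):
                raise ValueError(f"unknown protocol designator {prefix!r}")
            proto = "tcp" if prefix == "T" else "udp"
        if not token:
            raise ValueError("empty port token")
        if "-" in token:
            lo_text, hi_text = token.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)  # int() raises ValueError on junk
        else:
            lo = hi = int(token)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range {token!r} is reversed or out of bounds")
        ports[proto].update(range(lo, hi + 1))
    return ports


def is_valid_port_spec(spec):
    """True if parse_port_spec accepts the string, False otherwise."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def _run_text(run):
    """'80' for a lone port, '21-1024' for a consecutive run."""
    return str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}"


def _runs(port_set):
    """Collapse a set of ports into comma-separated ranges and lone values."""
    pieces, run = [], []
    for p in sorted(port_set):
        if run and p == run[-1] + 1:
            run.append(p)
            continue
        if run:
            pieces.append(_run_text(run))
        run = [p]
    if run:
        pieces.append(_run_text(run))
    return ",".join(pieces)


def format_port_spec(ports):
    """Render the parsed form back into a compact -p string, UDP first,
    with consecutive ports merged into ranges."""
    parts = []
    if ports["udp"]:
        parts.append("U:" + _runs(ports["udp"]))
    if ports["tcp"]:
        parts.append("T:" + _runs(ports["tcp"]))
    return ",".join(parts)


if __name__ == "__main__":
    spec = "U:53,161,T:80,443,21,22"
    parsed = parse_port_spec(spec)
    print(parsed)
    print(format_port_spec(parsed))  # U:53,161,T:21-22,80,443
```

Remember that the U: ports in a rendered spec are only scanned when -sU is also on the command line, exactly as described above; the parser validates the specification, it does not add the scan type.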
Banner Grabbing to Identify OS Version / Type and Service Version / Type
nmap has a built-in flag which attempts to detect the type, and sometimes the version, of the remote operating system by sending certain traffic to that device and analyzing the format and types of responses it receives. Fingerprinting an operating system with nmap is very simple to do, but doesn't always yield correct results, and like the SYN scan it needs raw-packet privileges (root).
nmap -O 192.168.1.50
Note that the flag is a capital letter O, not a zero. Also note that the output from this command will also show the results of a TCP SYN scan even without the -sS parameter, because a SYN scan happens by default. Typically it's also desirable to fingerprint which specific services are running on each port, along with product and version information. This can be achieved by adding the -sV flag to the command.
nmap -O -sV 192.168.1.50
The results of this command from a fingerprinting perspective can be very powerful. This output is of a Metasploitable Linux VM, which obviously has a lot of common ports open, but it does illustrate the power of the tool.
In lieu of -sV and -O, -A can be specified, which tells nmap to perform OS detection and version detection and, in addition, default script scanning and traceroute. This provides much more information about each service. The same command as above with -O and -sV replaced by -A provides this specific output about the FTP server running on port 21 and the SSH server running on port 22:
This provides much more information. Not only does it show that the service that’s running is vsftpd version 2.3.4, it also shows that anonymous FTP login is allowed. OpenSSH 4.7p1 is again listed as the SSH service that’s running, but this time the output also shows the DSA and RSA host keys.
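Reading -A output by eye works for one Metasploitable box; across a whole subnet it is better to have nmap write XML with -oX and diff the result against what is supposed to be listening. The following added example (not code from the original article) parses a constructed XML document shaped like the results described above (vsftpd 2.3.4 on 21/tcp with an anonymous-login script result, OpenSSH 4.7p1 on 22/tcp, and an unconfirmed UDP port) and reports anything that does not match a constructed inventory. The inventory, the finding texts and the function names are this example's own.

```python
"""Turn nmap's XML output into records and review them against an inventory.

Added example, not code from the original article. nmap writes this
format with -oX; the document below is a constructed sample shaped like
the article's Metasploitable results (vsftpd 2.3.4 on 21/tcp, OpenSSH
4.7p1 on 22/tcp, an ftp-anon script result). The expected inventory and
the finding texts are this example's own conventions.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 192.168.1.50">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Constructed inventory of what is supposed to be listening: only SSH.
EXPECTED_SERVICES = {("192.168.1.50", "tcp", 22): "ssh"}


def parse_nmap_xml(xml_text):
    """Return one dict per port element: host, OS guess, proto, port,
    state, service name/product/version and any NSE script output."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        osmatch = host.find("os/osmatch")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "host": addr,
                "os": osmatch.get("name") if osmatch is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return records


def review_findings(records, expected):
    """Compare definitely-open ports with the expected inventory and flag
    script results that point at weak configuration. 'open|filtered' UDP
    ports are reported separately because nmap could not confirm them."""
    findings = []
    for r in records:
        where = f"{r['host']} {r['proto']}/{r['port']}"
        if r["state"] == "open":
            key = (r["host"], r["proto"], r["port"])
            described = f"{r['service']} {r['product'] or ''} {r['version'] or ''}".strip()
            if key not in expected:
                findings.append(f"unexpected open service on {where}: {described}")
            elif expected[key] != r["service"]:
                findings.append(f"service mismatch on {where}: expected {expected[key]}, saw {described}")
        elif r["state"] == "open|filtered":
            findings.append(f"unconfirmed port on {where}: re-check with a service probe")
        if "ftp-anon" in r["scripts"]:
            findings.append(f"anonymous FTP login allowed on {where}")
    return findings


if __name__ == "__main__":
    for line in review_findings(parse_nmap_xml(SAMPLE_XML), EXPECTED_SERVICES):
        print(line)
```

The version strings are kept in each record rather than only in the finding text so that the same records can be fed to whatever vulnerability or end-of-life lookup the team already uses; the review here is deliberately limited to "is this service supposed to be here" and "did a default script report a weak setting".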
Speeding Up or Slowing Down Scans
Depending on the work being performed, there may be a desire to speed up or slow down a scan. Slowing a scan down may be desirable when trying to avoid Intrusion Detection Systems, which monitor network traffic for activities like scans. Speeding a scan up may be desirable when time is limited and there's no real concern about raising red flags with an IDS or filling up logs with a quick succession of questionable traffic.
nmap provides 6 timing templates, -T0 through -T5. The default is -T3. -T0 is the slowest and is used when trying to be "quiet" on the network; -T5 scans as fast as the machine and/or network bandwidth allow. Some say that a faster, more aggressive scan, particularly at level -T5, may result in a loss of accuracy, though I haven't experienced this personally.
Scanning and/or Excluding Hosts Listed in a File
There may be a list of hosts that, for whatever reason, shouldn't be scanned. This could include hosts that don't fall within the scope of the scan, or hosts that are particularly sensitive and have been explicitly designated as off-limits. Additionally, there may be a list of known hosts on a given subnet that should be scanned while ignoring all other hosts on the same subnet, to save time. Inclusion and exclusion lists can be created as text files with one IP address per line. This is particularly useful when scripting scans.
The -iL flag reads the hosts to scan from a text file containing IP addresses, CIDR blocks, or ranges, one per line. This command performs the default (SYN) scan on all of the addresses listed in the file.
nmap -iL /home/root/ips_to_scan.txt
The --excludefile flag specifies a list of hosts to exclude from the scan in a similar way. Notice that it takes two hyphens. This command performs the same scan on the range of nodes from 10.0.0.1 to 10.0.0.254, excluding the IP addresses listed in the ips_to_exclude.txt file.
nmap --excludefile /home/root/ips_to_exclude.txt 10.0.0.1/24
Of course any of the above parameters can be added to these commands as well, so specific ports, port ranges, fingerprinting options and more could all be used.
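When scans are scripted, the exclusion file is usually the only thing standing between the job and a sensitive host, so it is worth checking both files before nmap runs. The following added example (not code from the original article and not how nmap reads these files internally) expands the target syntaxes used above (single addresses, CIDR blocks, and dash ranges, generalised here to a range in any octet, which nmap also accepts), subtracts the exclusions, and lists any exclusion that matches nothing in scope, which usually means a typo. Comment and blank-line handling, the file contents and the function names are this example's own.

```python
"""Pre-flight check for nmap inclusion and exclusion files.

Added example; not code from the original article and not how nmap reads
these files internally. It expands the target syntaxes the article uses
(single addresses, CIDR, and dash ranges in an octet, generalised here to
a range in any octet, which nmap also accepts), subtracts the exclusion
list, and reports exclusions that match nothing in scope. Blank lines and
'#' comments are skipped by this helper (its own convention); the sample
file contents below are constructed. Hostnames are not handled.
"""
import ipaddress
import itertools

# Constructed file contents, one entry per line as the article suggests.
INCLUDE_LINES = [
    "# constructed scope file",
    "10.0.0.0/30",
    "10.0.0.10-12",
    "",
]
EXCLUDE_LINES = [
    "10.0.0.2      # constructed: sensitive host",
    "10.0.0.11",
    "10.0.0.99     # constructed: not in scope at all",
]


def _octet_values(part):
    """Expand '5' or '1-100' into the integer values of one octet."""
    if "-" in part:
        lo_text, hi_text = part.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet specification {part!r}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Expand one nmap-style IPv4 target into a set of IPv4Address."""
    if "/" in spec:
        # strict=False mirrors nmap: 10.0.0.1/24 means the whole 10.0.0.0/24
        return set(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target: {spec!r}")
    return {
        ipaddress.IPv4Address(".".join(str(v) for v in combo))
        for combo in itertools.product(*(_octet_values(o) for o in octets))
    }


def read_target_file(lines):
    """Parse file lines into a set of addresses, skipping comments and
    blanks; several whitespace-separated entries per line are allowed."""
    addresses = set()
    for raw in lines:
        for entry in raw.split("#", 1)[0].split():
            addresses |= expand_target(entry)
    return addresses


def effective_scope(include_lines, exclude_lines):
    """Addresses nmap would actually touch: inclusions minus exclusions."""
    scope = read_target_file(include_lines) - read_target_file(exclude_lines)
    return [str(a) for a in sorted(scope)]


def unused_exclusions(include_lines, exclude_lines):
    """Excluded addresses that never appeared in the inclusion list."""
    stray = read_target_file(exclude_lines) - read_target_file(include_lines)
    return [str(a) for a in sorted(stray)]


if __name__ == "__main__":
    print("in scope:", effective_scope(INCLUDE_LINES, EXCLUDE_LINES))
    print("exclusions matching nothing:", unused_exclusions(INCLUDE_LINES, EXCLUDE_LINES))
```

This is a check, not a replacement: nmap still applies --excludefile itself, and the value of the helper is in catching a scope file that silently covers more than intended (a /30 or /24 includes its network and broadcast addresses) or an exclusion entry that protects nothing because it was mistyped.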