Nmap, or Network Mapper, is an open-source security auditing and network scanning program created by Gordon Lyon. It is designed to scan both very large networks and single hosts quickly.
Network managers often use it to identify:
- Which devices are currently up on the network,
- Which ports those devices expose, and
- Which of those ports are open and reachable.
What is Nmap?
Nmap, short for Network Mapper, is a free and open-source tool for network discovery and security auditing.
Network administrators use Nmap to:
- Find the hosts connected to a network.
- Detect open ports on those hosts.
- Identify the services running on a target host, along with its operating system and version.
- Detect some of the weaknesses or potential vulnerabilities in the network.
Network administrators may use this tool to monitor single hosts and large networks with hundreds of thousands of devices and subnets.
Though it has grown and become incredibly versatile over the years, at its core, it is a port-scanner that gathers information by sending raw packets to system ports. It waits for answers and detects if ports are open, closed, or filtered in some way, such as by a firewall. Port scanning is also known as port discovery or enumeration.
How to download Nmap?
Installing in Linux
Nmap comes preinstalled on Kali Linux and Parrot Security OS. On any Debian-based distribution you can install it with the steps below; Ubuntu is used here as the example.
Step 1: Refresh the package lists by typing “sudo apt-get update” in the terminal, so that the latest available package versions are known to the system.
Step 2: Install Nmap by typing “sudo apt-get install nmap” in the terminal.
Step 3: Nmap is now installed. To confirm, type “nmap --version”; it prints the installed version of Nmap.
Installing in Windows
Step 1: Navigate to the official Nmap website in any web browser and open the downloads page. Download the setup file named nmap-7.92-setup.exe; it is 21.8 MB.
Step 2: Run the downloaded executable.
Step 3: A prompt asks you to confirm that the installer may make changes to your system. Click Yes.
Step 4: Click the I Agree button on the License Agreement.
Step 5: On the next screen you are asked to choose components. Leave the defaults and click Next.
Step 6: Choose the installation location. By default it uses the C drive, but you can select another drive or folder. The installation requires 84.3 MB of disk space.
Step 7: The installation takes a few minutes to complete.
Step 8: When it finishes, the installer moves on to Npcap. Its license agreement appears; click I Agree.
Step 9: The next screen shows the Npcap installation options. Click Install.
Step 10: The Npcap installation takes a few minutes.
Step 11: When it completes, click Next.
Step 12: Click Finish to leave the Npcap installer.
Step 13: Back in the Nmap installer, click Next.
Step 14: You are asked whether to create shortcuts in the Start menu and on the Desktop; this is a matter of preference.
Step 15: A final screen reports that the installation is finished. Click Finish.
Installing in macOS
Step 1: Navigate to the official Nmap website in any web browser and open the downloads page. Download the disk image named nmap-7.92.dmg; it is 30.1 MB.
Step 2: Open the downloaded dmg file. The macOS installer window opens.
Step 3: Double-click nmap-7.92.mpkg, or drag it onto the Applications icon.
Step 4: A security alert asks you to confirm that you want to open the package. Click Open.
Step 5: The installer starts and asks whether to continue. Click Continue.
Step 6: Under installation type, you can change where the software is installed; then click Install. It takes up to 100.7 MB of disk space.
Step 7: The installation starts; part way through it asks for your computer’s username and password before continuing.
Step 8: A summary tab reports, “The installation was successful”. Click Close.
How does Nmap work?
Nmap searches a network for hosts and services. When it discovers one, it sends probe packets to that host or service and waits for a response. It analyzes the reply and uses the data to build a network map. The map shows what each port is doing and who or what is using it, how hosts are connected, what does and does not pass through the firewall, and any security concerns.
Nmap also includes a comprehensive scripting engine whose scripts interact with the hosts and services it finds. Scripts can detect vulnerabilities and backdoors, exploit vulnerabilities, and discover hosts and services. It is a very powerful piece of software, but using it effectively takes considerable prior knowledge.
Security companies use it to scan systems and determine which vulnerabilities an attacker could exploit. Because the application is free and open source, it is one of the most widely used tools for scanning networks for open ports and other weaknesses.
For a better understanding of how Nmap works, we will see a flowchart:
- The user supplies the target host’s IP address and other parameters.
- Nmap sends packets to the host through the operating system kernel.
- It first checks whether the host is alive.
- If the host is active it responds; otherwise no exchange takes place.
- Once the host responds, Nmap probes for details such as its hostname, its ports (open, closed, and filtered), and the operating system it runs.
- After gathering these details, Nmap builds a network map.
- Finally, Nmap presents the network map to the user.
Types of ports recognized by Nmap
There are six different types of ports recognized by Nmap:
- open
- closed
- filtered
- unfiltered
- open|filtered
- closed|filtered
Open ports: On this port, an application is actively accepting TCP connections, UDP datagrams, or SCTP associations. The primary purpose of port scanning is frequently to find them. Security-conscious individuals understand that each open port is a potential point of attack. Attackers and pen-testers exploit open ports, while administrators attempt to block or secure them using firewalls without interfering with legitimate users. Open ports are also helpful for non-security scanning since they reveal which services are available on the network.
Closed ports: A closed port is accessible (it receives and responds to Nmap probe packets), but no application is listening on it. Closed ports are useful for showing that a host is up at an IP address (host discovery or ping scanning) and for OS detection. Because closed ports are reachable, it may be worth scanning them again later in case some have opened. Administrators may wish to block such ports with a firewall, after which they would appear in the filtered state described next.
Filtered ports: Packet filtering prevents Nmap’s probes from reaching the port, so Nmap cannot tell whether it is open. The filtering may come from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they give away so little information. Sometimes the host answers with an ICMP error message such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. Nmap must then retry the probe several times in case it was lost to network congestion rather than filtering, which slows the scan considerably.
Unfiltered ports: The unfiltered state means the port is accessible, but Nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports this way. Scanning unfiltered ports with other scan types, such as the Window, SYN, or FIN scan, can resolve whether they are open.
Open|Filtered ports: Nmap places a port in this state when it cannot determine whether the port is open or filtered. This happens with scan types in which open ports give no response: the lack of a response could also mean that a packet filter dropped the probe or the reply it generated. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
Closed|Filtered ports: Nmap uses this state when it cannot determine whether a port is closed or filtered. It is only used by the IP ID idle scan.
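As an added example (not code from the original article or from the Nmap project), the following Python script parses Nmap’s grepable (-oG) output and sorts ports by the six states above, so that an administrator can pull out the confirmed-open attack surface and the ambiguous open|filtered or closed|filtered ports that deserve a follow-up scan with a different scan type. The sample output is constructed for illustration, and the function names are the example’s own.

```python
from collections import Counter, defaultdict

# Constructed sample of Nmap grepable (-oG) output; not real scan data.
# Fields on a "Host:" line are tab-separated, and each Ports entry has the
# shape port/state/protocol/owner/service/rpc/version/.
SAMPLE_GNMAP = """# Nmap 7.92 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///, 25/closed/tcp//smtp///\tIgnored State: closed (995)
Host: 192.0.2.11 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# The six port states Nmap can report.
PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} from -oG output.

    Hosts that are down (or had every port ignored) map to an empty list."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." banner lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]    # "192.0.2.10 (name)" -> "192.0.2.10"
        hosts.setdefault(ip, [])
        ports_field = fields.get("Ports")
        if not ports_field:
            continue
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state not in PORT_STATES:
                raise ValueError(f"unknown port state {state!r}")
            hosts[ip].append((port, proto, state, service))
    return dict(hosts)


def summarize_states(hosts):
    """Count ports per state across all hosts."""
    return Counter(state for ports in hosts.values() for _, _, state, _ in ports)


def needs_follow_up(hosts):
    """Ports in an ambiguous state (open|filtered or closed|filtered); these
    warrant another scan with a scan type that can resolve the ambiguity."""
    return [(ip, port, proto, state)
            for ip, ports in hosts.items()
            for port, proto, state, _ in ports if "|" in state]


def open_services(hosts):
    """Inventory of confirmed-open services: the exposure an administrator
    should review and, where unneeded, firewall off."""
    return {ip: [(port, proto, service)
                 for port, proto, state, service in ports if state == "open"]
            for ip, ports in hosts.items()}


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("states:", dict(summarize_states(parsed)))
    print("open services:", open_services(parsed))
    print("needs follow-up:", needs_follow_up(parsed))
```

In the sample, UDP port 53 comes back open|filtered because a UDP probe that gets no reply cannot distinguish an open service from a dropped packet; rescanning it with -sU -sV (which sends protocol-specific payloads) is the usual way to settle it.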
What are Nmap commands or options?
Usage or syntax of the command: nmap [Scan Type(s)] [Options] {<target_ip_address> or <target_url>}
#1. Target Specification
Options under target specification ensure that the user has different ways to give the target IP address or URL.
-iL <inputfilename>: Read the list of targets from the given file.
-iR <num hosts>: Choose random targets.
--exclude <host1[,host2][,host3],…>: Exclude the listed hosts or networks from the scan.
--excludefile <exclude_file>: Exclude the hosts listed in the given file.
#2. Host Discovery
Options in the host discovery are used to discover whether the host or the target is active or not.
-sL: List Scan: simply list the targets to scan without probing them.
-sn: Ping Scan: perform host discovery but disable port scanning.
-Pn: Treat all hosts as online and skip host discovery, even if a target appears to be down.
-PS/PA/PU/PY[portlist]: TCP SYN, TCP ACK, UDP, or SCTP INIT discovery probes to the given ports.
-PE/PP/PM: ICMP (Internet Control Message Protocol) echo, timestamp, and netmask request discovery probes.
-PO[protocol list]: IP protocol ping: probe the target with the listed IP protocols to check its reachability.
-n/-R: Never do DNS resolution/Always resolve [default: sometimes].
--dns-servers <serv1[,serv2],…>: Specify custom DNS servers.
--system-dns: Use the OS’s DNS resolver.
--traceroute: Trace the hop path to each host.
#3. Scan Techniques:
These options define which type of technique you want to do with the target.
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans.
-sU: UDP scan.
-sN/sF/sX: TCP Null, FIN, and Xmas scans.
--scanflags <flags>: Customize the TCP scan flags.
-sI <zombie host[:probeport]>: Idle scan.
-sY/sZ: SCTP INIT/COOKIE-ECHO scans.
-sO: IP protocol scan.
-b <FTP relay host>: FTP bounce scan.
#4. Port Specification and Scan Order:
These options give you various ways to choose which ports to scan: a range of ports, particular ports, all ports, or all ports except some.
-p <port ranges>: Only scan the specified ports. Examples: -p22; -p1-65535.
--exclude-ports <port ranges>: Exclude the specified ports from the scan.
-F: Fast mode: scan fewer ports than the default scan.
-r: Scan ports sequentially instead of in random order.
--top-ports <number>: Scan the <number> most common ports.
--port-ratio <ratio>: Scan ports more common than <ratio>.
#5. Service/Version Detection:
These options determine which service, and which version of it, is running on each open port.
-sV: Probe open ports to determine service and version information.
--version-intensity <level>: Set the probe intensity from 0 (light) to 9 (try all probes).
--version-light: Limit to the most likely probes (intensity 2).
--version-all: Try every probe at the maximum intensity (9).
--version-trace: Show detailed version scan activity; handy for debugging.
#6. Script Scan:
Nmap provides additional scripts that extract more details about a host. They are run by the Nmap Scripting Engine (NSE), and these options are used as needed.
-sC: Run the default script set; equivalent to --script=default.
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files, or script categories.
--script-args=<n1=v1,[n2=v2,…]>: Provide arguments to scripts.
--script-args-file=filename: Provide NSE script arguments in a file.
--script-trace: Show all data sent and received.
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script files or script categories.
#7. OS Detection:
With these options, you can find the target’s operating system type.
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets.
--osscan-guess: Guess the OS more aggressively.
#8. Timing and Performance:
These options let the user make a scan faster or slower. Times (<time>) are given in seconds, or with ‘ms’ (milliseconds), ‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) appended to the value (for example, 30m).
-T<0-5>: Set a timing template; higher values make the scan faster.
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes.
--min-parallelism/max-parallelism <numprobes>: Probe parallelization.
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specify the probe round trip time.
--max-retries <tries>: Cap the number of port scan probe retransmissions.
--host-timeout <time>: Give up on a target after this long.
--scan-delay/--max-scan-delay <time>: Adjust the delay between probes.
--min-rate <number>: Send packets no slower than <number> per second.
--max-rate <number>: Send packets no faster than <number> per second.
#9. Firewall/IDS Evasion and Spoofing:
These options control how packets are crafted and sent, so that scans can pass firewalls and IDS or disguise where the scan originates.
-f; --mtu <val>: Send fragmented packets (optionally with the given MTU).
-D <decoy1,decoy2[,ME],…>: Cloak a scan with decoys.
-S <ip_address>: Spoof the source address.
-e <iface>: Use the specified interface.
-g/--source-port <portnum>: Use the given source port number.
--proxies <url1,[url2],[url3],…>: Relay connections through HTTP/SOCKS4 proxies.
--data <hex string>: Append a custom payload to sent packets.
--data-string <string>: Append a custom ASCII string to sent packets.
--data-length <num>: Append random data to sent packets.
--ip-options <options>: Send packets with the specified IP options.
--ttl <val>: Set the IP time-to-live field.
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address.
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum.
#10. Output:
These options save the results shown in the terminal to a file.
-oN/-oX/-oS/-oG <file>: Output the scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once.
-v: Increase the verbosity level (use -vv or more for greater effect).
-d: Increase the debugging level (use -dd or more for greater effect).
--reason: Display the reason a port is in a particular state.
--open: Only show open (or possibly open) ports.
--packet-trace: Show all packets sent and received.
--iflist: Print host interfaces and routes (for debugging).
--append-output: Append to the specified output files rather than clobbering them.
--resume <filename>: Resume an aborted scan.
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML.
--webxml: Reference the stylesheet from Nmap.Org for more portable XML.
--no-stylesheet: Prevent an XSL stylesheet from being associated with XML output.
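The XML output (-oX) is the format to use when scan results are processed by other tools, and combining it with --reason records why Nmap assigned each state. As an added example (not code from the article or from the Nmap project), the Python below parses two constructed -oX documents, a baseline audit and a later re-scan of the same host, and reports which ports have become open since the baseline, which is the question a periodic audit exists to answer. The XML samples are constructed for illustration and the function names are the example’s own.

```python
import xml.etree.ElementTree as ET

# Two constructed -oX documents (not real scan data) standing in for a
# baseline audit and a later re-scan of the same host, both run with --reason.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS --reason -oX baseline.xml 192.0.2.10" version="7.92">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
</nmaprun>
"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS --reason -oX current.xml 192.0.2.10" version="7.92">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return {ip: {(proto, port): {"state", "reason", "service"}}} from -oX output."""
    root = ET.fromstring(text)
    result = {}
    for host in root.iter("host"):
        # A host may carry several <address> elements (IPv4 and MAC); key on the IP.
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")   # absent when nothing is known
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = {
                "state": state.get("state"),
                "reason": state.get("reason"),   # populated by --reason
                "service": service.get("name") if service is not None else None,
            }
        result[addr] = ports
    return result


def open_port_set(scan):
    """Flatten a parsed scan to a set of (ip, proto, port) that are open."""
    return {(ip, proto, port)
            for ip, ports in scan.items()
            for (proto, port), info in ports.items() if info["state"] == "open"}


def diff_open_ports(baseline, current):
    """Compare two parsed scans; newly open ports are the ones to investigate."""
    before, after = open_port_set(baseline), open_port_set(current)
    return {"newly_open": sorted(after - before),
            "no_longer_open": sorted(before - after)}


if __name__ == "__main__":
    changes = diff_open_ports(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    for ip, proto, port in changes["newly_open"]:
        print(f"NEW open port: {ip} {port}/{proto}")
```

Run against real files, the two constants would be replaced by reading the -oX outputs of two scans taken with the same scan type and port list; comparing scans taken with different options produces differences that reflect the options rather than the host.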
#11. MISC:
These are some other miscellaneous options.
-6: It is used to enable IPv6 scanning.
-A: It is used to enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify a custom Nmap data file location.
--send-eth/--send-ip: Send using raw Ethernet frames or IP packets.
--privileged: Assume that the user is fully privileged.
--unprivileged: Assume the user lacks raw socket privileges.
-V: Print the version number.
-h: Print the help summary page.
How to scan UDP ports with Nmap?
Scanning UDP ports with Nmap is very similar to scanning TCP ports; the syntax is nearly identical. The main difference is that the scan type option must be “-sU” rather than “-sT” or “-sS”. For example, “nmap -sU scanme.nmap.org --top-ports 100 -vv” scans scanme.nmap.org, a host the Nmap project provides so that beginners can practise against a real-world target. It scans the 100 most common UDP ports and reports the results with doubly verbose output. If you prefer not to use scanme.nmap.org, you can scan 127.0.0.1 (the loopback address) instead.
Keep in mind that a UDP scan takes a long time. Because most probes get no response, the scan has to wait for each request to time out. This makes UDP scans much slower than TCP scans, where even a closed port generally sends some kind of reply.
How to scan TCP ports with Nmap?
For TCP ports the scan type option is “-sS” or “-sT” rather than “-sU”.
For example, “nmap -sS scanme.nmap.org --top-ports 100 -vv” (scanme.nmap.org is the practice host described in the previous section) scans the 100 most common TCP ports and reports the results with doubly verbose output.
A TCP scan is much faster than a UDP scan.
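The commands in the two sections above, and the option reference before them, compose naturally into a small wrapper when scans are scripted, for instance for a scheduled audit. As an added example (not code from the article or from the Nmap project), the Python below builds an nmap argument vector from validated inputs: it maps scan names to the -sS/-sT/-sU flags, checks port specifications against the 1-65535 range, accepts the -T template, verbosity, --top-ports and -oA options described above, and hands the result to subprocess as a list so that no shell ever interprets the target string. The scan names, function names and the run_scan helper are the example’s own assumptions.

```python
import re
import shutil
import subprocess

# Hypothetical wrapper (added example): maps friendly scan names to the
# Nmap scan-type flags from the option reference.
SCAN_TYPE_FLAGS = {"tcp-syn": "-sS", "tcp-connect": "-sT", "udp": "-sU"}


def validate_port_spec(spec):
    """Accept Nmap-style port specs ('22', '1-65535', '22,80,443', '53,1-1024')
    and reject anything outside 1-65535 or not shaped like a port list."""
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed port item {item!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {item!r} outside 1-65535")
    return spec


def is_valid_port_spec(spec):
    """Boolean form of validate_port_spec for callers that do not want exceptions."""
    try:
        validate_port_spec(spec)
        return True
    except ValueError:
        return False


def build_nmap_argv(target, scan="tcp-syn", ports=None, top_ports=None,
                    timing=None, verbosity=0, output_basename=None):
    """Compose an nmap argument vector from validated inputs.

    Returning a list (never a shell string) means the target and port spec
    reach nmap as literal arguments, so a value containing shell metacharacters
    is never interpreted by a shell."""
    if scan not in SCAN_TYPE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    if ports and top_ports:
        raise ValueError("use either -p or --top-ports, not both")
    if timing is not None and not 0 <= timing <= 5:
        raise ValueError("timing template must be 0-5")
    if not target or target.startswith("-"):
        # A target beginning with '-' would be parsed by nmap as an option.
        raise ValueError(f"invalid target {target!r}")

    argv = ["nmap", SCAN_TYPE_FLAGS[scan]]
    if ports:
        argv += ["-p", validate_port_spec(ports)]
    if top_ports:
        argv += ["--top-ports", str(int(top_ports))]
    if timing is not None:
        argv.append(f"-T{timing}")
    if verbosity > 0:
        argv.append("-" + "v" * verbosity)      # -v, -vv, -vvv ...
    if output_basename:
        argv += ["-oA", output_basename]        # normal, XML and grepable files
    argv.append(target)
    return argv


def run_scan(argv):
    """Run the composed command if nmap is installed; returns its normal output.
    SYN and UDP scans need raw-socket privileges, so expect to run as root."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not installed (see the installation steps above)")
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # Reproduces the UDP example from the text as an argument vector.
    print(" ".join(build_nmap_argv("scanme.nmap.org", scan="udp",
                                   top_ports=100, verbosity=2)))
```

Because the wrapper only ever emits a fixed set of flags, a caller cannot smuggle in evasion or spoofing options through the target or port parameters; anything that is not a plain target string or a well-formed port list is rejected before nmap is invoked.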
Nmap Scripting Engine
Nmap ships with a set of powerful, flexible predefined scripts. These scripts, and the engine that runs them, are known as the Nmap Scripting Engine (NSE). All NSE scripts are written in the Lua programming language, and they can be used for discovery, denial-of-service testing, malware detection, exploitation, fuzzing, and vulnerability scanning.
Conclusion
Learning Nmap can significantly improve network security because the tool provides a fast and effective way to audit your systems. Even its basic functions, such as port scanning, quickly reveal any unexpected devices operating on your network.
Performing periodic network audits with Nmap helps you avoid becoming an easy target for attackers while deepening your understanding of your own network. It also provides capability that complements more comprehensive data security solutions.