Nmap (Network Mapper) is popularly known as the sysadmin’s Swiss Army knife. Since things in a corporate network don’t go as smoothly as desired, those debug/"Save me" tickets can pile up in your work log. Show
Nmap comes to your rescue. In this article, I explore six practical use cases for Nmap. Using NmapNmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It allows a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. It also offers a wide variety of scan types, including Proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas, SYN sweep, IP Protocol, and Null scan. See the man page's Scan Techniques section for more details. Nmap also offers a number of advanced features such as operating system (OS) detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification. Let's explore some of the practical use cases that can help you deal with your network. Use case oneThe Nmap syntax outlined in the man page is as follows: nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }There are many switch options that can be used along with Nmap, but let's focus on the practical one. For this use case, scan the hostname with the nmap <hostname> command like this:
Use case twoIf you have more than one host you need to scan, list all the hosts in a hosts.txt file. Then, use the command nmap -iL <file containing host names>, like so:
Use case threeWhen using Nmap, it is possible to identify a host's operating system (OS), which is useful for an inventory sweep of your network. Use the -A switch to determine the OS for a remote system. For example, running: $ nmap -A localhost.example.comresulted in:
Use case fourNmap can help you gain a deeper understanding of your network's security concerns. To determine whether a remote host has a firewall enabled, and which ports are filtered, use -sA. The word filtered in the output below suggests that this host is enabled with a firewall:
Use case fiveWhenever we want to check the weak points of a host we need to first analyze the open ports (well-known), to give us an idea of which services are enabled on that host. Using the -p switch, Nmap scans the range of ports specified, as shown below:
Use case sixTo perform a stealth scan for TCP information, use the -sT option. This type of scan is handy when you can't use the -sS (SYN) type scan, which is the default—and is stealthier than the TCP connect scan shown below:
Exploring furtherThese six use cases will start you in the right direction with Nmap. As you discover more of Nmap's power as a network discovery and inventory tool, you'll see that Nmap is an essential part of your sysadmin toolbox. Please exercise caution with Nmap, though. Either get permission to use it or inform your IT and security staff that you are performing network sweeps and probes so that your monitoring alerts don't trigger a security incident. Nmap is used by all shades of the hacker spectrum, so this warning should be taken seriously. As with any power tool in your toolbox, there is utility as well as danger.
To learn which ports are open and what those rules are, a program called Nmap can be used. This program scans the network that a computer is connected to and outputs a list of ports, device names, operating systems, and several other identifiers that help the user understand the details behind their connection status. Nmap can be used by hackers to gain access to uncontrolled ports on a system. All a hacker would need to do to successfully get into a targeted system would be to run Nmap on that system, look for vulnerabilities, and figure out how to exploit them. Hackers aren’t the only people who use the software platform, however. IT security companies often use it as a way to replicate the kinds of attacks that a system could potentially face. How Does it Work?Nmap works by checking a network for hosts and services. Once found, the software platform sends information to those hosts and services which then respond. Nmap reads and interprets the response that comes back and uses the information to create a map of the network. The map that is created includes detailed information on what each port is doing and who (or what) is using it, how the hosts are connecting, what is and is not making it through the firewall, and listing any security issues that come up.How is all of that accomplished? Nmap utilizes a complex system of scripts that communicate with every part of the network. The scripts act as communication tools between the network components and their human users. The scripts that Nmap uses are capable of vulnerability detection, backdoor detection, vulnerability exploitation, and network discovery. Nmap is an extremely powerful piece of software, but there does tend to be a good deal of background knowledge required to use it correctly. Internet security companies can use Nmap to scan a system and understand what weaknesses exist that a hacker could potentially exploit. As the program is open-source and free, it is one of the more common tools used for scanning networks for open ports and other weaknesses. At Holm Security, we use this technology in a very effective way, as we provide an excellent web-based security service, which ensures that the clients’ ports remain securely closed to those not granted permission. ConclusionWhether you are a private user with important information on your system, a major corporation or a government agency protecting a wealth of highly sensitive data, Nmap can provide the level of knowledge and pre-emptive thought required to keep things safe. Nmap is a network mapper that has emerged as one of the most popular, free network discovery tools on the market. Nmap is now one of the core tools used by network administrators to map their networks. The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection. A number of recent cyberattacks have re-focused attention on the type of network auditing that Nmap provides. Analysts have pointed out that the recent Capital One hack, for instance, could have been detected sooner if system administrators had been monitoring connected devices. In this guide, we’ll look at what Nmap is, what it can do, and explain how to use the most common commands. Ideally, Nmap should be used as part of an integrated Data Security Platform. Once Nmap has been used to map a network, a platform such as Varonis’ Datadvantage can then be used to implement advanced access control.
What is Nmap?At its core, Nmap is a network scanning tool that uses IP packets to identify all the devices connected to a network and to provide information on the services and operating systems they are running. The program is most commonly used via a command-line interface (though GUI front-ends are also available) and is available for many different operating systems such as Linux, Free BSD, and Gentoo. Its popularity has also been bolstered by an active and enthusiastic user support community. Nmap was developed for enterprise-scale networks and can scan through thousands of connected devices. However, in recent years Nmap is being increasingly used by smaller companies. The rise of the IoT, in particular, now means that the networks used by these companies have become more complex and therefore harder to secure. This means that Nmap is now used in many website monitoring tools to audit the traffic between web servers and IoT devices. The recent emergence of IoT botnets, like Mirai, has also stimulated interest in Nmap, not least because of its ability to interrogate devices connected via the UPnP protocol and to highlight any devices that may be malicious. What Does Nmap Do?At a practical level, Nmap is used to provide detailed, real-time information on your networks, and on the devices connected to them. The primary uses of Nmap can be broken into three core processes. First, the program gives you detailed information on every IP active on your networks, and each IP can then be scanned. This allows administrators to check whether an IP is being used by a legitimate service, or by an external attacker. Secondly, Nmap provides information on your network as a whole. It can be used to provide a list of live hosts and open ports, as well as identifying the OS of every connected device. This makes it a valuable tool in ongoing system monitoring, as well as a critical part of pentesting. Nmap can be used alongside the Metasploit framework, for instance, to probe and then repair network vulnerabilities. Thirdly, Nmap has also become a valuable tool for users looking to protect personal and business websites. Using Nmap to scan your own web server, particularly if you are hosting your website from home, is essentially simulating the process that a hacker would use to attack your site. “Attacking” your own site in this way is a powerful way of identifying security vulnerabilities. How To Use NmapNmap is straightforward to use, and most of the tools it provides are familiar to system admins from other programs. The advantage of Nmap is that it brings a wide range of these tools into one program, rather than forcing you to skip between separate and discrete network monitoring tools. In order to use Nmap, you need to be familiar with command-line interfaces. Most advanced users are able to write scripts to automate common tasks, but this is not necessary for basic network monitoring. How To Install NmapThe process for installing Nmap is easy but varies according to your operating system. The Windows, Mac, and Linux versions of the program can be downloaded here.
Nmap Tutorial and ExamplesOnce you’ve installed Nmap, the best way of learning how to use it is to perform some basic network scans. How To Run a Ping ScanOne of the most basic functions of Nmap is to identify active hosts on your network. Nmap does this by using a ping scan. This identifies all of the IP addresses that are currently online without sending any packets to these hosts. To run a ping scan, run the following command: # nmap -sp 192.100.1.1/24This command then returns a list of hosts on your network and the total number of assigned IP addresses. If you spot any hosts or IP addresses on this list that you cannot account for, you can then run further commands (see below) to investigate them further. How To Run A Host ScanA more powerful way to scan your networks is to use Nmap to perform a host scan. Unlike a ping scan, a host scan actively sends ARP request packets to all the hosts connected to your network. Each host then responds to this packet with another ARP packet containing its status and MAC address. To run a host scan, use the following command: # nmap -sp <target IP range>This returns information on every host, their latency, their MAC address, and also any description associated with this address. This can be a powerful way of spotting suspicious hosts connected to your network. If you see anything unusual in this list, you can then run a DNS query on a specific host, by using: # namp -sL <IP address>This returns a list of names associated with the scanned IP. This description provides information on what the IP is actually for. How To Use Nmap in Kali LinuxUsing Nmap in Kali Linux can be done in an identical way to running the program on any other flavor of Linux. That said, there are advantages to using Kali when running Nmap scans. Most modern distros of Kali now come with a fully-features Nmap suite, which includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). Nmap CommandsMost of the common functions of Nmap can be executed using a single command, and the program also uses a number of ‘shortcut’ commands that can be used to automate common tasks. Here is a quick run-down: 1. Ping ScanningAs mentioned above, a ping scan returns information on every active IP on your network. You can execute a ping scan using this command: # nmap -sp 192.100.1.1/242. Port ScanningThere are several ways to execute port scanning using Nmap. The most commonly used are these: The major differences between these types of scans are whether they cover TCP or UDP ports and whether they execute a TCP connection. Here are the basic differences:
3. Host ScanningHost scanning returns more detailed information on a particular host or a range of IP addresses. As mentioned above, you can perform a host scan using the following command: # nmap -sp <target IP range>4. OS ScanningOS scanning is one of the most powerful features of Nmap. When using this type of scan, Nmap sends TCP and UDP packets to a particular port, and then analyze its response. It compares this response to a database of 2600 operating systems, and return information on the OS (and version) of a host. To run an OS scan, use the following command: # nmap -O <target IP>5. Scan The Most Popular PortsIf you are running Nmap on a home server, this command is very useful. It automatically scans a number of the most ‘popular’ ports for a host. You can run this command using: nmap --top-ports 20 192.168.1.106Replace the “20” with the number of ports to scan, and Nmap quickly scans that many ports. It returns a concise output that details the status of the most common ports, and this lets you quickly see whether you have any unnecessarily open ports. 6. Output to a FileIf you want to output the results of your Nmap scans to a file, you can add an extension to your commands to do that. Simply add: -oN output.txtTo your command to output the results to a text file, or: -oX output.xmlTo output to an XML. 7. Disable DNS Name ResolutionFinally, you can speed up your Nmap scans by using the -n parameter to disable reverse DNS resolution. This can be extremely useful if you want to scan a large network. For example, to turn off DNS resolution for the basic ping scan mentioned above, add -n: # nmap -sp -n 192.100.1.1/24Nmap FAQThe commands above cover most of the basic functionality of Nmap. You might still have some questions though, so let’s run through the most common ones. Q: What Are Some Nmap Alternatives?There are some alternatives to Nmap, but most of them are focused on providing specific, niche functionality that the average system administrator does not need frequently. MASSCAN, for instance, is much faster than Nmap but provides less detail. Umit, by contrast, allows you to run several scans at once. In reality, however, Nmap provides all the functionality and speed that the average user requires, especially when used alongside other similarly popular tools like NetCat (which can be used to manage and control network traffic) and ZenMap (which provides a GUI for Nmap) Q: How Does Nmap Work?Nmap builds on previous network auditing tools to provide quick, detailed scans of network traffic. It works by using IP packets to identify the hosts and IPs active on a network and then analyze these packets to provide information on each host and IP, as well as the operating systems they are running. Q: Is Nmap Legal?Yes. If used properly, Nmap helps protect your network from hackers, because it allows you to quickly spot any security vulnerabilities in your systems. Whether port scanning on external servers is legal is another issue. The legislation in this area is complex and varies by territory. Using Nmap to scan external ports can lead to you being banned by your ISP, so make sure you research the legal implications of using the program before you start using it more widely. The Bottom LineTaking the time to learn Nmap can dramatically increase the security of your networks because the program offers a quick, efficient way of auditing your systems. Even the basic features offered by the program – such as the ability to perform port scanning – quickly reveal any suspicious devices that are active on your network. Using Nmap to perform frequent network audits can help you avoid becoming easy prey for hackers, whilst also improving your knowledge of your own network. In addition, Nmap provides functionality that complements more fully-featured data security platforms such as that offered by Varonis, and when used alongside these tools can dramatically improve your cybersecurity. |