Nmap is a network scanner created by Gordon Lyon. It discovers hosts and services on a computer network by sending packets and analyzing the responses. Nmap has both a GUI and a command-line version; the command-line tool is considerably more powerful and flexible than the GUI, and it is what we explore in this tutorial.
Install Nmap network security scanner on Linux
We will install nmap on CentOS/RHEL, Ubuntu, Debian, Arch Linux, Fedora and OpenSUSE, via snap, and from source in this tutorial. Nmap is also available for Windows.
CentOS / RHEL
[root@makeuseoflinux ~]# yum install nmap -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirrors.estointernet.in
* extras: centos.mirrors.estointernet.in
* updates: centos.mirrors.estointernet.in
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-19.el7 will be installed
--> Processing Dependency: nmap-ncat = 2:6.40-19.el7 for package: 2:nmap-6.40-19.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-6.40-19.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-12.el7 will be installed
---> Package nmap-ncat.x86_64 2:6.40-19.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================
Package Arch Version Repository Size
==============================================================================================
Installing:
nmap x86_64 2:6.40-19.el7 base 3.9 M
Installing for dependencies:
libpcap x86_64 14:1.5.3-12.el7 base 139 k
nmap-ncat x86_64 2:6.40-19.el7 base 206 k
Transaction Summary
==============================================================================================
Install 1 Package (+2 Dependent packages)
Total download size: 4.3 M
Installed size: 17 M
Downloading packages:
(1/3): libpcap-1.5.3-12.el7.x86_64.rpm | 139 kB 00:00:00
(2/3): nmap-ncat-6.40-19.el7.x86_64.rpm | 206 kB 00:00:00
(3/3): nmap-6.40-19.el7.x86_64.rpm | 3.9 MB 00:00:01
----------------------------------------------------------------------------------------------
Total 3.6 MB/s | 4.3 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 14:libpcap-1.5.3-12.el7.x86_64 1/3
Installing : 2:nmap-ncat-6.40-19.el7.x86_64 2/3
Installing : 2:nmap-6.40-19.el7.x86_64 3/3
Verifying : 2:nmap-ncat-6.40-19.el7.x86_64 1/3
Verifying : 14:libpcap-1.5.3-12.el7.x86_64 2/3
Verifying : 2:nmap-6.40-19.el7.x86_64 3/3
Installed:
nmap.x86_64 2:6.40-19.el7
Dependency Installed:
libpcap.x86_64 14:1.5.3-12.el7 nmap-ncat.x86_64 2:6.40-19.el7
Complete!
Ubuntu
$ sudo apt install nmap
Debian
$ sudo apt-get install nmap
Arch Linux
$ sudo pacman -S nmap
Fedora
$ sudo dnf install nmap
OpenSUSE
# zypper install nmap
Snap
$ sudo snap install nmap
Install Nmap from source code
# wget https://nmap.org/dist/nmap-7.92.tar.bz2
# bzip2 -cd nmap-7.92.tar.bz2 | tar xvf -
# cd nmap-7.92
# ./configure
# make
# su root
# make install
Usage of nmap
Check the installed version and build options first:
[root@makeuseoflinux ~]# nmap --version
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.2k libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
We can scan an IP range with nmap by giving a range for the last octet:
[root@makeuseoflinux ~]# nmap 192.168.0.230-235
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 15:51 IST
Nmap done: 6 IP addresses (0 hosts up) scanned in 7.09 seconds
An entire subnet can be scanned in CIDR notation to find the hosts and devices available on the network.
[root@makeuseoflinux ~]# nmap 192.168.0.0/24
Ping scan only (-sP: host discovery without a port scan; newer releases call this -sn)
[root@makeuseoflinux ~]# nmap -sP 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 15:57 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.01 seconds
TCP SYN scan (-sS; needs raw-socket privileges, so run it as root)
[root@makeuseoflinux ~]# nmap -sS 192.168.0.233
UDP scan (-sU). Ports reported as open|filtered sent no reply at all, so nmap cannot tell an open UDP service from a firewalled port.
[root@makeuseoflinux ~]# nmap -sU 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:02 IST
Nmap scan report for 192.168.0.233
Host is up (0.00073s latency).
All 1000 scanned ports on 192.168.0.233 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds
OS detection on the server (-O)
[root@makeuseoflinux ~]# nmap -O 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:04 IST
Nmap scan report for 192.168.0.233
Host is up (0.00080s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1042/tcp open afrog
1043/tcp open boinc
2179/tcp open vmrdp
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.00 seconds
[root@makeuseoflinux ~]# nmap -O --osscan-guess 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:05 IST
Nmap scan report for 192.168.0.233
Host is up (0.60s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
902/tcp open iss-realsecure
912/tcp open apex-mesh
1042/tcp open afrog
1043/tcp open boinc
2179/tcp open vmrdp
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.44 seconds
Aggressive scan of the server (-A enables OS detection, version detection, script scanning and traceroute; -T4 uses faster timing)
[root@makeuseoflinux ~]# nmap -A -T4 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:11 IST
Nmap scan report for 192.168.0.233
Host is up (0.0012s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2021-08-23T07:14:54+00:00
|_Not valid after: 2022-08-23T07:14:54+00:00
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1042/tcp open afrog?
1043/tcp open ssl/boinc?
| ssl-cert: Subject: commonName=ACC
| Not valid before: 2021-09-01T15:27:21+00:00
|_Not valid after: 2031-08-30T15:27:21+00:00
TCP connect scan (-sT) of a public IP
[root@makeuseoflinux ~]# nmap -sT 137.59.96.14
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:14 IST
Nmap scan report for 137.59.96.14
Host is up (0.00087s latency).
All 1000 scanned ports on 137.59.96.14 are filtered
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
Vulnerability scan with NSE scripts (--script vuln)
[root@makeuseoflinux ~]# nmap --script vuln 192.168.0.233
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:15 IST
Nmap scan report for 192.168.0.233
Host is up (0.018s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-fileupload-exploiter:
|_http-frontpage-login: false
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: VULNERABLE
| Description:
| Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
| It accomplishes this by opening connections to the target web server and sending a partial request. By doing
| so, it starves the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1042/tcp open afrog
1043/tcp open boinc
Host script results:
|_samba-vuln-cve-2012-1182: SMB: ERROR: Server disconnected the connection
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: SMB: ERROR: Server disconnected the connection
Nmap done: 1 IP address (1 host up) scanned in 119.12 seconds
Scan a specific port (-p)
[root@makeuseoflinux ~]# nmap -sT -p 8080 137.59.96.14
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:20 IST
Nmap scan report for 137.59.96.14
Host is up (0.00064s latency).
PORT STATE SERVICE
8080/tcp filtered http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Fast scan (-F scans the 100 most common ports instead of the default 1000)
[root@makeuseoflinux ~]# nmap -F 137.59.96.14
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:21 IST
Nmap scan report for 137.59.96.14
Host is up (0.00057s latency).
All 100 scanned ports on 137.59.96.14 are filtered
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
Scan by service name (-p also accepts service names from nmap-services; both 80 and 8008 are registered as http, which is why two http ports appear below)
[root@makeuseoflinux ~]# nmap -p http,mysql,ftp 137.59.96.14
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:22 IST
Nmap scan report for 137.59.96.14
Host is up (0.00067s latency).
PORT STATE SERVICE
21/tcp filtered ftp
80/tcp filtered http
3306/tcp filtered mysql
8008/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
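The scans above all print the same "PORT STATE SERVICE" table. A quick way to turn that into a check rather than a one-off read is to parse the saved output and compare the open ports against the list you expect on that host. The script below is an added example, not part of the original tutorial or of Nmap itself; the sample output is constructed from the 192.168.0.233 scan shown earlier, and the baseline of approved ports is an assumption for the example.

```shell
#!/bin/sh
# Added example: parse nmap "normal" output and flag open ports that are not
# on an approved baseline. Sample output is constructed from the scan of
# 192.168.0.233 shown on this page (trimmed to a few lines).
NMAP_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-07 16:05 IST
Nmap scan report for 192.168.0.233
Host is up (0.60s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
902/tcp open iss-realsecure
2179/tcp open vmrdp
Nmap done: 1 IP address (1 host up) scanned in 245.44 seconds'

# Assumed baseline: the only ports this host is supposed to expose.
BASELINE="443/tcp 902/tcp"

# open_ports OUTPUT: print "port/proto" for every row whose STATE is "open".
# Header, "Not shown" and "Nmap done" lines do not match the port pattern.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# unexpected_ports OUTPUT BASELINE: open ports missing from the baseline.
unexpected_ports() {
    _out="$1"; _base="$2"
    for p in $(open_ports "$_out"); do
        case " $_base " in
            *" $p "*) ;;                  # approved, say nothing
            *) printf '%s\n' "$p" ;;      # not on the baseline: report it
        esac
    done
}

# unexpected_count OUTPUT BASELINE: number of unexpected open ports.
unexpected_count() {
    unexpected_ports "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: list anything open that the baseline does not allow.
unexpected_ports "$NMAP_OUTPUT" "$BASELINE"
```

Feed it real output with `nmap -oN scan.txt <host>` and `NMAP_OUTPUT=$(cat scan.txt)`; a non-zero unexpected_count is the signal that a host's exposure has drifted from what was approved.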
Conclusion
We have installed the nmap network security scanner and explored its basic usage for checking what our network and servers expose.