How to Use Nmap: Complete Guide with Examples

In the constantly changing cybersecurity landscape, staying one step ahead of malicious actors is crucial – and understanding the intricacies of your networks is an integral part of that. A tool that can help you do this has earned its reputation as a cybersecurity stalwart – Nmap. Nmap, short for Network Mapper, holds the keys to unlocking valuable insights in your network infrastructure. Whether you’re a cybersecurity professional hunting down vulnerabilities or a system administrator maintaining the health of your network, understanding how to use Nmap is crucial. 

What is Nmap?

Nmap is an open-source utility used for network scanning and security auditing. Thanks to its capabilities and versatility, this software has become a staple in the arsenal of cybersecurity pros, system admins, and ethical hackers. Nmap’s set of features extends beyond the realm of basic network scanning and includes:

• Host discovery: Nmap identifies active hosts on a network, laying the foundation for more in-depth exploration.
• Port scanning: Nmap discovers open ports and services, giving administrators an understanding of a network’s attack surface.
• Version detection: Nmap can identify service versions and help pinpoint potential vulnerabilities associated with specific versions.
• Scriptable interaction: Nmap’s NSE (Nmap Scripting Engine) allows users to create tailored scans and automate complex tasks.
• Operating system fingerprint: Nmap’s OS detection capabilities enable administrators to identify operating systems running on discovered hosts, helping with network inventory and security assessments.

Understanding Nmap: network scanning and security auditing

Network scanning systematically explores a computer network to identify its components, assess its topology, and uncover potential security weaknesses. When administrators know how a network is configured, they can make informed security decisions and tighten the digital perimeter.

With its diverse array of scanning techniques and customizability, Nmap is the leading tool for network scanning and security auditing. Here are some of the roles that it plays:

• Network inventory: Nmap can build a list of all the software and service assets on a network and create a “map” of a network with details that include IP addresses, ports, software or service versions, operating systems, and MAC addresses.
• Vulnerability detection: Nmap can scan a network for vulnerabilities by comparing the operating systems and versions of services running on a network against known vulnerabilities using the Nmap Scripting Engine (NSE).
• Network monitoring: Network monitoring can be achieved by automating scanning tasks with the Nmap Scripting Engine.

Getting started with Nmap

Installing Nmap

The first step for using Nmap is installing it on your machine. Below, we walk through the instructions for the top three operating systems. You can refer to the Nmap download page for each installation process to ensure you get the latest version of the software.

Installing Nmap on Linux

How you install Nmap on Linux depends upon which distribution you have. For RPM-based distributions like Red Hat, Mandrake, SUSE, and Fedora, run the following command:

yum install nmap

For Debian Linux and its derivatives like Ubuntu, run this command:

apt-get install nmap

On most Linux distributions, ZenMap, the official GUI for Nmap, must be installed separately.

Installing Nmap on Windows

Start by going to the Nmap download page and downloading the latest stable release of Nmap for Windows. Once downloaded, double-click the installation file. Click Yes when Windows asks if you want to allow the app to make changes to your device, and agree to the license.

You will be asked which components you want to install in the next menu. Everything you need will already be checked, including ZenMap if you would rather use a GUI. Click Next on this screen.

On the final screen of the Nmap setup, click Install.

After Nmap installs, the Npcap setup screen will appear. Npcap is the Windows version of the libpcap library, which supports packet capture and network analysis and is necessary for Nmap to function. Agree to this license, and click Install on the next screen. Then just follow the installation process steps, leaving the default settings as is. Once installation is complete, you will have a Zenmap link on your desktop and a start menu folder.

 

Installing Nmap on Mac

There are a couple of options for installing Nmap on a Mac computer. The first one is simple if you already have Homebrew installed. Just run the following command:

brew install nmap

You can also visit the Nmap download map, scroll down to the Mac OS X Binaries section, and download the latest stable release installer, a .dmg file. This version also comes with ZenMap. Just double-click the dmg file to start the installer and follow the instructions.

Basic Nmap commands and syntax

Now that you have Nmap installed, you can start learning some of the basic commands so you can get started with network scanning:

Help

To get help from Nmap, you don’t even have to use a parameter. Just execute nmap in a terminal.

nmap

Simple host discovery

The first step in network scanning is host discovery, revealing active devices on the network. Here is that command:

nmap <target>

In the command, <target> can be an IP address, hostname, or range of IP addresses. Here are examples of each:

#Single IP
nmap 127.0.0.1
#Hostname
nmap example.com
#Range of IPs
nmap 192.168.10.0/24

Ping scan

This command identifies active hosts on your network without sending any packets to the host. The syntax for this scan is:

nmap -sn <target>

Here, <target> can also be an IP address, hostname, or range of IP addresses.

Basic port scanning

You can use basic port scanning to probe open ports and services on a target. The command is as follows:

nmap -p <port-range> <target>

Replace <port-range> with a single port number or a range of ports (e.g. 80, 443, or 1-1024) and <target> with the IP address or hostname of the target.

Version detection

Learning the versions of services running on open ports is essential for vulnerability assessment. To enable version detection on a basic port scan, just modify the last command this way:

nmap -sV -p <port-range> <target>

The -sV flag tells Nmap to perform version detection on the specified ports.

Operating system fingerprinting

Nmap can also determine the operating system of a target host through OS fingerprinting when you use the -O flag. Here is that command:

nmap -O <target>

Here, <target> is an IP address or hostname.

Using Nmap for network scanning

Now that you know some of the basic Nmap commands and options, let’s put them to use. To follow along, you will need a range of IPs to scan. To find a range on your network, first, find the IP address of your device. For the purpose of this article, we will use 10.0.0.23, so for our IP range, we will be using 10.0.0.0/24, which is CIDR (Classless Inter-Domain Routing) notation representing the 256 addresses 10.0.0.0 – 10.0.0.255. You can also use scanme.nmap.org as your target for some of these scans, which was set up to help people to learn how to use Nmap.

Using a ping scan to identify live hosts

Ping scanning provides the basis of host discovery, allowing you to find active hosts with a network quickly. To ping scan the range of IP addresses on my network, run the following command:

nmap -sn 10.0.0.0/24

And here is the result, which shows five hosts on my network:

Exploring different port scanning techniques

There is more to Nmap than just ping scanning. A ping scan will tell us the IP addresses of the hosts, but that is the only data we gather from the scan. We’ll have to explore more scanning techniques for more information on the hosts.

TCP connect scanning

The TCP connect scan is the most straightforward scanning technique. Nmap establishes a full TCP three-way handshake with each target port to determine its status (open, closed, or filtered). Here is an example using an IP found in a ping scan:

nmap -sT 10.0.0.1

This scan gives a list of the ports on this host:

SYN scanning

SYN scan, a half-open or stealth scan, sends SYN packets to the target ports without completing the handshake. It evaluates the responses to determine port openness without fully connecting. This technique is faster than the TCP connect scan and less likely to be detected. Here is an example of a SYN scan on that same IP address:

sudo nmap -sS 10.0.0.1

You will notice that sudo was used with this command. Some Nmap commands require root privileges and will return this message: “You requested a scan type which requires root privileges.” This is because sending and receiving raw packets requires root access on a Unix or Mac system. On Windows, you will have to use an administrator account.

Here are the results of that scan:

UDP scanning

A UDP scan targets UDP ports on the target host. Since this is a connectionless protocol, determining the state of a UDP port requires interpreting the response or lack thereof. With this scan, Nmap detects rate limiting and slows down to avoid flooding. When this happens, the scan can take a long time, up to 18 hours, with a limit of one packet per second. For this reason, we used the -F option to scan only the top 100 ports rather than all 65,535.

Here is an example which also requires root privileges or an administrator account:

sudo nmap -sU 10.0.0.1 -F

And here is the result:

OS scanning

Knowing which operating systems are running on target hosts is important in understanding a network’s architecture. Here is an example, which again requires root privileges or an administrator account:

sudo nmap -O 10.0.0.0/24

We used a range of IP addresses again for this scan. Here are a couple of those results:

Using Nmap for security audits

The commands that you just learned will get you started with a security audit by listing all the open ports, services, and operating systems in use on your network. This security audit will tell you the potential entry points for malicious actors. You can find even more security audit information using the Nmap Scripting Engine or NSE.

NSE comes with a suite of scripts that will help you find vulnerabilities in your systems. The scripting engine uses the Lua programming language and you can write your own scripts to customize your scans to your needs. The current list of NSE scripts has 604 entries which you browse here. Most of them are pre-installed with Nmap.

For our example, we will use the vulners script, which uses the Vulners vulnerability database. This script depends on having information on software versions, so you must use the -sV flag with it. Here is an example scan using this script to scan a range of IPs:

nmap -sV --script=vulners 10.0.0.0/24

Fortunately or unfortunately, this network had no vulnerabilities, but here is a partial output:

Nmap for different operating systems

While Nmap commands are generally consistent across different operating systems, some tips and considerations may be more relevant to specific operating systems.

Linux

1. Installing Nmap: How you install Nmap depends on your package manager. You will use apt-get on Debian and Ubuntu or yum on RHEL/CentOS. You can also go to the Nmap download page and install the RPM packages manually.
2. Running Nmap: To run Nmap on Linux, open the terminal and enter the desired Nmap command
3. Updating Nmap: This depends on your Linux distribution. For Debian and Ubuntu, the command is sudo apt-get update & sudo apt-get upgrade nmap; for RHEL/Centos, it is sudo yum update nmap.
4. Uninstalling Nmap: Again, this depends upon the distribution. It is sudo apt-get remove nmap for Debian/Ubuntu and sudo yum remove nmap for RHEL/Centos.

Windows

1. Installing Nmap: Go to the Nmap download page and download the installation executable.
2. Running Nmap: On Windows, run Nmap by opening the Command Prompt or PowerShell and enter the desired Nmap command.
3. Updating Nmap: Nmap will automatically detect and update the latest version on Windows.
4. Uninstalling Nmap: Open the folder where Nmap is installed and double-click the uninstallation script to start the uninstallation process.
5. Performance: Nmap on Windows may not be as efficient as on a Unix-based system, and it only supports ethernet interfaces for raw packet scans, but the performance is generally good enough for most use cases.

Mac

1. Installing Nmap: On Mac, you can install Nmap either by downloading the .dmg installation file from the Nmap download page or with Homebrew via this command: brew install nmap.
2. Running Nmap: Open the terminal application and enter the desired Nmap command.
3. Updating Nmap: If you installed Nmap with Homebrew, run brew upgrade nmap to update it. If you downloaded the .dmg file, you can find your nmap version by running the nmap command. You can compare it against the current stable version on the download page to see if you need to download a new installation.
4. Uninstalling Nmap: If you installed Nmap with Homebrew, run brew uninstall nmap to uninstall it. If you installed Nmap from the official website, run sudo rm -rf /usr/local/bin/nmap /usr/local/share/man/man1/nmap.1.

Unleashing Nmap for enhanced network security

Nmap can be your invaluable ally when your goal is to keep your network secure. Using various scanning techniques, Nmap uncovers live hosts, probes open ports, and identifies potential vulnerabilities. The Nmap Scripting Engine (NSE) will help you automate these assessments and address specific security concerns.

To leverage Nmap effectively:

• Tailor scans to specific objectives and scope.
• Regularly patch systems to guard against known vulnerabilities.
• Conduct regular security audits to stay ahead of threats.

With Nmap as your trusted security copilot, you can navigate the complex landscape of network security, secure your digital assets, and safeguard against cyber threats.