IntroductionNmap is a powerful tool for discovering information about machines on a network or the Internet. It allows you to probe a machine with packets to detect everything from running services and open ports to the operating system and software versions.
Like other security tools, Nmap should not be misused. Only scan networks and machines that you own or have permission to investigate. Probing other machines could be seen as an attack and be illegal.
That said, Nmap can go a long way in helping to secure your own network. It can also help you to ensure that your servers are properly configured and don't have any open and unsecured ports. It will also report if your firewall is correctly filtering ports that should not be externally accessible.
Nmap is installed by default on Kali Linux, so you can just open it up and get started.
Basic ScansNmap has fairly intelligent defaults set, so you are able to just open up Nmap and run a scan without specifying anything but the target. So, why not try it out on a computer on your network. Scanning the computer running Kali isn't going to give you much of anything, so it's best to pick another computer that you own. If you already know the IP of one, awesome. If not, Nmap has a tool to get the IP addresses of the computers on your network.
Open up a terminal, if you haven't already, and run the following command.
# nmap -sn 192.168.1.0/24If your home network doesn't use the
192.168.1.XIP structure, substitute in yours. The sequence ends with
0/24to tell Nmap to scan the entire subnet.
What you'll see when Nmap finishes is a list of every devices that was reachable. Each device will have a name(if applicable), IP address, and MAC address with a manufacturer. By using the names and the hardware manufacturers, you should be able to tell what each device on your network is. Pick a computer that you own, and scan it.
# nmap 192.168.1.15You can just write in the IP of that computer. Nmap will take a few seconds to probe the computer with packets and report back.
The report will be sort, but it will contain a list of ports with their state and which service they correspond to. It will also show that MAC address information and your IP again.
Useful FlagsEven though the defaults do give some useful information, and you can tell which ports are open, it would still be nice to get some more data. Nmap has tons of flags that you can set to specify just how you would like it to run. There are way too many to cover in this basic guide, but you can always check out Nmap's detailed manpage for more.
-sSflag is the default scanning flag for Nmap. It just specifies the way that Nmap will scan. Even though it's the default, it's probably a good idea to specify it anyway.
-TTiming can be important. Not only does the timing of the scan determine how long scanning will take, but it can also be instrumental in triggering or not triggering firewalls and other safeguards on a target system. While Nmap offers more fine-grained timing control, it also provides a set of six pre-built timing schemes with the
-Tflag. These timings range from 0 through 5, with 0 being the slowest and least invasive and 5 being the fastest and most overt.
-T3is the default timing flag, but many users prefer
-T4to speed up the scan.
-iLYou can use Nmap to scan multiple targets at once. Doing so can easily be done in-line when you run Nmap.
# nmap -sS -T4 192.168.1.4 192.168.1.35 192.168.1.102For a small number of targets this works, but it can quickly become cumbersome and isn't all that readily repeatable. The
-iLflag imports a list of targets for Nmap to use. This way, you can save targets and repeat scans at a later date.
Before running Nmap, open up your text editor of choice and enter in a couple of the IPs on your network.
$ vim ~/Documents/targets.txt 192.168.1.4 192.168.1.10 192.168.1.35 192.168.1.102 192.168.1.128Save that file and run Nmap with the
# nmap -sS -T4 -iL /home/user/Documents/targets.txtNmap will read through the list and preform a scan on each entry.
-FBy default, Nmap will scan the 1000 most commonly used ports on a target machine. This, of course, takes time. If you know that you only need to or only want to scan the most common ports to reduce the run time of Nmap, you can use the
-Fflag tells Nmap to only scan the 100 most commonly used ports instead of the usual 1000.
# nmap -sS -T4 -F 192.168.1.105
-OIf you would like information on the operating system being run on the target machine, you can add the
-Oflag to tell Nmap to probe for operating system information as well. Nmap is not super accurate when it comes to operating system information, but it usually gets very close.
# nmap -sS -T4 -O 192.168.1.105
--openIf you are only looking for which ports are open on a specific machine, you can tell Nmap to only look for open ports with the
# nmap -sS -T4 --open 192.168.1.105
-sVSometimes, it's useful to know what software and what versions of that software a machine is running. This is especially good for investigating your own servers. It also gives you insight into what server information others can see. Nmap's
-sVallows you to get as detailed information as possible about the services running on a machine.
# nmap -sS -sV -T4 192.168.1.105
-pOccasionally, you may only want to scan select ports with Nmap. The
-pflag allows you to specify specific ports for Nmap to scan. Nmap will then only scan those specified ports on the target machine.
# nmap -sS -T4 -p 25,80,443 192.168.1.105Nmap will then only scan ports 25, 80, and 443 on the computer at
If you don't know the port number of a common service, you can use the name of the service instead, and Nmap will know to look at the right port.
# nmap -sS -T4 -p http,https,imap 192.168.1.105
-p-There are many more ports on a computer than the 1000 that Nmap scans by default. As a result, some my be missed in a basic scan. If you are absolutely concerned about the security of your system, it is worth doing a complete scan of every port. To do this, use the
# nmap -sS -p- 192.168.1.105This will take a long time, so it should not be done lightly.
-ABy now, you've acquired a lot of flags to use. Using all of them together can be very awkward. Nmap has the
-Afor just this reason. It's sort of the "kitchen sink" flag that tells Nmap to aggressively gather as much information as it can.
# nmap -A 192.168.1.105
Logging OutputIt would sure be able to store the results from Nmap. Well, you can. Nmap has yet another flag that allows you to store output in a variety of different formats. This is excellent for long scans like ones with the
-p-flag. To use Nmap's logging capabilities, pass the
-oXalong with the name of the file.
-oNlogs the normal output.
-oXlogs the output as XML. By default, Nmap will overwrite existing logs with new ones, so be careful not to overwrite anything you don't want to.
# nmap -sS -p- -oN Documents/full-scan.txt 192.168.7.105You can find the full log in the text file when Nmap completes.
If you want something ridiculous, try the