In a previous article, Network Scanning Tools (part 2), we briefly covered Nmap, which is described as:
… a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
nmap.org
Below are some of the core features of the Nmap suite:
- Nmap: uses raw IP packets to determine what hosts are available on a network, the services they offer, the operating system they are running, packet filters or firewalls being used, and more.
- Zenmap: an advanced GUI and results viewer.
- Ncat: a flexible data transfer, redirection, and debugging tool.
- Ndiff: a utility for comparing scan results.
- Nping: a packet generation and response analysis tool.
In the following sections we will look at Nmap in more detail and demonstrate how to use it with some examples.
Tool Usage
The synopsis or syntax of Nmap is as follows:
nmap [Scan Type(s)] [Options] {target specification}
Below are some of the more common command line settings:
- Scan Type(s):
  - -sL: List Scan – simply list targets to scan.
  - -sn: Ping Scan – disable port scan.
  - -sU: UDP Scan.
  - -sI zombieHost[:probePort]: Idle Scan.
  - -sO: IP protocol scan.
- Options:
  - -p portRanges: only scan specified ports.
  - --exclude-ports portRanges: exclude the specified ports from scanning.
  - -F: Fast mode – scan fewer ports than the default scan.
  - -r: scan ports consecutively – don't randomize.
  - -O: enable Operating System detection.
  - -A: enable OS detection, version detection, script scanning, and traceroute.
  - -T<0-5>: set timing template (higher is faster).
  - -v: increase verbosity level.
- Target specification:
  - hostnames, IP addresses, networks etc., e.g. scanme.nmap.org, microsoft.com/24, 192.168.0.1, 10.0.0-255.1-254.
  - -iL inputFileName: input from a file containing a list of hosts/networks.
  - -iR numHosts: choose random targets.
  - --exclude host1[,host2][,host3]...: exclude the specified hosts/networks.
There are many more settings than those outlined above. For further details and the latest version, see the Nmap reference guide on nmap.org.
Test Environment
For the purposes of this article we will be using Nmap v7.91 installed on a Kali Linux 2021.2 virtual machine (IP = 10.0.2.15) running within VirtualBox 6.1. The target machines are being run as virtual machines on the same NAT Network:
- Metasploitable 2:
  - IP = 10.0.2.4
  - MAC = 08:00:27:e9:d3:d7
- Ubuntu 21.04:
  - IP = 10.0.2.5
  - MAC = 08:00:27:cd:fe:4b
- Windows 10:
  - IP = 10.0.2.6
  - MAC = 08:00:27:42:90:70
Demonstrations
1) Default scan all reserved TCP ports by IP address
The target is specified by IP address and a default scan is run in verbose mode (-v):
2) Default scan all reserved TCP ports by hostname
Scan the target, specified by hostname, but without verbose mode:
3) Scan specified TCP ports by IP address range
Scan a range of IP addresses with a set of specified ports:
4) Scan fewer TCP ports in Fast Mode by IP address
Scan a specified IP address in Fast Mode so that fewer ports are scanned compared to a default scan:
5) Scan Operating System & specified TCP ports by IP address
Scan a specified IP address to detect the Operating System and a select set of ports:
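The following script is an added example for this article, not code from the original page or from the Nmap project. It builds the command lines for the five demonstrations above from the options in the Tool Usage section, aimed at the lab hosts listed under Test Environment, and adds a small parser that turns Nmap's grepable output (-oG, a real Nmap option the article does not cover) into a host/port inventory of the kind a network inventory or uptime check needs. The port lists, the TARGET_HOSTNAME placeholder and the grepable output embedded in sample_gnmap are assumptions and constructed data, not captured scan results; nmap itself is only invoked when NMAP_RUN=1 and the binary is installed, so the script can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article or the Nmap project).
# Builds the nmap command lines for demonstrations 1-5 against the lab hosts
# from the Test Environment section, and parses constructed -oG output into
# an open-port inventory. Assumed values: the port lists, TARGET_HOSTNAME,
# and the sample output below.

# Demonstration 1: default scan of the Metasploitable 2 host, verbose (-v).
demo1() { echo "nmap -v 10.0.2.4"; }
# Demonstration 2: default scan by hostname; TARGET_HOSTNAME is a placeholder.
demo2() { echo "nmap ${1:-TARGET_HOSTNAME}"; }
# Demonstration 3: the three lab hosts as an address range, chosen ports only.
demo3() { echo "nmap -p 21,22,80,139,445 10.0.2.4-6"; }
# Demonstration 4: Fast mode (-F) scans fewer ports than the default scan.
demo4() { echo "nmap -F 10.0.2.5"; }
# Demonstration 5: OS detection (-O) plus a short port list; -O needs root.
demo5() { echo "nmap -O -p 22,80,135,445 10.0.2.6"; }

# Run one demonstration only when NMAP_RUN=1 and nmap is installed;
# otherwise print the command so the script is safe to execute anywhere.
run_demo() {
  cmd=$("demo$1")
  if [ "${NMAP_RUN:-0}" = "1" ] && command -v nmap >/dev/null 2>&1; then
    $cmd
  else
    echo "would run: $cmd"
  fi
}

# Constructed sample in nmap's grepable (-oG) format. Fields are tab-separated
# and each port entry is port/state/protocol/owner/service/rpc/version/.
sample_gnmap() {
  printf 'Host: 10.0.2.4 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.4 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.2.6 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.6 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)\n'
}

# Read grepable output on stdin and print "host port/proto service" for every
# port whose state is "open"; closed and filtered entries are dropped.
open_ports() {
  awk -F'\t' '
    /Ports:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          s = $i; sub(/^Ports: /, "", s)
          n = split(s, p, /, /)
          for (j = 1; j <= n; j++) {
            split(p[j], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
          }
        }
      }
    }'
}

for n in 1 2 3 4 5; do run_demo "$n"; done
echo "--- open ports parsed from the constructed -oG sample ---"
sample_gnmap | open_ports
```

Running `sample_gnmap | open_ports` prints one line per open port (six in the sample, e.g. `10.0.2.4 21/tcp ftp`). Saving a real scan with `-oG` and feeding it through open_ports gives a baseline inventory for the lab; comparing the output of a later scan against that baseline (or using Ndiff on the saved results) is the simplest way to notice a service that was not open before.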
Further Information
- Homepage:
- Download:
- Documentation:
Have you used Nmap for Penetration Testing? How useful did you find this tool? Please share your thoughts in the comments below.