
10 nmap commands every Linux user should know

nmap, a powerhouse in network scanning, boasts a wealth of functionality in Linux. Our guide sheds light on essential nmap commands, empowering you to proficiently analyze and secure your networks.

by Arun Kumar

Nmap, which stands for Network Mapper, is a versatile and powerful tool that is essential for anyone who manages a network or is involved in cybersecurity. Its primary function is to scan a network and identify all connected devices, along with open ports and other network attributes. However, Nmap is more than just a simple scanner. It’s a comprehensive tool that can be customized to fit specific needs.

As a long-time Linux user, I have had the opportunity to explore and experiment with Nmap’s various features and functionalities. In this blog, I’ll share ten of my favorite Nmap commands, along with personal insights and tips. Whether you’re a seasoned cybersecurity expert or a beginner, this journey into the world of Nmap on Linux is sure to be informative and exciting.

Understanding nmap

Before diving into commands, let’s understand what nmap is. Standing for “Network Mapper,” nmap is a powerful open-source tool used for network discovery and security auditing. It can discover devices running on a network and find open ports along with various attributes of the network.

Installing nmap in Linux

Nmap is not installed by default on all Linux distributions. However, it is available in the package repositories of most major Linux distributions, so it can be easily installed.

To check if Nmap is installed on your Linux system, you can open a terminal window and type the following command:

nmap --version

If Nmap is installed, you will see a message like this:

Nmap 7.93 ( https://nmap.org )

If Nmap is not installed, you will see an error message like this:

nmap: command not found

If Nmap is not installed on your Linux system, you can install it using your distribution’s package manager.

Here are some examples of how to install Nmap on popular Linux distros:

  • Ubuntu: sudo apt install nmap
  • Fedora: sudo dnf install nmap
  • CentOS: sudo yum install nmap
  • Debian: sudo apt install nmap
  • Arch Linux: sudo pacman -S nmap

Once Nmap is installed, you can start using it to scan networks for open ports and services.

10 nmap command uses in Linux

1. Basic Nmap scan

Every beginner’s first step into the realm of Nmap starts with the basic scan. It’s the simplest way to scan a target IP or a range of IPs to find out which hosts are up and running.

Command:

nmap [target_IP]

Output:

Starting Nmap (https://nmap.org)
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https

2. Scan multiple IP addresses or subnets

I often find myself wanting to scan multiple hosts or even an entire subnet. This command is a lifesaver in such situations. It helps in getting a quick overview of the network.

Command:

nmap [IP1] [IP2] [IP3]
nmap [IP_range]

Nmap takes several targets separated by spaces, not commas. A range can be written as 192.168.1.1-20 or in CIDR notation as 192.168.1.0/24.

Output:

Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
...
Nmap scan report for 192.168.1.2
Host is up (0.0018s latency).
...

3. Scan with a specific port number

While I adore the basic scan, sometimes I need to dig deep into a particular port. This command focuses on that very task. If you ever wonder about the status of a specific port, this is your go-to.

Command:

nmap -p [port_number] [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE
22/tcp   open   ssh

4. Detect OS and services

This is among my personal favorites. I cannot count how many times I’ve relied on it to determine the operating system and services of a mysterious device on the network. Note that -O on its own only fingerprints the operating system; add -sV to get the service versions shown in the output below. OS detection needs raw-socket access, so run it as root.

Command:

nmap -O -sV [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 7.2p2 Ubuntu 4
80/tcp   open   http     Apache httpd 2.4.18
...
Aggressive OS guesses: Linux 3.x (95%), Linux 4.x (93%), ...

5. Fast scan

When I’m in a hurry, and who isn’t these days, the fast scan comes to the rescue. With -F, Nmap checks only the 100 most common ports instead of its default 1,000, which speeds the scan up considerably at the cost of missing services on less common ports.

Command:

nmap -F [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http

6. Stealth scan (SYN scan)

This is the James Bond of scans. Stealthy and incognito! If you want to scan without ringing too many bells, this is the way. The SYN scan never completes the TCP handshake, so the application behind the port never sees a connection. It needs raw-socket privileges (run it with sudo), and when Nmap runs as root it is already the default scan type. Modern firewalls and intrusion detection systems still log the half-open probes, so “stealth” is relative.

Command:

nmap -sS [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http

7. UDP scan

Sometimes, I’ve had to venture beyond the TCP realm. This command is great for when you need insights into UDP ports. Like the SYN scan it needs root privileges, and expect it to be slow: UDP has no handshake to confirm that a port is open, and most hosts rate-limit the ICMP port-unreachable replies Nmap relies on to mark a port closed, so many ports end up reported as open|filtered.

Command:

nmap -sU [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE
53/udp   open   domain
123/udp  open   ntp

8. Aggressive scan

For those moments when you want all the information and you want it now! The -A option switches on OS detection, version detection, default script scanning and traceroute in one go. This scan gives a detailed overview, but I’d advise caution; it’s loud and might be detected.

Command:

nmap -A [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE   VERSION
22/tcp   open   ssh       OpenSSH 7.2p2 Ubuntu 4
80/tcp   open   http      Apache httpd 2.4.18
...

9. Vulnerability scan

As a security enthusiast, this holds a special place in my heart. This scan provides insights into potential vulnerabilities. However, remember always to have permission before scanning for vulnerabilities.

Command:

nmap --script vuln [target_IP]

Output:

Nmap scan report for 192.168.1.1
PORT     STATE  SERVICE
22/tcp   open   ssh
|_ ssh-vuln-cve2018-15473: VULNERABLE
80/tcp   open   http
|_ http-vuln-cve2017-5638: VULNERABLE

10. Saving the scan results

Lastly, what good is a scan if you cannot store its results? This command ensures that the outputs are saved for future reference.

Command:

nmap [target_IP] -oN outputfile.txt

You would not see an immediate output on the terminal, but the scan results will be saved in ‘outputfile.txt’.
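As an added example (not part of the original article), here is a small POSIX shell script that turns saved scans into a recurring check: it reads a report written in Nmap’s grepable format (-oG, a sibling of -oN) and lists every open port that is not on an allowlist of expected services, so you can spot new exposure between scans. The report it parses is constructed inline for the demo, and the function names and the allowlist are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Compares a report written
# with "nmap -oG <file>" against an allowlist of ports that should be open.
# Grepable format (one tab-separated line per host), e.g.:
#   Host: 10.0.0.1 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/.

# unexpected_ports <grepable_report> "<allowed ports>"
# Prints "ip port/proto service" for every open port not in the allowlist.
unexpected_ports() {
  report="$1"
  allow="$2"                      # e.g. "22/tcp 80/tcp 443/tcp"
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Host:/ && /Ports:/ {
      ip = $2
      sub(/.*Ports: /, "")        # keep the port list onwards
      sub(/\t.*/, "")             # drop the trailing "Ignored State" column
      cnt = split($0, p, /, */)
      for (i = 1; i <= cnt; i++) {
        split(p[i], f, "/")       # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] != "open") continue   # filtered/closed ports are not exposure
        key = f[1] "/" f[3]
        if (!(key in ok)) print ip, key, f[5]
      }
    }' "$report"
}

# Constructed sample report in -oG shape (hypothetical hosts, not a real scan).
make_sample_report() {
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, 53/filtered/tcp//domain///\tIgnored State: closed (997)\n'
}

# Demo: only 3389/tcp on 192.168.1.2 falls outside the baseline.
demo() {
  tmp=$(mktemp)
  make_sample_report > "$tmp"
  unexpected_ports "$tmp" "22/tcp 80/tcp 443/tcp"   # prints: 192.168.1.2 3389/tcp ms-wbt-server
  rm -f "$tmp"
}
demo
```

Run it against a real report with `nmap -oG scan.gnmap [target_IP]` followed by `unexpected_ports scan.gnmap "22/tcp 443/tcp"`; an empty result means nothing new is listening.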

Frequently Asked Questions (FAQs) on nmap

Navigating nmap’s capabilities often brings a myriad of questions. Let’s address some of the most common ones:

Why use nmap?

Answer: nmap is an indispensable tool for network discovery and security auditing. It provides a comprehensive view of open ports, active hosts, services, and even the operating system versions on the network, enabling both network admins and security professionals to secure and optimize their environments.

Is it legal to use nmap?

Answer: Using nmap in itself is legal. However, scanning networks that you don’t own or have explicit permission to scan is illegal in many jurisdictions. Always ensure you have proper authorization and are adhering to local laws and regulations.

Can nmap scans be detected?

Answer: While nmap offers “stealthy” scanning techniques, no method is entirely invisible. Intrusion Detection Systems (IDS) and some firewalls can detect even the most covert scans. It’s always wise to assume that your scan might be detected.

How long does an nmap scan typically take?

Answer: Scan duration varies widely based on the range of IPs, the type of scan, network conditions, and the number of ports scanned. While a basic scan on a local network might complete within minutes, more comprehensive scans can take hours or even longer.

What is the difference between TCP and UDP scans?

Answer: TCP and UDP are two primary transport protocols. TCP is connection-oriented, meaning it establishes a connection before transferring data, while UDP is connectionless and sends data without formal connections. nmap provides different scanning techniques for both, with TCP scans often being faster but more detectable, and UDP scans being slower but essential for services running on UDP.

How do I protect my network against nmap scans?

Answer: A few strategies include:

  • Using a good firewall to filter incoming traffic.
  • Employing an Intrusion Detection System to recognize and alert on scanning activities.
  • Regularly updating and patching systems to guard against known vulnerabilities.
  • Limiting the number of open ports and services running on network devices.
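The second bullet, recognising scanning activity, as an added example that is not from the original article: a POSIX shell function that reads iptables-style kernel LOG lines (the SRC= and DPT= fields) and reports any source address that has probed at least a threshold number of distinct destination ports, which is what the basic, fast and SYN scans above look like from the defender’s side. The log lines are constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Spots port-scan behaviour in
# iptables/nftables LOG lines, which carry SRC=<ip> and DPT=<port> fields.
# One source touching many distinct destination ports is the signature of a
# port scan; ordinary clients talk to a handful of ports. A real deployment
# should additionally bucket the counts by time window.

# scan_sources <logfile> <threshold>
# Prints "src distinct_port_count" for sources at or above the threshold.
scan_sources() {
  log="$1"
  thr="$2"
  awk -v thr="$thr" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {           # fields are KEY=VALUE tokens
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next      # not a firewall log line
      if (!((src, dpt) in seen)) {          # count each src/port pair once
        seen[src, dpt] = 1
        ports[src]++
      }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
  ' "$log" | sort
}

# Constructed sample log (documentation-range addresses, not real traffic):
# 203.0.113.5 probes eight different ports, some twice; 198.51.100.7 only
# ever talks to 443, which is ordinary client behaviour.
make_sample_log() {
  for p in 21 22 23 25 80 110 443 3389 22 80; do
    printf 'Jan 12 10:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=%s SYN\n' "$p"
  done
  for p in 443 443 443; do
    printf 'Jan 12 10:00:02 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=%s SYN\n' "$p"
  done
}

demo() {
  tmp=$(mktemp)
  make_sample_log > "$tmp"
  scan_sources "$tmp" 5          # prints: 203.0.113.5 8
  rm -f "$tmp"
}
demo
```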

Conclusion

Nmap is a highly sophisticated and versatile tool that offers a plethora of commands to meet diverse needs. Whether you are a beginner or an advanced user, Nmap has got something to offer to everyone. From basic port scanning to more advanced network mapping and vulnerability detection, Nmap has it all. Its intuitive interface and powerful features make it a popular choice among security professionals worldwide. So, if you’re looking for a tool that can help you accomplish your network scanning goals, Nmap is the way to go.

©2016-2023 FOSS LINUX