Nmap. Start using

Have you ever wondered where an attacker knows which ports are open in the system? Or how to find out which applications are running on the server without asking the administrator about it? You can do all this and more with a small tool called Nmap.


What is nmap? The name Nmap is short for “network mapper”, nmap itself is a collection of tools for network scanning. It can be used to check the security, simply to determine the services running on the host, to identify the OS and applications, to determine the type of firewall used on the scanned host.
Nmap is a famous tool. As soon as you learn more about Nmap, you will understand what he does in episodes of such films as The Matrix Reloaded, The Bourne Ultimatum, Hottabych, and others .
This guide will cover the basics of using Nmap and provide some examples that you can use.

Where to get Nmap?

If you use Linux, you can find Nmap packages in the repositories for most distributions. The latest release of Nmap was released in early 2010, so the latest version may not be in the current stable branches. Find the sources and some binary builds on the download page . There is also a windows version.
')

Basics of using Nmap.

The nmap syntax is as follows:

nmap _ _.

Suppose you want to scan a node and find out which operating system is running on it. To do this, do the following:

nmap -O target.host.com

Note that Nmap requires superuser privileges to run this type of scan. The scanning process can take about a minute, so be patient. When the process is over you will see something like this:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-27 23:52 EST
Nmap scan report for 10.0.0.1
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
Device type: WAP|printer
Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
Network Distance: 1 hop


As you can see Nmap provides a lot of information. Here it displays an assumption about the operating system that was running on the node. In this case, the Apple Airport Extrime router was scanned. As an added bonus, Nmap reported that the device was one hop away, as well as the MAC address of the device and the manufacturer of the network card, open ports, and how long the scan took.
Below are the results of another scan, a home computer running Ubuntu 9.10:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-28 00:00 EST
Nmap scan report for 10.0.0.6
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds


Here we see that the system has an HP network card, running Linux between versions 2.6.19 and 2.6.31. By the way, you can not clearly identify the distribution, only the version of the Linux kernel.

Scanning someone else's nodes.

In the examples above, a local router and one of the workstations were selected for scanning, because we had the right to scan them. However, it would be a bad idea to launch a multiple scan of someone else’s site if you do not control them or you do not have permission to scan. For experiments, Nmap has a publicly available scanme.nmap.org test server that you can use.
Many administrators do not like the unauthorized scanning of their servers, so the best option would be to limit the scanning of the nodes of your local network or those for which you have the rights to scan. Also in some cases, you may break the contract with your provider when using some particularly aggressive Nmap scanning methods, so be careful.

Scan multiple nodes.

You can scan more than one node at a time using nmap. If you scan by IP address, you can specify a range of 10.0.0.1-6 or 10.0.0.0/24. Using a range of 10.0.0.1-6, nodes from 10.0.0.1 to 10.0.0.6 will be scanned. Using the definition of / 24 will scan the entire range of nodes from 10.0.0.0 to 10.0.0.255. For example, if you need to scan the nodes from 10.0.0.1 to 10.0.0.42 and find out which OS is probably running, use:

nmap –O 10.0.0.1-42

If you have a list of domain names instead of IP addresses, you can separate them on the command line, like this:

nmap -O host1.target.com host2.target.com

Check open ports

If you run nmap with no options at all and specify some node, it will scan the ports and show all the open ports and services found on them. For example, run:
nmap target.hostname.com
whereupon he should issue something similar to this:

Interesting ports on target.hostname.com (10.0.0.88):
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds


Nmap will display more information if you use the -v (verbose) option.

Scanning running services

If you want to know which service is possible, try the –sV option. This option will perform a more aggressive scan and try to find out which version of services is running on this node, and can also help to more accurately determine which OS is running. For example, run nmap –sV on the test server and get the following answer:

Starting Nmap 5.21 ( nmap.org ) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (XX.XXX.XXX.XX)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at nmap.org/submit .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds


As you can see, Nmap can analyze packages and determine the version of running applications on SSH and HTTP ports. Here you can see that the polled system is Ubuntu with Apache 2.2.8 and OpenSSH 4.7p1. This information may be useful for several reasons. Nmap scanning can identify a system running outdated services that may be vulnerable to known exploits.

Who is in my network?

Not sure how many online nodes are in your network? Try using nmap –sP which will ping the specified network. For example, nmap –sP 10.0.0.0/24 scans 256 nodes from 10.0.0.0 to 10.0.0.255 will check if they are available and report about it. You can also use a range, for example:

nmap –sP 10.0.0.1-15

Zenmap

Finally, if all these command-line joys are not for you, nmap has a GUI that you can use to build and execute commands. Called Zenmap. It will allow you to select a target, run a scan, display the results, as well as save them and compare them with others.
Zenmap GUI is a good way to get familiar with Nmap, but it's better to know how to use Nmap on the command line if you want to work with it often.
In the future tutorial, we will learn more in depth about Nmap and the specific tasks that you can solve.

This post is a free translation of the article Beginner's Guide to Nmap . Thanks for attention.