Nmap - A Beginner's Guide

Many have heard of and used the excellent nmap utility. System administrators and crackers alike love it. Even Hollywood knows about it: in "The Matrix Reloaded", nmap is used on screen for hacking.

nmap is short for "Network Mapper", and that name describes it accurately: a tool for exploring a network and auditing its security. The utility is cross-platform and free; it runs on Linux, Windows, FreeBSD, OpenBSD, Solaris and Mac OS X.

Let's look at using the utility on Debian. nmap is not part of the base install, so install it with the command

# aptitude install nmap

Nmap can scan using a variety of techniques: UDP, TCP connect(), TCP SYN (half-open), FTP bounce (scanning through an FTP server), reverse-ident, ICMP (ping), and the FIN, ACK and NULL scans, among others. The technique is selected with command-line options, and an nmap invocation looks like this:

nmap <options> target

For experiments we'll use a host the nmap developers set up for exactly this purpose: scanme.nmap.org. Run nmap as root. No scan options are required; in that case nmap checks the host for open ports and the services listening on them (as root the default is the TCP SYN scan, -sS; as an unprivileged user it falls back to the connect() scan, -sT). Run the command:

# nmap scanme.nmap.org

After a few seconds we get the result:

Interesting ports on scanme.nmap.org (
Not shown: 998 closed ports
22/tcp open ssh
80/tcp open http

Nothing unusual: ssh on its standard port and http on 80. Nmap reports each port in one of the following states: open, closed, filtered or unfiltered (plus the combined states open|filtered and closed|filtered when it cannot tell the two apart). Open means that an application on the target is accepting connections or packets on that port. Filtered means that a firewall, filter or some other obstacle on the network is blocking the probes, so nmap cannot tell whether the port is open or closed. Closed ports are reachable and answer the probes, but no application is currently listening on them; they can be opened at any moment. Unfiltered ports respond to nmap's probes, but nmap cannot determine whether they are open or closed (only the ACK scan, which is used to map firewall rules, reports this state).

To guess the operating system, add the -O switch:

# nmap -O scanme.nmap.org

Hint: pressing a key (the spacebar, for example) during a scan prints the current progress and the percentage completed. After a few seconds we get an answer, in which the Device type and Running lines are the interesting ones:

Device type: general purpose|WAP|webcam|storage-misc
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (93%), AXIS Linux 2.6.X (89%), Linksys Linux 2.4.X (89%)
Aggressive OS guesses: Linux 2.6.17 - 2.6.28 (93%), Linux 2.6.9 - 2.6.27 (93%), Linux 2.6.24 (Fedora 8) (92%), Linux 2.6.18 (Slackware 11.0) (92%), Linux 2.6.19 - 2.6.26 (92%), OpenWrt (Linux 2.4.32) (91%), Linux 2.6.22 (91%), Linux 2.6.22 (Fedora Core 6) (90%), Linux 2.6.13 - 2.6.27 (90%), Linux 2.6.9 - 2.6.18 (90%)
No exact OS matches for host (test conditions non-ideal).

In general nmap cannot determine the exact kernel version, but it does give a rough idea of how recent the system is and which operating system it runs. Several hosts can be scanned at once by listing them separated by spaces:

# nmap -O example.com example2.com

Let's go back to our experimental host. We would like to know in more detail which software it runs. Let's refine the data we have with the -sV switch (service version detection):

# nmap -sV scanme.nmap.org

We get the answer:

22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
Service Info: OS: Linux

Progress is evident: we learned the exact names of the services in use and even their versions, and from the banners (Ubuntu builds of OpenSSH and Apache) we also learned which operating system the server runs. The output needs no decoding; everything is clear. An aggressive scan, which combines OS detection, version detection, the default NSE script scan and traceroute, is run with the -A switch:

# nmap -A scanme.nmap.org

Nmap prints a great deal of information; I won't reproduce it here. Such a scan can take a while, several minutes.

On a local network, or simply with a range of IP addresses at hand, it is convenient to check which of them are in use with the -sP switch (a ping sweep; in current nmap releases the option is called -sn, and -sP is kept as a synonym):

# nmap -sP

Scanning is quite fast, since it is essentially an ordinary ping check of whether each host answers. Note that a host may not reply to ping because of its firewall settings; if you know the hosts are up anyway, -Pn skips the ping and scans them regardless. If the part of the network you want cannot be expressed as a netmask, you can instead give nmap the first and last addresses of the range to scan (a dash within an octet, for example). For the range in my case, the command is:

# nmap -sP

The answer looks like this (in my case all of the IPs were online at the time):

Host is up (0.0023s latency)
Host is up (0.0015s latency)
Host is up (0.0018s latency)
Host is up (0.0026s latency)
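As an added example (not from the original article, and not nmap's own code), here is a small POSIX shell script that parses nmap's grepable output format (-oG) to list the live hosts from a ping sweep, the ports found open, and the ports nmap left in the filtered or open|filtered state discussed above, which are the ones that need a different probe (an ACK scan, or --reason) before you can say anything about them. The addresses, nmap version string and scan results in the embedded sample are constructed by hand to match the -oG line format; the script runs on that sample when given no argument and on a real .gnmap file when given one.

```shell
#!/bin/sh
# Added example, not from the original article: parse nmap's grepable output
# (-oG) to pull out live hosts, open ports and ports whose state is still
# undetermined, so that a ping sweep can feed a narrower follow-up scan.
# Real usage (the addresses are placeholders):
#   nmap -sn -oG sweep.gnmap 192.0.2.0/28        # -sn is the newer name for -sP
#   nmap -sV -oG ports.gnmap $(live_hosts < sweep.gnmap)
# The -oG line format is
#   Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...
# The sample below is constructed by hand to match it.

sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -v -sV -oG - 192.0.2.0/30\n'
    printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
    printf 'Host: 192.0.2.2 ()\tStatus: Down\n'
    printf 'Host: 192.0.2.3 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.3 ()\tPorts: 25/closed/tcp//smtp///, 53/open|filtered/udp//domain///\tIgnored State: filtered (998)\n'
    printf '# Nmap done -- 4 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
}

# Print each IP reported as Up, once, in the order nmap listed it.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | awk '!seen[$0]++'
}

# Print "ip port/proto service [version]" for every port in state "open".
# Ports nmap folded into "Ignored State" are never open, so they are dropped.
open_ports() {
    awk '/^Host:/ && /Ports: / {
        ip = $2
        line = $0
        sub(/.*Ports: /, "", line)
        sub(/[ \t]+Ignored State:.*/, "", line)
        n = split(line, entry, /, /)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open")
                printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] != "" ? " " f[7] : "")
        }
    }'
}

# Print "ip port/proto state service" for ports in a filtered or open|filtered
# state: nmap could not decide, so they need a different probe (for example
# an ACK scan, -sA, or --reason to see what the verdict rests on).
unresolved_ports() {
    awk '/^Host:/ && /Ports: / {
        ip = $2
        line = $0
        sub(/.*Ports: /, "", line)
        sub(/[ \t]+Ignored State:.*/, "", line)
        n = split(line, entry, /, /)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] ~ /filtered/)
                printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[2], f[5]
        }
    }'
}

# report [file]: summarise a .gnmap file, or the constructed sample if none is given.
report() {
    if [ $# -eq 1 ]; then data=$(cat -- "$1"); else data=$(sample_gnmap); fi
    echo "== live hosts =="
    printf '%s\n' "$data" | live_hosts
    echo "== open ports =="
    printf '%s\n' "$data" | open_ports
    echo "== unresolved ports (need a follow-up probe) =="
    printf '%s\n' "$data" | unresolved_ports
}

report "$@"
```

The three awk filters deliberately key on the Ports: line rather than on the human-readable output, because -oG is the format nmap promises to keep stable for scripting; the normal output changes wording between releases.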

These are far from all of nmap's capabilities, but fitting them into one article is difficult.

If you prefer a GUI, there is the excellent Zenmap, a graphical front-end for nmap, which can also draw a map of the discovered network.

I want to warn you that port scanning remote machines may violate the law.
UDP Inflame clarified that port scanning is nonetheless not illegal.
