What is nmap?
nmap is a network exploration tool and security / port scanner.
If you’ve heard of it, and you’re like me, you’ve most likely used it like this:
nmap 127.0.0.1
i.e. you’ve pointed it at an IP address and observed the output:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-24 18:36 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
631/tcp   open  ipp
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
9002/tcp  open  dynamid
50000/tcp open  ibm-db2
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
which tells you the open ports on a host.
I used nmap like this for years, but only recently grokked the manual to see what else it could do. Here’s a quick look at some of the more useful things I found out.
1) Scan a Network
As its description implies, nmap can scan a range of IP addresses. You can do this in a couple of ways.
If you want to use a CIDR range, you can scan like this:
nmap 192.168.1.0/24
which will scan all 256 addresses in that range. Your own network may use a different range (192.168.0.0/24 and 10.0.0.0/24 are also common), so check your machine’s address first.
Or, if you’re less comfortable with CIDR, you can use a glob like this:
nmap '192.168.1.*'
(quote it, so that the shell doesn’t try to expand the * against filenames in your current directory).
I use this to work out which machines are active on my home network:
nmap -sn 192.168.1.0/24
where the -sn flag skips the port scan and only does host discovery (run as root on a local Ethernet segment this is an ARP sweep, which is fast and also finds hosts that drop ICMP pings).
2) Scan All Ports
One gotcha about nmap is that it doesn’t scan all ports by default. Instead it ‘scans the 1,000 most common ports for each protocol’. Quite often you might want to find _any_ open ports on the hosts. You can achieve this with:
nmap -p- localhost
where the -p flag indicates the ports to scan and -p- is shorthand for -p 1-65535, i.e. all of them (port 0 is only scanned if you ask for it explicitly with -p 0-65535).
Beware that this (and many other nmap activities, but especially this) can trigger all sorts of network security tripwires, so be sure that it’s OK to run this on the network, and don’t be surprised if you get booted from the network either. I get round this in the example above by running it locally.
You can also specify the service you want to find by name. The names come from nmap’s own nmap-services file (similar to, but not the same as, /etc/services). One I use commonly is:
nmap -p domain 192.168.1.0/24
which tells me which hosts on the network have TCP port 53 open. Bear in mind that a default scan is TCP-only, so a DNS server that only answers over UDP will not show up; add -sU (which needs root, and is slow) to scan the UDP port as well.
3) Get service versions
You can use the -sV flag to get more information on service versions. This command tells me that I’m running a couple of dnsmasq servers on my local network, and their versions:
$ nmap -sV -p domain 192.168.1.0/24 | grep -E '(scan report for|open)'
Nmap scan report for Ians-MBP.home (192.168.1.65)
Nmap scan report for cage.home (192.168.1.66)
53/tcp open  domain  dnsmasq 2.79
Nmap scan report for Ians-Air-2.home (192.168.1.119)
Nmap scan report for basquiat.home (192.168.1.124)
Nmap scan report for Google-Home-Mini.home (192.168.1.127)
Nmap scan report for dali.home (192.168.1.133)
53/tcp open  domain  dnsmasq 2.79
Nmap scan report for Google-Home-Mini.home (192.168.1.137)
Nmap scan report for api.home (192.168.1.254)
nmap does this using its nmap-service-probes database: once it finds an open port it sends a series of probes (an HTTP GET, a TLS handshake and so on) and matches the responses against signatures of known services and versions.
This is useful for spotting services on your network that are old or known-vulnerable and need upgrading, before someone else scans them and finds the same thing. Keep in mind that a version match is a best guess from banners and responses, not proof of the exact build installed.
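Sections 1 to 3 above all produce output meant for a human. When you want to feed the results into a script (an inventory of live hosts, or a list of every host running a given service and version), ask nmap for its greppable format with -oG - (or XML with -oX -) instead of scraping the normal report. The block below is an added example, not code from the original post: a few POSIX sh/awk filters over a constructed -oG sample in the format nmap writes (real output tab-separates the Host/Status/Ports fields; the filters don’t depend on that). The hostnames and the dnsmasq 2.79 versions are taken from the scan above; the OpenSSH entry and the ‘Down’ host are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-process nmap greppable
# (-oG) output with POSIX sh + awk, so scan results can drive other tooling.
# A real run would be:  nmap -sV -p 22,53 -oG - 192.168.1.0/24 | open_services

# CONSTRUCTED sample in -oG format (nmap separates the fields with tabs;
# the Status: Down line only appears when nmap is run with -v).
SAMPLE_OG='# Nmap 7.60 scan initiated Sun Nov 25 11:55:00 2018 as: nmap -sV -p 22,53 -oG - 192.168.1.0/24
Host: 192.168.1.65 (Ians-MBP.home)  Status: Up
Host: 192.168.1.65 (Ians-MBP.home)  Ports: 22/closed/tcp//ssh///, 53/closed/tcp//domain///
Host: 192.168.1.66 (cage.home)  Status: Up
Host: 192.168.1.66 (cage.home)  Ports: 22/closed/tcp//ssh///, 53/open/tcp//domain//dnsmasq 2.79/
Host: 192.168.1.133 (dali.home) Status: Up
Host: 192.168.1.133 (dali.home) Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4/, 53/open/tcp//domain//dnsmasq 2.79/
Host: 192.168.1.200 ()  Status: Down
# Nmap done at Sun Nov 25 11:55:12 2018 -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds'

# Hosts that responded, one IP per line. Works on plain -sn output too.
live_hosts() {
  awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Open ports with service and version, as "ip port/proto service version".
# Each entry in the Ports: field is port/state/proto/owner/service/rpcinfo/version/
# and entries are separated by ", ", so split on "/" (versions contain spaces).
open_services() {
  awk '
    /^Host: / && /Ports: / {
      ip = $2
      line = $0
      sub(/.*Ports: /, "", line)
      sub(/[ \t]*Ignored State:.*/, "", line)   # trailing summary, if present
      n = split(line, entry, /, /)
      for (i = 1; i <= n; i++) {
        split("", f)                            # clear the array before reuse
        split(entry[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
      }
    }'
}

# Hosts with a given service open, by nmap service name (e.g. "domain").
hosts_with_service() {
  open_services | awk -v svc="$1" '$3 == svc { print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OG" | live_hosts
printf '%s\n' "$SAMPLE_OG" | open_services
printf '%s\n' "$SAMPLE_OG" | hosts_with_service domain   # 192.168.1.66 and 192.168.1.133
```

In practice you pipe a real scan into the filters, e.g. nmap -sV -p 22,53 -oG - 192.168.1.0/24 | hosts_with_service domain. nmap’s manual marks -oG as deprecated in favour of XML, but it is still produced by current versions and is far easier to handle from a shell one-liner; reach for -oX and a real XML parser when you need the script output as well.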
4) Use -A for more data
There are further options to tune the version scan. For example, --version-all tries every probe against every port, which takes longer but gives the best chance of a match. Here it is combined with the -A flag, which enables OS detection, version detection, NSE script scanning and traceroute in one go (the OS detection and traceroute parts need root):
$ nmap -A -p 443 192.168.1.124 --version-all
Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-25 11:55 GMT
Nmap scan report for basquiat.home (192.168.1.124)
Host is up (0.00054s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=meirionconsulting.com
| Subject Alternative Name: DNS:meirionconsulting.com
| Not valid before: 2018-09-28T01:01:51
|_Not valid after:  2018-12-27T01:01:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.78 seconds
The amount of detail can be surprisingly rich and useful. The lines starting with | and |_ are the output of NSE scripts (here http-server-header, http-title, ssl-cert and ssl-date), which -A runs for you; more on those below.
5) Find out what nmap is up to
nmap isn’t very chatty and can take a long time to return a result, so like many other command line tools it offers verbosity (-v) and debug (-d) flags that tell you more about what’s going on:
nmap -vv -dd -sn 192.168.0.0/24
Adding an extra v or d will make nmap more chatty still if needed:
[...]
Ping Scan Timing: About 31.25% done; ETC: 12:32 (0:01:08 remaining)
ultrascan_host_probe_update called for machine 192.168.0.1 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002984)
ultrascan_host_probe_update called for machine 192.168.0.2 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002937)
ultrascan_host_probe_update called for machine 192.168.0.3 state HOST_DOWN -> HOST_DOWN (trynum 1 time: 2002893)
[...]
6) Script your own scans with NSE
nmap uses the Nmap Scripting Engine (NSE) to run these probing scripts (the ssl-cert and http-title output seen above comes from them) and generate their output. Scripts are written in the Lua programming language.
On my machine these scripts are located in /usr/share/nmap/scripts. You can call them like this:
nmap --script=http-sitemap-generator example.com
There are all sorts of cool-looking scripts in there that may be useful to you, relating to everything from apache server status to xserver access. Scripts are tagged with categories (safe, intrusive, vuln, exploit and so on), so check the category before you run one against something you don’t own: --script-help followed by a script name prints its description and categories.
More information is available in the NSE documentation at https://nmap.org/book/nse.html.