Getting started with Nmap for system administrators
Learn the basics of this system security software
Nmap is a powerful tool that can be used for multiple purposes such as security scanning or discovering servers on a network. It is open source software that is available without cost for all major platforms such as the Linux, IBM® AIX®, Mac OS X, and Microsoft® Windows® operating systems. This article covers the basics of Nmap and some of ways system administrators can use it.
On most distributions of Linux, Nmap is available as a package in the distribution's repository. For example, on Red Hat Enterprise Linux, simply run
yum install nmap to install. On Debian and related systems such as Ubuntu, run
apt-get install nmap to install.
Michael Perzl has packaged Nmap for AIX (see Related topics for a link). If you are running Windows or Mac OS X, you can download the official Nmap versions from their site (see Related topics for a link).
Specify hosts or networks to scan
All Nmap command lines must specify a list of hosts or networks to act upon. There are several options for doing this:
- List individual server names or IP addresses. For example: "server1" would scan only the host named server1, and "192.168.0.240" would scan only the host with the IP address, 192.168.0.240.
- List an entire network in the CIDR format. For instance, "192.168.0.0/24" would scan 256 addresses between 192.168.0.0 through 192.168.0.255, and "10.0.0.0/8" would scan the 16 million addresses in the 10.0.0.0 through 10.255.255.255 range.
- Specify an IP range. For example, "192.168.0.50-95" would scan the 46 IP addresses between 192.168.0.50 through 192.168.0.95.
-iLflag to specify a text file that has a list of hosts or networks to scan.
- Use a * wildcard. For instance, 192.168.0.* would scan 256 addresses between 192.168.0.0 through 192.168.0.255.
- Advanced options can scan the network around a host name. For example, "example.com/24" would scan the class C subnet of whatever network example.com is on.
You can specify multiple hosts on the command line in different formats. For example, you can specify "server1 192.168.0.6 10.0.0.0/8" to specify the host server1, the IP address 192.168.0.6, and the sixteen million addresses in the 10.0.0.0/8 network.
Verify the specified hosts
Be extremely careful to scan only hosts and IP addresses that you have permission to scan. To get a list of what to scan, run
nmap -n -sL followed by a list of hosts or networks. The
-n flag specifies not to carry out a reverse name lookup, and the
-sL option tells Nmap to list the IP addresses that would be scanned. Therefore, the
nmap -n -sL doesn't send anything out on the network; it simply lists what Nmap would scan if it were to do an actual scan. This command can be useful to run before you do a scan to verify that you are scanning only what you intended to. Figure 1 shows an example where you specified hosts "linux1" and "192.168.0.200-210." The
-n -sL options cause Nmap to list the 12 addresses it would be scanning without contacting any of these hosts.
Figure 1. Verify the specified hosts before running a real scan
Discover servers on the network
For system administrators, one of the most useful aspects of Nmap is its ability to discover servers or hosts on a network. This functionality is useful to audit what hosts exist, to document your environment, or to gather information about which subnets are almost out of available IP addresses.
A basic Nmap operation is one that simply does reverse name lookups for an IP range. For example, if you wanted to see if any of the hosts in the 192.168.0.0/24 subnet had reverse Domain Name System (DNS) records, you could run an
nslookup command for each of the 256 addresses — or you could have Nmap do all the work for you. To have Nmap do this for you, simply use the
-sL flag, which tells Nmap to list the IP addresses and resolved host names that would be scanned. Figure 2 shows an example of this.
Figure 2. Showing DNS names of servers
In Figure 2, if you tell Nmap to do reverse DNS lookups on the seven addresses between 192.168.0.139 and 192.168.0.145, Nmap does the reverse lookups on the addresses and shows the names in the output. Several of the IP addresses were not in DNS, so they have no name listed.
A ping scan is handy to determine how many IP addresses are used and available in an address range, as well as to inventory what hosts are on the network. The ping scan is similar to running the
ping command against an IP address to see if it responds, but Nmap can do this on a large scale quickly.
When doing a ping scan, Nmap sends an Internet Control Message Protocol (ICMP) packet (ping), as well as requests on port 80 and 443 (commonly used web server ports). If the IP address responds to any of these, it is reported as up. To run a ping scan, specify the
-sn flag to Nmap. Figure 3 shows an example of doing a ping scan on the 192.168.0.245 – 192.168.0.250 addresses. Nmap finds that several of these addresses are up and reports the information. Note that if you do a scan on the same subnet that you are on, Nmap also reports the Media Access Control (MAC) address of the system and even tells you what company the MAC address was registered to. This functionality helps determine what type of hardware the system is running.
Figure 3. An Nmap ping scan
Basic port scanning
Nmap is primarily a port scanner. Every network service on a system "listens" on a network port between 1 and 65,535. For example, Secure Shell (SSH) listens on port 22, and a Hypertext Transfer Protocol (HTTP) web server listens on port 80. A port scanner such as Nmap attempts to make connections to ports on an IP address to discover which network services are running.
A port scanner is useful because one of the first tenets of good system security is to disable unused services. Every running service on a server is a possible way in for an attacker. Security vulnerabilities pop up all the time, and often it is a specific network service that is vulnerable. If you don't need a network service, then disable it! Nmap helps you verify which services are running on a single host — or every host — in your environment.
For example, if your environment uses SSH to access servers, then you should disable Telnet. That way, users won't access Telnet, which sends cleartext passwords. Additionally, if security vulnerability is ever found in Telnet, it wouldn't affect you if the service isn't running.
The simplest way to do an Nmap port scan is to run the
nmap command followed by a list of server names, IP addresses, or IP address ranges. See Figure 4:
Figure 4. A basic Nmap port scan
Figure 4 shows a basic Nmap port scan of the 192.168.0.245 IP address. When run without any options, Nmap scans the 1,000 most frequently used ports. You can set up Nmap to check all 65,535 ports on an IP address; however, this is slow so that by default, it scans just the 1,000 most frequently used ports. You can see in the output in Figure 4 that Nmap found five open ports on this IP address (22, 442, 2301, 5989, and 8899).
You have dozens of options to control almost every aspect of how the port scan is done. For instance, you can specify
-p0- to scan all 65,535 ports instead of just 1,000 that it does by default.
You also have options to control the type of scan, speed of the scan, and much more. See the Nmap manual page for more information on other options.
Operating system detection
Operating system detection allows Nmap to attempt to determine what operating system a device is running. This feature can be useful if you find an IP address on your network and you're not sure what it is, or you want to do an inventory. To activate this feature, use the
-O option. Figure 5 shows an example where Nmap correctly detects that the server is running the IBM AIX operating system.
Figure 5. Nmap operating system detection
Service version detection
By default, when Nmap carries out a scan, it simply tells you which ports are open and lists their common service names. For example, if a server has port 21 open, it lists it as File Transfer Protocol (FTP). However, nothing stops someone from running a web server on port 21, and if they did, it would fool the default Nmap scan into thinking it was an FTP server.
Nmap supports a feature called version detection, which overcomes this issue. Not only does it detect which ports are open, it then probes them to attempt to determine what type of service is running on the port and what version of the service it is. This functionality is useful when you audit your environment to ensure that all servers are at standard and approved versions of network services.
To do a scan with version detection, specify the
-A option. Figure 6 shows an example scan with this option enabled. Notice the difference in Figure 6, which has this option enabled, compared to Figure 5, which doesn't.
Figure 6. Nmap version detection
Figure 6 demonstrates that Nmap's service detection shows details such as: the server is running OpenSSH version 5.8, and the AIX versions of ftpd and telnetd, and so on.
This article covers just the basics of Nmap to get you started. Nmap is a powerful and feature-rich tool, and it can do more than was discussed here. As you begin to use Nmap, you'll find it to be a useful tool that should be in every Linux and UNIX® systems administrator's toolbox.
- To learn more about Nmap, go to the official Nmap website.
- The Stack Scan sensor uses Nmap to gather data about the targets for credential-less discovery. Learn how to configure Nmap.
- Find out how to install Nmap with the Stack Scan sensor.
- Learn how to use the Nmap scan wizard.
- Download Nmap for yourself to see how it works.
- Get Nmap for AIX at Michael Perzl's website.