NMAP the Network Exploration Tool and Security / Port Scanner
The “Network Mapper”, or Nmap (the actual command name), is an extremely useful tool for determining what is on your network: which TCP or UDP ports are open, which operating systems are running, which IP addresses are in use, and so on. It can be used for network inventory and security audits. If nothing else, it can be fun to run and see what is up and running on which machines and addresses on your network.
When a machine or host is scanned with nmap, a list of ports will likely be in your report. You will see that the state of the port is one of the following:
- Open – an application or program is up and running on the target machine, listening for packets on that port.
- Filtered – a firewall or other network filtering device is blocking that port, so nmap cannot tell whether it is open or closed.
- Closed – nothing is listening on the port.
- Unfiltered – the scan could not determine whether the port was open or closed.
Use some of the examples below to run a security scan on your network with Nmap. I am sure that you will learn something new about your network from your scan.
Use Nmap to Scan Your Machine for Open Ports
# yum install nmap
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftpmirror.your.org
 * epel: mirror.chpc.utah.edu
 * extras: mirror.hmc.edu
 * updates: mirrors.bluehost.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-3.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch           Version                Repository          Size
================================================================================
Installing:
 nmap           x86_64         2:5.51-3.el6           base               2.7 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 2.7 M
Installed size: 9.7 M
Is this ok [y/N]: y
Downloading Packages:
nmap-5.51-3.el6.x86_64.rpm                               | 2.7 MB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2:nmap-5.51-3.el6.x86_64                                     1/1
  Verifying  : 2:nmap-5.51-3.el6.x86_64                                     1/1

Installed:
  nmap.x86_64 2:5.51-3.el6

Complete!
Run a simple nmap scan with the default verbosity
# nmap www.uptimemadeeasy.com

Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:23 MST
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.020s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
783/tcp  closed spamassassin
993/tcp  open   imaps
8000/tcp closed http-alt

Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds
Or Use Nmap to Scan a Complete Network
# nmap 10.1.1.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:25 MST
Nmap scan report for 10.1.1.1
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: D0:D0:FD:C2:B1:02 (Cisco Systems)

Nmap scan report for 10.1.1.2
Host is up (0.00024s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
199/tcp   open  smux
443/tcp   open  https
445/tcp   open  microsoft-ds
548/tcp   open  afp
873/tcp   open  rsync
2049/tcp  open  nfs
50000/tcp open  ibm-db2
MAC Address: 00:24:FD:C2:2F:E2 (Netgear)

Nmap scan report for 10.1.1.6
Host is up (0.0030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:25:24:0A:B0:98 (Dell)

Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.20)
Host is up (0.00020s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5900/tcp open  vnc
5901/tcp open  vnc-1
MAC Address: 00:19:24:FE:C9:29 (Dell)
...
Run Nmap in Verbose Mode
# nmap -v bigmachine.uptimemadeeasy.com

Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:33 MST
Initiating Ping Scan at 20:33
Scanning bigmachine.uptimemadeeasy.com (10.1.1.25) [4 ports]
Completed Ping Scan at 20:33, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:33
Completed Parallel DNS resolution of 1 host. at 20:33, 0.00s elapsed
Initiating SYN Stealth Scan at 20:33
Scanning www.uptimemadeeasy.com (10.1.1.25) [1000 ports]
Discovered open port 80/tcp on 10.1.1.25
Discovered open port 22/tcp on 10.1.1.25
Discovered open port 25/tcp on 10.1.1.25
Discovered open port 993/tcp on 10.1.1.25
Completed SYN Stealth Scan at 20:33, 4.59s elapsed (1000 total ports)
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.021s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
783/tcp  closed spamassassin
993/tcp  open   imaps
8000/tcp closed http-alt

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.70 seconds
           Raw packets sent: 1998 (87.884KB) | Rcvd: 31 (2.000KB)
Other Nmap Examples
# List Scan - just list the targets that will be scanned
nmap -sL 10.1.1.0/24

# Ping Scan - get a list of hosts that are up and running
nmap -sP 10.1.1.0/24

# Scan a Port Range on a specific machine
nmap -p1024-65535 10.1.1.25

# Detect the Operating System for a Host
nmap -O 10.1.1.25

# Put output into a "greppable" file format
nmap -O -oG myfile 10.1.1.0/24

# There are tons of other advanced options that you may wish to explore.
# Try a man nmap to get more options.
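The "greppable" -oG file from the last example is the easiest form to turn into a network inventory. The following script is an added example, not part of the original post or of Nmap itself: it parses -oG output (one tab-separated "Host: ... Ports: ..." line per host, one "port/state/proto/owner/service/..." entry per port), lists the open ports per host, and flags open services that an auditor would usually want to review. The sample output embedded in it is constructed to resemble the 10.1.1.0/24 scan above, and the REVIEW_SERVICES set is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample of "nmap -oG" output, modelled on the 10.1.1.0/24 scan
# shown above; it is not a real capture from that network.
SAMPLE_GNMAP = """\
# Nmap 5.51 scan initiated Tue Jan  7 20:25:11 2014 as: nmap -oG myfile 10.1.1.0/24
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (996)
Host: 10.1.1.6 ()\tStatus: Up
Host: 10.1.1.6 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.1.1.20 (bigmachine.uptimemadeeasy.com)\tStatus: Up
Host: 10.1.1.20 (bigmachine.uptimemadeeasy.com)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 5900/open/tcp//vnc///, 8000/closed/tcp//http-alt///\tIgnored State: closed (996)
# Nmap done at Tue Jan  7 20:25:40 2014 -- 256 IP addresses (3 hosts up) scanned in 29.12 seconds
"""

# Services worth a second look in an audit (this example's own choice): cleartext
# logins and remote-desktop protocols often forgotten on switches and lab boxes.
REVIEW_SERVICES = {"telnet", "ftp", "vnc", "vnc-1", "rpcbind", "nfs"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} from every 'Ports:' line."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        # Each host has a 'Status:' line and a 'Ports:' line; fields are tab-separated.
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        ip = HOST_RE.match(line).group(1)
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Entry layout: port/state/protocol/owner/service/rpc info/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            hosts[ip].append((int(port), proto, state, service))
    return dict(hosts)

def open_ports(hosts):
    """Reduce the parse to {ip: sorted open port numbers} for an inventory."""
    return {ip: sorted(p for p, _, st, _ in ports if st == "open")
            for ip, ports in hosts.items()}

def flag_for_review(hosts):
    """Return sorted (ip, port, service) for open ports running REVIEW_SERVICES."""
    return sorted((ip, p, svc) for ip, ports in hosts.items()
                  for p, _, st, svc in ports if st == "open" and svc in REVIEW_SERVICES)

if __name__ == "__main__":
    for ip, port, svc in flag_for_review(parse_gnmap(SAMPLE_GNMAP)):
        print(f"REVIEW {ip}:{port} ({svc})")
```

To run it against your own scan, replace SAMPLE_GNMAP with the contents of the file written by -oG; closed ports are parsed but never flagged.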