Nmap: the Network Exploration Tool and Security / Port Scanner
The “Network Mapper”, or Nmap (nmap is the actual command), is an extremely useful tool for determining what is on your network: which UDP or TCP ports are open, what operating systems are running, what IP addresses are available, and so on. It can be used for network inventory, security audits, and more. If nothing else, it can be fun to run and see what is up and running on which machines and addresses on your network.
When a machine or host is scanned with nmap, a list of ports will likely be in your report. You will see that the state of the port is one of the following:
- Open – An application or program is up and running on the target machine, listening for packets on that port.
- Filtered – A firewall or other network filtering tool is blocking that port, and Nmap cannot tell whether it is open or closed.
- Closed – Nothing is listening on the port.
- Unfiltered – The port is reachable, but the scan could not determine whether it is open or closed.
Use some of the examples below to run a security scan on your network with Nmap. I am sure that you will learn something new about your network from your scan.
Use Nmap to Scan Your Machine for Open Ports
# yum install nmap
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: ftpmirror.your.org
* epel: mirror.chpc.utah.edu
* extras: mirror.hmc.edu
* updates: mirrors.bluehost.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-3.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
nmap x86_64 2:5.51-3.el6 base 2.7 M
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 2.7 M
Installed size: 9.7 M
Is this ok [y/N]: y
Downloading Packages:
nmap-5.51-3.el6.x86_64.rpm | 2.7 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 2:nmap-5.51-3.el6.x86_64 1/1
Verifying : 2:nmap-5.51-3.el6.x86_64 1/1
Installed:
nmap.x86_64 2:5.51-3.el6
Complete!
Run a Simple Nmap Scan with Typical Verbosity
# nmap www.uptimemadeeasy.com
Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:23 MST
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.020s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
783/tcp closed spamassassin
993/tcp open imaps
8000/tcp closed http-alt
Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds
Or Use Nmap to Scan a Complete Network
# nmap 10.1.1.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:25 MST
Nmap scan report for 10.1.1.1
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: D0:D0:FD:C2:B1:02 (Cisco Systems)
Nmap scan report for 10.1.1.2
Host is up (0.00024s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
199/tcp open smux
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afp
873/tcp open rsync
2049/tcp open nfs
50000/tcp open ibm-db2
MAC Address: 00:24:FD:C2:2F:E2 (Netgear)
Nmap scan report for 10.1.1.6
Host is up (0.0030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
MAC Address: 00:25:24:0A:B0:98 (Dell)
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.20)
Host is up (0.00020s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5900/tcp open vnc
5901/tcp open vnc-1
MAC Address: 00:19:24:FE:C9:29 (Dell)
...
Run Nmap in Verbose Mode
# nmap -v bigmachine.uptimemadeeasy.com
Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-07 20:33 MST
Initiating Ping Scan at 20:33
Scanning bigmachine.uptimemadeeasy.com (10.1.1.25) [4 ports]
Completed Ping Scan at 20:33, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:33
Completed Parallel DNS resolution of 1 host. at 20:33, 0.00s elapsed
Initiating SYN Stealth Scan at 20:33
Scanning www.uptimemadeeasy.com (10.1.1.25) [1000 ports]
Discovered open port 80/tcp on 10.1.1.25
Discovered open port 22/tcp on 10.1.1.25
Discovered open port 25/tcp on 10.1.1.25
Discovered open port 993/tcp on 10.1.1.25
Completed SYN Stealth Scan at 20:33, 4.59s elapsed (1000 total ports)
Nmap scan report for bigmachine.uptimemadeeasy.com (10.1.1.25)
Host is up (0.021s latency).
rDNS record for 10.1.1.25: bigmachine.uptimemadeeasy.com
Not shown: 993 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
783/tcp closed spamassassin
993/tcp open imaps
8000/tcp closed http-alt
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.70 seconds
Raw packets sent: 1998 (87.884KB) | Rcvd: 31 (2.000KB)
Other Nmap Examples
# List Scan - just list the targets that will be scanned
nmap -sL 10.1.1.0/24
# Ping Scan - get a list of hosts that are up and running (newer Nmap releases name this option -sn; -sP is the older spelling)
nmap -sP 10.1.1.0/24
# Scan a Port Range on a specific machine
nmap -p1024-65535 10.1.1.25
# Detect the Operating System for a Host
nmap -O 10.1.1.25
# Put output into a "greppable" file format
nmap -O -oG myfile 10.1.1.0/24
There are tons of other advanced options that you may wish to explore. Run man nmap to see more options.
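To make use of the greppable file written by the -oG example above, the following added example (not part of the original post) pulls the open ports per host out of that format with awk. The sample lines are constructed to mirror the scans shown earlier, and the function names write_sample, open_ports and hosts_with_port are illustrative.

```shell
#!/bin/sh
# Turn Nmap greppable (-oG) output into one "ip port/proto service" line per open port.

# Constructed sample in -oG format, modelled on the scans above (not real scan output).
write_sample() {
  {
    printf '# Nmap 5.51 scan initiated as: nmap -oG myfile 10.1.1.0/24\n'
    printf 'Host: 10.1.1.1 ()\tStatus: Up\n'
    printf 'Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)\n'
    printf 'Host: 10.1.1.6 ()\tStatus: Up\n'
    printf 'Host: 10.1.1.6 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)\n'
    printf 'Host: 10.1.1.25 (bigmachine.uptimemadeeasy.com)\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: filtered (998)\n'
  } > "$1"
}

# open_ports FILE: fields in a Host line are tab-separated; each entry in the
# "Ports:" field is port/state/protocol/owner/service/rpcinfo/version/.
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          sub(/^ +/, "", entries[j])
          split(entries[j], f, "/")
          svc = (f[5] == "" ? "-" : f[5])
          if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], svc
        }
      }
    }' "$1"
}

# hosts_with_port FILE PORT/PROTO: list hosts where that port is open, e.g. 23/tcp.
hosts_with_port() {
  open_ports "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

sample=$(mktemp)
write_sample "$sample"
open_ports "$sample"
echo "Hosts with telnet (23/tcp) open:"
hosts_with_port "$sample" 23/tcp
rm -f "$sample"
```

Point open_ports at the real file from the scan (myfile in the example above) to build an inventory you can diff between scans.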
Jeff has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com. You can find Jeff on Google+, LinkedIn, or Twitter.