Daniel Scott
Engineering/Project Manager
Hello, everyone! If you are someone I speak with regularly, you know how often I bring up my interest in cybersecurity. I have studied cybersecurity for a few years and learned many exciting things. One of the tools that I have been using for a while is Nmap. Nmap is a powerful network scanning tool used to discover hosts and services on a computer network.
In this article, I will explain Nmap, why you should use it, and how to use it.
What is Nmap?
Nmap is a free and open-source network scanning tool for discovering hosts and services on a computer network. It identifies live hosts, open ports, and the services behind them, and its scripting engine (NSE) can probe for some known misconfigurations and vulnerabilities. Nmap is also well documented, actively maintained, and widely supported, which is why it is a standard tool for network administrators, security professionals, and ethical hackers who need to identify potential security risks.
Why use Nmap?
Let's imagine a scenario where you had the task of testing the security of a network; this is one of many tasks that a penetration tester would perform. A penetration tester is another name for a white-hat or ethical hacker; these are security professionals hired to test the security of a company's digital and physical infrastructure.
Before testing a network, you need to use a scanning tool to identify all the hosts, the services running on each host, and any potential vulnerabilities an attacker could exploit. This is where Nmap comes in; it's a powerful tool that helps us do all these things.
There are other ways to scan a network, but Nmap is one of the most popular and widely used tools. It is easy to use, fast, and powerful, and can scan large networks quickly and efficiently. Nmap is also highly customizable, allowing you to scan networks in various ways depending on the practitioner's objective.
How to use Nmap?
Nmap is a command-line tool, so you run it from your computer's terminal. Unless you're using a security-focused Linux distribution (e.g., Kali Linux) that ships with Nmap preinstalled, you'll need to download and install it yourself.
For brevity, I've decided not to cover detailed installation instructions, but if you're interested in learning more, Nmap is available for Windows, Linux, and macOS. For more details, visit their official page: https://nmap.org/.
Once you have installed Nmap, you can run it from the command line.
nmap [<Scan Type> ...] [<Options>] {<target specification>}
Here are some basic Nmap scan types you can use:
- -sn: Ping scan (host discovery). Lists which hosts on a network are up without port-scanning them. The -sP flag is the older name for the same scan and still works.
- -sS: TCP SYN scan, Nmap's default port scan when it runs with root/administrator privileges. Nmap sends the SYN packet that opens a TCP three-way handshake and classifies each port by the reply: SYN/ACK means open, RST means closed, and no reply (or an ICMP unreachable) means filtered. Without raw-socket privileges Nmap falls back to a full connect scan (-sT).
- -sV: Version detection. Probes open ports to identify the service and, where possible, the product and version number (e.g., OpenSSH 7.4).
- -A: Aggressive scan. Enables OS detection (-O), version detection (-sV), the default script scan (-sC), and traceroute with one flag. It doesn't find vulnerabilities by itself; for that you add Nmap Scripting Engine checks, for example --script vuln.
Here are some basic Nmap options:
- -p <ports>: The ports to scan, e.g. -p 22,80,443, a range such as -p 1-1024, or -p- for all 65,535 TCP ports. Without -p, Nmap scans the 1,000 most common ports.
- -T<0-5>: Timing template, from -T0 (paranoid) to -T5 (insane). -T3 is the default and -T4 is common on fast, reliable networks; higher values finish sooner but are noisier and can miss results on slow or rate-limited links.
- -oN <file>: Write the normal (human-readable) output to a file. Related options choose other formats: -oX for XML, -oG for grepable output, and -oA <basename> for all three at once.
These examples above barely scratch the surface of what Nmap offers; it would take many hours to cover all of this tool's features comprehensively.
However, here is an example from the official website of how you can use Nmap to scan a network:
nmap -A -T4 scanme.nmap.org
When I run this command on my computer, I get the following output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 14:18 CDT
Nmap scan report for scanme.nmap.org (50.116.1.184)
Host is up (0.042s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01:e000:3e6::6d4e:7061
rDNS record for 50.116.1.184: ack.nmap.org
Not shown: 994 filtered tcp ports (no-response)
PORT      STATE  SERVICE  VERSION
22/tcp    open   ssh      OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 48:e0:c6:cd:14:00:00:db:b6:b0:3d:f2:0a:2a:3b:6d (RSA)
|   256 88:2b:29:00:d0:c7:81:ac:dd:f4:90:42:d2:aa:f0:5b (ECDSA)
|_  256 64:d6:39:35:04:76:1c:ba:17:f3:fd:4f:1f:b3:71:61 (ED25519)
70/tcp    closed gopher
80/tcp    open   http     Apache httpd 2.4.6
|_http-title: Did not follow redirect to https://nmap.org/
|_http-server-header: Apache/2.4.6 (CentOS)
113/tcp   closed ident
443/tcp   open   ssl/http Apache httpd 2.4.6
|_http-title: Did not follow redirect to https://nmap.org/
| ssl-cert: Subject: commonName=insecure.com
| Subject Alternative Name: DNS:insecure.com, DNS:insecure.org, DNS:issues.nmap.com, DNS:issues.nmap.org, DNS:issues.npcap.com, DNS:issues.npcap.org, DNS:nmap.com, DNS:nmap.net, DNS:nmap.org, DNS:npcap.com, DNS:npcap.org, DNS:seclists.com, DNS:seclists.net, DNS:seclists.org, DNS:sectools.com, DNS:sectools.net, DNS:sectools.org, DNS:secwiki.com, DNS:secwiki.net, DNS:secwiki.org, DNS:svn.nmap.org, DNS:www.nmap.org
| Not valid before: 2024-09-23T19:27:15
|_Not valid after:  2024-12-22T19:27:14
|_http-server-header: Apache/2.4.6 (CentOS)
|_ssl-date: TLS randomness does not represent time
31337/tcp closed Elite
Service Info: Host: issues.nmap.org

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.08 seconds
Wow! This output contains a lot of information, even though it's just a basic example!
Here's a brief explanation of the output:
- SSH (port 22), HTTP (port 80), and HTTPS (port 443) are open. SSH is served by OpenSSH 7.4 and the web server is Apache httpd 2.4.6. A port is like a channel on a radio: a host has one IP address but can run many services at once, and the port number tells the client which service it is talking to. Here, 80 and 443 carry the HTTP and HTTPS versions of a website.
- The SSH server offers RSA, ECDSA, and Ed25519 host keys, so modern key types are supported. Note that OpenSSH 7.4 and Apache 2.4.6 are the base versions shipped with CentOS 7, and distributions like this backport security fixes without changing the version string, so a version number alone does not tell you whether the host is patched.
- There's a TLS certificate covering multiple domains related to the Nmap project; it was valid from 2024-09-23 to 2024-12-22, which includes the date of this scan.
- Ports 70 (Gopher), 113 (Ident), and 31337 (Elite) are closed: the host answered with a RST, meaning it is reachable but nothing is listening there. The remaining 994 scanned ports were filtered (no response at all), which usually points to a firewall.
- Taken together, this is a publicly accessible server for Nmap-related services. Both ports 80 and 443 redirect to https://nmap.org/, and the Server header shows Apache on a CentOS-based system.
Now, what can you do with this information?
- Identify open ports and misconfigurations on a network, such as an administrative service exposed to the internet.
- Identify the services running on a network (e.g., HTTP, SSH).
- Determine whether those services are up to date and whether they have known vulnerabilities, keeping in mind that the version string needs to be checked against the vendor's or distribution's advisories rather than taken at face value.
No significant vulnerabilities are apparent in this scan. However, we can perform a deeper investigation if we want further insight. (We will not do this because it's outside the bounds of what we're allowed to do with this target in particular - see my note below).
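Reading one scan report by eye is fine; across a whole network you want the output in a form you can filter. The following is an added example (my own code, not part of the Nmap project) that parses Nmap's XML output, which you get with the -oX option described above, and answers the questions in the list above: which hosts are up, which ports are open, and what service and version each one reports. The SAMPLE_XML below is a constructed -oX rendering of the scanme.nmap.org results shown earlier, trimmed to the elements this parser reads; the function and class names are mine.

```python
"""Turn Nmap XML output (-oX) into records you can filter and report on."""
# Added example for this article; it is not code from the Nmap project.
# Assumes the scan was saved with something like:  nmap -sV -oX scan.xml <target>
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: an -oX rendering of the scanme.nmap.org scan from the
# article, reduced to the elements this parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml scanme.nmap.org" version="7.94SVN">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="50.116.1.184" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <extraports state="filtered" count="994"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="70"><state state="closed" reason="reset"/><service name="gopher"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="113"><state state="closed" reason="reset"/><service name="ident"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" tunnel="ssl"/></port>
      <port protocol="tcp" portid="31337"><state state="closed" reason="reset"/><service name="Elite"/></port>
    </ports>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    number: int
    protocol: str
    state: str          # open / closed / filtered / ...
    service: str        # Nmap's service name, e.g. "http"
    product: str = ""
    version: str = ""
    extrainfo: str = ""
    tunnel: str = ""    # "ssl" when the service is reached over TLS

    def display_service(self) -> str:
        """The SERVICE column Nmap prints, e.g. 'ssl/http' for port 443."""
        return f"{self.tunnel}/{self.service}" if self.tunnel else self.service

    def banner(self) -> str:
        """The VERSION column Nmap prints, e.g. 'OpenSSH 7.4 (protocol 2.0)'."""
        text = " ".join(part for part in (self.product, self.version) if part)
        if self.extrainfo:
            text = f"{text} ({self.extrainfo})" if text else self.extrainfo
        return text


@dataclass
class Host:
    address: str
    hostname: str
    up: bool
    ports: list[Port] = field(default_factory=list)

    def open_ports(self) -> list[Port]:
        return [p for p in self.ports if p.state == "open"]


def _attr(el, name: str, default: str = "") -> str:
    """Attribute lookup on an element that may be absent (find() returns None)."""
    return default if el is None else el.get(name, default)


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """Parse an -oX report into Host records; rejects XML that is not from Nmap."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError(f"not an Nmap XML report (root element is <{root.tag}>)")
    hosts = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:                       # IPv6-only or MAC-only entry
            addr = h.find("address")
        host = Host(
            address=_attr(addr, "addr"),
            hostname=_attr(h.find("hostnames/hostname"), "name"),
            up=_attr(h.find("status"), "state") == "up",
        )
        for p in h.findall("ports/port"):
            svc = p.find("service")
            host.ports.append(Port(
                number=int(p.get("portid")),
                protocol=p.get("protocol", ""),
                state=_attr(p.find("state"), "state", "unknown"),
                service=_attr(svc, "name"),
                product=_attr(svc, "product"),
                version=_attr(svc, "version"),
                extrainfo=_attr(svc, "extrainfo"),
                tunnel=_attr(svc, "tunnel"),
            ))
        hosts.append(host)
    return hosts


def find_service(hosts: list[Host], name: str) -> list[tuple[Host, Port]]:
    """Every (host, port) pair in the report where an OPEN port runs `name`."""
    return [(h, p) for h in hosts for p in h.open_ports() if p.service == name]


def report_lines(host: Host) -> list[str]:
    """One-line-per-open-port summary, the way you would hand it to a ticket."""
    lines = [f"{host.hostname or host.address} ({host.address}) is {'up' if host.up else 'down'}"]
    for p in host.open_ports():
        lines.append(f"  {p.number}/{p.protocol} {p.display_service()} {p.banner()}".rstrip())
    return lines


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print("\n".join(report_lines(h)))
```

Because the parser keeps closed and filtered ports too, the same records let you ask the opposite question during a review, e.g. confirm that nothing but 22, 80 and 443 is open on a host that is supposed to expose only a website. Run it against a real file by swapping SAMPLE_XML for open("scan.xml").read().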
Nmap offers many other options and scan types. I encourage you to explore the official Nmap documentation to learn more about scanning a network with Nmap.
A critical note about using Nmap and other network scanning tools:
In the example above, I used the scanme.nmap.org host; this is a public host the Nmap project set up for testing purposes. Anyone is authorized to scan it to try out their scanning tools, but you should keep it to a few scans per day rather than hammering it.
It is also essential to note that scanning a network without permission is unethical and, in some cases, can lead to legal action. You should NEVER scan a network without the explicit consent of the network owner. If you are a network administrator or security professional, only use Nmap on networks you have explicit, preferably written, permission to scan.
My thoughts on Nmap
Nmap is one of the most remarkable tools I've used in my cybersecurity journey. I've also used it to complete dozens of CTF challenges. By the way, CTF stands for Capture The Flag, a type of cybersecurity competition in which you complete a set of challenges. These challenges can range from simple to complex and mimic real-world cybersecurity scenarios, testing your knowledge and skills.
Another interesting fact about Nmap is that it's Hollywood's favorite tool for hacking scenes in movies and TV shows. You can see it in action in films like The Matrix Reloaded and The Bourne Ultimatum and in TV shows like Mr. Robot.
I hope you found this article helpful and informative. If you have any questions or comments, feel free to leave them below. I would love to hear from you!