Analyzing hosts and networks with Nmap
Critical Eye
In "The Matrix Reloaded," Trinity uses Nmap to hack into the power grid to pave Neo's way to the architect of the virtual world. However, the port scanner is also ideal for more mundane purposes – such as discovering vulnerabilities in your domestic network.
Nmap (Network Mapper) [1] discovers computers, services, and vulnerabilities on a network. The port scanner, which is implemented in C++ is GPLv2 licensed and runs on all major operating systems. Nmap has been developed since 1996 by Gordon "Fyodor" Lyon of Insecure.Org. Nmap has appeared in 12 movies, including "The Matrix Reloaded," "Die Hard 4," and "The Bourne Ultimatum."
The Nmap scanner can serve many roles. It uses a variety of approaches to discover computers on a network, and it also provides quite accurate information about operating systems, active services, and service vulnerabilities. Packaged in a cron job, Nmap notifies administrators when a service fails or a computer in the network suddenly offers new services installed by an attacker or overzealous user.
Nmap also includes a scripting engine and many LUA scripts for automating tasks and extending the functionality of the tools. Apart from the scanner, the Nmap suite includes other helpful tools, such as the Zenmap graphical user interface, the Ncat data transfer and debugging tool, the Ndiff comparison tool, and the Nping packet generator.
Getting Started
Most popular Linux distributions offer Nmap through their package repositories. The nmap --version
command quickly tells you which version is installed. It is usually not the latest; typically, you will need to build the latest version from source [2]. To build Nmap, download and unpack the source tarball, then execute the standard installation steps with administrative rights:
./configure && make && make install
Nmap allows you to investigate individual computers as well as entire networks, and it distinguishes between privileged and unprivileged users. Some scans are not successful unless you have the necessary privileges (see the box titled "With Privileges"). Nmap's ability to scan entire networks is especially useful if you do not (or no longer) know what services individual computers offer. To scan a network, you can either pass in the IP address of each computer directly in the call to Nmap or pass in a file. An even easier approach is to specify IP address ranges (e.g., in CIDR notation [3]). The commands in the first three lines of Listing 1 are functionally identical. If you want Nmap to parse the hosts from a file, you need a single entry per line, but again, larger ranges are permitted. The file containing the hosts is passed in by using the Nmap -sL <filename>
option.
Listing 1
Specifying IP Addresses
With Privileges
If you run Nmap as a privileged user, it only knocks on port doors using a SYN (half-open) stealth scan, in which Nmap just sends a SYN packet to the server. If the server responds with SYN-ACK, Nmap sends a RST (reset) packet that immediately terminates the connection (Figure 1). The stealth scan was originally developed to prevent the requested computer from logging the IP address of the requesting computer, but now many firewalls and intrusion detection and intrusion prevention systems detect SYN requests and respond accordingly.
By default, Nmap scans the 1,000 most common ports for each host – it uses a pretty fast procedure, but your mileage can naturally vary depending on the number of computers scanned. The -F
(fast) switch lets you limit the number of ports investigated to the 100 most important. To scan only specific ports, you can use the -p
switch to specify individual ports or port ranges as a comma-separated list (Listing 1, last line). If you use -p-
, you are telling Nmap to scan the full range, 1-65535
.
Often knowing whether a host is online and which ports are open is not enough, but Nmap also can collect detailed information about the operating systems and services offered. To do so, use the -sV
(version query) and -O
(OS detection) options, for which Nmap offers an extensive database with fingerprints of numerous services and operating systems (see the "Feeding Nmap Databases" box).
Feeding Nmap Databases
Nmap identifies operating systems and services using databases that have been fed with details for many years. This makes them very extensive: When this article went to press, the database contained about 3,050 reference fingerprints for operating systems and about 8,600 for services. Nevertheless, it can happen that Nmap does not recognize, or at least does not correctly identify, a service or an OS.
The Nmap developers depend on the assistance of users, who are called on to report these cases. I have used Nmap for several years, but have only had a few opportunities to submit Nmap fingerprints [4]. Listing 2 illustrates an example of a fingerprint, which would be a candidate for the database.
Listing 2
Nmap Fingerprint
The -A
option also involves numerous scripts in the OS and version detection scan and returns the traceroute. Such scans take a long time and might cause a lot of unwanted "noise" on the target machine. Nmap flags open ports as open and ports that immediately respond to requests with a RST as closed. Additionally, Nmap interprets some ports as filtered. These are ports that are probably protected by a firewall, which simply rejects the request with a DROP
. Mixed forms such as open | filtered or closed | filtered mean that Nmap cannot detect the exact status of the port.
Output Formats
Nmap outputs its results on the console by default. For a few scanned hosts, this might be okay, but not for a complete network scan. In this case, it is useful to redirect the output to files. Nmap supports output to standard text files (-oN
), grep-optimized text files (-oG
), and XML format (-oX
). The advantage of XML files is that they are easier to evaluate with other programs later on. Additionally, Nmap supports the ScRipT KIdd|3 (-oS
) format, which is designed for a very special target group (Figure 2).
Nmap needs a long time to scan a large network and check UDP ports in the process, but other factors also affect the duration of the scan. For example, if a host is switched off during a scan, Nmap will still try to query all its ports. This might mean that it spends most of the scan time on a handful of computers. The --host-timeout 10s
option tells the tool to ignore the host after the specified period of time.
Although the command
# nmap -p- --host-timeout 120s -O -sV -oX nmap.xml 192.168.x1.1/24
tells Nmap to check all computers on the network that were switched on at the time of the call, it stops the tool from investigating any individual host for more than 120 seconds. Instead of seconds (s
), you can define the duration in milliseconds (ms
) or minutes (m
).
Incidentally, if you send the output to a text file, you can cancel the scan and resume later using nmap --resume <file>
. This does not work for XML files. However, because XML files provide many options for alternative evaluation, they should be your first choice.
To begin, it makes sense to run Nmap on a computer that you know to be always on. If this is a remote computer, the screen multiplexer [5] often turns out to be a useful tool. If Nmap is running in a session started with
screen -S nmap-session
you can close open consoles after a detach (Ctrl+AD). Later, you can view the session from another computer with
screen -r nmap-session
and check on the progress. Compared with other solutions (such as nohup
), the advantage of a screen session is that Nmap is not detached from the input side; thus, you can discover – by pressing Enter at any time – when the port scanner expects to complete the scan (Figure 3).
Zenmap
The Zenmap graphical interface can naturally launch Nmap port scans, but it can also present results in a more intuitive way, such as comparing two XML scans stored at different times, to help you evaluate them. At the command line,
ndiff scan1.xml scan2.xml
displays all the relevant information, but Zenmap makes the comparison a little more convenient and understandable (Figure 4).
Figure 5 shows the topography of the investigated network, another Nmap specialty. All the hosts share a switch. Circles indicate that these are normal computers on the network, such as a desktops, servers, or printers. Rectangles represent network devices, such as switches, routers, or access points.
The size and color of the icons say something about open ports: Green appliances have three, those in yellow between three and six, and those in red more than six. Clicking on a node displays more detailed information about the host. In Figure 5, the topography looks very symmetrical – this changes when you scan computers at different locations over several hops.
When you click one of the icons in the left-hand column and enable the Host Details tab, two large icons indicate whether the host is a computer (Windows screen, a grinning Mac face, or Linux penguins) or a peripheral device (monitor).
The second icon shows you at a glance how many ports are open: A safety deposit box stands for a maximum of two open ports, a treasure chest represents three or four, and a carton indicates five or six. For seven and eight open ports Nmap shows a smelly cheese, and for everything higher, the symbol is a bomb (Figure 6).
Information about the uptime, hostname, and operating systems is displayed if you set the appropriate options for the scan. Filters help you quickly identify candidates that attackers could use as potential entry points, such as computers with old operating systems or vulnerable services (Figure 7).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.