Nmap serves as a powerful network security audit tool. It discovers hosts and services on a computer network. Security professionals use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime. It also helps identify open ports, operating systems, and services running on target systems during security audits and penetration tests.
Understanding the Network Security Audit Tool: Nmap Basics
Install Nmap on most operating systems. On Debian/Ubuntu systems, use `apt`. CentOS/RHEL users use `yum` or `dnf`. macOS users can install via Homebrew. Windows users download an installer from the official Nmap website.
After installation, verify Nmap runs correctly. Execute the `nmap -V` command. This prints the Nmap version and build information. A successful output confirms the tool is ready for use.
Start with basic host discovery. The `-sn` (skip port scan) option performs a ping scan. This identifies live hosts without scanning their ports. It quickly maps active devices on a network segment.
```
nmap -sn 192.168.1.0/24

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00034s latency).
Nmap scan report for 192.168.1.10
Host is up (0.00021s latency).
Nmap scan report for 192.168.1.100
Host is up (0.00056s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.23 seconds
```
This output shows three active hosts on the 192.168.1.0/24 subnet. The ping scan provides quick visibility into network presence. It does not reveal open ports or services. For internet-facing assets, you can use Secably's DNS lookup tool to find IP addresses before scanning.
Step-by-Step Usage: Port Scanning
Perform a TCP port scan to find open ports. The default Nmap scan (`nmap <target>`) scans the 1000 most common TCP ports. Use the `-sS` option for a stealth SYN scan. This type of scan is faster and often less detectable than a full TCP connect scan, because it never completes the three-way handshake.
```
nmap -sS 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:05 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
```
This output reveals SSH, HTTP, and HTTPS services running on the target. This information is critical for identifying potential entry points. For external assets, Secably's free port scanner offers a quick web-based alternative for single IP port checks.
Scan all 65535 TCP ports with the `-p-` option. This scan takes significantly longer. It provides a complete picture of all open TCP ports. Combine it with the `-T4` option for a reasonable speed.
```
nmap -sS -p- -T4 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:10 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 12.33 seconds
```
This reveals an additional service on port 8080, likely an HTTP proxy or another web server. Comprehensive port scanning helps uncover forgotten or misconfigured services.
Step-by-Step Usage: Service Version Detection
Identify service versions running on open ports using the `-sV` option. This helps detect outdated or vulnerable software. Nmap probes open ports to determine the exact service and its version.
```
nmap -sS -sV 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:15 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
```
The output now provides specific software versions. For example, OpenSSH 8.2p1 and Apache httpd 2.4.41 are identified. This information is invaluable for cross-referencing with known vulnerability databases.
Step-by-Step Usage: Operating System Detection
Determine the target's operating system with the `-O` option. Nmap sends TCP/IP packets and analyzes responses. It infers the OS based on various characteristics like TCP initial window size, IP ID sequence, and TCP options.
```
sudo nmap -O 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:20 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 3.2 - 5.15
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
```
Nmap identified the target as running Linux. It even provides potential kernel versions. This helps tailor further security assessments and attack simulations.
Step-by-Step Usage: Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) extends Nmap's capabilities. It performs more advanced tasks like vulnerability detection, brute-forcing, and sophisticated discovery. Use `-sC` to run default scripts and `-sV` for service version detection.
```
nmap -sC -sV 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:25 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 63:6b:1c:e7:d0:c1:f9:94:a8:6d:38:e6:1f:d0:4b:9e (RSA)
|   256 94:d7:1a:c0:81:45:9e:e3:2c:1a:6b:4e:e6:f2:80:a5 (ECDSA)
|_  256 b4:5e:3b:0d:d2:4f:b6:6e:d7:f8:2e:c7:8b:2d:c2:c0 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Canonical/stateOrProvinceName=SomeState/countryName=US
| Issuer: commonName=ubuntu/organizationName=Canonical/stateOrProvinceName=SomeState/countryName=US
| Public Key type: rsa
| Public Key size: 2048
| MD5:   1438 6760 1481 0A5D 0110 A7D1 9A10 17C1
|_SHA-1: C45D B68F 49A9 720D 60F9 9E34 7E7A 2816 B68F 1F66
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
```
The output now includes SSH host keys, HTTP titles, and supported HTTP methods. It also provides SSL certificate details for port 443. This enriched data helps identify misconfigurations or weak cryptographic settings. You can use Secably's SSL/TLS certificate checker for a deeper analysis of certificate validity and configuration.
To run specific NSE scripts, use the `--script` option. Quote the pattern so the shell does not expand the `*` against files in the current directory before Nmap sees it. For example, to check for common HTTP vulnerabilities:

```
nmap --script "http-vuln-*" 192.168.1.100

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-27 10:30 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00021s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-vuln-cve2017-1000000: ERROR: Script execution failed (see https://nmap.org/libpcre for help).
443/tcp  open  https
|_http-vuln-cve2017-1000000: ERROR: Script execution failed (see https://nmap.org/libpcre for help).
8080/tcp open  http
|_http-vuln-cve2017-1000000: ERROR: Script execution failed (see https://nmap.org/libpcre for help).
Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds
```
This example shows an error, which can happen if the script is not applicable or requires specific parameters. Always check script documentation. For web-specific vulnerabilities, consider using Secably's free website vulnerability scanner for automated checks.
Step-by-Step Usage: Output Formats
Save Nmap scan results in various formats. This allows for easier parsing and integration with other tools.
Saving the normal output to `scan_results.txt` and the XML output to `scan_results.xml` gives you both a human-readable record and a machine-parsable one. The XML output is especially useful for feeding into other security tools or custom scripts.
Common Use Cases with Practical Scenarios
Internal Network Audit
Regularly audit internal networks. Identify unauthorized devices or services. Scan an entire subnet to find all active hosts and their open ports. This helps maintain a clear inventory of internal assets.
This command scans a `/24` internal network. It identifies all open ports, service versions, and operating systems. Review the XML output to spot unexpected services or devices. This proactive approach prevents internal threats from going unnoticed.
External Attack Surface Mapping
Discover your organization's internet-facing assets. Scan your public IP ranges. Identify what services are exposed to the internet. This helps understand your external attack surface. Secably offers attack surface management solutions that automate this discovery.
Replace `your_public_ip_range.com` with your actual domain or public IP block. This scan reveals services accessible from outside your network. Prioritize patching and securing these external services.
Compliance Checks
Verify adherence to security policies. Ensure only approved services run on specific ports. For instance, check if SSH is only open on custom ports, not port 22.
```
nmap -p 22,80,443,3389 192.168.1.100
```
This scan specifically checks common compliance-relevant ports. If port 3389 (RDP) appears open on a server not approved for RDP, it flags a compliance violation.
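Turning that manual check into a repeatable control means comparing scan results against an approved-port policy automatically. The following is an added example, not part of the original article or of Nmap itself: it parses Nmap's grepable output format (`-oG`) and flags any open TCP port that the policy does not approve for that host. The scan text, the two hosts and the `POLICY` allowlist are constructed for illustration; a host that is missing from the policy is treated as having no approved ports at all, so an unknown device on the subnet is flagged rather than silently passed.

```python
import re

# Constructed sample of Nmap grepable output (-oG) for two hosts; not real scan data.
# Each "Ports:" entry follows Nmap's port/state/protocol/owner/service/rpc/version layout,
# and a tab separates the Ports field from any trailing "Ignored State:" field.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Fri Oct 27 10:35:00 2023 as: nmap -p 22,80,443,3389 -oG - 192.168.1.100 192.168.1.101
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///
Host: 192.168.1.101 ()\tStatus: Up
Host: 192.168.1.101 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (0)
# Nmap done at Fri Oct 27 10:35:01 2023 -- 2 IP addresses (2 hosts up) scanned in 0.61 seconds
"""

# Hypothetical allowlist policy: the TCP ports each host is approved to expose.
# A host absent from the policy has no approved ports, so every open port on it is flagged.
POLICY = {
    "192.168.1.100": {22, 80, 443},
    "192.168.1.101": {22},
}


def parse_gnmap(text):
    """Return {host: {port: (state, proto, service)}} parsed from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        addr = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = hosts.setdefault(addr, {})
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue  # malformed entry; skip rather than crash the report
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            entries[port] = (state, proto, service)
    return hosts


def find_violations(hosts, policy):
    """List (host, port, service) for every open TCP port outside the host's approved set."""
    violations = []
    for addr, ports in sorted(hosts.items()):
        allowed = policy.get(addr, set())
        for port, (state, proto, service) in sorted(ports.items()):
            if proto == "tcp" and state == "open" and port not in allowed:
                violations.append((addr, port, service))
    return violations


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for addr, port, service in find_violations(scan, POLICY):
        print(f"VIOLATION {addr} tcp/{port} ({service}) is open but not approved")
```

Run against a real file by replacing `SAMPLE_GNMAP` with the contents of the `-oG` output; only the `open` state counts, so a `closed` or `filtered` 3389 on an approved host does not produce a finding.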
Pre-Penetration Test Reconnaissance
Gather information about targets before a penetration test. This reconnaissance phase informs attack vectors. Nmap provides a foundational layer of target intelligence.
This command performs a full port scan, detects services and OS, and runs vulnerability scripts. The `-oA` option saves output in all three formats (normal, XML, grepable). This comprehensive scan provides a solid basis for further exploitation attempts. For more on auditing, see our Active Directory Security Audit Tool Deep Dive.
Troubleshooting Common Issues
"Host is down" or "No route to host"
This error often indicates a firewall blocking ICMP requests or TCP SYN packets. The target system might also be offline. Verify the target IP address is correct. Check network connectivity using `ping` or `traceroute`.
```
ping 192.168.1.100

PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.234 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.211 ms
...
```
If `ping` fails, try scanning with `-Pn` (no ping). This tells Nmap to assume the host is up, bypassing the initial ping check. This is useful when firewalls block ICMP.
```
nmap -Pn 192.168.1.100
```
Slow Scans
Network congestion, or an overly aggressive timing template that triggers retransmissions, causes slow scans. Lower the timing template level (e.g., `-T0` for paranoid, `-T1` for sneaky) when the goal is to be less detectable; this makes scans slower still. Increase `-T` for faster scans on trusted networks. The default is `-T3`.

```
nmap -T1 192.168.1.100
```

The `--max-rtt-timeout` and `--min-rtt-timeout` options fine-tune how long Nmap waits for a probe response before retrying or giving up. This helps on unreliable networks.
Permission Denied Errors
Many Nmap features, like SYN scans (`-sS`) and OS detection (`-O`), require raw socket access. This typically means running Nmap as root or administrator.
```
sudo nmap -sS -O 192.168.1.100
```
Always use `sudo` (Linux/macOS) or run as Administrator (Windows) when encountering permission issues.
Firewall Blocking Scans
Firewalls can detect and block Nmap scans. Try using different scan types or evasion techniques.
Decoy scans: `-D <decoy1>,<decoy2>,ME` spoofs source IP addresses, mixing your real probes with probes that appear to come from the decoys.
Fragment packets: `-f` sends tiny IP fragments.
Idle scan: `-sI <zombie host>` uses a zombie host's IP ID sequence. This is a highly advanced technique.

```
nmap -sS -D RND:10,ME 192.168.1.100
```
This command uses 10 random decoy IP addresses to obscure the real source. This makes it harder for firewalls to pinpoint the actual scanner.
Pro Tips for Advanced Usage
Custom Timing Templates
Adjust Nmap's timing templates to optimize scan speed and stealth.
`-T0`: Paranoid (very slow, for IDS evasion)
`-T1`: Sneaky (slower, for IDS evasion)
`-T2`: Polite (slow, reduces network load)
`-T3`: Normal (default, balanced)
`-T4`: Aggressive (faster, more network load)
`-T5`: Insane (very fast, high network load, can be inaccurate)
Choose the appropriate timing template based on your network and objectives.
Target Specification Flexibility
Nmap accepts various target specifications:
Single IP: `192.168.1.1`
Hostname: `example.com`
Range: `192.168.1.1-20`
CIDR notation: `192.168.1.0/24`
List from file: `-iL targets.txt`
The `-iL` option is useful for scanning large lists of targets. Create a text file with one target per line.
Beyond decoys and fragmentation, consider other evasion techniques.
`--source-port <portnumber>`: Spoof the source port.
`--data-length <num>`: Appends random data to sent packets.
`--badsum`: Sends packets with invalid TCP/UDP checksums. This tests firewall behavior.
Use these options responsibly and only on authorized targets.
Writing Custom NSE Scripts
Extend Nmap's functionality by writing your own NSE scripts in Lua. This requires programming knowledge. Scripts can automate custom checks specific to your environment. They can integrate with internal systems.
Find existing scripts in the Nmap `scripts` directory. Analyze their structure for examples.
```
ls /usr/share/nmap/scripts/
```
This command lists all available NSE scripts. Explore them to understand Nmap's capabilities.
Integrating Nmap with Other Tools
Nmap's XML output (`-oX`) integrates with many security tools. Parse the XML to feed data into vulnerability management systems. Use it for custom reporting or dashboards.
For instance, you can parse the XML output to identify all HTTP servers and then use Secably's HTTP security headers checker for further analysis on those specific web servers. This creates a powerful audit pipeline. You can also use tools like Zondex for internet-wide scanning to complement Nmap's targeted approach.
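The pipeline described above starts with reading the XML. The following is an added example, not code from the original article or from the Nmap project: it parses a constructed `-oX` document with Python's standard library, keeps only open ports, and derives two things from it, a list of URLs for every HTTP-family service (using `https` where Nmap reported an SSL tunnel) that can be handed to a web checker, and flat rows of address, port, product/version and CPE suitable for importing into a vulnerability management system. The sample XML, the host, its hostname and the `HTTP_SERVICES` set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX) for one host; not real scan data.
# Element and attribute names follow Nmap's XML schema (nmaprun/host/ports/port/state/service).
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.168.1.100" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:8.2p1</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10">
          <cpe>cpe:/a:apache:http_server:2.4.41</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Service names (from nmap-services or version probes) that denote a web server.
HTTP_SERVICES = {"http", "http-proxy", "http-alt", "https"}


def parse_nmap_xml(xml_text):
    """Return a list of hosts, each with its IPv4 address, PTR name and open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # e.g. a MAC-only entry; nothing to scan further
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for an inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            cpe_el = svc.find("cpe") if svc is not None else None
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "tunnel": attrs.get("tunnel", ""),
                "cpe": cpe_el.text.strip() if cpe_el is not None and cpe_el.text else "",
            })
        hosts.append({
            "addr": addr_el.get("addr"),
            "hostname": name_el.get("name") if name_el is not None else "",
            "ports": ports,
        })
    return hosts


def http_targets(hosts):
    """Build one URL per open HTTP-family port; https when Nmap saw an SSL tunnel."""
    urls = []
    for h in hosts:
        for p in h["ports"]:
            if p["proto"] != "tcp" or p["service"] not in HTTP_SERVICES:
                continue
            scheme = "https" if p["tunnel"] == "ssl" or p["service"] == "https" else "http"
            default_port = 443 if scheme == "https" else 80
            suffix = "" if p["port"] == default_port else f":{p['port']}"
            urls.append(f"{scheme}://{h['addr']}{suffix}")
    return urls


def inventory_rows(hosts):
    """Flatten to (addr, port, 'product version', cpe) rows for a vuln-management import."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            software = " ".join(x for x in (p["product"], p["version"]) if x)
            rows.append((h["addr"], p["port"], software, p["cpe"]))
    return rows


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print("HTTP targets:", http_targets(found))
    for row in inventory_rows(found):
        print(row)
```

The CPE column is empty where Nmap only matched the port number against its services table (`method="table"`), which is exactly the case where a version-based lookup in a vulnerability database would be unreliable; treat those rows as needing manual confirmation rather than feeding them to a matcher.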