
Nmap is a cornerstone tool for network administrators and ethical hackers alike. It allows you to discover hosts and services on a computer network by sending packets and analyzing the responses. This lesson will provide a hands-on introduction to using Nmap for basic network scanning, building upon the networking concepts we’ve already covered. We’ll focus on fundamental scan types and options, preparing you for more advanced techniques in later modules.
Installing Nmap
Before we dive into scanning, you’ll need to install Nmap on your system. The installation process varies depending on your operating system:
- Linux: Most Linux distributions include Nmap in their package repositories. You can install it using your distribution’s package manager. For example, on Debian-based systems like Ubuntu, you can use the command:
sudo apt-get install nmap
On Fedora or CentOS, you can use sudo yum install nmap or sudo dnf install nmap.
- macOS: You can download a pre-built Nmap package from the official Nmap website (https://nmap.org/download.html). Alternatively, you can use a package manager like Homebrew:
brew install nmap
- Windows: Download the Nmap installer from the official Nmap website. The installer includes Nmap itself, as well as the Zenmap GUI.
After installation, verify that Nmap is correctly installed by opening a terminal or command prompt and typing nmap -v. This should display the Nmap version number and other information.
Basic Nmap Syntax
The general syntax for running Nmap is:
nmap [scan type(s)] [options] {target specification}
- Scan Type(s): Specifies the type of scan you want to perform (e.g., TCP Connect scan, SYN scan).
- Options: Modifies the scan behavior (e.g., setting the port range, enabling OS detection).
- Target Specification: Defines the target(s) you want to scan. This can be a single IP address, a hostname, a network range, or a list of targets.
Target Specification
Nmap offers flexible ways to specify targets:
- Single IP Address:
nmap 192.168.1.100
- Hostname:
nmap example.com
- Network Range:
nmap 192.168.1.0/24
(scans all IP addresses from 192.168.1.0 to 192.168.1.255)
- Multiple Targets:
nmap 192.168.1.100 192.168.1.101 example.com
- Reading Targets from a File:
nmap -iL targets.txt
(where targets.txt contains a list of IP addresses or hostnames, one per line)
Common Scan Types
Nmap offers various scan types, each with its own advantages and disadvantages. Here are some of the most common ones:
TCP Connect Scan (-sT)
The TCP Connect scan is the most basic form of TCP scanning. It completes a full TCP three-way handshake with the target, making it reliable but also easily detectable. It’s the default scan type when you don’t have raw packet privileges (e.g., when running Nmap as a non-root user).
- How it works: Nmap attempts to establish a full TCP connection with the target port. If the connection is successful, the port is considered open. If the target sends a RST (reset) packet, the port is considered closed. If there’s no response, the port is filtered (likely blocked by a firewall).
- Example:
nmap -sT 192.168.1.100
- Advantages: Works without raw packet privileges.
- Disadvantages: Easily detectable due to the full TCP handshake. Slower than other scan types.
SYN Scan (-sS)
The SYN scan, also known as “half-open scanning,” is a stealthier scan type than the TCP Connect scan. It doesn’t complete the full TCP handshake, making it less likely to be logged by the target system. It requires raw packet privileges.
- How it works: Nmap sends a SYN (synchronize) packet to the target port. If the target responds with a SYN/ACK (synchronize/acknowledge) packet, the port is considered open. Nmap then sends a RST packet to terminate the connection. If the target responds with a RST packet, the port is considered closed.
- Example:
sudo nmap -sS 192.168.1.100
(Note that sudo is required to gain raw packet privileges)
- Advantages: Stealthier than the TCP Connect scan. Faster than the TCP Connect scan.
- Disadvantages: Requires raw packet privileges.
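The two sections above say a Connect scan is easy to spot because the handshake completes, while a SYN scan never hands a connection to the application. The network-level footprint is the same, though: one source touching many ports on one host in a short time. This added detector (example code, not part of the lesson or of Nmap) runs that check over constructed connection-log lines; the log format and the outcome labels ESTABLISHED, HALF_OPEN and REFUSED are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, assumed format "<ts> <src> <dst> <dport> <outcome>":
# ESTABLISHED = full handshake (a Connect scan shows up in application logs),
# HALF_OPEN = SYN, SYN/ACK, then client RST (a SYN scan shows up only in
# firewall/conntrack/IDS logs), REFUSED = server answered with RST.
SAMPLE_LOG = """\
2023-10-27T10:00:00 10.0.0.5 192.168.1.100 22 HALF_OPEN
2023-10-27T10:00:00 10.0.0.5 192.168.1.100 80 HALF_OPEN
2023-10-27T10:00:01 10.0.0.5 192.168.1.100 25 REFUSED
2023-10-27T10:00:01 10.0.0.5 192.168.1.100 110 REFUSED
2023-10-27T10:00:02 10.0.0.5 192.168.1.100 3306 REFUSED
2023-10-27T10:00:10 10.0.0.7 192.168.1.100 22 ESTABLISHED
2023-10-27T10:00:10 10.0.0.7 192.168.1.100 80 ESTABLISHED
2023-10-27T10:00:11 10.0.0.7 192.168.1.100 443 ESTABLISHED
2023-10-27T10:00:11 10.0.0.7 192.168.1.100 25 REFUSED
2023-10-27T10:00:12 10.0.0.7 192.168.1.100 8080 REFUSED
2023-10-27T10:00:05 10.0.0.9 192.168.1.100 443 ESTABLISHED
2023-10-27T10:03:00 10.0.0.9 192.168.1.100 443 ESTABLISHED
"""


def parse_line(line):
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {(src, dst): {"ports": n, "kind": k}} for every source that
    touched at least min_ports distinct ports on one host within window."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport, outcome)]
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, outcome = parse_line(line)
        events[(src, dst)].append((ts, dport, outcome))
    alerts = {}
    for key, evs in events.items():
        evs.sort()  # sliding window over time-ordered events
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in in_win}
            if len(ports) < min_ports:
                continue
            outcomes = {o for _, _, o in in_win}
            kind = ("connect" if "ESTABLISHED" in outcomes      # -sT style
                    else "half-open" if "HALF_OPEN" in outcomes  # -sS style
                    else "unknown")                              # refusals only
            alerts[key] = {"ports": len(ports), "kind": kind}
            break
    return alerts
```

The single legitimate client (10.0.0.9) repeatedly using one port is never flagged, while both scanners trip the threshold; only the outcome labels tell the two scan styles apart.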
UDP Scan (-sU)
The UDP scan sends UDP packets to the target ports. UDP is a connectionless protocol, so the responses differ from those of TCP scans.
- How it works: Nmap sends a UDP packet to the target port. If the target responds with an ICMP “port unreachable” error, the port is considered closed. If there’s no response, the port is considered open|filtered. Determining open UDP ports can be unreliable due to firewalls and rate limiting.
- Example:
sudo nmap -sU 192.168.1.100
- Advantages: Can identify open UDP ports.
- Disadvantages: Slow and unreliable. Firewalls often filter UDP traffic.
Ping Scan (-sn)
The ping scan (also known as host discovery) is used to determine which hosts are alive on a network. It doesn’t scan individual ports.
- How it works: Nmap sends various probe packets (ICMP echo requests, TCP SYN packets, TCP ACK packets, and UDP packets) to each target host. If a host responds to any of these probes, it’s considered alive.
- Example:
nmap -sn 192.168.1.0/24
- Advantages: Fast way to discover active hosts on a network.
- Disadvantages: Doesn’t scan ports. Can be blocked by firewalls that block ICMP or other probe packets.
Common Nmap Options
Nmap provides a wide range of options to customize your scans. Here are some of the most useful ones:
- -p (Port Specification): Specifies which ports to scan. -p 80 scans only port 80; -p 1-100 scans ports 1 through 100; -p- scans all 65535 ports; -p http,https,ssh scans ports 80, 443, and 22 (using service names).
- -F (Fast Scan): Scans only the ports listed in the nmap-services file, which contains the most common ports. This is faster than scanning all ports.
nmap -F 192.168.1.100
- -v (Verbose): Increases the verbosity level, providing more detailed output. Use -vv for even more verbosity.
nmap -v 192.168.1.100
- -A (Aggressive Scan): Enables OS detection, version detection, script scanning, and traceroute. This is a comprehensive scan but can be noisy and take a long time.
sudo nmap -A 192.168.1.100
- -O (OS Detection): Attempts to determine the operating system of the target host. Requires root privileges.
sudo nmap -O 192.168.1.100
- -sV (Version Detection): Determines the version of the software running on open ports.
nmap -sV 192.168.1.100
- --script (Script Scan): Executes Nmap scripts to perform various tasks, such as vulnerability detection, service enumeration, and more.
nmap --script banner 192.168.1.100
(runs the banner script to grab service banners)
- -T (Timing Templates): Controls the speed of the scan. There are six templates: paranoid (T0), sneaky (T1), polite (T2), normal (T3), aggressive (T4), and insane (T5). Higher numbers are faster but also more likely to be detected.
nmap -T4 192.168.1.100
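The -p forms listed above (single port, range, bare dash for every port, service names) combine freely in one argument. This added parser (example code, not Nmap's own implementation) expands such a specification into port numbers; the SERVICES table is a constructed subset of the nmap-services file, and the real Nmap also accepts T:/U: protocol prefixes that this example does not handle.

```python
# Constructed subset of the nmap-services name->port mapping; Nmap itself
# reads the full file at run time.
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "https": 443, "imap": 143}
MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand a -p argument into a sorted list of port numbers.

    Handles a single port (80), a range (1-100), the bare dash meaning every
    port (-), service names (http,https,ssh) and comma-separated mixes such
    as "22,80-85,https". An open-ended range "-100" means 1-100 and "100-"
    means 100-65535. Raises ValueError for unknown names or bad numbers."""
    if spec == "-":
        return list(range(1, MAX_PORT + 1))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port item in %r" % spec)
        if item in SERVICES:                      # service name lookup
            ports.add(SERVICES[item])
        elif "-" in item:                         # numeric range lo-hi
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1             # "-100" -> 1-100
            hi = int(hi) if hi else MAX_PORT      # "100-" -> 100-65535
            if not 0 <= lo <= hi <= MAX_PORT:
                raise ValueError("bad port range %r" % item)
            ports.update(range(lo, hi + 1))
        else:
            n = int(item)                         # ValueError on unknown names
            if not 0 <= n <= MAX_PORT:
                raise ValueError("port out of range: %d" % n)
            ports.add(n)
    return sorted(ports)
```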
Interpreting Nmap Output
Nmap’s output provides valuable information about the target system. Here’s how to interpret the key elements:
- Port State:
open: The port is listening for connections.
closed: The port is accessible, but no application is listening on it.
filtered: Nmap cannot determine whether the port is open or closed because of firewall interference.
unfiltered: The port is accessible, but Nmap cannot determine whether it’s open or closed. This is less common than filtered.
open|filtered: Nmap believes the port is either open or filtered, but cannot determine which.
closed|filtered: Nmap believes the port is either closed or filtered, but cannot determine which.
- Service: The service running on the port (e.g., http, ssh, smtp).
- Version: The version of the service running on the port (if version detection is enabled).
- OS Details: If OS detection is enabled, Nmap will attempt to identify the operating system of the target host.
Example Output:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS details: Linux 3.2 - 4.9
In this example:
- The host 192.168.1.100 is up.
- Ports 22, 80, and 443 are open.
- Port 22 is running OpenSSH 8.2p1.
- Ports 80 and 443 are running Apache httpd 2.4.41.
- The operating system is likely Linux.
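Reading a report by eye works for one host; for many hosts the same fields need to be pulled out programmatically. This added parser (example code, not part of the lesson or of Nmap) turns the example report above, embedded here as the sample input, into a dictionary and lists the open ports. It understands only the normal-output lines shown on this page; Nmap's -oX XML output is the robust choice for real tooling.

```python
import re

# The example report from this lesson, embedded verbatim as sample input.
SAMPLE_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS details: Linux 3.2 - 4.9
"""

# "<port>/<proto> <state> <service> [<version ...>]"; the version column is
# absent when -sV was not used, and state may be e.g. "open|filtered".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_report(text):
    """Parse one host's normal-format report into a dict with keys
    host, up, not_shown, ports (list of dicts) and os."""
    report = {"host": None, "up": False, "not_shown": None,
              "ports": [], "os": None}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Nmap scan report for "):
            report["host"] = line[len("Nmap scan report for "):]
        elif line.startswith("Host is up"):
            report["up"] = True
        elif line.startswith("Not shown: "):
            m = re.match(r"Not shown: (\d+) (\S+)", line)
            if m:
                report["not_shown"] = {"count": int(m.group(1)),
                                       "state": m.group(2)}
        elif line.startswith("OS details: "):
            report["os"] = line[len("OS details: "):]
        else:
            m = PORT_LINE.match(line)
            if m:  # header and banner lines never match the port pattern
                port, proto, state, service, version = m.groups()
                report["ports"].append({"port": int(port), "proto": proto,
                                        "state": state, "service": service,
                                        "version": version})
    return report


def open_ports(report, proto="tcp"):
    """Port numbers reported as open for the given protocol."""
    return [p["port"] for p in report["ports"]
            if p["proto"] == proto and p["state"] == "open"]
```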
Practice Activities
- Basic Scan: Perform a TCP Connect scan on your own computer (localhost or 127.0.0.1). What ports are open?
- SYN Scan: If you have the necessary privileges, perform a SYN scan on your own computer. Compare the results to the TCP Connect scan. Are there any differences?
- Port Range Scan: Scan ports 1-1000 on a target of your choice (ensure you have permission to scan the target). How many ports are open? What services are running on those ports?
- Version Detection: Perform a version detection scan on a target of your choice. What versions of software are running on the open ports?
- Ping Scan: Perform a ping scan on your local network (e.g., 192.168.1.0/24). How many hosts are up?
- Aggressive Scan: Perform an aggressive scan (-A) on a target of your choice. Analyze the output. What information did Nmap gather about the target?
Next Steps and Future Learning
This lesson provided a foundation for using Nmap for basic network scanning. In future lessons, we’ll explore more advanced Nmap techniques, including:
- Nmap Scripting Engine (NSE): Using Nmap scripts to automate tasks and perform more sophisticated scans.
- Firewall Evasion: Techniques for bypassing firewalls and other security devices.
- Advanced Target Specification: Using Nmap’s target specification options to scan complex networks.
- Integrating Nmap with other tools: Combining Nmap with other security tools for comprehensive security assessments.