Network Mapper, or nmap, is a command-line tool available on Linux that scans the ports of a machine. The target can be the local machine or a remote one. Nmap packages are available for Windows as well.
This article shows how to use the nmap command on Linux.
Using nmap we can learn many details about a host: which ports are open, what software is listening on them and which version, the operating system, an uptime estimate, the MAC address and network card vendor, and more.
When we run nmap against a host with no options we see:
(! 1077)-> nmap vx1379
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-08-06 21:43 CDT
Interesting ports on vx1379.nova.com (xxx.xxx.xx.xx):
Not shown: 1674 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
699/tcp   open  unknown
12346/tcp open  NetBus
13782/tcp open  VeritasNetbackup
13783/tcp open  VeritasNetbackup
Nmap finished: 1 IP address (1 host up) scanned in 0.196 seconds
With no options nmap scans the most common TCP ports (here 1674 closed plus 6 open, so 1680 ports in this Nmap 4.11 run; Nmap 5.x scans 1000) and reports which are open. Note that the SERVICE column is only a lookup of the port number in nmap's services table, not the result of talking to the service: port 12346 is listed as NetBus simply because that is the well-known NetBus port. Use -sV (shown below) to find out what is really listening. Some more examples:
OS Identification
-O turns on OS fingerprinting (requires root) and -sS is the SYN scan that root users get by default. Fingerprinting is most reliable when the target has at least one open and one closed TCP port. "Network Distance: 0 hops" means the target is the scanning host itself.
[root@vx111a Desktop]# nmap -sS -O 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:49 IST
Nmap scan report for 172.16.101.231
Host is up (0.000030s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 0 hops
OS Identification with extra verbosity (-v)
With -v nmap also prints an uptime guess (derived from TCP timestamps) and the TCP sequence and IP ID predictability results that fingerprinting relies on.
[root@vx111a Desktop]# nmap -sS -O -v 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:50 IST
Initiating Parallel DNS resolution of 1 host. at 13:50
Completed Parallel DNS resolution of 1 host. at 13:50, 0.18s elapsed
Initiating SYN Stealth Scan at 13:50
Scanning 172.16.101.231 [1000 ports]
Discovered open port 111/tcp on 172.16.101.231
Completed SYN Stealth Scan at 13:50, 0.03s elapsed (1000 total ports)
Initiating OS detection (try #1) against 172.16.101.231
Nmap scan report for 172.16.101.231
Host is up (0.000031s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Uptime guess: 49.710 days (since Tue Jun 18 20:47:55 2013)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
Raw packets sent: 1019 (45.598KB) | Rcvd: 2042 (86.944KB)
No ping (-PN)
-PN (spelled -Pn in current versions and -P0 in older ones) skips host discovery and port-scans the target even if it does not answer pings. Use it when ICMP is firewalled and nmap would otherwise report the host as down.
[root@vx111a Desktop]# nmap -PN 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:50 IST
Nmap scan report for 172.16.101.231
Host is up (0.0000050s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Scan for live hosts (ping scan)
-sP (renamed -sn in Nmap 6; -sP is still accepted) does host discovery only, with no port scan. MAC addresses and vendor names are shown only for hosts on the same Ethernet segment, where nmap sees their ARP replies.
[root@vx111a Desktop]# nmap -sP 172.16.101.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:52 IST
Nmap scan report for 172.16.101.2
Host is up (0.00058s latency).
MAC Address: 80:C1:6E:E3:98:91 (Unknown)
Nmap scan report for 172.16.101.3
Host is up (0.00044s latency).
MAC Address: 00:26:73:21:47:B3 (Ricoh Company)
Nmap scan report for 172.16.101.5
Host is up (0.00048s latency).
MAC Address: 00:14:D1:E1:3B:7F (Trendware International)
Nmap scan report for 172.16.101.7
Host is up (0.00044s latency).
Scanning a single port on a machine (-p)
[root@vx111a Desktop]# nmap -p 22 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:53 IST
Nmap scan report for 172.16.101.231
Host is up (0.000067s latency).
PORT   STATE  SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
[root@vx111a Desktop]# nmap -p 111 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:53 IST
Nmap scan report for 172.16.101.231
Host is up (0.000074s latency).
PORT    STATE SERVICE
111/tcp open  rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Fast scan of fewer ports (-F)
[root@vx111a Desktop]# nmap -F 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:53 IST
Nmap scan report for 172.16.101.231
Host is up (0.000011s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
-F is the fast scan: it limits the port list to the 100 most common ports from nmap-services instead of the default 1000 (hence "Not shown: 99 closed ports" plus the one open port). It does not switch anything else off; OS detection, version detection and the like are off unless requested anyway, so -F simply means fewer probes and a quicker run, as the man page says.
TCP connect scan (-sT)
-sT completes the full three-way handshake with each port, so it needs no special privileges but is noisier: every connection shows up in the target application's logs, where a SYN scan (-sS) usually does not. It is the default when nmap runs as a non-root user.
[root@vx111a Desktop]# nmap -sT 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:54 IST
Nmap scan report for 172.16.101.231
Host is up (0.00044s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
UDP scan (-sU)
UDP scanning needs root and is slow, because a UDP port that receives a probe and stays silent could be either open or filtered; nmap reports such ports as open|filtered. A port is listed as plainly open only when the service sent a UDP reply (111/udp here) and as closed when an ICMP port-unreachable came back. Adding -sV sends protocol-specific payloads and turns many open|filtered results into definite answers.
[root@vx111a Desktop]# nmap -sU 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:54 IST
Nmap scan report for 172.16.101.231
Host is up (0.0000060s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
631/udp  open|filtered ipp
774/udp  open|filtered acmaint_dbd
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
Scanning ports and identifying the version of the services running on them (-sV)
-sV connects to each open port and matches banners and probe responses against nmap's service probes, which is how the SERVICE and VERSION columns become observed facts instead of port-number lookups.
[root@vx111a Desktop]# nmap -sV 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:54 IST
Nmap scan report for 172.16.101.231
Host is up (0.0000050s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind
Checking which IP protocols the remote machine supports (-sO)
-sO is an IP protocol scan: it sends raw IP packets with each protocol number and reports open for protocols that answered and open|filtered when nothing came back. "Not shown: 249 closed protocols" plus the 7 listed covers all 256 protocol numbers.
[root@vx111a Desktop]# nmap -sO 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:55 IST
Nmap scan report for 172.16.101.231
Host is up (0.14s latency).
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open          igmp
6        open          tcp
17       open          udp
103      open|filtered pim
136      open|filtered udplite
255      open|filtered unknown
Scanning a system for operating system details (-O)
Without -v the uptime guess is not printed; compare the -O -v output above.
[root@vx111a Desktop]# nmap -O 172.16.101.231
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-07 13:55 IST
Nmap scan report for 172.16.101.231
Host is up (0.000029s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 0 hops
Scanning a network
# nmap networkID/subnetmask
nmap 172.16.0.0/24
Get information about a remote host's ports and OS in one run
# nmap -sS -P0 -sV -O targetIP
(-P0 is the older spelling of -PN/-Pn: skip host discovery.)
Get a list of servers with a specific port open
# nmap -sT -p 80 -oG - 172.16.0.* | grep open
-oG - writes nmap's grepable output format to stdout, one line per host, so the result can be filtered with grep:
[root@vx111a Desktop]# nmap -sT -p 111 -oG - 172.16.101.* | grep open
Host: 172.16.101.221 () Ports: 111/open/tcp//rpcbind///
Host: 172.16.101.231 () Ports: 111/open/tcp//rpcbind///
Change the -p argument for the port number.
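The grep works because -oG puts each host on one line, but a bare `grep open` also matches open|filtered entries (common in UDP scans, see the -sU output above) and any other port on the line that happens to be open. The script below, an added example rather than code from the original post, parses the grepable fields so that a host is listed only when the requested port has exactly the requested state. The scan output it reads is constructed inline so that it runs offline; with a real scan, pipe `nmap ... -oG -` (or a saved -oG file) into hosts_with_port_state instead.

```shell
#!/bin/sh
# Added example, not from the original post: filter nmap grepable output
# (-oG) by exact port state. Needs only POSIX sh and awk.

# Constructed sample of -oG output (stands in for a real scan). Field layout
# per port entry: port/state/protocol/owner/service/rpcinfo/version/
sample_og() {
    printf '# Nmap 5.21 scan initiated Wed Aug  7 13:56:00 2013 as: nmap -oG - 172.16.0.*\n'
    printf 'Host: 172.16.0.5 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///\n'
    printf 'Host: 172.16.0.6 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///\n'
    printf 'Host: 172.16.0.7 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///\n'
    printf 'Host: 172.16.0.8 ()\tPorts: 80/open|filtered/udp//http///\n'
    printf 'Host: 172.16.0.9 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\n'
    printf '# Nmap done at Wed Aug  7 13:56:01 2013 -- 256 IP addresses (5 hosts up) scanned in 1.23 seconds\n'
}

# hosts_with_port_state PORT STATE
#   Reads -oG text on stdin and prints the address of every host whose entry
#   for PORT has exactly STATE ("open" does not match "open|filtered").
hosts_with_port_state() {
    awk -F '\t' -v port="$1" -v want="$2" '
        /^Host: / {
            split($1, h, " "); ip = h[2]            # "Host: 172.16.0.5 ()" -> address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)          # one entry per scanned port
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")         # f[1] = port, f[2] = state
                    if (f[1] == port && f[2] == want) print ip
                }
            }
        }'
}

# The loose filter from the cheat sheet, for comparison: any line that
# contains the word "open" anywhere.
hosts_mentioning_open() {
    grep open | awk '{ print $2 }'
}

sample_og | hosts_with_port_state 80 open    # 172.16.0.5
sample_og | hosts_mentioning_open            # 172.16.0.5, 172.16.0.8, 172.16.0.9
```

The exact-state filter drops 172.16.0.8 (open|filtered on UDP, not confirmed open) and 172.16.0.9 (port 22 is open, port 80 is not), both of which the plain grep would have reported as web servers.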
Find all active IP addresses in a network
# nmap -sP 172.16.0.*
How many Linux and Windows devices are on your network?
# sudo nmap -F -O 172.16.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Windows device(s)"
Two caveats: the grep only sees hosts nmap fingerprinted confidently (imprecise matches are printed as "Running (JUST GUESSING): ..." and are skipped, as are hosts with no match), and writing to a fixed name in /tmp as root is the classic symlink trap; use mktemp for anything beyond a one-off.
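The shell functions below, an added example that is not from the original post, tally OS families over both the exact "Running:" form and the "Running (JUST GUESSING):" form, and also report how many hosts were not identified at all. The scan output they read is constructed inline to stand in for `nmap -F -O`; on a real network, save the scan with -oN and feed that file in.

```shell
#!/bin/sh
# Added example, not from the original post: count OS families from the
# normal output of `nmap -O`, including low-confidence guesses.

# Constructed sample of `nmap -F -O` output for five hosts. Real scans print
# many more lines per host; only the lines this script looks at are kept.
sample_os_scan() {
    printf 'Nmap scan report for 172.16.0.1\nRunning: Linux 2.6.X\n'
    printf 'Nmap scan report for 172.16.0.2\nRunning (JUST GUESSING): Microsoft Windows XP|2003 (90%%)\n'
    printf 'Nmap scan report for 172.16.0.3\nRunning: Microsoft Windows 7|Vista|2008\n'
    printf 'Nmap scan report for 172.16.0.4\nRunning: Linux 2.6.X\n'
    printf 'Nmap scan report for 172.16.0.5\nNo OS matches for host\n'
}

# count_os FAMILY
#   Hosts whose Running line (exact or JUST GUESSING) mentions FAMILY.
count_os() {
    awk -v fam="$1" '
        /^Running( \(JUST GUESSING\))?:/ && index($0, fam) { n++ }
        END { print n + 0 }'
}

# count_unidentified
#   Hosts for which nmap printed no Running line of either form.
count_unidentified() {
    awk '
        /^Nmap scan report for / { hosts++ }
        /^Running( \(JUST GUESSING\))?:/ { identified++ }
        END { print hosts - identified }'
}

# The cheat-sheet filter, for comparison: it only sees the exact form.
count_os_exact() {
    grep "Running: " | grep -c "$1" || true
}

sample_os_scan | count_os Linux          # 2
sample_os_scan | count_os Windows        # 2
sample_os_scan | count_os_exact Windows  # 1 (the JUST GUESSING host is missed)
sample_os_scan | count_unidentified      # 1
```

Reporting the unidentified count alongside the family totals matters in practice: -F scans only 100 ports, so on hosts with no open port among them fingerprinting often fails, and a tally that silently drops those hosts understates the inventory.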
The same one-liners accept any target notation nmap understands; see "man nmap" for the different ways to specify address ranges. For example:
For a specific subnet:
nmap -sP 172.16.0.0/24
Ping a range of IP addresses:
nmap -sP 172.16.1.100-254
nmap accepts a wide variety of addressing notations, and multiple targets and ranges on one command line.
Find unused IPs on a given subnet
nmap -T4 -sP 172.16.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
The ping sweep makes the kernel send an ARP request for every address in the subnet; addresses that never answered remain in the ARP cache as incomplete entries with an all-zero hardware address, which is what the egrep picks out. This only works for a subnet the scanning host is directly attached to, and incomplete entries age out of the cache quickly, so read /proc/net/arp immediately after the sweep.
More to come. Happy learning :-)