1. Overview

The nmap command, short for Network Mapper, is a command-line tool in Linux used to scan a network to discover hosts, such as servers, routers, and switches, along with the open ports and services they expose. This open-source tool enables administrators and cybersecurity practitioners to map out networks and detect vulnerabilities.

In addition to its powerful command-line features, nmap also offers a graphical user interface called Zenmap. This version is easier to use for those with less command-line experience and provides a visual representation of the network for better understanding.

In this article, we’ll explore various functionalities of the nmap command, such as port and host operating system discovery, among others.

2. Install nmap Command

While most Linux distributions come with the nmap package preinstalled, some do not. Therefore, before using the nmap command, it’s essential to ensure that the necessary package is installed on the system.

Let’s proceed with installing nmap using the apt command:

$ sudo apt-get install nmap

This command is specific to Debian-based Linux systems, such as Ubuntu, and installs the nmap package together with its dependencies.

Alternatively, we can use the dnf command to install nmap. This is the right choice for systems running Fedora, CentOS, or Red Hat.

For example, let’s show how to install nmap using the dnf command:

$ sudo dnf install nmap

Once the installation is complete, the screen displays a message indicating that the process finished successfully. This message includes information about the installed version of nmap.
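The two install commands above differ only by distribution family. The following script, an added example that is not part of the original article, picks the matching command by reading the ID and ID_LIKE fields of /etc/os-release and then checks that an nmap binary is actually on PATH afterwards. The os-release snippets in it are constructed for the demonstration, and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: choose between the apt-get and
# dnf commands shown above by reading the distro family from /etc/os-release,
# and confirm afterwards that an nmap binary is actually on PATH.
set -eu

# os_release_field TEXT KEY -> value of KEY in os-release content, quotes stripped
os_release_field() {
  printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# install_cmd_for OS_RELEASE_TEXT
# Prints the install command for the distro family; returns 1 when the family is
# neither Debian-like nor Fedora/RHEL-like (the two cases covered in this article).
install_cmd_for() {
  local id id_like
  id=$(os_release_field "$1" ID)
  id_like=$(os_release_field "$1" ID_LIKE)
  case " $id $id_like " in
    *" debian "*|*" ubuntu "*)            printf 'sudo apt-get install nmap\n' ;;
    *" fedora "*|*" rhel "*|*" centos "*) printf 'sudo dnf install nmap\n' ;;
    *) return 1 ;;
  esac
}

# nmap_present -> 0 if nmap is on PATH, 1 otherwise (the post-install check)
nmap_present() {
  command -v nmap >/dev/null 2>&1
}

# Constructed os-release snippets used for the stand-alone run below.
UBUNTU_RELEASE='ID=ubuntu
ID_LIKE=debian
VERSION_ID="22.04"'
ROCKY_RELEASE='ID="rocky"
ID_LIKE="rhel centos fedora"'
ALPINE_RELEASE='ID=alpine'

# Show which command would be run on each constructed system.
for rel in "$UBUNTU_RELEASE" "$ROCKY_RELEASE" "$ALPINE_RELEASE"; do
  if cmd=$(install_cmd_for "$rel"); then
    echo "$(os_release_field "$rel" ID): $cmd"
  else
    echo "$(os_release_field "$rel" ID): no installer known, install nmap manually"
  fi
done

# The check we want after installation: is the binary reachable?
if nmap_present; then
  echo "nmap is installed: $(nmap --version | head -n 1)"
else
  echo "nmap is not on PATH yet"
fi
```

To apply it on a live system, pass the real file with install_cmd_for "$(cat /etc/os-release)" and run the printed command; matching on ID_LIKE as well as ID is what lets derivatives such as Rocky Linux or Linux Mint fall into the right family.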

3. Common nmap Command Options

The basic syntax and structure of the nmap command are straightforward:

$ nmap [Scan Type(s)] [Options] {target specification}

[Scan Type(s)]: refers to the types of scans we want to perform, such as TCP SYN scan, TCP connect scan, UDP scan, and many others

[Options]: represents flags that modify the behavior of the scan

{target specification}: specifies the target for the scan. Targets can be IP addresses, hostnames, IP ranges, CIDR notation, or a combination of these

Now, let’s explore common options available with the nmap command:

-sn: conducts a ping scan (host discovery only) to find which hosts are up, without scanning ports

-p: scans only the specified port, list of ports, or port range (for example, -p 22,80 or -p 1-65535)

-A: enables OS detection, version detection, script scanning, and traceroute

-O: enables OS detection

-F: enables fast mode, scanning fewer ports than the default

-v: increases the verbosity level

-oN: writes the scan output in normal format to a text file

-sV: probes open ports to determine service and version information

-iL: reads the list of targets (IP addresses and hostnames) from a file

With these numerous options, we can use the nmap tool to conduct scans, discovering open ports, services, hosts, and vulnerabilities in a network.

4. Common nmap Command Examples

Let’s explore practical examples of using the nmap command with various options. In particular, for these examples, we can use www.example.com and scanme.nmap.org as the target.

4.1. Scanning a Single Host or IP Address

We can use the nmap command to scan a single host or IP address. In its basic form, the command reports the open ports and the services available on the target.

Now, for example, let’s use nmap to scan the hostname:

$ nmap example.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 13:48 EDT
Nmap scan report for example.com (93.184.215.14)
Host is up (0.18s latency).
...

Overall, the scan results provide valuable information about the services running on the target system associated with the domain. The open ports show the presence of web services, email services, and others, while filtered ports indicate that a firewall or packet filter is dropping the probes.

4.2. Scanning a Particular IP Range

The nmap command can be used to get information about an entire subnet. We can achieve this by specifying the IP address and adding the CIDR notation to it.

For example, let’s see how nmap scans an entire subnet:

$ nmap 45.33.32.0/20  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 14:28 EDT
Nmap done: 4096 IP addresses (0 hosts up) scanned in 44.94 seconds

These results indicate that we scanned a subnet with a total of 4096 IP addresses and that no host was up or responding to the scan. Therefore, nmap did not detect any active devices within the specified IP address range during the scan.

4.3. Scanning All Ports

We can use nmap to scan all ports on remote or local servers with the -p option, which reports filtered, open, and closed ports. This is helpful during activities such as network mapping and reconnaissance.

For example, let’s use the -p option to scan for open ports on a network:

$ nmap -p 1-65535 scanme.nmap.org 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 14:45 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.24s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
1720/tcp  open  h323q931
9929/tcp  open  nping-echo
31337/tcp open  Elite
Nmap done: 1 IP address (1 host up) scanned in 637.64 seconds

In this example, the scan results give us the open ports and the services running on the target system. Additionally, 65529 TCP ports were filtered, meaning that nmap received no response from them. This is typically caused by firewall rules, network configuration, or other factors restricting access to those ports.

4.4. OS and Service Detection

nmap also enables us to detect the OS and services of the targets with the -A option. This option enables aggressive scanning, combining several techniques, including OS detection, version detection, script scanning, and traceroute, to provide more detailed information about the target system and its services.

For example, let’s use the -A option to detect the OS and service of the targets:

$ nmap -A scanme.nmap.org        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 11:01 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
...
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-favicon: Nmap Project
|_http-title: Go ahead and ScanMe!
110/tcp   open  pop3?
| fingerprint-strings: 
|   NULL: 
|_    -ERR No POP3 service here
1720/tcp  open  h323q931?
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
...

In this example, we can see information about the open ports and services running on the target host. Furthermore, some insights into the operating system are displayed.
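Both the all-port scan in Section 4.3 and the -A scan above produce a PORT/STATE/SERVICE table that is easiest to act on once it has been saved with -oN. The script below is an added example and not part of the original article: it parses a saved report in nmap's normal output format (with or without the VERSION column that -sV and -A add), lists the open ports, and flags any that are not on an allowlist of services we expect to be exposed. The two report texts in it are constructed samples modelled on the output shown in this article, and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: parse a saved nmap report
# (normal -oN format, with or without -sV/-A version columns) and flag any
# open port that is not on an allowlist of expected services.
set -eu

# Constructed sample modelled on the all-port scan shown above (-p 1-65535).
PLAIN_REPORT=$(cat <<'EOF'
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.24s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
1720/tcp  open  h323q931
9929/tcp  open  nping-echo
31337/tcp open  Elite
Nmap done: 1 IP address (1 host up) scanned in 637.64 seconds
EOF
)

# Constructed sample modelled on the -A output above: an extra VERSION column and
# indented NSE script lines ("| ..." / "|_ ...") that the parser must skip.
VERSION_REPORT=$(cat <<'EOF'
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
110/tcp   open  pop3?
31337/tcp open  tcpwrapped
EOF
)

# open_ports REPORT_TEXT
# Prints one line per open port: "<port>/<proto> <service> [<version ...>]".
# Only lines whose first field looks like 22/tcp and whose STATE is "open" count,
# so the header, the "Not shown" line and NSE script output are ignored.
open_ports() {
  printf '%s\n' "$1" | awk '
    $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ {
      line = $1 " " $3
      for (i = 4; i <= NF; i++) line = line " " $i
      print line
    }'
}

# unexpected_ports REPORT_TEXT ALLOWED_PORT...
# Prints the open ports that are NOT in the allowlist (e.g. 22/tcp 80/tcp).
unexpected_ports() {
  local report=$1
  shift
  local allowed=" $* "
  open_ports "$report" | while read -r port rest; do
    case "$allowed" in
      *" $port "*) ;;                          # expected, stay quiet
      *) printf '%s %s\n' "$port" "$rest" ;;   # exposure we did not plan for
    esac
  done
}

# count_open REPORT_TEXT -> number of open ports in the report
count_open() {
  open_ports "$1" | wc -l | tr -d ' '
}

# scan_to_file TARGET OUTFILE
# Wraps the options from this article: full port range, version probes, normal
# output saved with -oN so the parsers above can be run on it later. Not called
# here because it needs nmap installed and a target we are permitted to scan.
scan_to_file() {
  nmap -sV -p 1-65535 -oN "$2" "$1"
}

# Stand-alone run on the constructed samples.
echo "Open ports in the all-port sample: $(count_open "$PLAIN_REPORT")"
echo "Unexpected ports (allowlist: 22/tcp 80/tcp):"
unexpected_ports "$PLAIN_REPORT" 22/tcp 80/tcp
echo "Services with versions:"
open_ports "$VERSION_REPORT"
```

For a real report, replace the samples with the contents of the -oN file, for example unexpected_ports "$(cat scan.txt)" 22/tcp 443/tcp; running this after each scheduled scan and diffing the result against the previous run is a simple way to notice a newly exposed service before anyone else does.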

4.5. Performing Stealth Scan

We can use nmap to conduct a so-called stealth scan, intended to draw less attention from intrusion detection systems, with the -sS option. Because this scan type crafts raw packets, we need root privileges to run it.

For example, let’s show how to use nmap to run a stealth scan:

$ sudo nmap -sS example.com    
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 18:10 EDT
...

After running the command, the scan identified that the host was up and responsive. This scan type is called a stealth scan because it sends only the initial SYN and never completes the TCP three-way handshake, which makes it less noisy but slower.

4.6. Applying Verbosity

In situations where we need real-time details of an ongoing scan, nmap offers the -v option. With it, we get live updates about the hosts, ports, and services being scanned, as well as error messages that help steer the scan toward the desired result.

Let’s use the -v flag to get real-time information about an ongoing scan:

$ sudo nmap -v example.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 18:23 EDT
Initiating Ping Scan at 18:23
Scanning example.com (93.184.215.14) [4 ports]
Completed Ping Scan at 18:23, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:23
Completed Parallel DNS resolution of 1 host. at 18:23, 0.01s elapsed
Initiating SYN Stealth Scan at 18:23
Scanning example.com (93.184.215.14) [1000 ports]
Discovered open port 110/tcp on 93.184.215.14
Discovered open port 443/tcp on 93.184.215.14
...

This example shows how the -v output provides detailed information about the scan process, including the timing and results of each step.

5. Conclusion

In this article, we looked into different aspects of the nmap command in Linux. We covered its fundamental purpose as a network mapper and practical examples of the command’s application. These range from scanning single hosts and ports to detecting service versions and conducting stealth scans.

Adequately understanding these functionalities enables us to efficiently use nmap in managing networks, troubleshooting issues, and maintaining compliance with industry regulations.