The network reconnaissance and security audit tool Nmap, first released in 1997, is one of the most fundamental and widely used cybersecurity tools today. From its beginnings as an advanced port scanner, it has evolved into a multifunctional tool with a family of companion projects that can discover weak passwords, scan IPv6 addresses, perform IP address geolocation, detect vulnerabilities and more.
The open-source tool helps security professionals, network teams, system administrators and other IT personnel analyze hosts, networks, applications, mainframes, Unix and Windows environments, supervisory control and data acquisition (SCADA) systems, and industrial control systems.
Websec co-founder and part-time Nmap developer Paulino Calderon wrote Nmap Network Exploration and Security Auditing Cookbook, Third Edition, published by Packt, to offer first-hand guidance on using the multi-faceted tool.
In this excerpt from Chapter 1, "Nmap Fundamentals," Calderon shares a recipe for using Nmap to find open ports. Follow along to learn how to perform the quintessential Nmap task, and review Calderon's advice on port scanning techniques, options that affect Nmap's scanning behavior, and more. Download a PDF of Chapter 1 to learn more.
List open ports on a target
This recipe describes how to use Nmap to determine a target's port states, a process commonly referred to as port scanning that is used to identify running services. This is one of the tasks that Nmap excels at, so it's important to know the essential Nmap options related to port scanning.
How to do it…
To run a default scan, the bare minimum you need is a target. A target can be an IP address, hostname, or network range:
$ nmap scanme.nmap.org
The scan results show all the host information obtained, such as the IPv4 address (and IPv6 if available), reverse DNS name, and ports of interest with service names. All listed ports have a state. Ports marked as open or filtered are of particular interest because they may represent services running on the target host:
Nmap scan report for scanme.nmap.org (188.8.131.52)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned):
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds
How it works…
The default Nmap scan returns a list of ports. For each listed port it reports the port state and a service name looked up in the nmap-services database distributed with Nmap. Note that this name is a lookup by port number, not a fingerprint of what is actually listening; use -sV to probe the service itself.
Nmap classifies ports into the following states:
- Open: a service is listening for connections on this port.
- Closed: probes were received, but it was determined that no service is running on that port.
- Filtered: there was no sign that probes were received, so the state could not be established. This usually indicates that the probes are being dropped by some kind of filtering, such as a firewall.
- Unfiltered: probes were received, but whether the port is open or closed could not be established.
- Open|Filtered: the port is either open or filtered, but Nmap could not tell which.
- Closed|Filtered: the port is either closed or filtered, but Nmap could not tell which.
Even for this simple port scan, Nmap does a lot of work in the background, and each step can be configured. Nmap first resolves the hostname to an IPv4 address using DNS name resolution. If you want to use other DNS servers, use --dns-servers:
$ nmap --dns-servers 184.108.40.206,220.127.116.11 scanme.nmap.org
Then it runs the host discovery process to check whether the target is online (see the Find web hosts online recipe). To skip this step and treat every target as up, use the no-ping option, -Pn:
$ nmap -Pn scanme.nmap.org
Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step if you don't need this information:
$ nmap -n scanme.nmap.org
The preceding command will then launch either a SYN stealth scan or a TCP connect scan, depending on the privileges of the user running Nmap.
There's more…
Port scanning is one of the most powerful features available, and it’s important that we understand the different techniques and options that affect Nmap’s scanning behavior.
Privileged versus unprivileged
Run the simplest port scan command, nmap <target>, as both a privileged and an unprivileged user and compare the results. As noted above, the scan type depends on privileges: with raw-socket privileges (root, or CAP_NET_RAW on Linux) Nmap defaults to a SYN stealth scan (-sS), which never completes the TCP handshake; without them it falls back to a TCP connect scan (-sT), which uses the operating system's connect() call, completes the handshake, and is therefore slower and more likely to be logged by the listening services.
Scan specific port ranges
Properly setting port ranges is a task you often need to perform during Nmap scans. You can also use it to filter machines running a service on a specific port, for example, finding all open SMB servers on port 445. Reducing the list of ports also improves performance, which is very important when scanning multiple targets.
There are several ways to use the Nmap -p option:
- Comma-separated list of ports: $ nmap -p80,443 localhost
- Port range indicated with a hyphen: $ nmap -p1-100 localhost
- Alias for all ports from 1 to 65535: # nmap -p- localhost
- Specific ports per protocol (UDP ports are only scanned if -sU is also given): # nmap -sU -sS -pT:25,U:53 localhost
- Service name: # nmap -p smtp localhost
- Service name with wildcards (quote the pattern so the shell does not expand it): # nmap -p 'smtp*' localhost
- Only ports in the given range that are registered in the Nmap services database (again, quote the brackets): # nmap -p '[1-65535]' localhost
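The SMB example above (find every host with port 445 open) is usually done by scanning with a narrow port list and machine-readable output, for example nmap -p139,445 --open -oX smb.xml 192.168.1.0/24, and then filtering the results. The following script is an added example, not code from the book or from the Nmap project: it parses Nmap's XML output with the standard library and lists the hosts whose chosen port is in a wanted state. The XML it operates on is a constructed sample shaped like real -oX output, not a recorded scan; the addresses and states are made up for illustration.

```python
"""List hosts with a given port in a wanted state from Nmap XML (-oX) output.

Added example, not from the book or the Nmap project. SAMPLE_XML is a
constructed stand-in for `nmap -p139,445 -oX - 192.168.1.0/24` output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three hosts, two ports, mixed states. Not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 -oX - 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def port_states(xml_text):
    """Return {ip: {(protocol, port): state}} for every host in the XML.

    Only ipv4/ipv6 <address> elements identify a host; MAC addresses are skipped.
    """
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
                break
        if ip is None:
            continue
        states = {}
        for port in host.findall("./ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            states[key] = port.find("state").get("state")
        result[ip] = states
    return result


def hosts_with_state(xml_text, port, wanted=("open",), proto="tcp"):
    """Sorted IPs whose (proto, port) is in one of the wanted states.

    Pass wanted=("open", "filtered") to keep hosts where a firewall may be
    hiding the service, which a plain `--open` filter would drop.
    """
    return sorted(
        ip for ip, states in port_states(xml_text).items()
        if states.get((proto, port)) in wanted
    )


if __name__ == "__main__":
    print("SMB open:", hosts_with_state(SAMPLE_XML, 445))
    print("SMB open or filtered:", hosts_with_state(SAMPLE_XML, 445, ("open", "filtered")))
```

With real output, read the file instead of SAMPLE_XML (open("smb.xml").read()). The wanted parameter exists because, as the state list above shows, a filtered port may still front a live service that a firewall is shielding from the scanner.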
Selecting a network interface
Nmap attempts to detect your active network interface automatically; however, in some situations it fails, or you may need to select a different interface in order to test for network issues. To force Nmap to scan using a different network interface, use the -e argument:
# nmap -e eth2 scanme.nmap.org
This is only necessary if you are having trouble with broadcast scripts or if you see the "WARNING: Unable to find the correct interface for system route to ..." message.
More Port Scanning Techniques
In this recipe, we talked about the two default scanning methods used in Nmap: SYN stealth scanning and TCP connect scanning. However, Nmap supports several more advanced port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-port-scanning-techniques.html to learn more about them; Fyodor has done a fantastic job of describing how they work in depth.
Nmap supports several target formats that allow users to work with IP address ranges. The most common is specifying the IP address or hostname of the target, but Nmap also supports reading targets from files and ranges, and it can even generate a list of random targets, as we will see later.
All arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown below (the # prompt is deliberate: -O OS detection needs raw-socket privileges):
# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24
There are several ways to manage IP ranges in Nmap:
- Multiple host specification
- Octet range addressing (which also supports wildcards)
- CIDR notation
To scan the 192.168.1.1, 192.168.1.2 and 192.168.1.3 IP addresses, the following command can be used:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
We can also specify octet ranges using a hyphen. For example, to scan the hosts 192.168.1.1, 192.168.1.2 and 192.168.1.3 we could use the expression 192.168.1.1-3, as shown in the following command:
$ nmap 192.168.1.1-3
Octet range notation also supports wildcards, so we can scan from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.* (quote it in the shell if the working directory contains files that would match the glob):
$ nmap 192.168.1.*
Excluding hosts from scans
Additionally, you can exclude hosts from ranges by specifying the --exclude option, as shown below:
$ nmap 192.168.1.1-255 --exclude 192.168.1.1
$ nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2
Alternatively, you can write your exclusion list to a file (one target specification per line, in any of the formats Nmap accepts) and pass it with the --exclude-file option:
$ cat dontscan.txt
$ nmap --exclude-file dontscan.txt 192.168.1.1-255
CIDR notation for targets
CIDR notation (pronounced "cider") is a compact way to specify IP addresses and their routing prefixes. It gained popularity because it is more granular than classful addressing, as it allows variable-length subnet masks.
CIDR notation consists of an IP address and a network suffix. The suffix, also called the prefix length, is the number of leading bits that identify the network. IPv4 addresses are 32 bits long, so the suffix can be anything from 0 to 32. The most common suffixes are /8, /16, /24 and /32.
To visualize it, take a look at the following CIDR to netmask conversions:
- /16: 255.255.0.0
- /24: 255.255.255.0
- /32: 255.255.255.255
For example, 192.168.1.0/24 represents the 256 IP addresses from 192.168.1.0 to 192.168.1.255, and 18.104.22.168/8 represents all IP addresses from 18.0.0.0 to 18.255.255.255 (Nmap derives the network from whatever host address you give it). The /32 suffix is also valid and represents a single IP address.
CIDR notation can also be used when specifying targets. To scan the 256 hosts in 192.168.1.0-255 using CIDR notation, use the /24 suffix:
$ nmap 192.168.1.0/24
Working with target lists
Often we will need to work with multiple targets, but typing a long list of targets on the command line is not very convenient. Fortunately, Nmap supports loading targets from an external file. Enter the list of targets in a file, separated by newlines, tabs or one or more spaces.
To load targets from the targets.txt file, use the -iL option:
$ nmap -iL targets.txt
You can also mix target formats in the same file. In the following file, we specify a single IP address and an IP range:
$ cat targets.txt
You can add comments to your target list by starting a line with the # character:
$ cat targets.txt
# FTP servers
192.168.10.3
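Before launching a scan against a list built from the notations above (plain addresses, octet ranges and wildcards, CIDR blocks, -iL files with # comments, and --exclude lists), it is worth previewing exactly which addresses the specification expands to, since a stray wildcard or a /8 can turn a quick check into a scan of millions of hosts. The script below is an added example, not code from the book or from Nmap itself: it reimplements the IPv4 target syntax described in this section so you can count or inspect the resulting target set. It assumes IPv4 only and does not resolve hostnames (so scanme.nmap.org/24 is rejected rather than resolved); the targets.txt contents it uses are a constructed sample, not the book's file.

```python
"""Expand Nmap-style IPv4 target specifications into concrete addresses.

Added example, not Nmap's own code. Covers the forms shown in this section:
  192.168.1.1        single address
  192.168.1.1-3      octet range (also 192.168.1.250- and 192.168.3-5,7.1)
  192.168.1.*        wildcard octet
  192.168.1.5/24     CIDR (network derived from the host address, like Nmap)
plus -iL style files with '#' comment lines and --exclude lists.
Assumptions: IPv4 only; hostnames are not resolved, to keep this offline.
"""
import ipaddress
import itertools

# Constructed sample of a targets.txt file (not the book's file).
SAMPLE_TARGETS = """# FTP servers
192.168.10.3
# lab range and a small subnet
192.168.1.1-3   10.0.0.0/30
"""


def _expand_octet(part):
    """'1-3' -> [1, 2, 3]; '*' -> 0..255; '250-' -> 250..255; '3,7' -> [3, 7]."""
    values = []
    for piece in part.split(","):
        if piece == "*":
            values.extend(range(256))
        elif "-" in piece:
            lo, hi = piece.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(piece))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {part!r}")
    return values


def expand_target(spec):
    """Return the list of ipaddress.IPv4Address objects one spec covers.

    Large specs (a /8 is 16,777,216 addresses) are materialised in memory;
    use len() on the result only after checking the prefix length yourself.
    """
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        if not all(p.isdigit() for p in base.split(".")):
            raise ValueError(f"hostnames are not resolved in this example: {spec!r}")
        # strict=False mirrors Nmap: 192.168.1.5/24 means the whole 192.168.1.0/24.
        return list(ipaddress.ip_network(f"{base}/{prefix}", strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    return [
        ipaddress.IPv4Address(".".join(str(o) for o in combo))
        for combo in itertools.product(*(_expand_octet(o) for o in octets))
    ]


def parse_target_list(text):
    """Parse -iL style content: specs separated by whitespace, '#' lines ignored."""
    specs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        specs.extend(line.split())
    return specs


def build_scan_set(target_specs, exclude_specs=()):
    """Union of all targets minus everything in the exclude specs (as --exclude does)."""
    targets = set()
    for spec in target_specs:
        targets.update(expand_target(spec))
    for spec in exclude_specs:
        targets.difference_update(expand_target(spec))
    return targets


if __name__ == "__main__":
    chosen = build_scan_set(parse_target_list(SAMPLE_TARGETS), exclude_specs=["192.168.1.2"])
    print(f"{len(chosen)} hosts would be scanned:")
    for ip in sorted(chosen):
        print(" ", ip)
```

The hostname check is the one place this deliberately departs from Nmap, which would resolve scanme.nmap.org and then apply the /24 to the resolved address; resolving here would need network access, so the example refuses instead.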
About the Author
Paulino Calderon (@calderpwn on Twitter) is a published author and international speaker with over 10 years of professional experience in network and application security. He co-founded Websec, an application, network and digital asset security consulting firm operating in North America, in 2011. When he's not traveling to security conferences or consulting for Fortune 500 companies with Websec, he spends peaceful days enjoying the beach in Cozumel, Mexico. His contributions have reached millions of users through Nmap, Metasploit, the OWASP Mobile Security Testing Guide, OWASP Juice Shop and OWASP IoTGoat.