Nmap is a command-line network reconnaissance tool that is very likely to become your preferred hacking buddy when you need to probe and map out a local or remote network. It’s available for Linux (if you’re using Kali Linux, you’ll find it pre-installed), macOS and Windows; installation details are on the Nmap website.
Nmap will mainly do two things for you. First, it scans the target network and lists the IP addresses of the machines (hosts) it has identified. Then it lets you scan those machines individually and list their open ports and the services listening on them.
With this info in hand, you can switch to another tool (like Hydra or Metasploit) to exploit these services.
Warning: scanning remote hosts for open ports is considered a hacking attempt in many countries and is likely to trigger some form of legal action (your source IP address ends up in the target’s logs). Only use Nmap within a sandboxed environment like a TryHackMe box accessed through OpenVPN, or against machines you own or have written permission to test.
Bottom line: don’t run port scans against random third parties.
Scanning a target network
Basic syntax:
nmap -sn 192.168.1.0/24
This pings every address in the range (Nmap expands the network mask into the list of candidate addresses) and lists those that respond. The “ping” is not just an ICMP echo request: on your own Ethernet segment, running as root, Nmap sends ARP requests, which every host on the segment has to answer; for remote networks it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. For each device that responds, the command’s output shows:
the hostname (only if a reverse DNS lookup resolves it)
IP address
MAC address and vendor of the corresponding NIC (only for hosts on your own subnet, and only when running as root)
The -sn flag indicates that we want a ping scan only (it disables port scanning, as we don’t need it at this stage).
This is useful for host discovery.
You can define the range of IP addresses to scan in several different ways:
nmap -sn 192.168.1.0/24
nmap -sn 192.168.1.1-24
nmap -sn 192.168.1.*
nmap -sn 192.168.16-19.*
Note that 192.168.1.1-24 is an octet range (hosts .1 through .24), not a /24 network; 192.168.1.0/24 and 192.168.1.* both cover .0 through .255.
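In practice you rarely read the -sn results by eye: you feed the live hosts straight into the per-host scans that follow. The bash script below is an added example, not part of the original tutorial. It parses Nmap’s grepable output format (-oG), writes the live IPs to a file and hands that file to a SYN/version scan with -iL. The sample sweep output embedded in it is constructed for the offline demo, not the result of a real scan.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): feed the hosts found by a
# "nmap -sn" sweep into a per-host port scan, instead of copying IPs by hand.
# Assumes awk and, for the live run, nmap on the PATH plus sudo rights.
set -euo pipefail

# Print the IP of every host that nmap's grepable output (-oG) reports as Up.
# Grepable lines look like "Host: 192.168.1.1 (router.lan)<TAB>Status: Up".
# Reads the file given as $1, or stdin when no argument is passed.
live_hosts_from_grepable() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$@"
}

# Full workflow: sweep the range, save the live hosts, then port-scan only
# those with a SYN scan plus version detection. -iL reads targets from a file,
# -oA writes normal, grepable and XML output with the given basename.
scan_discovered_hosts() {
  local range=$1 hostfile=${2:-live-hosts.txt}
  nmap -sn -oG - "$range" | live_hosts_from_grepable > "$hostfile"
  echo "$(wc -l < "$hostfile" | tr -d ' ') live host(s) written to $hostfile"
  sudo nmap -sS -sV -iL "$hostfile" -oA "discovered-$(date +%Y%m%d-%H%M%S)"
}

# Constructed sample of what "nmap -sn -oG - 192.168.1.0/24" prints, so the
# parser can be exercised offline (these are not results of a real scan).
SAMPLE_SWEEP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)	Status: Up
Host: 192.168.1.33 ()	Status: Up
Host: 192.168.1.112 (printer.lan)	Status: Up
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.31 seconds'

# Offline demo: prints 192.168.1.1, 192.168.1.33 and 192.168.1.112, one per line.
printf '%s\n' "$SAMPLE_SWEEP" | live_hosts_from_grepable
# Live run (needs nmap and a network you are allowed to scan):
#   scan_discovered_hosts 192.168.1.0/24
```

The hostname in parentheses is whatever reverse DNS returned and may be empty, which is why the parser keys on the IP in the second column rather than on the name.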
Scanning individual hosts
Basic syntax:
nmap 192.168.1.112
You can also do:
nmap 192.168.1.108 192.168.1.112 192.168.1.134
nmap 192.168.1.108,112,134
Both forms scan 192.168.1.108, 192.168.1.112 and 192.168.1.134.
For each target host, the output lists:
the hostname
IP address
number of ports that were scanned but not shown because they all share one state (e.g. “Not shown: 997 closed ports”)
list of interesting ports, their state (open, closed or filtered, the last meaning a firewall swallowed the probe) and corresponding services; without -sV the service column is just a lookup of the port number in Nmap’s nmap-services table, not a check of what is actually listening
MAC address and vendor of the corresponding NIC (network interface card), shown only for hosts on your own subnet when running as root
nmap -sV 192.168.1.33
The -sV flag enables version detection: Nmap probes each open port and reports the software (and, where possible, the version) actually running there, instead of only the name the nmap-services table assigns to that port number.
nmap -O 192.168.1.19
The -O (capital O, not zero) flag enables OS detection, which fingerprints the target’s TCP/IP stack to guess its operating system. It is not always accurate, works best when the target has at least one open and one closed TCP port, and needs root privileges because it sends raw packets.
This is useful to determine whether you’re up against a Linux or a Windows box.
nmap -A 192.168.1.21
The -A (aggressive) flag combines OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute). It is noisy, so don’t reach for it where stealth matters.
Other flags worth knowing:
-sT performs a TCP connect scan: Nmap uses the operating system’s connect() call, so every open port sees a full TCP handshake (SYN, SYN/ACK, ACK) followed by a close. It is the default when you run Nmap without root privileges.
-sS performs a SYN scan: Nmap sends a raw SYN and, when the SYN/ACK that marks an open port comes back, answers with a RST instead of completing the handshake. It needs root privileges (raw packets) and is the default when you have them.
To clarify the difference between -sT and -sS, compare this with knocking on someone’s front door. The TCP connect scan (-sT) is when you knock on a door, wait for someone to open, say hi to each other, then say goodbye and walk away. The TCP SYN scan (-sS) is more like knocking on the door, and when you hear someone grab the handle, you turn around and run away. In the second scenario the connection is never established, so the application listening on the port never sees it and usually writes nothing to its own log; in that sense a -sS scan is stealthier. It is not invisible, though: firewalls and intrusion detection systems log half-open connections and SYN sweeps just fine.
Using nmap with Windows targets
By default, the Windows firewall drops incoming ICMP echo requests, so a Windows host may not show up in a -sn sweep (unless it sits on your own subnet, where ARP discovery still finds it).
In that case, use the -Pn flag. This skips host discovery and treats every target as online: Nmap no longer pings the target to check that it is reachable, it simply assumes it is and goes straight to the port scan.
nmap -Pn 192.168.1.72
Use this syntax on target hosts that appear to be blocking ping requests (iPhones also do, apparently). The cost is that scanning a whole range with -Pn port-scans every address, dead ones included, which takes much longer.
Selecting a range of ports
By default, Nmap scans the 1,000 most commonly used TCP ports (ranked by how often they appear open, according to its nmap-services file), not ports 1 to 1000; --top-ports 100 or -F shrinks that list, --top-ports 5000 grows it. If a scan returns nothing interesting, you may want to extend the search to all 65,535 ports, using this command:
nmap -p- 192.168.1.128
Note that the scan will take longer (-p- is shorthand for -p 1-65535).
To scan for specific services, use the corresponding ports (443 for HTTPS servers, 21 for FTP, 22 for SSH…), given to -p as a comma-separated list; ranges work too, e.g. -p 1-1024,8080:
nmap -p 21,22,443 192.168.1.128
(Not -p- 21,22,443: -p- already means “all ports”, and Nmap would then try to resolve 21,22,443 as a target host and fail.)
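Combining -p- with -sV is painfully slow, because version probes run against every open port found. The usual approach is two stages: a fast -p- SYN sweep without version detection, then -sV (and the default scripts) only on the ports that came back open. The bash script below is an added example, not part of the original tutorial; it parses the grepable output of stage one into a -p list for stage two. The sample scan output in it is constructed for the offline demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): two-stage port scanning.
# Stage 1 is a SYN sweep of all 65,535 ports with no version detection; stage 2
# runs -sV and -sC only on the ports stage 1 found open.
# Assumes awk and, for the live run, nmap on the PATH plus sudo rights.
set -euo pipefail

# From nmap grepable output (-oG) print one line per host: "<ip> <comma list
# of open TCP ports>". Port entries look like "22/open/tcp//ssh///" and are
# separated by ", "; the parser keys on that shape, so it is meant for stage-1
# output (no -sV, whose version strings may contain spaces). Reads $1 or stdin.
open_tcp_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      ip = $2; list = ""
      for (i = 3; i <= NF; i++) {
        tok = $i; sub(/,$/, "", tok)
        if (tok !~ /^[0-9]+\/[a-z|]+\/(tcp|udp)\//) continue
        split(tok, f, "/")          # f[1]=port f[2]=state f[3]=protocol
        if (f[2] == "open" && f[3] == "tcp")
          list = list (list == "" ? "" : ",") f[1]
      }
      if (list != "") print ip, list
    }' "$@"
}

# Stage 1 + stage 2 for one target. --min-rate speeds up the sweep; drop it on
# fragile networks. Stage-1 output is kept in <target>.allports.gnmap.
two_stage_scan() {
  local target=$1 ports
  sudo nmap -sS -p- --min-rate 1000 -oG "$target.allports.gnmap" "$target" >/dev/null
  ports=$(open_tcp_ports "$target.allports.gnmap" | awk '{ print $2 }')
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target"
    return
  fi
  echo "open on $target: $ports"
  sudo nmap -sV -sC -p "$ports" "$target"
}

# Constructed sample of a stage-1 result (not a real scan) to run the parser offline.
SAMPLE_PORTSCAN='# Nmap 7.94 scan initiated Mon Jan  1 10:05:00 2024 as: nmap -sS -p- -oG - 192.168.1.128
Host: 192.168.1.128 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///	Ignored State: closed (65531)
Host: 192.168.1.129 ()	Status: Up
# Nmap done at Mon Jan  1 10:05:40 2024 -- 2 IP addresses (2 hosts up) scanned in 39.80 seconds'

# Offline demo: prints "192.168.1.128 22,80,8080" (443 is filtered, so it is left out).
printf '%s\n' "$SAMPLE_PORTSCAN" | open_tcp_ports
# Live run:  two_stage_scan 192.168.1.128
```

Filtered ports are deliberately dropped from the list: -sV cannot get a banner from a port a firewall is eating, so probing them only wastes time.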
Nmap scripting engine (NSE)
Nmap has its own scripting engine, with scripts written in Lua. Kali Linux comes with a series of Nmap scripts already installed, located in:
/usr/share/nmap/scripts/
To run a given script:
nmap 192.168.0.212 --script=vulners.nse -sV
This runs the script vulners.nse, which takes the software names and versions found by -sV and looks them up in the vulners.com vulnerability database. The -sV flag is therefore required, the scanning machine needs Internet access, and the detected versions are sent to a third-party service, which matters on engagements where that is not allowed.
To find out if there is a script that could be useful in a given scenario, cd into the scripts directory and try searching by keyword:
ls | grep brute
This lists all the files in the current directory with ‘brute’ in their file name, which is a quick way to spot the scripts relevant to a given action.
Scripts are also tagged with categories (auth, brute, discovery, vuln, safe, intrusive, external…) in the index file script.db in the same directory. Grepping that file, or running nmap --script-help brute, shows every script in a category, including ones whose file name doesn’t contain the word, and the categories also tell you whether a script is safe to run or reaches out to third parties.
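As an added example (not part of the original tutorial), here is a small bash helper that searches script.db by category instead of by file name, and shows the categories a given script belongs to. The script.db excerpt it uses is a constructed sample in the real file’s format, so the helpers run without an Nmap installation; point SCRIPT_DB at your own copy to use them for real.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): find NSE scripts by category.
# Nmap indexes its scripts in script.db, next to the .nse files, one line per
# script: Entry { filename = "x.nse", categories = { "a", "b" } }
# A grep on file names misses scripts whose name lacks the keyword, and says
# nothing about whether a script is "safe", "intrusive" or "external" (talks
# to a third-party service). Assumes grep and sed; the Kali path is assumed.
set -euo pipefail

SCRIPT_DB=${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}

# Print the file names of all scripts tagged with the given category.
# The quotes around the category make "brute" not match e.g. "bruteforce".
scripts_in_category() {
  local category=$1 db=${2:-$SCRIPT_DB}
  grep -E "categories = \{[^}]*\"$category\"" "$db" \
    | sed -E 's/.*filename = "([^"]+)".*/\1/' || true
}

# Print the categories of one script as a space-separated list.
categories_of() {
  local script=$1 db=${2:-$SCRIPT_DB}
  grep -F "filename = \"$script\"" "$db" \
    | sed -E 's/.*categories = \{ *([^}]*[^ }]) *\}.*/\1/; s/"//g; s/, */ /g' || true
}

# Constructed excerpt in script.db format (not the full real file).
SAMPLE_DB=$(mktemp)
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive" } }
Entry { filename = "http-form-brute.nse", categories = { "brute", "intrusive" } }
Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive" } }
Entry { filename = "vulners.nse", categories = { "vuln", "safe", "external" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
EOF

# Demo: the brute-force scripts, then which scripts contact third parties,
# then the tags of vulners.nse.
scripts_in_category brute "$SAMPLE_DB"
scripts_in_category external "$SAMPLE_DB"
categories_of vulners.nse "$SAMPLE_DB"
# Against a real install, nmap --script-help brute gives the same list with descriptions.
```

Checking the external category before running a script is a habit worth keeping: on a client network, a script that quietly sends version data to an outside API may be out of scope even when the scan itself is authorised.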
Final note on Nmap:
Some scan types (-sS, -O and anything else that sends raw packets) require root privileges, so if a scan doesn’t turn up anything, or Nmap complains that it needs privileges, rerun it with sudo; in bash, sudo !! reruns your previous command as root.
Details? Here’s the full story: Nmap Reference Guide.