BLOG
Working with Network Mapper (NMAP) in Linux
Network Mapper or NMAP is powerful open source network scanner, which may scan network hosts, subnets and ports. NMAP may be used as CLI tool or with GUI (Zenmap). Today we show how it works in command line interface.
How to install in Debian-like systems:
sudo apt install nmap -y
After installation complete, check with nmap --help command:
user@localhost:~$ nmap --help
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
...
Host scanning. In case you want to scan one network node just give it's IP address or domain name to NMAP:
nmap 192.168.8.198
Result:
user@localhost:~$ nmap 192.168.8.198
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-15 19:15 +05
Nmap scan report for 192.168.8.198
Host is up (0.00015s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Here we see opened and listen 80 port.
For getting more information about target try agressive scan using -A key:
nmap -A example.com
Result:
user@localhost:~$ nmap -A example.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-15 19:17 +05
Nmap scan report for example.com (93.184.215.14)
Host is up (0.24s latency).
Other addresses for example.com (not scanned): 2606:2800:21f:cb07:6820:80da:af6b:8b2c
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http ECAcc (dcd/7D26)
|_http-title: Example Domain
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/html
| Date: Sun, 15 Dec 2024 14:18:07 GMT
| Server: ECAcc (dcd/7D26)
| Content-Length: 345
| Connection: close
| <?xml version="1.0" encoding="iso-8859-1"?>
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.92 seconds
Lets try with disabled ping-requests. -Pn key disable ping requests, for example if you want pass firewall unnoticed:
nmap -A -Pn 192.168.8.180
Result:
user@localhost:~$ nmap -A -Pn 192.168.8.180
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-15 19:21 +05
Nmap scan report for 192.168.8.180
Host is up (0.0086s latency).
Not shown: 980 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp filtered http
110/tcp filtered pop3
113/tcp filtered ident
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp filtered imap
199/tcp filtered smux
256/tcp filtered fw1-secureremote
445/tcp filtered microsoft-ds
554/tcp filtered rtsp
995/tcp filtered pop3s
1025/tcp filtered NFS-or-IIS
2638/tcp filtered sybase
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
5900/tcp filtered vnc
8888/tcp filtered sun-answerbook
9011/tcp filtered d-star
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
Scan entire subnet. This command return scan results from 192.168.8.1 to 192.168.8.255:
nmap 192.168.8.0/24
sudo nmap -sP 192.168.8.0/24 | awk '/Nmap scan report for/{printf $5;}/MAC Address:/{print " => "$3;}' | sort
Result:
user@localhost:~$ sudo nmap -sP 192.168.8.0/24 | awk '/Nmap scan report for/{printf $5;}/MAC Address:/{print " => "$3;}' | sort
192.168.8.198 => XX:XX:XX:XX:XX:XX
192.168.8.150 => XX:XX:XX:XX:XX:XX
192.168.8.8 => XX:XX:XX:XX:XX:XX
These methods may be used for operation system or firmware version detection:
sudo nmap -v -Pn -O 192.168.8.110
sudo nmap -vv -O 192.168.8.110
sudo nmap -T4 -A 192.168.8.110
sudo nmap -sV 192.168.8.110
Support me on Patreon
