
Mastering Nmap: The Ultimate Guide to Network Scanning Like a Pro

What is Nmap?

Nmap, or Network Mapper, is a free, open-source tool that’s a game-changer in the world of network scanning and vulnerability detection. It’s like the Swiss Army knife of network tools, praised for its flexibility, speed, and ability to deliver meaningful results across various systems. With Nmap, you can:

  • Check whether hosts are up
  • Identify ports and their statuses
  • Detect running services
  • Identify operating systems in use
  • Uncover security vulnerabilities

Why Use Nmap?

Nmap is widely regarded as one of the best tools in its field, and for good reason. It comes packed with a variety of scripts that provide detailed information about the target system and identify potential security vulnerabilities. These scripts are typically executed once for each port on every detected host. You can run them using parameters like --script or -sC.

The Nmap Scanning Process

To ensure a successful scan using Nmap, follow these steps:

Pre-Scan Scripts

Nmap includes scripts that gather information about the network to be scanned. For instance, scripts like dhcp-discover and broadcast-dns-service-discover are used to obtain information from network services.

Target Enumeration

Nmap identifies host specifiers such as DNS names, IP addresses, and CIDR values to enumerate target hosts. You can use the -iR parameter to specify the number of random hosts to be scanned.

Host Discovery

Host discovery in Nmap is typically performed to determine whether a machine is active. By default, Nmap first performs host discovery and then proceeds with port scanning. If you only need host discovery, use the -sn parameter. To skip host discovery, use the -Pn parameter, which prevents pinging the hosts.

Reverse-DNS Resolution

Nmap performs reverse-DNS resolution on the hosts found to be up during ping scanning. This step is controlled with the -R parameter and is normally performed only on live hosts.

Port Scanning

Port scanning is one of Nmap’s primary functions. It involves sending requests to the ports of an active system to determine whether they are open or closed.

Version Detection

Version detection is used to identify the services running on detected open ports. Nmap uses probes and over 6500 service signatures to compare and identify the services on the ports. This process is performed using the -sV parameter.

Operating System Detection

Nmap can detect the operating systems of live hosts by comparing the responses from the machines with a database of known operating system fingerprints. This process is performed using the -O parameter.

Traceroute

Nmap can determine the path packets take to each target using the --traceroute parameter.

Script Scanning

Nmap includes a component called the Nmap Scripting Engine (NSE), which ships with numerous scripts. These scripts can be used to gather information about the target and detect security vulnerabilities. NSE scripts are written in the Lua programming language and backed by a standard library designed for gathering information over the network.

Output

Nmap displays the information obtained from the scanning process on the screen. These results can be saved in various file formats.

Installing Nmap

Linux (Debian/Ubuntu) Environment

To install Nmap on a Linux (Debian/Ubuntu) environment, run the command sudo apt-get install nmap in the terminal. Alternatively, you can download and install setup files with .rpm or .deb extensions from the official website.

Windows Environment

To install Nmap on a Windows environment, download the setup file from the official website and run it as an administrator. After the installation, you can run the nmap.exe application from the Program Files (x86)\Nmap directory. Additionally, the graphical user interface application Zenmap will be installed along with Nmap.

Host Discovery

Host discovery is performed by pinging the systems on the network. However, different methods can be used for larger networks or networks with machines that do not respond to ICMP packets. Scanning can be performed without pinging the target network, and probes like TCP SYN, TCP ACK, and UDP can be used optionally. The purpose of these probes is to determine, from the responses received, whether the machine with the given IP address is truly up.
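The following script ties the scan phases above (host discovery, version detection, OS detection, traceroute, script scanning, output) to their command-line flags and reads the XML that -oX produces. It is example code added to this guide, not Nmap's own code or part of its distribution; it assumes the standard nmap binary is on PATH only when run_scan() is called, while parse_nmap_xml() works offline on the constructed SAMPLE_XML (an invented host, not a real scan). The ping_probes argument passes discovery probe flags such as -PS, -PA and -PU through unchanged.

```python
"""Compose an Nmap command from the scan phases and parse its -oX output.

Example added to this guide (not Nmap's code). run_scan() needs nmap on PATH;
everything else runs offline on the constructed SAMPLE_XML below.
"""
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def build_scan_command(targets, out_xml, ping_only=False, skip_ping=False,
                       ping_probes=(), version=True, os_detect=False,
                       traceroute=False, default_scripts=True, scripts=()):
    """Map each phase to its flag: -sn discovery only, -Pn skip discovery,
    ping_probes (e.g. "-PS22,443", "-PU53") passed through, -sV version
    detection, -O OS detection, --traceroute, -sC or --script for NSE,
    -oX for XML output. Returns the argv list."""
    cmd = ["nmap"]
    if ping_only:
        cmd.append("-sn")          # stop after host discovery
    if skip_ping:
        cmd.append("-Pn")          # treat every target as up; no ping phase
    cmd.extend(ping_probes)        # optional discovery probes
    if not ping_only:
        if version:
            cmd.append("-sV")
        if os_detect:
            cmd.append("-O")
        if traceroute:
            cmd.append("--traceroute")
        if scripts:
            cmd += ["--script", ",".join(scripts)]
        elif default_scripts:
            cmd.append("-sC")
    cmd += ["-oX", str(out_xml)]
    cmd.extend(targets)
    return cmd


def parse_nmap_xml(xml_text):
    """Turn -oX output into {address: {"state", "os", "ports": [...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                 # Element truthiness is unreliable
            addr_el = host.find("address")  # so test against None explicitly
        status = host.find("status")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
        osmatch = host.find("os/osmatch")   # first match = best accuracy
        hosts[addr_el.get("addr")] = {
            "state": status.get("state") if status is not None else "unknown",
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        }
    return hosts


def open_services(hosts):
    """Flatten to (address, port, service, banner) rows for open ports only."""
    rows = []
    for addr, info in hosts.items():
        for p in info["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["product"], p["version"]) if x)
                rows.append((addr, p["port"], p["service"], banner))
    return rows


def run_scan(targets, **options):
    """Run nmap with the composed argv and return the parsed hosts."""
    if shutil.which("nmap") is None:
        raise FileNotFoundError("nmap is not installed or not on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "scan.xml"
        subprocess.run(build_scan_command(targets, out, **options), check=True)
        return parse_nmap_xml(out.read_text())


# Constructed sample of -oX output (invented hosts, not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.10.0/24">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
<service name="telnet"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.10.6" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    print(" ".join(build_scan_command(["192.168.10.0/24"], "scan.xml",
                                      skip_ping=True, os_detect=True)))
    for row in open_services(parse_nmap_xml(SAMPLE_XML)):
        print(row)
```

Parsing the XML rather than the screen output is what makes the results usable in a pipeline: the same parse_nmap_xml() feeds a diff against last week's scan or a ticket per unexpected open port.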

Determining Target Hosts and Networks

To determine the target hosts, you need to provide Nmap with the IP address or hostname information of the target network. Instead of a single IP address, you can provide a range of IP addresses. Additionally, Nmap supports CIDR addressing, which involves values like /24 or /18 following the IP address or hostname. Nmap calculates the number of hosts to be scanned based on these values and automatically performs the scanning process. For example, entering the IP address 192.168.10.0/24 will scan 256 hosts. Similarly, you can perform a scan by specifying a hostname, such as priviasecurity.com/24.

Specifying an IP List

This type of scanning is typically performed for large network scans. After saving hundreds or thousands of IP addresses to a file, you can start the scanning process using the -iL parameter.

Selecting Random Targets

To scan random IP addresses with Nmap, you can use the -iR parameter.

Excluding Targets

One often overlooked aspect is excluding certain targets from the scan, so that systems that must not be probed are never touched. To exclude specific IP addresses from the scan, you can use the --exclude parameter. If there are many IP addresses to exclude, you can save them to a file and use the --excludefile parameter.
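To make the target-selection rules in the last few sections concrete (CIDR expansion, an -iL target file, and --exclude / --excludefile), here is a small model of how the final target set is built. It is example code added to this guide, not Nmap's own logic: the TARGETS_FILE and EXCLUDE_FILE contents are constructed, and the range helper handles only the last-octet form (192.168.10.1-20), a simplification of Nmap's full per-octet range syntax. Iterating an ipaddress network yields the network and broadcast addresses too, which matches the 256 hosts the text gives for a /24.

```python
"""Model how Nmap target specs plus exclusions become the scanned address set.

Example added to this guide, not Nmap's code. Ranges are supported only in
the last octet here (a simplification of Nmap's per-octet range syntax).
"""
import ipaddress


def expand_target(spec):
    """Return the IPv4 addresses for one spec: a single address, a CIDR block
    such as 192.168.10.0/24 (all 256 addresses, as Nmap counts them), or a
    last-octet range such as 192.168.10.1-20."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return []
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]      # includes network and broadcast
    if "-" in spec:
        base, hi = spec.rsplit("-", 1)
        prefix, lo = base.rsplit(".", 1)
        return [f"{prefix}.{i}" for i in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(spec))]


def load_target_file(text):
    """Parse -iL / --excludefile contents: whitespace-separated specs,
    '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_set(targets, excludes=()):
    """Expand every target spec, subtract every excluded address, and return
    the survivors sorted numerically."""
    wanted = set()
    for spec in targets:
        wanted.update(expand_target(spec))
    excluded = set()
    for spec in excludes:
        excluded.update(expand_target(spec))
    return sorted(wanted - excluded, key=lambda a: int(ipaddress.ip_address(a)))


def build_list_scan_command(target_file, exclude_file=None, excludes=()):
    """argv for a list-driven scan: -iL for the target file, --excludefile
    and/or --exclude for the exclusions."""
    cmd = ["nmap", "-iL", str(target_file)]
    if exclude_file:
        cmd += ["--excludefile", str(exclude_file)]
    if excludes:
        cmd += ["--exclude", ",".join(excludes)]
    return cmd


# Constructed file contents (invented addresses, not a real network).
TARGETS_FILE = "192.168.10.0/24\n10.0.0.1-5\n"
EXCLUDE_FILE = "192.168.10.1      # gateway, never scan\n192.168.10.250-255\n"

if __name__ == "__main__":
    final = build_target_set(load_target_file(TARGETS_FILE),
                             load_target_file(EXCLUDE_FILE))
    print(len(final), "targets after exclusions; first:", final[0])
    print(" ".join(build_list_scan_command("targets.txt", "exclude.txt")))
```

Keeping the exclusion list in a file under version control, and checking its effect with a function like build_target_set() before the scan runs, is a cheap way to be sure a production system was not scanned by accident.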
