akaiyuki

{:title "Nmap usage" :layout :post :tags "Networking" }

What is Nmap?

Nmap (Network Mapper) is one of the most popular tools in the cybersecurity and networking fields. It is a port scanner at heart, but it can find a lot more than open ports. Nmap is most often used to find out which ports are open on a host, such as port 22 for SSH, port 80 for HTTP or port 443 for HTTPS. It can also identify the service and version listening behind a port, guess which operating system the host is running and, through its scripting engine (NSE), check for known vulnerabilities. Since every one of these modes sends packets to the target, only scan hosts you own or have permission to test.

The Basics

Running nmap hostname with no other options scans the 1000 most commonly used TCP ports (not ports 1 to 1000) and reports their state, which doesn't show much besides the port table. When run as root it uses a TCP SYN scan (-sS); without root privileges it falls back to a full TCP connect scan (-sT), which completes the handshake on every port and is therefore slower and noisier. I personally prefer getting more verbosity by simply adding -v or -vv to the parameters: Nmap then prints progress as the scan runs and more detail in the results, such as open ports as soon as they are found and the timing of each phase.

If you only want to know which hosts are up, use a ping scan with -sn, which performs host discovery and skips the port scan entirely. For example, when I give nmap my Raspberry Pi's hostname with a /24 suffix, nmap -sn hostname/24, I can see the hostnames and IP addresses of all the devices connected to my local network, ranging from phones and computers to TVs. On the local Ethernet segment, and as root, Nmap discovers hosts with ARP requests rather than ICMP echo, so devices that block ping still show up.

The /24 is CIDR notation. Nmap resolves the hostname to its IPv4 address (one in 192.168.100.0/24 in this example) and scans every address from 192.168.100.0 to 192.168.100.255, 256 addresses in total. An IPv4 address is 32 bits written as four 8-bit octets separated by periods; the /24 tells Nmap that the first 24 bits (the first three octets) are the network part and stay fixed, so it only varies the last 8 bits when scanning.
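To make the "/24 fixes the first 24 bits" rule concrete, here is an added example (not code from the original post) that expands a CIDR target into the span Nmap would scan by doing the mask arithmetic by hand, then cross-checks it against Python's ipaddress module. It takes a literal address rather than a hostname, so the DNS resolution Nmap performs for hostname/24 is skipped; the host address 192.168.100.37 is made up for the demonstration, the /25 and /16 cases go beyond the post to show the same rule with other prefix lengths.

```python
# Added example (not from the original post): how a CIDR suffix such as
# /24 selects which address bits nmap keeps fixed and which it varies.
# The bit arithmetic is written out by hand; the ipaddress module is only
# used at the end to cross-check it.
import ipaddress


def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(target: str) -> dict:
    """Expand 'a.b.c.d/N' into the span nmap would scan.

    The first N bits are the network prefix and stay fixed; the remaining
    32-N bits are the host part and take every value from all-zeros to
    all-ones. nmap scans the whole span, network and broadcast addresses
    included, which is why /24 yields 256 targets rather than 254.
    """
    addr, _, prefix = target.partition("/")
    prefix = int(prefix) if prefix else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF      # N ones then zeros
    network = ip_to_int(addr) & mask                    # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    return {
        "netmask": int_to_ip(mask),
        "first": int_to_ip(network),
        "last": int_to_ip(broadcast),
        "count": 1 << host_bits,
    }


def matches_ipaddress(target: str) -> bool:
    """Cross-check cidr_range against the standard library."""
    net = ipaddress.ip_network(target, strict=False)
    r = cidr_range(target)
    return (r["first"], r["last"], r["count"]) == (
        str(net.network_address), str(net.broadcast_address), net.num_addresses)


if __name__ == "__main__":
    # 192.168.100.0/24 is the network implied by the post; the host address
    # .37 is made up for the demonstration.
    for t in ("192.168.100.37/24", "192.168.100.37/25", "192.168.100.37/16"):
        r = cidr_range(t)
        print(f"{t:20} mask {r['netmask']:15} {r['first']} - {r['last']} "
              f"({r['count']} addresses)")
```

The count includes the network and broadcast addresses because Nmap does not exclude them; if you want to skip them, pass them to --exclude.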

Scan Types and Specifying Ports

Nmap supports more than a dozen scan types, however I've only learnt about 2. The first one is the TCP SYN scan (-sS), which is Nmap's default when it runs with root privileges. The second is the UDP scan, -sU, which you need for services such as DNS or SNMP; the TCP scan types never touch UDP ports, so a default scan tells you nothing about them. For the other scan types, you can look at https://nmap.org/book/man-port-scanning-techniques.html. By default, only the 1000 most common ports are scanned, so in order to scan a different set you can add the -p parameter. nmap -p 1-65535 localhost scans every TCP port. You can also write this as nmap -p- localhost, which is shorthand for the same range and produces the same output. Ports can be given as single numbers, as ranges, or as a comma-separated mix of both, for example nmap -p 22-25,80-85 localhost, which shows the status of every port from 22 to 25 and from 80 to 85. When combining -sS with -sU, a T: or U: prefix says which protocol the following ports apply to, as in -p U:53,T:22-25.
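Because a typo in a port spec silently changes what gets scanned, it helps to expand the spec before running anything. The following is an added example, not code from the original post: a small parser for the port syntax -p accepts, covering single ports, ranges, the open-ended forms -N, N- and a bare - (all ports), and the uppercase T:/U: protocol prefixes. Service names and wildcards (-p http, -p "http*") are deliberately not handled.

```python
# Added example (not from the original post): expand an nmap -p port
# specification into the concrete port sets it selects, so a spec can be
# sanity-checked before a scan is launched.

MAX_PORT = 65535


def _parse_range(item: str) -> tuple:
    """Turn '80', '22-25', '-1024', '1024-' or '-' into (low, high)."""
    if item == "-":
        return 1, MAX_PORT
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1         # '-N' means 1-N
        hi = int(hi_s) if hi_s else MAX_PORT  # 'N-' means N-65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"invalid port range: {item}")
    return lo, hi


def parse_port_spec(spec: str) -> dict:
    """Expand an nmap -p spec into {"tcp": set(ports), "udp": set(ports)}.

    Items without a protocol prefix apply to every protocol being scanned,
    which is what nmap does when -sS and -sU are combined. A T: or U:
    prefix routes that item and all following items to one protocol until
    another prefix appears. Whether the UDP set is actually probed still
    depends on -sU being passed on the command line.
    """
    ports = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")  # no prefix seen yet: applies to both
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port spec")
        if len(item) > 1 and item[1] == ":" and item[0] in "TU":
            current = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
            if not item:
                raise ValueError("protocol prefix without a port")
        lo, hi = _parse_range(item)
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def summarize(spec: str) -> dict:
    """Per-protocol port counts, handy for a quick sanity check."""
    p = parse_port_spec(spec)
    return {"tcp": len(p["tcp"]), "udp": len(p["udp"])}


if __name__ == "__main__":
    for spec in ("22-25,80-85", "1-65535", "-", "U:53,T:22-25,80"):
        print(f"-p {spec!r:20} -> {summarize(spec)}")
```

Run it on the spec you are about to pass to Nmap; if the TCP count is 65535 when you expected ten ports, a stray hyphen turned a range into "everything".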

Specifics

By using nmap -sV, you can probe further to see what service is running on a port and, where possible, which version. If port 80 is open, for example, you can see whether the host is running something like Apache or nginx as its web server and what version it reports. You can set the intensity using --version-intensity, which ranges from 0 to 9: 0 is the fastest but least accurate, 9 sends every probe and is the slowest but most accurate, and the default is 7. Keep in mind that version detection actively talks to each service, so it is far more visible to the target than a plain port scan.

Finally, one of the things that you can do with Nmap is guess what operating system a host is running. You can do this with the -O parameter. It needs root privileges for the raw packets it sends, and it works best when the host has at least one open and one closed TCP port to fingerprint against; otherwise Nmap warns that the guess is unreliable. I usually do this with the -v option, because it returns a lot more information.
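The text output of -sV and -O is meant for reading, not scripting; for anything automated you should ask Nmap for XML with -oX file (or -oX - to write it to stdout) and parse that. Here is an added example, not code from the original post, that pulls the per-port service versions and the best OS match out of Nmap's XML format. The embedded document is constructed by hand in that format for a made-up host (the address, hostname, product versions and OS matches in it are not real scan results), so the script runs offline; point it at a real -oX file to use it for real.

```python
# Added example (not from the original post): extract -sV service/version
# results and the -O best guess from nmap XML output (-oX). SAMPLE_XML is a
# constructed document in nmap's XML format; its host, versions and OS
# matches are invented for the demonstration, not real scan results.
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.100.10">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.100.10" addrtype="ipv4"/>
<hostnames><hostname name="raspberrypi.lan" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.4p1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports>
<os>
<osmatch name="Linux 5.0 - 5.4" accuracy="96"><osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="96"/></osmatch>
<osmatch name="Linux 4.15 - 5.6" accuracy="93"/>
</os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """One dict per live host: address, hostname, non-closed ports with
    their detected service, and the highest-accuracy OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "closed":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state,
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # method="probed": -sV actually talked to the service.
                # method="table": the name is just nmap-services' guess
                # for that port number, so do not trust it as a version.
                "probed": get("method") == "probed",
            })
        best = None
        matches = host.findall("os/osmatch")
        if matches:
            m = max(matches, key=lambda e: int(e.get("accuracy", "0")))
            best = {"name": m.get("name"), "accuracy": int(m.get("accuracy"))}
        hosts.append({"address": addr,
                      "hostname": hn.get("name") if hn is not None else None,
                      "ports": ports, "os": best})
    return hosts


def service_banner(host: dict, port: int) -> str:
    """'nginx 1.18.0'-style string for a probed port, '' if not identified."""
    for p in host["ports"]:
        if p["port"] == port and p["probed"]:
            return " ".join(x for x in (p["product"], p["version"]) if x)
    return ""


if __name__ == "__main__":
    # Usage: python3 this.py scan.xml   (from: nmap -sV -O -oX scan.xml host)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for h in parse_nmap_xml(xml_text):
        print(f"{h['address']} ({h['hostname']}) OS guess: {h['os']}")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']:8} {p['service']} "
                  f"{service_banner(h, p['port'])}")
```

The probed flag is the check worth keeping: a service name with method="table" is only Nmap's lookup of the port number, and it is easy to mistake it for a confirmed version when skimming text output.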