Nmap is a powerful utility for scanning your network and discovering all kinds of information about who is on it and what they’re doing. You can discover used and unused IP addresses, hostnames, services, and operating systems, and their versions – information that can help you monitor who is on your network, and lead you to unsafe or unauthorized servers.
Nmap is included in all Linux distros, and the project also offers binaries for Mac OS X and Windows.
Nmap is a great tool for finding out who is on your network, and listing used and unused IP addresses. This command finds all live hosts in the specified network range and their hostnames:
The -n option disables DNS lookups, so this version is a little faster when you don’t need to see hostnames:
The -sL option lists all addresses in a specified target range. It doesn’t send any packets to network hosts, so it won’t tell you if hosts are up or down, but it does perform reverse DNS lookups, so it’s a useful tool for testing the correctness of your DNS configuration. Use this to see if your reverse DNS configuration is correct and complete, and whether you have any entries for non-existent hosts. The grep '(' incantation weeds out the empty addresses and displays only the addresses that have reverse DNS records:
This handy one-liner finds all unused IP addresses in an address range and stores them in a plain text file:
A good way to understand what these compound commands do is to run them one part at a time, like this:
You can make a list of the IP addresses of hosts that are up, so you can track who is on your network and keep an eye out for visitors who shouldn’t be there, and check for duplicate addresses:
Port and Operating System Detection
Nmap can probe your network hosts to learn all sorts of interesting things, such as what operating systems they are running, what services, and the service versions. Version information is especially valuable because you don’t want to be caught running outdated, insecure software. This deceptively short command digs deeply into what your servers are exposing to the network:
The -A switch tells Nmap to perform a comprehensive scan with OS detection, version detection, and traceroute. The result of the command as run here shows an old server running a lot of old software, possibly dangerously old. The OpenSSL server even supports SSLv2, which is a big no-no, as SSLv2 has been obsolete and recognized as insecure since its release in 1995, and was replaced by SSLv3 in 1996. Nmap fetches SSH public key fingerprints, which are handy for verifying the authenticity of a public key. It even shows that an HTTP server is running, but the home page has no title and may even be the default page that displays on a new installation. You can quickly check this by pointing your web browser to the IP address or hostname.
You can capture Nmap’s output to files in three formats at once with the -oA option. Replace filename with whatever you want the filename to be. This gives you three output files: filename.gnmap, filename.nmap, and filename.xml. gnmap is designed to be easily grep-able, nmap is the same as your screen output, and of course xml is XML, which can be styled to look nice on web pages. There is even a tongue-in-cheek script kiddie format option:
This results in something like this in skriptkiddee.nmap:
You might want to limit a scan to check whether specific ports are open. This example probes HTTP ports 80, 443, and 8080:
In a -p port list, the T: prefix specifies TCP ports. Use U: for UDP ports.
You can also probe only for services and version information:
Add -v to the nmap command to increase the verbosity of the output. If you are filtering the output through a command like sed, you’ll probably have to adjust it to allow for the different verbosity levels.
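A more robust alternative to re-tuning a sed filter for each verbosity level is to parse the grepable .gnmap format, which keeps one host per line. The following script is an added example, not code from the original article; it rebuilds the lists the article makes with grep and sed (live hosts, unused addresses, resolved reverse-DNS names, open ports with versions) from a constructed sample of -oG output, and the hostnames and addresses in that sample are made up.

```shell
#!/bin/sh
# Added example: parse Nmap's grepable output (-oG / .gnmap) into the lists the
# article builds with grep and sed. The sample below is CONSTRUCTED, not a real
# scan; it mimics the Status lines written by "nmap -v -sn" and the Ports lines
# written by "nmap -sV".

SAMPLE=$(mktemp)
{
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 192.168.1.1 (gw.example.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Down\n'
  printf 'Host: 192.168.1.10 (files.example.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.10 (files.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/, 443/closed/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.11 ()\tStatus: Down\n'
  printf '# Nmap done (constructed sample)\n'
} > "$SAMPLE"

# Addresses that answered the ping sweep, one per line.
live_hosts() { awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"; }

# Addresses reported Down: the "unused IP" list the article's one-liner builds.
unused_hosts() { awk '/^Host:/ && /Status: Down/ { print $2 }' "$1"; }

# "ip name" for hosts whose reverse DNS resolved; empty "()" entries are
# skipped, mirroring the article's grep '(' trick on -sL output.
resolved_names() {
  awk '/^Host:/ && /Status:/ && $3 != "()" { gsub(/[()]/, "", $3); print $2, $3 }' "$1"
}

# One line per open port: "ip port/proto service version". Ports Nmap lists in
# any other state (closed, filtered) are dropped.
open_ports() {
  awk '/^Host:/ && /Ports:/ {
    ip = $2; line = $0
    sub(/.*Ports: /, "", line)          # keep only the port list
    sub(/\tIgnored State.*/, "", line)  # drop the trailing summary
    n = split(line, entry, /, /)
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")           # port state proto owner service rpc version
      if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
    }
  }' "$1"
}

printf 'Live:\n';   live_hosts "$SAMPLE"
printf 'Unused:\n'; unused_hosts "$SAMPLE"
printf 'Open:\n';   open_ports "$SAMPLE"
```

Point the functions at a real filename.gnmap produced with -oA or -oG and they work unchanged, because the grepable format does not change shape with -v.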
The Nmap documentation calls the IP addresses or hostnames you are probing the target specification. You can slice and dice your targets in a lot of useful ways. In our examples the target specification has been a single private subnet in CIDR notation. You can query a single IP address or hostname, or multiple hostnames, with a space-, tab-, or newline-delimited list. I like space-delimited lists on the command line:
Or create a plain-text list of hostnames or IP addresses separated by newlines, and then pass this list with the -iL option. Use the --excludefile option instead of -iL to list hostnames or addresses you don’t want to scan.
You can specify a list of non-consecutive IP addresses in this form: 192.168.1.41,77,103. An address range looks like 192.168.1.15-101.
All of the above only hints at what Nmap can do. You can learn more about this powerful network scanner at Nmap.org.