Sign in Subscribe
Health

How to Port Scan on Linux using nmap - a Powerful Tool for Network Exploration and Security Auditing

Markus

Markus

8 min read
How to Port Scan on Linux using nmap - a Powerful Tool for Network Exploration and Security Auditing
Photo by Markus Spiske / Unsplash

Nmap, which stands for Network Mapper, is a free and open-source tool that can scan networks and discover hosts, services, vulnerabilities, and other information. Nmap is widely used by network administrators, security professionals, hackers, and enthusiasts for various purposes, such as network inventory, security assessment, penetration testing, and troubleshooting.

In this blog post, I will give an overview of the nmap command and its basic usage, as well as a comprehensive guide on some of its most useful features and options. By the end of this post, you should be able to use nmap to perform various types of network scans and analyze the results.

Installing Nmap

Nmap is available for most operating systems, including Linux, Windows, and Mac OS X. You can download the latest version of nmap from its official website or use your package manager to install it.

For example, on Debian-based systems, you can use the following command to install nmap:

sudo apt install nmap

On Red Hat-based systems, you can use the following command to install nmap:

sudo dnf install nmap

To verify that nmap is installed correctly, you can run the following command to check its version:

nmap --version

You should see something like this:

Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.3.6 openssl-3.1.1 libssh2-1.11.0 libz-1.2.13 libpcre-8.45 libpcap-1.10.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Basic Usage of Nmap

The basic syntax of nmap is:

nmap [options] [targets]

where options are the flags that modify the behavior of nmap, and targets are the IP addresses, hostnames, or ranges of the hosts to scan. For example, to scan a single host with the IP address 192.168.1.1, you can use:

nmap 192.168.1.1

To scan multiple hosts, you can separate them by spaces, or use a CIDR notation, or a hyphenated range. For example, to scan the hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, you can use:

nmap 192.168.1.1 192.168.1.2 192.168.1.3

or

nmap 192.168.1.1-3

or

nmap 192.168.1.0/24

You can also use a wildcard character (*) to scan all the hosts in a subnet. For example, to scan all the hosts in the 192.168.1.0/24 subnet, you can use:

nmap 192.168.1.*

You can also scan hosts by their hostnames, or use a file that contains a list of targets. For example, to scan the host www.example.com, you can use:

nmap www.example.com

To scan the hosts listed in a file called targets.txt, you can use:

nmap -iL targets.txt

By default, nmap performs a TCP SYN scan, which sends a TCP packet with the SYN flag set to each target port, and waits for a response. If the response has the SYN and ACK flags set, the port is considered open. If the response has the RST flag set, the port is considered closed. If there is no response, the port is considered filtered.

A TCP SYN scan is fast and stealthy, as it does not complete the TCP three-way handshake, and thus does not create a log entry on the target host. However, it requires root privileges to run, and it may not work well against some firewalls or IDS/IPS systems that can detect and block the SYN packets.

Nmap also supports other types of scans, such as TCP connect scanUDP scanSCTP scanICMP scanACK scanFIN scanXmas scanNull scanIdle scan, and more. Each scan type has its own advantages and disadvantages, and can be used for different purposes. You can specify the scan type by using the -s option, followed by a letter that represents the scan type. For example, to perform a TCP connect scan, you can use:

nmap -sT [targets]

To perform a UDP scan, you can use:

nmap -sU [targets]

To perform a SCTP scan, you can use:

nmap -sY [targets]

and so on.

You can also combine different scan types by using multiple -s options. For example, to perform a TCP SYN scan and a UDP scan, you can use:

nmap -sS -sU [targets]

Comprehensive Guide on Nmap Features and Options

Nmap has many features and options that can enhance and customize your network scanning experience. In this section, I will introduce some of the most useful and common ones, and explain how they work and when to use them.

Port Specification

By default, nmap scans the 1000 most common ports for each protocol (TCP, UDP, SCTP, etc.). However, you can specify which ports to scan by using the -p option, followed by a port number, a range, or a list of ports. For example, to scan only port 80 for TCP, you can use:

nmap -p 80 [targets]

To scan ports 1 to 1024 for TCP, you can use:

nmap -p 1-1024 [targets]

To scan ports 22, 80, and 443 for TCP, you can use:

nmap -p 22,80,443 [targets]

You can also use a hyphen (-) to indicate all ports, or a letter (T, U, S, etc.) to indicate all ports for a specific protocol. For example, to scan all ports for TCP, you can use:

nmap -p T [targets]

To scan all ports for UDP, you can use:

nmap -p U [targets]

To scan all ports for all protocols, you can use:

nmap -p - [targets]

Note that scanning all ports can take a long time, especially for UDP, as nmap has to wait for a timeout for each port before moving on to the next one. Therefore, it is recommended to scan only the ports that you are interested in, or use other options to speed up the scan, such as -F (fast scan), -T (timing template), or --min-rate (minimum packet rate).

Service and Version Detection

Nmap can also detect the service and version running on each open port, by sending probes and analyzing the responses. This can help you identify the applications, operating systems, and vulnerabilities of the target hosts. To enable service and version detection, you can use the -sV option. For example, to scan port 80 for TCP and detect the service and version, you can use:

nmap -p 80 -sV [targets]

The output of nmap will show the service name, the product name, the version number, and other information, such as the protocol, the hostname, the device type, the web server, the script, etc. For example, the output may look like this:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1i)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1i
|_http-title: Test Page for the Nginx HTTP Server on Fedora

This indicates that the port 80 is open for TCP, and the service is http, running Apache httpd 2.4.46 with OpenSSL 1.1.1i. It also shows the server header and the title of the web page.

Nmap has a large database of probes and signatures for various services and versions, which can be found in the /usr/share/nmap/nmap-service-probes file. You can also add your own probes and signatures to this file, or use the --version-all option to send all probes to each port, or the --version-intensity option to control the number of probes to send.

OS Detection

Nmap can also detect the operating system of the target hosts, by analyzing the TCP/IP stack fingerprint. This can help you determine the type, vendor, and version of the operating system, as well as the device type and the network distance. To enable OS detection, you can use the -O option. For example, to scan port 80 for TCP and detect the OS, you can use:

nmap -p 80 -O [targets]

The output of nmap will show the OS details, such as the OS name, the OS family, the OS generation, the OS accuracy, the device type, and the number of hops. For example, the output may look like this:

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:8A:9C:97 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop

This indicates that the port 80 is open for TCP, and the MAC address is 00:0C:29:8A:9C:97, which belongs to VMware. The device type is general purpose, and the OS is Linux, with a kernel version between 3.10 and 4.11, or between 3.2 and 4.9.

Nmap Scripting Engine

Nmap also has a powerful feature called the Nmap Scripting Engine (NSE), which allows you to run scripts that can perform various tasks, such as vulnerability detection, exploit execution, backdoor detection, banner grabbing, brute forcing, and more. Nmap has a large collection of scripts that are written in Lua, which can be found in the /usr/share/nmap/scripts directory. You can also write your own scripts and add them to this directory, or use the --script option to specify the path to your script.

To use the NSE, you can use the --script option, followed by the name or category of the script, or a wildcard (*) to run all scripts. For example, to run the script http-title.nse, which retrieves the title of the web page from the target host, you can use:

nmap --script http-title [targets]

To run all the scripts in the vuln category, which scan for various vulnerabilities, you can use:

nmap --script vuln [targets]

To run all the scripts, you can use:

nmap --script * [targets]

Note that running all the scripts can be very noisy and intrusive, and may trigger alarms on the target network. Therefore, it is recommended to run only the scripts that are relevant to your goal, or use the --script-args option to fine-tune the behavior of the scripts.

The output of nmap will show the results of the scripts, such as the title of the web page, the vulnerability details, the exploit output, etc. For example, the output may look like this:

PORT   STATE SERVICE
80/tcp open  http
| http-title: Test Page for the Nginx HTTP Server on Fedora
|_Requested resource was http://192.168.1.1/
|_http-vuln-cve2014-3704: Drupal: < 7.32: User profile form allows arbitrary file upload
| http-vuln-cve2017-5638: 
|   VULNERABLE:
|   Apache Struts Jakarta Multipart Parser OGNL Injection
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2017-5638
|       The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
|       mishandles file upload, which allows remote attackers to execute arbitrary commands via a
|       #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
|       
|     Disclosure date: 2017-03-07
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|       http://www.securityfocus.com/bid/96788
|       https://www.exploit-db.com/exploits/41570/
|_      https://www.exploit-db.com/exploits/41570/

This indicates that the port 80 is open for TCP, and the title of the web page is “Test Page for the Nginx HTTP Server on Fedora”. It also shows that the target host is vulnerable to two CVEs: CVE-2014-3704, which allows arbitrary file upload on Drupal, and CVE-2017-5638, which allows remote command execution on Apache Struts.

Conclusion

Nmap is a powerful tool that can scan networks and discover hosts, services, vulnerabilities, and other information. Nmap has many features and options that can enhance and customize your network scanning experience, such as port specification, service and version detection, OS detection, Nmap Scripting Engine, and more. By using nmap, you can perform various types of network scans and analyze the results, for various purposes, such as network inventory, security assessment, penetration testing, and troubleshooting.

I hope you enjoyed this article and learned something new about nmap. Thank you for reading! 😊

Read more