Nmap Tutorial

Get introduced to the process of port scanning with this Nmap Tutorial. Even if you are not familiar with Nmap, Linux, Ubuntu or even networking, a basic understanding of networking (IP addresses and service ports) is all you need to learn how to run a port scanner. Nmap is the world’s most effective and extensible port scanner. So let’s get started.

Want to port scan with Nmap without having to install, update or configure it? Try our Online Port Scanner.

One thing to note is that Nmap will run on a Windows operating system; however, I have found that it works better and is faster under Linux, so that is my recommended platform.

It really is easy to get started on an Ubuntu Linux system, so why not try it. The latest version 12.04 has just been released.

The steps in this guide are for an Ubuntu Linux based system but could be applied with minor changes to other Linux flavors such as Fedora / CentOS, or even a Mac if you are one of the iPeople.

If you are not using a Linux based system as your main operating system you will likely find it the most convenient and simple to fire up an installation of Ubuntu Linux in a virtual machine. You can then do the installation, play with Linux and break things without affecting your base system. If you are interested in doing remote scanning such as that provided by hackertarget.com you could get a cheap Ubuntu based VPS from one of hundreds of providers, paying anything from $10 per month to $100 or so. Linode is great for this, providing high quality and good specifications for the price.

Step 1: Virtualbox Installation

Virtualbox is a free and easy to use virtual machine manager. You could of course use VMware or Parallels, but we will get started with Virtualbox.

I suggest selecting bridged network for your adapter – this will give your virtual machine an IP address on your local network and then when you are playing with Nmap you can scan your local virtual machine on one IP and your base operating system on another IP and then other devices on your local network. Scanning is fun, just keep in mind that it is also intrusive so only scan systems you own / operate or have permission to scan.

Step 2: Ubuntu Installation

Download the latest Ubuntu iso from www.ubuntu.com, select the ISO as the boot media for your guest and start the virtual machine. Select the install option and Ubuntu will be installed onto the virtual hard disk on the machine.

Step 3: Nmap Installation from source

Ubuntu comes with nmap in the repositories or software library, however this is not the one we want. In most cases I suggest sticking with the software from the Software Center but in this case there are many benefits you will get from running the latest version of nmap.

On the download page http://nmap.org/download.html you will see the bzip2 version (you can get the stable or development).

We are going to be riding the edge so grab the latest development version, start a terminal (type terminal in the menu of Ubuntu and it will show as an option):

wget http://nmap.org/dist/nmap-5.61TEST5.tar.bz2

Hopefully Internet access from your virtual machine is working, if it is you will soon have the latest in your home directory.

Now to install it. It’s easy, unpack it, configure it, make it, and make install it. This is the general process for compiling a source package in Linux.

You may need to install g++ in order to compile so check that we have it.

sudo apt-get install g++

Now unpack and configure. Building from source is not generally recommended unless you have a specific need (updates are more difficult to manage if you don’t use a package manager).

tar jxvf nmap-5.61TEST5.tar.bz2
cd nmap-5.61TEST5/
./configure
make
sudo make install

Running the simple nmap command should show the command line options.

testuser@ubuntu8:~$ nmap

Nmap 5.61TEST5 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma separted list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time>

You should have a list of the options available to you as an elite nmap port scan tester. :)

As you can see there are a great many variations on port scanning that can be done with Nmap. Hit the book in the column to the right for an in-depth guide.

To get started this is a simple command for scanning your local network (class C or /24):

nmap -sV -p 1-65535 192.168.1.1/24

This command will scan all of your local IP range (assuming you’re in the 192.168.1.0-254 range), will perform service identification (-sV) and will scan all ports (-p 1-65535). Since you are running this as a normal user and not root it will be a TCP Connect based scan. If you run the command with sudo at the front it will run as a TCP SYN scan.

Alternate Usage:

Load zenmap either from the command line or through your menu. This is the GUI interface to the nmap scanner. It is solid and works, I just prefer the command line as it allows you to script things, collect the output and have more understanding of what’s going on. Each to their own!
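One reason the command line is easier to script is that the -sV scan above can be saved as XML with -oX and summarised by a few lines of code. The example below is added here and is not part of the original tutorial; SAMPLE_XML is a constructed fragment in nmap's XML output format (the hosts, ports and versions in it are made up), and parse_nmap_xml and report are names chosen for this illustration.

```python
# Added example (not from the original tutorial): summarise a -sV scan
# saved with -oX. SAMPLE_XML is a constructed nmap XML fragment; the
# hosts, ports and versions in it are made up for illustration.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -p 1-65535 -oX scan.xml 192.168.1.1/24">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.22" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="5.9p1" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Map each host that is up to its open ports as
    (port, proto, service, product, version) tuples, lowest port first."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port table
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for this report
            info = getattr(port.find("service"), "attrib", {})  # absent if unidentified
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               info.get("name", ""), info.get("product", ""),
                               info.get("version", "")))
        results[addr] = sorted(open_ports)
    return results

def report(results):
    """One tab-separated line per open port, easy to grep or diff between scans."""
    lines = []
    for ip, ports in sorted(results.items()):
        for port, proto, name, product, version in ports:
            lines.append(f"{ip}\t{port}/{proto}\t{name}\t{product} {version}".rstrip())
    return lines
```

Diffing the output of report() from two scans taken on different days is a cheap way to spot a service that appeared on your network without anyone planning it.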

Hacking Nmap Video from Defcon 13

This video contains some interesting Nmap features, the presenter is Fyodor the creator of the Nmap port scanner.