Introduction to Nmap


Nmap, short for Network Mapper, is a powerful and versatile tool used primarily for network discovery and security auditing. It is widely adopted by system administrators, cybersecurity auditors and even IT security professionals in general. This tool, which has been around since 1998, has remained a benchmark thanks to its many options for adapting to the varied needs of users, whether for network mapping, diagnostics or penetration testing.

Nmap is a tool designed to explore a network, identify active hosts, discover the services exposed by these hosts, and collect valuable information such as software versions in use. It can also be used for vulnerability scanning.

It can be run on several operating systems, including Linux, Windows and macOS, from the command line, although graphical interfaces such as Zenmap are also available.

In this introductory tutorial, we'll look at Nmap basics through its installation and some useful commands. We'll start by installing Nmap on Linux, then learn how to perform our first network scans and interpret the results.

To go further, I recommend you read this free course available on IT-Connect to learn Nmap:

1. Installing Nmap on Linux

Installing Nmap is relatively straightforward. Under Linux, it is generally available in the official distribution repositories. For example, under Debian or Ubuntu, you can install it with the following command:

sudo apt-get install nmap

Once installed, you can check which version of Nmap is present with the command:

nmap --version

This tutorial mainly uses Nmap on the command line. Under Windows, you need to download the Zenmap installation file from the Nmap official website and follow the instructions provided.

2. First scan with Nmap

To start using Nmap, we're going to perform a simple scan of a host on our local network. We're not going to specify any options for this first scan, but you should know that Nmap contains many very interesting options... We'll find out about a few of them.

The following command performs a scan of the most commonly used ports on the target host:

nmap 192.168.100.1

Nmap will try to connect to various ports on the target host and determine whether they are open, closed or filtered. You'll then see output like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-27 22:18 CEST
Nmap scan report for 192.168.100.1
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds

Understanding the results is key to getting the most out of Nmap. Each line of the scan report shows you a specific port, its status (open, closed, filtered) and the associated service.

In the example above, we see that ports 53 (DNS) and 80 (HTTP) are open, which means that these services are reachable on the host. There is probably a web interface on this host, and it can also be queried as a DNS resolver. Other ports associated with HTTPS, Telnet and SSH are filtered, i.e. an active filtering system (typically a firewall) is dropping the probes.
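To make the interpretation above repeatable, here is an added example (not from the original article) that parses Nmap's normal output format: it extracts the host, the "Not shown" summary and each PORT/STATE/SERVICE line, then groups ports by state. The sample report is the one shown above, embedded as a constructed string so the parser runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: the Nmap normal-output report shown above, embedded
# so the parser can run without scanning anything.
SAMPLE_REPORT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-27 22:18 CEST
Nmap scan report for 192.168.100.1
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  filtered ssh
23/tcp  filtered telnet
53/tcp  open     domain
80/tcp  open     http

Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds
"""

# Longer alternatives first so "open|filtered" is not cut down to "open".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\s+(\S+)")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")

def parse_nmap_report(text):
    """Return {'host', 'not_shown': (count, state), 'ports': {state: [(port, proto, service)]}}."""
    result = {"host": None, "not_shown": None, "ports": defaultdict(list)}
    for line in text.splitlines():
        if m := HOST_LINE.match(line):
            result["host"] = m.group(1)
        elif m := NOT_SHOWN.match(line):
            result["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := PORT_LINE.match(line):
            port, proto, state, service = m.groups()
            result["ports"][state].append((int(port), proto, service))
    return result

def summarize(report):
    """One line per state, e.g. 'open: 53/tcp domain, 80/tcp http'."""
    lines = []
    for state in sorted(report["ports"]):
        entries = ", ".join(f"{p}/{pr} {s}" for p, pr, s in report["ports"][state])
        lines.append(f"{state}: {entries}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(parse_nmap_report(SAMPLE_REPORT))))
```

The "Not shown" count plus the listed ports adds up to the 1000 ports a default scan covers, which is a quick sanity check that nothing was truncated.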

3. Basic options for Nmap scans

A. TCP SYN scan (default scan)

The TCP SYN scan, also known as the "half-open scan", is Nmap's default option. It sends a SYN packet to each target port and waits for the response to determine the status of the port. This type of scan is fast and relatively unobtrusive, as it never completes the TCP handshake with open ports. Because it crafts raw packets, it requires root (or equivalent) privileges.

nmap -sS 192.168.100.1

B. TCP connect scan

If you don't have the privileges needed for a SYN scan, you can use a TCP connect scan. This establishes a full connection with each port using the operating system's normal connect() call, so it needs no special rights, but it is slower and easier to detect, since every open port sees a completed connection.

nmap -sT 192.168.100.1
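To show what the open/closed/filtered states mean at the socket level, here is an added example (my own code, not from the article or from Nmap) that performs the connect-scan logic on a list of ports: a completed handshake is "open", an immediate reset is "closed", and silence until the timeout is "filtered". The demo_local() helper is an assumption for illustration; it scans only the loopback interface, opening one listener and picking one unused port.

```python
import errno
import socket

def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan (nmap -sT) does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # full three-way handshake
            return "open"
        except ConnectionRefusedError:        # host answered with RST
            return "closed"
        except TimeoutError:                  # no SYN/ACK, no RST: dropped
            return "filtered"
        except OSError as e:                  # anything else (unreachable, ...)
            return errno.errorcode.get(e.errno, "error")

def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} for every port in `ports`, in the order given."""
    return {p: probe_port(host, p, timeout) for p in ports}

def demo_local():
    """Hypothetical helper: scan one listening and one unused loopback port.

    Returns (results, open_port, closed_port) so the caller can check them.
    The listener is never accept()ed; the kernel completes the handshake on
    its own, which is exactly why a connect scan shows up in server logs.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve then release a port so we know it is currently unused.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()

if __name__ == "__main__":
    results, o, c = demo_local()
    for port, state in results.items():
        print(f"{port}/tcp {state}")
```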

C. UDP scan

TCP scans cannot reveal UDP-based services. The -sU option scans a host's UDP ports, but because UDP has no handshake these scans are slower and less reliable than TCP scans: a port that never answers is reported as open|filtered.

nmap -sU 192.168.100.1

D. Specify ports to be scanned

You don't need to scan every port every time. With the -p option, you can target specific ports or port ranges. The example below scans ports 22, 80 and 443, used by default for SSH, HTTP and HTTPS respectively.

nmap -p 22,80,443 192.168.100.1

To scan a complete port range, rather than a list of ports, use the following syntax:

nmap -p 10-500 192.168.100.1

This example scans ports 10 to 500. Each port in that range is tested on the specified host, 192.168.100.1.

E. Scans on the most common ports

If you want to scan only the most frequently used ports, the --top-ports option lets you set how many ports to scan, chosen by their popularity in Nmap's frequency data.

nmap --top-ports 100 192.168.100.1

F. Scan all ports

For an exhaustive, but also lengthy, analysis, you can scan all 65535 ports of a host using:

nmap -p- 192.168.100.1
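Sections D to F all use Nmap's -p port syntax. As an added example (not from the article or from Nmap itself), the function below expands that syntax into a concrete port list: comma-separated ports, ranges such as 10-500, open-ended ranges, and a bare "-" for all 65535 ports, rejecting anything outside 1-65535 or a reversed range.

```python
def expand_port_spec(spec):
    """Expand an nmap-style -p argument into a sorted, de-duplicated port list.

    Handles '22,80,443', '10-500', '-' (all ports), open-ended '-1024' / '1024-',
    and mixtures like '22,80,1000-1010'. Protocol prefixes (T:/U:) are not
    handled here. Raises ValueError on a bad port or a reversed range.
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty port entry")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 1        # '-500' means 1-500
            hi = int(hi_s) if hi_s else 65535    # '500-' means 500-65535
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

if __name__ == "__main__":
    for spec in ("22,80,443", "10-500", "-"):
        print(f"-p {spec}: {len(expand_port_spec(spec))} ports")
```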

G. Service version detection

The -sV option makes Nmap probe each open port and attempt to identify the name and version of the service listening there.

nmap -sV 192.168.100.1

H. Operating system detection

The -O option lets Nmap attempt to "guess" the operating system of the targeted host, based on characteristic details in the scan responses (TCP/IP stack fingerprinting). This requires elevated privileges, and Nmap will not always manage to identify the OS.

sudo nmap -O 192.168.100.1

4. Conclusion

By reading this article from the Computer Tutorials box, you'll have some useful information to get you started with the Nmap tool.

This is just an introduction, but it's a very comprehensive tool that can take you much further. I strongly encourage you to read the course on IT-Connect to learn more and get a complete mastery of Nmap.
