The Joy of NMAP

A program I use on Linux a huge amount is NMAP. It was first written 21 years ago! It can be used in a variety of ways, but its simplest use is a scan of what is on your network. I will document some very simple uses.

First of all, see what is responding to pings on your local network.

nmap -sn 192.168.1.0/24 (I used to always use -sP; that was the old way and it still works.)

gives a variety of hosts – e.g.

Nmap scan report for host1 (192.168.1.10)
Host is up (0.00021s latency).
Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).

Very useful for a basic scan of what is out there. Note that it relies on ping, which may well be blocked by a host's local firewall, so some hosts might not appear.

The next use of nmap requires root permission. Let's see the MAC address of each host. We will run the same scan but this time with sudo.

sudo nmap -sn 192.168.1.0/24

gives the MAC address of each host. You should see under each host –

MAC Address: AA:BB:CC:DD:EE:11 (Unknown)
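That MAC list is also the quickest way to spot a device that should not be on the network. The following is an added example, not part of the original post: a POSIX shell script that parses the output of sudo nmap -sn into an IP/MAC inventory and lists any host whose MAC is not on a list of known devices. The sample scan output, the hostnames, the addresses and the KNOWN_MACS list are all constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of what "sudo nmap -sn 192.168.1.0/24" prints.
# Hostnames, addresses and MACs are made up for this example.
SAMPLE_SN_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-20 13:20 BST
Nmap scan report for host1 (192.168.1.10)
Host is up (0.00021s latency).
MAC Address: AA:BB:CC:DD:EE:11 (Unknown)
Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).
MAC Address: AA:BB:CC:DD:EE:22 (Unknown)
Nmap scan report for 192.168.1.77
Host is up (0.00090s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# Approved MACs for this network (constructed allow-list for the example).
KNOWN_MACS='AA:BB:CC:DD:EE:11
AA:BB:CC:DD:EE:22'

# inventory: read nmap -sn output on stdin, print "IP MAC" for each host.
# The MAC line follows its host line, so awk carries the last seen IP forward.
inventory() {
    awk '
        /^Nmap scan report for / {
            # The address is the last field, possibly wrapped in parentheses.
            ip = $NF; gsub(/[()]/, "", ip)
        }
        /^MAC Address: / { print ip, $3 }
    '
}

# unknown_hosts KNOWN: print inventory lines whose MAC is not in KNOWN
# (one MAC per line, compared case-insensitively as a whole line).
unknown_hosts() {
    known_list="$1"
    inventory | while read -r ip mac; do
        if ! printf '%s\n' "$known_list" | grep -qix "$mac"; then
            echo "$ip $mac"
        fi
    done
}

# Run against the constructed sample: prints the one host not on the list.
printf '%s\n' "$SAMPLE_SN_OUTPUT" | unknown_hosts "$KNOWN_MACS"
```

In practice you would replace the sample with the live scan, e.g. sudo nmap -sn 192.168.1.0/24 | unknown_hosts "$(cat known-macs.txt)", and keep the allow-list under version control so a new MAC stands out the next time you run it.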

Right, now let us look at a particular host and see what ports are open.

nmap 192.168.1.10

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-20 13:28 BST
Nmap scan report for host1 (192.168.1.10)
Host is up (0.0066s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3128/tcp open squid-http

We can see that ports 22, 111 and 3128 are open; as the output says, these are ssh, rpcbind and squid. You do not want SSH open to the whole world without other limitations, but this is a local scan so that is fine.

What about seeing which other servers are listening for SSH? Again assuming we are in the local network 192.168.1.0/24, run

nmap -p 22 192.168.1.0/24

The lowercase p is followed by the port you want to check, in this case 22 for SSH. You will see all hosts whether they have port 22 open or not. On hosts that are up but have no SSH server you will see closed.

On hosts that have a firewall you will see “filtered”, meaning the host is up but the firewall prevents nmap from determining whether the port is open or not.
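To keep track of those three states across a whole subnet, the following added example (not part of the original post) pulls the port lines out of nmap's normal output, attaches each one to the host it belongs to, and answers questions like "which hosts have 22/tcp open?" or "how many ports came back filtered?". The sample scan output is constructed to mirror the open, closed and filtered cases just described, and the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of "nmap -p 22 192.168.1.0/24" output: one host with SSH
# open, one with the port closed, one behind a firewall (filtered).
# Hostnames and addresses are made up for this example.
SAMPLE_P22_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-20 13:30 BST
Nmap scan report for host1 (192.168.1.10)
Host is up (0.0066s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap scan report for 192.168.1.77
Host is up (0.00090s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 256 IP addresses (3 hosts up) scanned in 4.10 seconds'

# port_table: read nmap output on stdin and print "IP PORT/PROTO STATE SERVICE"
# for every port line, using the most recent "scan report" line as the host.
port_table() {
    awk '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        /^[0-9]+\/(tcp|udp) / { print ip, $1, $2, $3 }
    '
}

# hosts_in_state PORT STATE: list hosts whose PORT/tcp is in STATE
# (open, closed or filtered), e.g. hosts_in_state 22 open.
hosts_in_state() {
    port="$1"; state="$2"
    port_table | awk -v want="$port/tcp" -v state="$state" \
        '$2 == want && $3 == state { print $1 }'
}

# state_summary: count port lines per state, one "STATE COUNT" line each.
state_summary() {
    port_table | awk '{ n[$3]++ } END { for (s in n) print s, n[s] }' | sort
}

# Run against the constructed sample.
echo "SSH reachable on:"
printf '%s\n' "$SAMPLE_P22_OUTPUT" | hosts_in_state 22 open
echo "Firewalled (filtered):"
printf '%s\n' "$SAMPLE_P22_OUTPUT" | hosts_in_state 22 filtered
echo "Summary:"
printf '%s\n' "$SAMPLE_P22_OUTPUT" | state_summary
```

Feeding a live scan works the same way: nmap -p 22 192.168.1.0/24 | hosts_in_state 22 open gives the list of hosts that actually accept SSH, which is the list worth comparing against what you expect to be running it.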

It is often handy to check that your host is firewalled correctly from the outside by running nmap from a host outside your network against your external IP address, to confirm which ports are blocked and which are open.

Finally, with root permissions you can get nmap to probe the host and try to work out what OS it is running. This is not perfect but actually works better than you would think. Run with

sudo nmap -O 192.168.1.11

You will see something like

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

Handy for that rogue host on the network that you have forgotten is plugged in!