Learn nmap with examples

NMAP(Network Mapping) is one of the important network monitoring tool. Which checks for what ports are opened on a machine.
Some important to note about NMAP

  • NMAP abbreviation is network mapper
  • NMAP is used to scan ports on a machine, either local or remote machine (just you require IP/hostname to scan).
  • NMAPis can be installed on windows, Sun Solaris machines too.
  • NMAPcan be used to scan large networks, remember I am saying large networks.
  • NMAPcan be used to get operating system details such as open ports, software used for a service and its version no, vendor of network card and up time of that system too(Don’t worry we will see all these things in this post.
  • Please do not try to use NMAP on machines which you don’t have permission.
  • Can be used by hackers to scan for systems for vulnerability.
  • Just a funny note : You can see this NMAP used by Trinity in Matrix-II movie, when she tries to hack in to electric grid super computer.

Note : MAN pages of NMAP is one of the best man pages I have come across. It is explained in such a way that even new user can understand what each option do and one more thing is that, it even have examples in to on how to use NMAP in different situations, when you have time read it. You will get lots of information.

Let us start with some examples to better understand nmap command:

  1. Check for particular port on local machine.
  2. Use nmap to scan local machine for open ports.
  3. Nmap to scan remote machines for open ports.
  4. Nmap to scan entire network for open ports.
  5. Scan only ports with -F option.
  6. Scan a machine with -v option for verbose mode.
  7. Scan a machine for TCP protocol open ports.
  8. Scan a machine for UDP protocol open ports.
  9. Scan a machine for services and their software versions.
  10. Scan for open Protocols such as TCP, UDP, ICMP, IGMP etc on a machine.
  11. Scan a machine for to check what operating system its running.

Example1 : Scanning for a single port on a machine

nmap –p portnumber hostname

Example:

nmap -p 53 192.168.0.1

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for localhost (192.168.0.1)
Host is up (0.000042s latency).
PORT STATE SERVICE
53/tcp open domain

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

The above example will try to check 53(DNS) port is open on 192.168.0.1 port or not.

Example2 : Scan entire machine for checking open ports.

nmap hostname

Example:

nmap 192.168.0.1

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for localhost (192.168.0.1)
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
53/tcp open domain
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Example3 : Scan remote machine for open ports

nmap remote-ip/host

Example:

nmap 192.168.0.2

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for localhost (192.168.0.2)
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
53/tcp open domain
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Example4: Scan entire network for IP address and open ports.

nmap network ID/subnet-mask

Example:

nmap 192.168.1.0/24

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp

Nmap scan report for 192.168.1.2
Host is up (0.036s latency).
All 1000 scanned ports on 192.168.1.2 are closed

Nmap scan report for 192.168.1.3
Host is up (0.000068s latency).
All 1000 scanned ports on 192.168.1.3 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 22.19 seconds

Example5: Scan just ports, dont scan for IP address, hardware address, hostname, operating system name, version, and uptime etc. It’s very much fast as it said in man pages etc. We observed in our tests that it is 70% faster in scan ports when compared to normal scan.

nmap –F hostname

-F is for fast scan and this will not do any other scanning.

Example:

nmap -F 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) 
Nmap scan report for 192.168.1.1
Host is up (0.028s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Example6: Scan the machine and give as much details as possible.

nmap -v hostname

Example:

nmap -v 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org )
Initiating Ping Scan at 13:31
Scanning 192.168.1.1 [2 ports]
Completed Ping Scan at 13:31, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:31
Completed Parallel DNS resolution of 1 host. at 13:31, 0.00s elapsed
Initiating Connect Scan at 13:31
Scanning 192.168.1.1 [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 5000/tcp on 192.168.1.1
Completed Connect Scan at 13:31, 0.21s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

 Example7 : Scan a machine for TCP open ports

nmap –sT hostname

Here s stands for scanning and T is for scanning TCP ports only

Example:

nmap -sT 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.022s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Example8 : Scan a machine for UDP open ports.

nmap –sU hostname

Here U indicates UDP port scanning. This scanning requires root permissions.

Exmaple9 : Scanning for ports and to get what is the version of different services running on that machine

nmap –sV hostname

s stands for scaning and V indicates version of each network service running on that host

Example:

nmap -sV 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org )
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for localhost (192.168.1.1)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.59
631/tcp open ipp CUPS 1.5

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds

Example10 : To check which protocol(not port) such as TCP, UDP, ICMP etc is supported by the remote machine. This -sO will give you the protocol supported and its open status.

#nmap –sO hostname

Example:

nmap -sO localhost

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.14s latency).
Not shown: 249 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open igmp
6 open tcp
17 open udp
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds

 Example11 : To scan a system for operating system and uptime details

nmap -O hostname

-O is for operating system scan along with default port scan

Example:

nmap -O google.com

Starting Nmap 5.21 ( http://nmap.org ) 
Nmap scan report for google.com (74.125.236.168)
Host is up (0.021s latency).
Hostname google.com resolves to 11 IPs. Only scanned 74.125.236.168
rDNS record for 74.125.236.168: maa03s16-in-f8.1e100.net
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed auth
443/tcp open https
Device type: general purpose|WAP
Running (JUST GUESSING) : FreeBSD 6.X (91%), Apple embedded (85%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (91%), Apple AirPort Extreme WAP v7.3.2 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.23 seconds

Some sites to refer (not for practical examples, but for to get good concept):

nmap.org : official site for ourNMAP
en.wikipedia.org/wiki/Nmap
Please Comment your thoughts regarding this post:-)