Nmap Network Probing Cheatsheet

By Carla Schroder on Wednesday, December 14th, 2011 in Technical

Nmap is a powerful utility for scanning your network and discovering all kinds of information about who is on it and what they’re doing. You can discover used and unused IP addresses, hostnames, services, and operating systems, and their versions – information that can help you monitor who is on your network, and lead you to unsafe or unauthorized servers.

Nmap is included in all Linux distros, and the project also offers binaries for Mac OS X and Windows.


Nmap is a great tool for finding out who is on your network, and listing used and unused IP addresses. This command finds all live hosts in the specified network range and their hostnames:

$ nmap -sn 192.168.1.0/24

The -n option disables DNS lookups, so this version is a little faster when you don’t need to see hostnames:

$ nmap -sn -n 192.168.1.0/24

Nmap’s -sL option lists all addresses in a specified target range. It doesn’t send any packets to network hosts, so it won’t tell you if hosts are up or down, but it does reverse DNS lookups, so it’s a useful tool for testing the correctness of your DNS configuration. Use this to see if your reverse DNS configuration is correct and complete, and if you have any entries for non-existent hosts. The grep '(' incantation weeds out the empty addresses and displays only the addresses that have reverse DNS records:

$ nmap -sL 192.168.1.0/24 | grep '('

This handy one-liner finds all unused IP addresses in an address range and stores them in a plain text file:

$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}' > filename.txt

A good way to understand what these compound commands do is to run them one part at a time, like this:

$ nmap -v -sn 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-11 20:00 PST
Initiating Ping Scan at 20:00
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 20:00, 10.37s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 20:00
Completed Parallel DNS resolution of 256 hosts. at 20:00, 0.01s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for server1.green.net (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for 192.168.1.3 [host down]
[...]

$ nmap -v -sn 192.168.1.0/24 | grep down | awk '{print $5}'
192.168.1.0
192.168.1.1
192.168.1.3
[...]

You can make a list of the IP addresses of hosts that are up, so you can track who is on your network and keep an eye out for visitors who shouldn’t be there, and check for duplicate addresses:

$ nmap -sn 192.168.1.0/24 | grep -o '192.168.1.*' | sed 's/[ \)]*$//'
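The one-liners above depend on a field position (awk '{print $5}') or on a hard-coded prefix ('192.168.1.*'), so they break as soon as a resolved hostname pushes the address into parentheses or the subnet changes. Here is an added example, not from the original article, that keys on the structure of the "Nmap scan report for" lines instead and works for both the up/down and the hostname/bare-address line shapes. The sample scan output embedded in it is constructed from the article's listing; the live_hosts and unused_hosts names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: one awk program that turns
# the text output of "nmap -v -sn" into address lists, handling both line
# shapes Nmap prints for a host:
#   Nmap scan report for server1.green.net (192.168.1.2)   (hostname resolved)
#   Nmap scan report for 192.168.1.3 [host down]           (bare address)

# Constructed sample output, modelled on the article's -v -sn listing.
SAMPLE_SCAN='Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-11 20:00 PST
Initiating Ping Scan at 20:00
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 20:00, 10.37s elapsed (256 total hosts)
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for server1.green.net (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 [host down]
Nmap scan report for 192.168.1.4
Host is up (0.0020s latency).
Nmap scan report for printer.green.net (192.168.1.7)
Host is up (0.0033s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.40s'

# hosts_by_state STATE: read a -v -sn report on stdin and print one address
# per line for the hosts in STATE ("up" or "down").
hosts_by_state() {
    awk -v want="$1" '
        /^Nmap scan report for / {
            addr = $5                                 # bare-address form
            if (match($0, /\([0-9.]+\)/))             # hostname form: address in ( )
                addr = substr($0, RSTART + 1, RLENGTH - 2)
            state = ($0 ~ /\[host down\]/) ? "down" : "up"
            if (state == want) print addr
        }'
}

# scan_or_sample [TARGET...]: run the real scan when targets are given,
# otherwise replay the constructed sample so the functions work offline.
scan_or_sample() {
    if [ $# -gt 0 ]; then
        nmap -v -sn "$@"
    else
        printf '%s\n' "$SAMPLE_SCAN"
    fi
}

live_hosts()   { scan_or_sample "$@" | hosts_by_state up; }
unused_hosts() { scan_or_sample "$@" | hosts_by_state down; }

# Offline run on the sample (one address per line):
#   live_hosts    -> 192.168.1.2 192.168.1.4 192.168.1.7
#   unused_hosts  -> 192.168.1.0 192.168.1.1 192.168.1.3
# Real scan, as in the article:
#   unused_hosts 192.168.1.0/24 > filename.txt
```

Because the awk program only reacts to "Nmap scan report for" lines, the extra lines that -v or -vv add (the "Initiating", "Completed" and "Nmap done" lines) are ignored rather than mis-parsed, which is the adjustment the article warns about when changing verbosity.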

Port and Operating System Detection

Nmap can probe your network hosts to learn all sorts of interesting things, such as what operating systems they are running, what services, and the service versions. Version information is especially valuable because you don’t want to be caught running outdated, insecure software. This deceptively short command digs deeply into what your servers are exposing to the network:

$ nmap -A 192.168.1.0/24
Nmap scan report for server1.green.net (192.168.1.3)
Host is up (0.0082s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 06:fd:72:16:0d:fc:c2:f5:ea:b7:5b:ea:5d:93:3e:45 (DSA)
|_1024 56:73:4a:1f:4b:ac:d1:53:2d:a2:65:0e:a5:10:b9:38 (RSA)
53/tcp   open   domain   dnsmasq 2.23
443/tcp  open   ssl/http lighttpd 1.4.11
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html).
5060/tcp closed sip
8000/tcp closed http-alt
Service Info: OS: Linux

The -A switch tells Nmap to perform a comprehensive scan: OS detection, version detection, script scanning, and traceroute. The result of the command as run here shows an old server running a lot of old software, possibly dangerously old. The HTTPS server even still accepts SSLv2, which is a big no-no, as SSLv2 has been obsolete and recognized as insecure since its release in 1995, and was replaced by SSLv3 in 1996. Nmap also reports the SSH host key fingerprints, which are handy for checking that the key a client is offered matches the one the server actually holds. It even shows that an HTTP server is running but that the home page has no title, so it may be the default page that displays on a new installation. You can quickly check this by pointing your web browser at the IP address or hostname.

You can capture Nmap’s output to files in three formats at once with the -oA option:

$ nmap -A -oA filename 192.168.1.0/24

Replace filename with whatever you want the filename to be. This gives you three output files: filename.gnmap, filename.nmap, and filename.xml. The .gnmap file is the grepable format, with one line per host so that grep and awk can pick out fields easily; .nmap is the same as your screen output; and .xml is XML, which other tools can parse and which can be styled to look nice on web pages. There is even a tongue-in-cheek script kiddie format option:

$ nmap -sn -oS skriptkiddee 192.168.1.0/24

This results in something like this in skriptkiddee.nmap:

Start1Ng Nmap 5.21 ( http://nmap.0rg ) aT 2011-12-12 11:48 PsT
NmaP scan r3pOrT fOR sErvEr1.gr33n.n3t (192.168.1.3)
h0st !z uP (0.0041s LatencY)
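The grepable .gnmap file that -oA writes is the one to feed into scripts when you want to track which services and versions each host exposes from scan to scan. As an added example that is not part of the original article, the functions below flatten a .gnmap file into one "ip port/proto service version" row per open port and let you pull out every host running a given service. The .gnmap content is constructed from the article's -A results (plus one extra host), and the open_ports and versions_of names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: flatten Nmap's grepable
# (.gnmap) output into one row per open port. The .gnmap host line layout
# assumed here is:
#   Host: <ip> (<hostname>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpcinfo>/<version>/, ...<TAB>Ignored State: ...

# sample_gnmap: constructed .gnmap content modelled on the article's -A scan
# of server1.green.net, with a second host added. Tabs are emitted by printf
# so the field separators are real.
sample_gnmap() {
    printf '# Nmap 5.21 scan initiated as: nmap -A -oA filename 192.168.1.0/24\n'
    printf 'Host: 192.168.1.3 (server1.green.net)\tStatus: Up\n'
    printf 'Host: 192.168.1.3 (server1.green.net)\tPorts: 22/open/tcp//ssh//OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)/, 53/open/tcp//domain//dnsmasq 2.23/, 443/open/tcp//ssl|http//lighttpd 1.4.11/, 5060/closed/tcp//sip///, 8000/closed/tcp//http-alt///\tIgnored State: filtered (995)\tOS: Linux\n'
    printf 'Host: 192.168.1.7 (printer.green.net)\tStatus: Up\n'
    printf 'Host: 192.168.1.7 (printer.green.net)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
}

# open_ports: read .gnmap on stdin and print "ip port/proto service version"
# for every port whose state is "open" (closed/filtered ports are skipped).
open_ports() {
    awk '
        /^Host: / && /\tPorts: / {
            ip = $2
            s = $0
            sub(/^.*\tPorts: /, "", s)       # keep only the port list ...
            sub(/\t.*$/, "", s)              # ... and drop the trailing tab fields
            n = split(s, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")    # port state proto owner service rpcinfo version
                if (f[2] == "open")
                    printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5],
                           (f[7] == "" ? "" : " " f[7])
            }
        }'
}

# versions_of SERVICE: rows from open_ports whose service name matches, e.g.
# "versions_of ssh" lists every host's SSH version for spotting outdated ones.
versions_of() { open_ports | awk -v svc="$1" '$3 == svc'; }

# Offline run on the sample:
#   sample_gnmap | open_ports
#     192.168.1.3 22/tcp ssh OpenSSH 4.1p1 Debian 7ubuntu4 (protocol 2.0)
#     192.168.1.3 53/tcp domain dnsmasq 2.23
#     192.168.1.3 443/tcp ssl|http lighttpd 1.4.11
#     192.168.1.7 9100/tcp jetdirect
# On a real scan saved with -oA filename:
#   open_ports < filename.gnmap
#   versions_of ssh < filename.gnmap
```

Saving one such table per scan and diffing them is a cheap way to notice a new service or a version change on your network between runs.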

You might want to limit a scan to check whether specific ports are open. This example probes HTTP ports 80, 443, and 8080:

$ nmap -p T:80,443,8080 192.168.1.0/24

The T: prefix inside the -p argument marks the ports that follow as TCP ports; use U: for UDP ports. Both can be mixed in one list, e.g. -p U:53,T:80,443. (There is no standalone -T: option; -T on its own selects a timing template.)

You can also probe only for services and version information:

$ nmap -sV 192.168.1.0/24

Add -v or -vv to any nmap command to increase the verbosity of the output. If you are filtering the output through a command like awk or sed, you’ll probably have to adjust it to allow for the different verbosity levels.

Target Specifications

The Nmap documentation calls the IP addresses or hostnames you are probing the target specification. You can slice and dice your targets in a lot of useful ways. In our examples the target specification has been a single private subnet in CIDR notation. You can query a single IP address or hostname, or multiple hostnames, with a space-, tab-, or newline-delimited list. I like space-delimited lists on the command line:

$ nmap -A server1 server2 server3

Or create a plain-text list of hostnames or IP addresses separated by newlines, and then call this list with the -iL option:

$ nmap -A -iL hostname-list

Use the --excludefile option instead of -iL for listing hostnames or addresses you don’t want to scan.

You can specify a list of non-consecutive IP addresses in this form: 192.168.1.41,77,103. An address range looks like 192.168.1.15-101.

All of the above only gives you a hint at all Nmap can do. You can learn more about this powerful network scanner at Nmap.org.


Carla Schroder

Carla Schroder is a Linux sysadmin and netadmin, author of The Book of Audacity, Linux Networking Cookbook, Linux Cookbook, and hundreds of how-to articles.

13 Responses to “Nmap Network Probing Cheatsheet”

  1. LGCoft says:

    Great post,

    I think that Nmap is a powerful tool in the hands of netadmins.

  2. z says:

    My nmap 5.00 gives “scantype n not supported”. Online tutorial does not list a -sn scantype. Is this a typo or perhaps a version error?

  3. Robert Frost says:

    nmap -sn 192.168.1.0/24 should be nmap -sL 192.168.1.0/24

  4. joesomebody says:

    This is a pretty good post. -sV and -A are probably the options I use the most, although -O and -Pn are pretty far up there too. The only one I think you should have added is -T, which lets you specify the aggressiveness of the scan vs. the speed. (By the way, this is not the same as the "-p T:[ports]" option, and there are no "-T:" or "-U:" options like the ones you mention. For example, 'nmap -T:80 scanme.nmap.org' just prints an error message; 'nmap -p -T:80' is the same.) Other than that, great article! Isn't nmap fun? ;)

  5. small says:

    If nmap is not available, a nice list of all unused IP addresses, i.e. the output of

    $ nmap -sL 192.168.1.0/24 | grep '('

    can be obtained by

    $ host -x `seq --format "192.168.1.%g" 1 255` 2>&1 | awk '/ does not exist /{print $2}' | column

    Similarly for a list of all used IP addresses:

    $ host -x `seq --format "192.168.1.%g" 1 255` 2>/dev/null | awk '/^Name: /{n=$2;getline;print $2, n;}'

  6. map007 says:

    Nice one… !!!

  7. I think you may want to look into -sP for host discovery instead of -sn..
    also to speed up scans try -T4 (you can use 1-5 with 5 being the most aggressive).
    -sS will do a stealth TCP scan and -sU will do a UDP scan (you can combine this with -p80,443,139 for port specific scans etc)..
    Also if you’re trying not to be noisy on a network the -Pn command stops nmap from using icmp for host discovery.
    -sV will do a stealth tcp version scan for identifying those old servers and services. Also -sT is nice for connecting to and listing all open ports and services on a host. Don’t forget to tack on -O to find out what OS is running
    -A is a noisy fallback to get as much information about the machines you're scanning as possible..
    enjoy your network scanning!! :)

    J0hnny_b14z3

  8. [...] Advanced Nmap. Nmap.org, Compare Nmap output files with Ndiff. Olex.openlogic.com, Nmap network probing cheat sheet. Linux-news.org, Nmap: The pentester’s one step shop to network [...]

  9. Doug says:

    A nice collection of sample Nmap commands. Linked to you here:

    http://dougvitale.wordpress.com/2011/11/07/nmap/


© 2012 OpenLogic, Inc. | Licensing | Privacy Policy | Terms of Use
