Hacking/Tools/Network/Nmap



Hacker Fyodor (Gordon Lyon) wrote nmap to assist in port scanning and network analysis. He published the original source code in Phrack Magazine, Volume 7, Issue 51, Article 11, and now maintains the tool at Insecure.org. Security experts all over the world use nmap for simple network checks, detecting open ports and service versions; the NSA keeps a list of security tools and current versions (including nmap, Snort, and Nessus) up on the big board.

nmap does more than detect open ports; it detects services and operating system versions as well. You can use nmap to scan a default range of ports or a specific subset; it can scan a single host, a range, or a set; and it can find out whether hosts are up or down. nmap can become a powerful tool in the hands of a skilled user, for good or for evil.

The nmap network scanning tool supplies a diverse set of options to control its behavior. It can scan multiple hosts and host ranges; utilize various scanning techniques; identify operating systems and service versions; and even perform stealth scanning to avoid triggering certain IDS and IPS utilities.

Usage examples:

Basic use
First, let's cover some basic use of nmap. You should at the very least know how to scan hosts and check for specific ports; these fundamentals will show you what's open on the target network.

Scanning hosts
Basic use of nmap just involves scanning a target IP address or domain name. For example:

bluefox@ice-ldap:~$ nmap webserv1

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 15:52 EDT
Interesting ports on webserv1 (192.168.30.11):
Not shown: 1644 closed ports, 28 filtered ports
PORT     STATE SERVICE
21/tcp   close ftp
22/tcp   close ssh
80/tcp   close http
111/tcp  close rpcbind
199/tcp  close smux
443/tcp  open  https
1008/tcp close ufsd

Nmap finished: 1 IP address (1 host up) scanned in 15.142 seconds

In this mode of operation, nmap shows the open ports and the common service carried on that port. nmap will not accurately show services moved to other ports; http on port 21 will read as ftp, for example.

You can specify multiple hosts on nmap's command line as well:

bluefox@ice-ldap:~$ nmap dbserv1 webserv1

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 15:56 EDT
Interesting ports on 192.168.40.11:
Not shown: 1667 closed ports
PORT     STATE    SERVICE
22/tcp   close    ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
199/tcp  open     smux
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
3389/tcp filtered ms-term-serv
5631/tcp filtered pcanywheredata

Interesting ports on webserv1 (192.168.30.11):
Not shown: 1644 closed ports, 28 filtered ports
PORT     STATE SERVICE
21/tcp   close ftp
22/tcp   close ssh
80/tcp   close http
111/tcp  close rpcbind
199/tcp  close smux
443/tcp  open  https
1008/tcp close ufsd

Nmap finished: 2 IP addresses (2 hosts up) scanned in 17.001 seconds

As you can see, my Web server exposes too many ports and my MySQL server has a weak firewall; I ran this scan from a DMZ, which has to go through the firewall to enter my network. Here we can see the power of nmap: I now know I should switch my firewall to default deny and explicitly allow only the services that are needed. nmap identifies filtered ports by a lack of response; closed ports answer with a TCP packet carrying the RST flag when you try to open them, indicating that the server received the packet and would have allowed you to connect to any service listening on that port.

A useful option on the command line to nmap is the "Verbose" switch. Including -v or -vv on the command line will increase the amount of output nmap generates.

bluefox@ice-ldap:~$ nmap -vv webserv1

Advanced target specification
nmap allows you to specify IP address targets as sets and ranges using a simple syntax.


 * - Specify from x-y.  will scan 192.168.0.1, 192.168.1.1, 192.168.0.2, and 192.168.1.2
 * - Replaced with . Your shell will probably emit a bunch of file names, so just use.
 * - Specify  and  .   will scan 192.168.0.1, 192.168.0.2, and 192.168.0.4. Further,   will scan the same set of hosts.
 * - Scan CIDR notated subnets.  operates as   for example.

You can combine these notations in any form you want. For example, if you wanted to scan a few subnets on 192.168.0.0/12, you could combine them in a single target specification. Usually you will not want to do anything this drastic and can stick to a single host; however, if you need it, you should know how to do it. Remember, nmap maps networks, not just hosts.

Scanning ports

 * Switches:

Sometimes you don't need to know everything open on a host; sometimes you just want to make sure proFTPd and Apache are up, the SMTP server hasn't died, and SSH is listening. For these situations, you can specify which ports to scan. Port specification can be manipulated in the same way as target specification, using the same range and set notations.



Scanning ports including service version (-sV)
Includes service versions for the scanned ports:
 * Switches:   and   (Service version)

Basic network ping scanning
Basic network ping scanning discovers hosts that respond to ICMP echo requests (ping).
 * Switches: ; the previous switch is now deprecated

Service Scans

 * Switches: ,

nmap has the ability to do service scans and RPC grinding; in other words, instead of matching the port number to the common service, it can tell you what actually listens on a port: the high-level protocol, the application, its version, the version of libssl if the service offers an SSL connection, and so on. nmap also uses an RPC grinder, which makes RPC connections to ports running an RPC service; typically a single RPC portmapper port tells you which ports run RPC, but if the firewall blocks that, nmap will find them itself.

Let's take a look first at a scan against the server behind me. This server provides a profoundly good example because I've configured it to let me poke holes in my college's firewall, and thus it looks really strange. A typical nmap scan comes out well enough:

bluefox@icebox:/home/shared/qemu$ nmap 192.168.1.40

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-03 20:58 EDT
Interesting ports on 192.168.1.40:
Not shown: 1688 closed ports
PORT    STATE  SERVICE
21/tcp  close  ftp
22/tcp  close  ssh
53/tcp  filter domain
80/tcp  close  http
81/tcp  close  hosts2-ns
139/tcp close  netbios-ssn
389/tcp close  ldap
443/tcp open   https
445/tcp close  microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 0.971 seconds

The above shows FTP, DNS, hosts2-ns, HTTP/SSL, and Microsoft Directory Services (Active Directory). We can take a closer look with an nmap service scan using -sV. The output below gives us something quite different.

bluefox@icebox:/home/shared/qemu$ nmap -sV 192.168.1.40

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-03 21:01 EDT
Interesting ports on 192.168.1.40:
Not shown: 1688 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
22/tcp  open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
53/tcp  open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.0.55 ((Ubuntu) PHP/5.1.6)
81/tcp  open  http        Apache httpd 2.0.55 ((Ubuntu) PHP/5.1.6)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
389/tcp open  ldap        OpenLDAP 2.2.X
443/tcp open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 13.747 seconds

So it seems this server really has Apache serving http on two ports; OpenSSH serving on the FTP, DNS, and HTTPS ports; and Samba providing SMB connections. Further, we can see that the server uses the SSH 2.0 protocol on OpenSSH 4.3p2 Debian 5ubuntu1, a native Ubuntu .deb rather than a custom build. We can guess with relative accuracy that this server runs Ubuntu, even without an OS scan; either that, or the administrator really doesn't have a clue what he's doing, or has managed to change the banners with a rewrite proxy to fool us.
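The two readings above (closed ports mean the probe reached the host, so the firewall is not default-deny; and only a -sV scan reveals a service running on another service's port) can be automated against nmap's normal output. The following is an added example, not code from the page or from the nmap project; it parses a constructed sample in the nmap 4.x output layout and uses a small port-to-service table of its own.

```python
import re
from collections import Counter

# Constructed sample in nmap 4.x normal-output layout (not a real capture).
SAMPLE = """\
Interesting ports on webserv1 (192.168.30.11):
Not shown: 1644 closed ports, 28 filtered ports
PORT    STATE    SERVICE
22/tcp  closed   ssh
80/tcp  filtered http
443/tcp open     https
Interesting ports on 192.168.1.40:
Not shown: 1688 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.0.55 ((Ubuntu) PHP/5.1.6)
443/tcp open  ssh         OpenSSH 4.3p2 Debian 5ubuntu1 (protocol 2.0)
"""
# SERVICE without -sV is a lookup by port number (subset of nmap's table).
WELL_KNOWN = {21: "ftp", 22: "ssh", 80: "http", 443: "https"}

HOST_RE = re.compile(r"^Interesting ports on (\S+)(?: \((\S+)\))?:")
NOT_SHOWN_RE = re.compile(r"(\d+) (open|closed|filtered) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """One dict per host: name, ip, 'Not shown' counts, and the listed ports
    (the second sample host was scanned with -sV, so it has a VERSION column)."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                   "not_shown": Counter(), "ports": []}
            hosts.append(cur)
        elif cur is not None and line.startswith("Not shown:"):
            for n, state in NOT_SHOWN_RE.findall(line):
                cur["not_shown"][state] += int(n)
        elif cur is not None and (m := PORT_RE.match(line)):
            cur["ports"].append({"port": int(m.group(1)), "state": m.group(3),
                                 "service": m.group(4), "version": m.group(5)})
    return hosts

def closed_port_count(h):
    # 'closed' means the host answered with a RST, so the probe got through the
    # firewall; a default-deny firewall shows those ports as 'filtered' instead.
    return h["not_shown"]["closed"] + sum(p["state"] == "closed" for p in h["ports"])

def looks_default_deny(h):
    return closed_port_count(h) == 0

def odd_services(h):
    """Open ports where -sV found a service other than the port-number guess."""
    return [(p["port"], WELL_KNOWN[p["port"]], p["service"]) for p in h["ports"]
            if p["version"] and p["state"] == "open"
            and p["port"] in WELL_KNOWN and WELL_KNOWN[p["port"]] != p["service"]]
```

Run over a real scan, `odd_services` is empty for hosts scanned without -sV, because without version detection the SERVICE column is only the port-number lookup and has nothing to disagree with.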

Worth noting: the -A switch activates service scanning as well.

Advanced Port Scans
You can run many types of advanced port scans with nmap. Aside from the standard TCP connect port scan, nmap requires root access to perform these advanced scans because it needs to create raw sockets and construct raw TCP/IP packets.

Using nmap with root (-A)
The nmap program obtains different information with and without root access. With root access, nmap can perform advanced TCP/IP scans, operating system detection, and MAC address identification.

First, let's check out a normal user utilizing nmap with the -A option. -A activates operating system and service scanning, just as the dedicated switches do. Operating system detection requires root access, so OS detection won't work at all here. I've performed the scan below against a Linksys WRT54G wireless router.

bluefox@icebox:~$ nmap -A -p80,1 192.168.1.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 12:18 EDT
Interesting ports on 192.168.1.1:
PORT   STATE  SERVICE VERSION
1/tcp  closed tcpmux
80/tcp open   http    Linksys wireless-G WAP http config (Name Icelink)
Service Info: Device: WAP

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 6.199 seconds

As you can see, nmap simply skips the OS detection phase. When we run nmap as root, however, we see that it can also look up a lot more information. Below, we see it discovered the MAC address and identified the vendor owning that MAC space; the operating system and details about the OS; the uptime; and the network distance. It also gave us a device type: nmap sees a Linux OS used for desktops, wireless routers, or network storage, and thus classifies the device as either general purpose, WAP, or storage.

bluefox@icebox:~$ sudo nmap -A -p80,1 192.168.1.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 12:18 EDT
Interesting ports on 192.168.1.1:
PORT   STATE  SERVICE VERSION
1/tcp  closed tcpmux
80/tcp open   http    Linksys wireless-G WAP http config (Name Icelink)
MAC Address: 00:13:10:7D:06:C6 (Cisco-Linksys)
Device type: general purpose|WAP|storage-misc
Running: Linux 2.4.X, Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router)
Uptime: 29.285 days (since Tue Mar 6 04:28:28 2007)
Network Distance: 1 hop
Service Info: Device: WAP

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 7.833 seconds

nmap becomes much more powerful with root access; however, for security reasons you should not haphazardly give nmap the SUID permission. You can allow specific users to run nmap via sudo, but be aware that anything that allows a user to gain root access (SUID bits, sudo, etc.) represents a security risk.

Operating system detection

 * Switches:

The -O switch enables nmap's operating system detection. OS detection uses characteristics of the target's TCP/IP stack to fingerprint the remote operating system; usually it can identify Linux, Windows, and BSD, and narrow down a general range of versions and families such as Windows NT/XP or 95/98/ME. A typical OS detection scan looks like the one below.

bluefox@ice-ldap:~$ sudo nmap -O 192.168.1.105 -P0

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-05 18:43 EDT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.1.105:
Not shown: 1677 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:76:96:A5:DC (Micro-star International CO.)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP SP2

Nmap finished: 1 IP address (1 host up) scanned in 32.272 seconds

TCP connect Scan

 * Switches:

nmap allows a TCP connect scan in all cases, administrative access or not; when you specify other scan types without root access, nmap automatically substitutes this scan type.

In this scanning mode, nmap opens a connection to the port in the same way a Web browser or FTP client does and checks how the TCP/IP stack responds. The following results arise from this scan:


 * open: nmap was able to complete a connection, and then closed it.
 * closed: nmap tried to connect and got an error informing it that the port was closed (the OS got a RST packet).
 * filtered: nmap tried to connect and the OS gave it some other error, such as host or port unreachable or a connection time-out.

TCP connect scans work with all privilege levels, but can execute slowly and produce excess packets. They also usually create more logs on the target, and can crash really poorly programmed services.

TCP SYN Scan

 * Switches:

The nmap TCP SYN scan uses a single SYN packet to determine a port's status. nmap uses this scan by default whenever it has raw socket privileges.

The TCP SYN scan sends a SYN packet as if opening a connection, and checks the result. The following statuses come from this test:


 * open: nmap got a SYN/ACK from the host on that port. nmap does not have to take further action; the OS has no record of the connection and responds to the SYN/ACK with a RST, tearing down the half-open connection on the target.
 * closed: nmap got a RST from the host on that port.
 * filtered: nmap got something else, or nothing.

TCP SYN scans execute very quickly, create fewer logs, and act in a more stealthy manner.

Scanning Firewalls
You can use nmap to probe firewalls as well. nmap can perform scans useful for determining whether a firewall uses stateful filtering and which ports it allows through. You can scan targets behind the firewall this way and work out the firewall rules, allowing more targeted scans and possibly evading firewall logging.

TCP ACK Scan

 * Switches:

Stealth Scans
Unfortunately, if you scan through certain IPS or IDS machines, you get loads of fluff from proxy ports. This presents a minor annoyance. I had to trim the output below, as it contained thousands of lines of text. I've obscured the host I scanned; I chose a live machine on the Internet for this because I don't have the IPS hardware they use.

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 16:14 EDT Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 20.95% done; ETC: 16:14 (0:00:09 remaining) Interesting ports on %%% (%%%): Not shown: 861 closed ports PORT     STATE    SERVICE 2/tcp    open     compressnet 3/tcp    open     compressnet 7/tcp    open     echo 10/tcp   open     unknown 12/tcp   open     unknown 14/tcp   open     unknown 15/tcp   open     netstat 18/tcp   open     msp 19/tcp   open     chargen 20/tcp   open     ftp-data 21/tcp   open     ftp 25/tcp   open     smtp 27/tcp   open     nsw-fe 28/tcp   open     unknown 29/tcp   open     msg-icp 30/tcp   open     unknown 31/tcp   open     msg-auth 32/tcp   open     unknown 33/tcp   open     dsp 34/tcp   open     unknown 35/tcp   open     priv-print 38/tcp   open     rap 39/tcp   open     rlp 40/tcp   open     unknown 41/tcp   open     graphics 43/tcp   open     whois 47/tcp   open     ni-ftp 56/tcp   open     xns-auth 58/tcp   open     xns-mail 59/tcp   open     priv-file 60/tcp   open     unknown 64/tcp   open     covia 66/tcp   open     sql*net ..... 134/tcp  open     ingres-net 135/tcp  filtered msrpc 136/tcp  filtered profile 137/tcp  filtered netbios-ns 138/tcp  filtered netbios-dgm 139/tcp  filtered netbios-ssn 141/tcp  open     emfis-cntl 143/tcp  open     imap 145/tcp  open     uaac 147/tcp  open     iso-ip 148/tcp  open     cronus 149/tcp  open     aed-512 150/tcp  open     sql-net 155/tcp  open     netsc-dev ..... 
27001/tcp open    flexlm1 27002/tcp open    flexlm2 27005/tcp open    flexlm5 27007/tcp open    flexlm7 27008/tcp open    flexlm8 27009/tcp open    flexlm9 27010/tcp open    flexlm10 27374/tcp open    subseven 27665/tcp open    Trinoo_Master 31337/tcp filtered Elite 32775/tcp open    sometimes-rpc13 32777/tcp open    sometimes-rpc17 32779/tcp open    sometimes-rpc21 32787/tcp open    sometimes-rpc27 38037/tcp open    landesk-cba 43188/tcp open    reachout 47557/tcp open    dbbrowse 50000/tcp open    iiimsf 54320/tcp open    bo2k 61441/tcp open    netprowler-sensor 65301/tcp open    pcanywhere

Nmap finished: 1 IP address (1 host up) scanned in 23.251 seconds

Fortunately, you can perform a stealth scan to evade this; unfortunately, stealth scans take an order of magnitude longer. Usually a polite scan will do the trick; it sends only 150 packets per minute.



The -T option takes one of the following arguments, given by name or number:


 * (0) - No parallel scanning. 5 minutes between sending packets.
 * (1) - No parallel scanning. 15 seconds between sending packets.
 * (2) - No parallel scanning. 0.4 seconds between sending packets.
 * (3) - Default scanning. Tries to be very fast without overloading the network.
 * (4) - Faster than normal, but loads the network.
 * (5) - Parallel scans; times out hosts after 15 minutes and won't wait more than 0.3 seconds for an individual probe. Loses a lot of information.

nmap also provides options to control scan time-outs. Combining these with the templates above gives more finely tuned scans, for example a scan sending 100 packets per minute:



Let's try the above scan again, politely.

bluefox@icebox:~$ nmap -T polite

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-02 19:52 EDT
Interesting ports on %%% (%%%):
Not shown: 1658 closed ports, 26 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
8000/tcp open  http-alt
9999/tcp open  abyss

Nmap finished: 1 IP address (1 host up) scanned in 693.146 seconds

As we can see, this scan takes 693 seconds instead of 23, about 30 times longer.