Posted: August 19, 2019 | | by Shashank Nandishwar Hegde (Sudoer alumni, Red Hat)
Image
Nmap (Network Mapper) ispopularly known as the sysadmin’s Swiss Army knife. Since things in a corporate network don’t go as smoothly as desired, those debug/"Save me"tickets can pile up in your work log.
Nmap comes to your rescue. In this article, I explore sixpractical use cases for Nmap.
Using Nmap
Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what's connected, what services each host is operating, and so on. It allows a large number of scanning techniques,such as UDP, TCP connect (), TCP SYN (half-open), and FTP. It also offers a wide variety of scan types, including Proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas, SYN sweep, IP Protocol, and Null scan.See the man page's Scan Techniques section for more details.
Nmap also offers a number of advanced features such asoperating system (OS) detection
via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
Let's explore some of the practical use cases that can help you deal with your network.
Use case one
The Nmap syntax outlined in the man page is as follows:
nmap[<Scan Type>...] [<Options>] {<target specification>}There are many switch options that can be used along with Nmap, but let's focus on the practical one. For this use case, scan the hostname with thenmap <hostname>command like this:
Image
Use case two
If you have more than one host you need to scan, list all the hosts in a hosts.txt file. Then, use the commandnmap -iL <file containing host names>,like so:
Image
Use case three
When using Nmap, it is possible to identify a host's operating system (OS), which is useful for an inventory sweep of your network.Use the -Aswitch to determine the OS for a remote system. For example, running:
$ nmap -A localhost.example.comresulted in:
Image
Use case four
Nmap can help you gain adeeper understanding of your network's security concerns. Todetermine whether a remote host has a firewall enabled, and which ports are filtered, use-sA.The word filteredin the output below suggests that this host is enabled with a firewall:
Image
Use case five
Whenever we want to check the weak points of a host we need to first analyze the open ports (well-known), to give us an idea of whichservices are enabled on thathost. Using the -pswitch, Nmap scans the range of ports specified, as shown below:
Image
Use case six
To perform a stealth scan for TCP information, use the -sT option. This type of scan is handy when you can't use the -sS (SYN) type scan, which is the default—and is stealthier than the TCP connect scan shown below:
Image
Exploring further
These six use cases will start you in the right direction with Nmap. As you discover more of Nmap's power as a network discovery and inventory tool, you'll see that Nmap is an essential part of your sysadmin toolbox.
Please exercise caution with Nmap, though. Either get permission to use it or inform your IT and security staff that you are performing network sweeps and probes so that your monitoring alerts don't trigger a security incident. Nmap is used by all shades of the hacker spectrum, so this warning should be taken seriously. As with any power tool in your toolbox, there is utility as well as danger.
Topics: Networking Linux
