nmap Command in Linux

Introduction

In this tutorial, we will delve into the Linux `nmap` command, a cornerstone tool for network discovery and robust security auditing. Starting with the fundamentals of `nmap`, including its installation and basic network scanning techniques, we'll progress to more sophisticated functionalities such as version detection and OS fingerprinting.

This tutorial covers the following key areas:

1. Grasping the Essentials of `nmap`
2. Executing Network Scans with `nmap`
3. Leveraging Advanced `nmap` Capabilities

Throughout this tutorial, we will utilize the `nmap` command within an Ubuntu 22.04 Docker container environment. The necessary installation command for `nmap` is provided if needed. The goal is to empower you with the knowledge and practical skills required to effectively employ `nmap` for comprehensive network exploration and thorough security assessment, a crucial skill for any systemadmin.

Understand the Basics of nmap

In this section, we will cover the essential aspects of the `nmap` (Network Mapper) command. This powerful utility is invaluable for both network discovery and security auditing. `nmap` is a free and open-source tool, ideal for scanning networks and individual hosts, identifying active services, and uncovering potential security vulnerabilities that a systemadmin needs to be aware of.

Let's begin by installing `nmap` on our Ubuntu 22.04 Docker container:

sudo apt-get update
sudo apt-get install -y nmap

Example output:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  liblinear6 libpcap0.8 libpcre2-8-0 libsqlite3-0 libssl-dev libssl1.1 zlib1g
Suggested packages:
  nmap-frontend
The following NEW packages will be installed:
  liblinear6 libpcap0.8 libpcre2-8-0 libsqlite3-0 libssl-dev libssl1.1 nmap zlib1g
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.

With `nmap` now installed, let's explore some fundamental usage scenarios:

1. Performing a simple TCP connect scan on a target host to determine open ports:

nmap 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

2. Conducting a more in-depth scan, including version detection and OS fingerprinting, to gather detailed information about the target:

nmap -sV -O 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

In this section, we've covered the basic usage of the `nmap` command. This includes initiating a simple TCP connect scan and a more comprehensive scan incorporating version detection and OS fingerprinting. In the subsequent section, we will investigate more sophisticated `nmap` functionalities and techniques relevant for a systemadmin managing a Linux environment.

Perform Network Scanning with nmap

This section provides a deeper exploration into network scanning using `nmap`, unveiling a selection of its advanced features applicable in various systemadmin scenarios.

First, let's execute a SYN scan. This is often favored for its stealth, providing insights into network topology without fully establishing connections:

sudo nmap -sS 192.168.1.1-254

Example output:

Starting Nmap scan on 192.168.1.0/24
Nmap scan report for 192.168.1.1
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Next, we'll perform a UDP scan to pinpoint open UDP ports. This is essential for identifying services utilizing the UDP protocol:

sudo nmap -sU 192.168.1.100

Example output:

Starting Nmap UDP scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT    STATE SERVICE
123/udp open  ntp

`nmap` also allows for scanning a defined port range, enhancing targeted reconnaissance:

sudo nmap -p 1-1000 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Finally, let's combine a TCP SYN scan with version detection and OS fingerprinting for a comprehensive analysis:

sudo nmap -sS -sV -O 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

This section has demonstrated diverse network scanning techniques using `nmap`, including SYN scans, UDP scans, port range scans, and scans enhanced with version detection and OS fingerprinting. These techniques prove invaluable for network discovery, security auditing, and effective troubleshooting – all essential skills for a systemadmin.

Utilize Advanced nmap Features

In this final segment, we'll explore advanced features within `nmap`, showing how they facilitate more refined network scanning and in-depth analysis crucial for securing Linux systems and managed by a systemadmin.

We'll initiate with a script scan, geared towards detecting potential vulnerabilities present on our target host. This capability extends beyond simple port enumeration:

sudo nmap -sV --script=vuln 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
| ssh-hostkey:
|   3072 c4:f8:9c:0c:cb:8a:d0:95:87:04:a9:44:b2:2e:ac:e5 (RSA)
|   256 ac:00:66:17:63:c0:80:9d:43:bd:ee:e9:a6:ca:e5:84 (ECDSA)
|_  256 f5:90:d8:9e:6b:b3:19:e5:7c:ab:02:5a:c1:4b:08:e4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     IDs:  CVE-2007-6750, CWE-476
|       Slowloris tries to keep many connections to the target web server open and hold
|       them for as long as possible.  This can effectively starve the web server of
|       resources, slowing it down or causing it to crash.
|
|     Disclosure date: 2009-09-03
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     IDs:  CVE-2007-6750, CWE-476
|       Slowloris tries to keep many connections to the target web server open and hold
|       them for as long as possible.  This can effectively starve the web server of
|       resources, slowing it down or causing it to crash.
|
|     Disclosure date: 2009-09-03
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/

We can instruct `nmap` to conduct a TCP connect scan and simultaneously save the detailed results into a structured output file. This enables thorough post-scan analysis and documentation. A systemadmin will find this particularly useful for audits.

sudo nmap -oA nmap_results 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

The scan output will be persisted across these file formats:

• nmap_results.nmap
• nmap_results.gnmap
• nmap_results.xml

Finally, we'll execute an encompassing TCP SYN scan complemented by service and version detection, OS fingerprinting, along with script scanning. This provides the most comprehensive insight obtainable from a single `nmap` command invocation – invaluable for robust security posture assessment:

sudo nmap -sS -sV -O -sC 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
| ssh-hostkey:
|   3072 c4:f8:9c:0c:cb:8a:d0:95:87:04:a9:44:b2:2e:ac:e5 (RSA)
|   256 ac:00:66:17:63:c0:80:9d:43:bd:ee:e9:a6:ca:e5:84 (ECDSA)
|_  256 f5:90:d8:9e:6b:b3:19:e5:7c:ab:02:5a:c1:4b:08:e4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-server-header:
|   Apache/2.4.41 (Ubuntu)
|_  Server: Apache/2.4.41 (Ubuntu)
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
| http-server-header:
|   Apache/2.4.41 (Ubuntu)
|_  Server: Apache/2.4.41 (Ubuntu)
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

This final section showcased advanced `nmap` capabilities, encompassing script scanning for vulnerability identification, persisting scan outputs to files, and orchestrating a comprehensive scan leveraging service and version pinpointing, OS fingerprinting, and script scanning. These approaches are invaluable for system administrators focused on strengthening network security and proactive problem resolution, particularly when managing Linux server environments where understanding potential vulnerabilities and system configurations is paramount. Mastering tools like nmap is crucial for any systemadmin aiming to maintain a secure and well-managed infrastructure, often requiring root privileges for comprehensive scanning.

Summary

In this tutorial, we explored the foundations of the `nmap` (Network Mapper) command, a versatile instrument for network reconnaissance and rigorous security assessments. Initially, we installed `nmap` on our Ubuntu 22.04 Docker container and then examined its core functionalities, conducting a fundamental TCP connect scan and a refined scan integrating version detection and OS fingerprinting. We learned to use `nmap` to enumerate running services and discover potential vulnerabilities on target hosts. The subsequent sections will delve into `nmap`'s advanced functionalities, further refining our network scanning and security auditing skills, which are essential for any aspiring systemadmin. Effective utilization of nmap allows a systemadmin to thoroughly assess a network's security posture, identifying potential weaknesses that could be exploited. Furthermore, understanding how to interpret nmap's output is critical for making informed decisions regarding network hardening and security policy implementation. Nmap's versatility extends to various operating systems, but its prevalence in Linux environments makes it a must-know tool for any systemadmin working with Linux servers or networks.

Tác giả

Tôi là một chuyên gia System Administrator (SysAdmin) & DevOps Engineer với hơn 10 năm kinh nghiệm trong lĩnh vực quản trị hệ thống, bảo mật mạng, và tối ưu hạ tầng Cloud. Tôi đã từng làm việc tại các tập đoàn công nghệ lớn và tham gia triển khai nhiều hệ thống High Availability (HA), Load Balancing, Database, container và CI/CD giúp doanh nghiệp hoạt động ổn định với hiệu suất cao. Bài này tôi viết với thời gian đọc khoảng 8 phút. I also wrote a Vietnamese version.