Installing Nmap
Nmap is open-source, which means it is readily available for all major Linux distributions as well as other operating systems, such as Windows, Mac OS, and Solaris. To download a binary for your system or compile it yourself, see the Nmap download resources.
To install it on Ubuntu/Debian, use the apt package manager:
Once Nmap is installed, you can run network scans by invoking the nmap command from the terminal.
Quick Network Host Discovery
To perform a quick network host discovery using Nmap, use the -sn flag with the Nmap command. This flag tells Nmap to determine whether the hosts are active without conducting any port scans.
Consider the following scan for the network 192.168.0.1/24:
Nmap scan report for 192.168.0.1
Host is up (0.0020s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.10
Host is up (0.0080s latency).
MAC Address: 00:10:95:DE:AD:07 (Thomson)
Nmap scan report for 192.168.0.12
Host is up (0.080s latency).
MAC Address: AC:2D:A9:B2:C8:A0 (Tecno Mobile Limited)
Nmap scan report for 192.168.0.25
Host is up (0.084s latency).
MAC Address: 18:5E:0F:7C:2D:65 (Intel Corporate)
Nmap scan report for 192.168.0.26
Host is up (0.083s latency).
MAC Address: 9C:B7:0D:88:34:4D (Liteon Technology)
Nmap scan report for 192.168.0.29
Host is up (0.082s latency).
MAC Address: 82:10:2A:BC:41:66 (Unknown)
Nmap scan report for 192.168.0.30
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 3.31 seconds
The above command scans the entire network and tells you which devices are active, as well as their respective IP addresses.
You can also pass multiple networks by passing them as arguments. For example:
Quick Host Scan for Open Ports
To perform a quick network scan and determine the open ports on a network, use the Nmap command, followed by the host IP address or subnet range. For example:
You should get an output like the one shown below. If you have a large subnet, it may take a while to complete the scan.
Host is up (0.0089s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
1900/tcp closed upnp
8080/tcp open http-proxy
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.10
Host is up (0.0034s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:10:95:DE:AD:07 (Thomson)
Nmap scan report for 192.168.0.25
Host is up (0.099s latency).
All 1000 scanned ports on 192.168.0.25 are filtered
MAC Address: 18:5E:0F:7C:2D:65 (Intel Corporate)
If you already know which ports should be open on a system, or want to confirm them, you can tell Nmap to scan only those ports and report whether they are reachable. The command for this is as follows:
Save Nmap Scan to File
In most cases, when performing a network scan, you will need a copy of the results to reference the open ports or the running service. Nmap allows you to save the output of a scan to a file.
To save the output of an Nmap scan to a file, use the -oA argument and pass the file name, as follows:
The -oA flag writes the output in every format at once, using the given name as the base file name. To choose a single format, such as XML, use the -oX flag:
To specify a normal output, use the -oN flag:
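As an added example that is not part of the original article, the following Python reads the XML that -oX produces, builds a per-host inventory of ports, and flags legacy cleartext services such as the telnet listeners that appear in the scan results above. The embedded XML is constructed to mirror those results in Nmap's -oX layout; it is not a real capture.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout, modelled on the scan output above (not captured data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.168.0.1/24">
  <host><status state="up"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="44:32:C8:70:29:7E" addrtype="mac" vendor="Technicolor CH USA"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="1900"><state state="closed"/><service name="upnp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Legacy or cleartext services a defender wants called out when they show up on a LAN.
WATCHLIST = {"telnet", "microsoft-ds", "netbios-ssn", "rpcbind"}

def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, state, service), ...]} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for p in host.iter("port"):
            svc = p.find("service")  # absent when Nmap has no name for the port
            ports.append((int(p.get("portid")), p.get("protocol"),
                          p.find("state").get("state"),
                          svc.get("name") if svc is not None else ""))
        inventory[ip] = ports
    return inventory

def flag_watchlist(inventory):
    """Return sorted (ip, port, service) tuples for open watchlist services."""
    return sorted((ip, port, svc) for ip, ports in inventory.items()
                  for port, _proto, state, svc in ports
                  if state == "open" and svc in WATCHLIST)
```

Point parse_nmap_xml at the contents of a real -oX file to turn a scan into an inventory you can diff between runs.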
Conclusion
As shown in this article, Nmap provides several quick methods for performing simple network scans. Nmap is a powerful tool that you can use to your advantage to exploit and secure networks.
To expand your knowledge, consult the main Nmap documentation.