Network Mapper, commonly called Nmap, is a popular, open-source security auditing and network scanner created by Gordon Lyon. Nmap can be quite capable when performing network diagnostics and information-gathering in penetration testing. Nmap allows you to scan from a single host in a network to a collection of hosts in a large network.
An Nmap scan can provide information such as the operating system running on the hosts, the open ports, the services listening on them, and the versions of those services. Nmap scans can also help to detect vulnerabilities in the network hosts using the built-in scripting engine.
Simply put, Nmap works by sending raw IP packets to gather information about the hosts in a network, the services running, the versions, and even the operating systems.
A few key features set Nmap apart from other information gathering tools. These include:
- Open-source: Despite Nmap being amazingly powerful, this tool is free to download for all major operating systems. Nmap is fully open-source, which means that the code is free to modify and redistribute under the terms stipulated in its license.
- Easy: Nmap is extremely straightforward and easy to use, thanks to its graphical interface version called Zenmap. Thanks to Zenmap and other beginner-friendly features, Nmap is suitable for both advanced professionals and first-time users.
- Cross-platform: Nmap is available for all major operating systems, including Windows, Mac OS, Linux, FreeBSD, OpenBSD, Solaris, and more.
- Powerful: Nmap can be said to be the best tool at what it does. This powerful tool supports the scanning of large networks with thousands of connected hosts.
- Popular: Nmap is very popular and has a large community of users who are always ready to help and contribute to further development of the tool.
- Documentation: One of the best features of Nmap is the documentation that comes with it. Nmap provides intuitive, well-organized, and clear information on how to use and explore the tool.
Nmap is free and available for download from the official download page, provided below:
At the download page, select the installer that is right for your system and perform a normal install. For Linux users, you can install Nmap using popular package managers, as it is available in the repositories of all major Linux distributions.
For Debian users, here are the install commands:
How to Use Nmap to Scan Network Subnet
One way to use Nmap at home is to scan your network to view all the connected devices. This can be helpful to see if there are any unauthorized devices on the network. To find unauthorized devices, you can tell Nmap to scan the entire subnet and check the hosts it reports against the devices you know.
NOTE: In penetration testing, you will rarely scan an entire network. Instead, you will only dive into targeted hosts in the network, as the process can be slow and unnecessary.
Obtaining the Subnet Mask
Before commanding Nmap to scan your network for connected hosts, you will first need to get your network’s subnet mask. Together with your own address, the subnet mask defines the network’s IP range.
Begin by opening a terminal session and installing the net-tools package using the following command:
Next, use the ifconfig command to grep for the netmask:
You should obtain an output similar to the one shown below:
inet 192.168.0.24 netmask 255.255.255.0 broadcast 192.168.0.255
From this output, you can see that this machine’s IP address is 192.168.0.24 with a subnet mask of 255.255.255.0. That means only the last octet varies (0 to 255), so the IP range is the whole 192.168.0.x block. Though I will not dive into the details of subnetting, this means that you have valid host addresses from 192.168.0.1 to 192.168.0.254.
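The arithmetic just described can be delegated to Python's standard `ipaddress` module. The following is an added example, not code from the original tutorial: it parses the `inet ... netmask ...` line that ifconfig prints, derives the network in CIDR form (the value you will pass to Nmap), and lists the usable host range. It also handles masks that do not fall on an octet boundary, such as 255.255.255.192, where counting by hand is easy to get wrong; the ifconfig line is the one shown above, embedded as constructed input.

```python
# Added example (not from the original tutorial): derive the scannable
# network range from the "inet <addr> netmask <mask> ..." line that ifconfig
# prints, doing with the standard library what the text above does by hand
# for 192.168.0.24 / 255.255.255.0.
import ipaddress


def network_from_ifconfig(line: str) -> ipaddress.IPv4Network:
    """Parse an ifconfig 'inet <addr> netmask <mask> ...' line into its IPv4 network."""
    fields = line.split()
    addr = fields[fields.index("inet") + 1]
    mask = fields[fields.index("netmask") + 1]
    # strict=False lets the interface's host address (here .24) stand in for
    # the network address; ipaddress zeroes the host bits for us.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def summarize(net: ipaddress.IPv4Network) -> dict:
    """Return what a scanner needs: the CIDR to hand to Nmap and the usable host range."""
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "cidr": str(net),
        "prefix_length": net.prefixlen,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "broadcast": str(net.broadcast_address),
    }


# Constructed input: the ifconfig line shown in the tutorial.
IFCONFIG_LINE = "inet 192.168.0.24 netmask 255.255.255.0 broadcast 192.168.0.255"

if __name__ == "__main__":
    for key, value in summarize(network_from_ifconfig(IFCONFIG_LINE)).items():
        print(f"{key:>14}: {value}")
```

For the tutorial's line this yields `192.168.0.0/24` with 254 usable hosts from 192.168.0.1 to 192.168.0.254; feed the same function a 255.255.255.192 mask and it reports `192.168.0.0/26` with 62 usable hosts, which is the case where a hand calculation most often goes wrong.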
Scanning the Subnet
NOTE: This tutorial does not seek to teach you about host discovery with Nmap. It focuses on showing you a simple way to scan devices connected to your network.
To accomplish this, use the nmap command followed by the scan option. In this case, we only need a ping scan for host lookup, since we want to know which hosts are up rather than which ports are open.
The command is as follows:
We pass the /24 mask from the subnet. You can find the subnet mask cheat sheet in the resource provided below:
Once the command executes successfully, you should get an output showing the devices connected to your network.
Nmap scan report for 192.168.0.1
Host is up (0.0040s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.10
Host is up (0.0099s latency).
MAC Address: 00:10:95:DE:AD:07 (Thomson)
Nmap scan report for 192.168.0.16
Host is up (0.17s latency).
MAC Address: EC:08:6B:18:11:D4 (Tp-link Technologies)
Nmap scan report for 192.168.0.36
Host is up (0.10s latency).
MAC Address: 00:08:22:C0:FD:FB (InPro Comm)
Nmap scan report for 192.168.0.254
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.82 seconds
NOTE: You do not have to run Nmap with sudo, but in some instances the scan may fail if run without root.
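Reading a report like the one above by eye works for five hosts but not for a busy network, and the point of the exercise is to notice devices you did not expect. The following is an added example, not code from the original tutorial: it parses Nmap's human-readable report into host records and compares each MAC address against an allowlist of known devices. The sample report is the one shown above, embedded as constructed input; the allowlist is an assumption standing in for your own asset records. The parser also accepts the `Nmap scan report for hostname (a.b.c.d)` form Nmap prints when reverse DNS succeeds, which the sample above happens not to contain.

```python
# Added example, not part of the original tutorial: parse the Nmap ping-scan
# report into a host inventory and flag devices whose MAC address is not on
# a list of known devices. The allowlist is a constructed assumption.
import re
from dataclasses import dataclass
from typing import Optional

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?")
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?"
)


@dataclass
class Host:
    address: str
    mac: Optional[str] = None       # None when Nmap could not learn it
    vendor: Optional[str] = None
    latency_s: Optional[float] = None


def parse_report(text: str) -> list:
    """Turn Nmap's normal (human-readable) output into Host records."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the bare IP when Nmap printed "hostname (ip)".
            current = Host(address=m.group("ip") or m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue  # preamble lines before the first host
        m = UP_RE.match(line)
        if m:
            if m.group("latency") is not None:
                current.latency_s = float(m.group("latency"))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group("mac").upper()
            current.vendor = m.group("vendor")
    return hosts


def unknown_devices(hosts: list, known: dict) -> tuple:
    """Split hosts into those with an unrecognised MAC and those with no MAC at all.

    A missing MAC usually means the scanning machine itself or a host that is not on
    the local link (Nmap only learns MACs from the local segment, and only when it runs
    with enough privileges), so those are reported separately rather than silently
    treated as known.
    """
    unknown = [h for h in hosts if h.mac is not None and h.mac not in known]
    no_mac = [h for h in hosts if h.mac is None]
    return unknown, no_mac


# Constructed sample: the scan report shown in the tutorial.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.0.1
Host is up (0.0040s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.10
Host is up (0.0099s latency).
MAC Address: 00:10:95:DE:AD:07 (Thomson)
Nmap scan report for 192.168.0.16
Host is up (0.17s latency).
MAC Address: EC:08:6B:18:11:D4 (Tp-link Technologies)
Nmap scan report for 192.168.0.36
Host is up (0.10s latency).
MAC Address: 00:08:22:C0:FD:FB (InPro Comm)
Nmap scan report for 192.168.0.254
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.82 seconds
"""

# Constructed allowlist (an assumption, not from the page): devices we expect to see.
KNOWN_DEVICES = {
    "44:32:C8:70:29:7E": "router",
    "EC:08:6B:18:11:D4": "wifi access point",
}

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    unknown, no_mac = unknown_devices(found, KNOWN_DEVICES)
    for h in unknown:
        print(f"UNKNOWN  {h.address:<15} {h.mac}  {h.vendor or ''}")
    for h in no_mac:
        print(f"NO MAC   {h.address:<15} (could not be verified)")
```

Run against the sample, this flags 192.168.0.10 and 192.168.0.36 as unknown and lists 192.168.0.254 as unverifiable because the report carries no MAC for it. Matching on MAC rather than IP matters because IPs on a home network are usually handed out by DHCP and change; keep in mind that a MAC is easy to set on most hardware, so a clean allowlist check is a first screen, not proof.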
This tutorial showed you some of the basics of using Nmap for scanning hosts on a network. It is important to note that this is just one feature of Nmap’s scanning capabilities; Nmap can do a lot more than what was illustrated in this guide.
If you want to get a deeper understanding of Nmap and how it works, feel free to check out the Nmap official documentation.
For network nerds, penetration testers, and network engineers, knowing how to use Nmap is a must-have skill. Hopefully, this tutorial has helped to get you started with Nmap.