Linux nmap Security Monitoring Tool

How to scan a network using nmap on Linux

nmap - Security Scanner


Nmap (network mapper) is a security scanning tool used to discover hosts and services on a computer network. It does this by sending specially crafted packets to the target hosts and then analysing the responses. In most cases Nmap can identify which ports are open and which operating system the host is running. Nmap was designed to scan large networks quickly, although it is often used against selected IP addresses.



Nmap is often used as a security auditing tool. Nmap can be used to see what connections are active.



Nmap features


Host Discovery - Analysing responses from ping commands and open ports.

Port Scanner - Scans through a range of ports to determine if they are open or not.

Version Detection - nmap can interrogate listening network services and determine application names and version numbers.

Operating System Detection - nmap can identify known operating systems.



nmap Installation Guide


nmap can normally be installed directly from your system's standard repositories. Below are examples of installing nmap on Debian/Ubuntu, CentOS/RHEL and openSUSE Linux distributions. To install nmap, simply follow the instructions that match your operating system.



Install nmap for Ubuntu/Debian Distributions


To install nmap on a Debian-based system, issue the commands below. The first command updates your system's package lists with the latest versions of available packages. It is followed by the install command. Reply "Y" when asked to install the relevant package and any dependencies.



$ sudo apt-get update 

$ sudo apt-get install nmap


Install nmap for RHEL/CentOS Distributions


To install nmap on a Red Hat based system, issue the following yum command as the root user. When asked to confirm installation and any dependencies, reply "y".



# yum install nmap 


Install nmap for openSUSE Distributions


To install nmap on either openSUSE or SLES, issue the following command from a terminal as the root user. Reply "y" to the continue prompt.



# zypper install nmap



nmap command examples


The following section illustrates some of the functionality of the nmap command. The examples below are run from a CentOS 7.0 installation.



Scan a Single IP Address


In the following example, we are going to run a scan against a single IP address with no additional parameters passed:



[root@centos07a ~]# nmap 192.168.0.16

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-01 20:51 GMT
Nmap scan report for 192.168.0.16
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 89.70 seconds

In the above example, our target server has the IP address of "192.168.0.16". The following ports were found to be open:

Port 22: Used for ssh connections.

Port 80: Indicates a web server is running.

Port 10000: Webmin administration is running on port 10000.
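
When nmap is used for auditing, the report is usually compared against the ports a host is expected to expose. The script below is an added example, not part of the original guide: it parses the report format shown above and lists open ports missing from a baseline. The baseline "22/tcp 80/tcp" and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit nmap's normal output against an approved-port baseline.

# Constructed sample input, copied from the scan report shown above.
sample_scan() {
cat <<'EOF'
Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-01 20:51 GMT
Nmap scan report for 192.168.0.16
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 89.70 seconds
EOF
}

# unexpected_ports "<allowed ports>" reads an nmap report on stdin and prints
# "host port/proto service" for every open port that is not in the baseline.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Remember which host the following port table belongs to.
        # Reports for named hosts end in "(ip)", so strip the parentheses.
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        # Port rows look like "22/tcp open ssh"; closed/filtered rows are skipped.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            if (!($1 in ok)) print host, $1, $3
        }
    '
}

# Hypothetical baseline: only ssh and http are approved on this host.
sample_scan | unexpected_ports "22/tcp 80/tcp"
```

The same function works on a live report, for example by piping the output of the nmap command shown above into it. The service name in the last column comes from nmap's port-number table, which is why Webmin on port 10000 is labelled snet-sensor-mgmt in a scan without version detection.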



Scan with OS Detection



[root@centos07a ~]# nmap -v -A 192.168.0.16

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-01 21:09 GMT
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 21:09
Completed Parallel DNS resolution of 1 host. at 21:09, 0.03s elapsed
Initiating SYN Stealth Scan at 21:09
Scanning 192.168.0.16 [1000 ports]
Discovered open port 22/tcp on 192.168.0.16
Discovered open port 80/tcp on 192.168.0.16
Increasing send delay for 192.168.0.16 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Increasing send delay for 192.168.0.16 from 5 to 10 due to 39 out of 128 dropped probes since last increase.
Increasing send delay for 192.168.0.16 from 10 to 20 due to 11 out of 23 dropped probes since last increase.
Increasing send delay for 192.168.0.16 from 20 to 40 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 192.168.0.16 from 40 to 80 due to 11 out of 30 dropped probes since last increase.
SYN Stealth Scan Timing: About 45.67% done; ETC: 21:10 (0:00:37 remaining)
Discovered open port 10000/tcp on 192.168.0.16
Completed SYN Stealth Scan at 21:10, 89.69s elapsed (1000 total ports)
Initiating Service scan at 21:10
Scanning 3 services on 192.168.0.16
Completed Service scan at 21:10, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.16
NSE: Script scanning 192.168.0.16.
Initiating NSE at 21:10
Completed NSE at 21:11, 30.01s elapsed
Nmap scan report for 192.168.0.16
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.4 (protocol 2.0)
| ssh-hostkey: 2048 25:0c:45:03:dc:38:1f:0b:95:e5:45:88:97:f2:f9:36 (RSA)
|_256 da:b0:c1:ae:b4:5e:82:e7:b3:cb:ec:53:cf:9c:15:c3 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.6 ((CentOS))
| http-methods: POST OPTIONS GET HEAD TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache HTTP Server Test Page powered by CentOS
10000/tcp open  http    MiniServ 1.690 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 9A2006C267DE04E262669D821B57EAD1
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Login to Webmin
| ndmp-version: 
|_  ERROR: Failed to get host information from server
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Uptime guess: 0.022 days (since Mon Dec  1 20:39:14 2014)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros

NSE: Script Post-scanning.
Initiating NSE at 21:11
Completed NSE at 21:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.48 seconds
           Raw packets sent: 1356 (62.416KB) | Rcvd: 2727 (118.770KB)
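
The -A option enables OS detection, version detection, script scanning and traceroute, which is why this report carries a VERSION column and NSE script lines (those starting with "|") under each port. The script below is an added example, not part of the original guide: it reduces such a report to a service inventory and pulls out the http-methods warning. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise an "nmap -A" report for an audit record.

# Constructed sample: an excerpt of the report shown above.
sample_report() {
cat <<'EOF'
Nmap scan report for 192.168.0.16
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.6 ((CentOS))
| http-methods: POST OPTIONS GET HEAD TRACE
| Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
10000/tcp open  http    MiniServ 1.690 (Webmin httpd)
|_http-title: Login to Webmin
OS details: Linux 3.7 - 3.9
EOF
}

# service_inventory: one "port|service|version banner" line per open port.
service_inventory() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        port = $1; svc = $3
        $1 = $2 = $3 = ""; sub(/^ +/, "")   # what remains is the VERSION column
        print port "|" svc "|" $0
    }'
}

# risky_methods: "port methods" for each port where the http-methods script
# reported "Potentially risky methods". NSE lines start with "|" and belong
# to the most recent port row above them.
risky_methods() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { port = $1; next }
         /^\|[ _]*Potentially risky methods:/ {
             sub(/^.*methods: */, ""); print port, $0
         }'
}

sample_report | service_inventory
sample_report | risky_methods
```

The inventory lines can be stored and compared between scans to spot changed or newly exposed service versions, and the second function shows that TRACE is enabled on the web server on port 80.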