Nmap: A Comprehensive Guide

What is Nmap?

Nmap is an open source utility for network discovery and security auditing. It was designed by Gordon "Fyodor" Lyon to rapidly scan large networks, although it works fine for single hosts. According to the documentation, Nmap uses "raw IP packets in novel ways" to determine:

What hosts are available on a network
What services (and their versions) these hosts are running
What operating systems they're using
What type of packet filters/firewalls are in use
And dozens of other characteristics

Why Use Nmap?

Network inventory - Discover all devices on your network
Security auditing - Find and address vulnerabilities
Service upgrade management - Track services that need updates
Uptime monitoring - Check host and service availability
Penetration testing - Assess network security posture

Nmap Output Types

When Nmap scans a target, it provides information about:

1. Port states:

Open: An application is actively listening
Closed: No application is listening
Filtered: A firewall/obstacle is blocking access
Unfiltered: Port is responsive but status unclear
Open|filtered: Cannot determine if open or filtered
Closed|filtered: Cannot determine if closed or filtered

2. Additional information:

Reverse DNS names
Operating system guesses
Device types
MAC addresses
Service versions

Basic Nmap Usage

The basic syntax for Nmap is:

nmap [scan type(s)] [options] {target specification}

Target Specification

You can specify targets in several ways:

Single IP: nmap 192.168.1.1
Hostname: nmap scanme.nmap.org
IP range: nmap 192.168.1.1-50
Subnet: nmap 192.168.1.0/24
From file: nmap -iL targets.txt
Random targets: nmap -iR <number>

Nmap Scan Types

TCP 3-way Handshake (used in TCP Connect scan)

Beginner Scans

Command	Purpose
`nmap -v -sL <range>`	List scan (enumerate targets without scanning)
`nmap -v -sn <range>`	Host discovery (ping scan) without port scanning
`nmap -v -O <ip>`	Operating system detection
`nmap -v -A <ip>`	Aggressive scan (OS detection, version detection, script scanning, traceroute)
`nmap -v -sC <ip>`	Default script scan
`nmap -v -sV <ip>`	Version detection

Intermediate Scans

Command	Purpose
`nmap -F <ip>`	Fast scan (fewer ports)
`nmap -sU <ip>`	UDP port scan
`nmap -p- <ip>`	Scan all 65,535 ports
`nmap -S <ip>`	Spoof source IP address
`nmap -T<0-5> <ip>`	Set timing template (0=slowest, 5=fastest)
`nmap -n <ip>`	No DNS resolution
`nmap -6 <ip>`	IPv6 scanning

Advanced Scans

Command	Purpose
`nmap -sS <ip>`	TCP SYN (stealth) scan
`nmap -sF <ip>`	FIN scan (may evade some firewalls)
`nmap -sN <ip>`	NULL scan (no flags set)
`nmap -sX <ip>`	Xmas scan (FIN, URG, PUSH flags set)
`nmap -sA <ip>`	ACK scan (useful for mapping firewall rules)

Stealth and Evasion Techniques

Command	Purpose
`nmap --scan-delay <time>`	Add delay between packets
`nmap --max-rate <number>`	Limit packets per second
`nmap -D <decoy1,decoy2,...>`	Cloak scan with decoys
`nmap --spoof-mac <mac>`	Spoof MAC address
`nmap -sI <zombie host[:probeport]>`	Idle scan using zombie host
`nmap --proxies <url1,[url2],...>`	Relay connections through HTTP/SOCKS4 proxies

Output Options

Nmap provides various output formats:

Normal output: -oN filename
XML output: -oX filename
Grepable output: -oG filename
Script kiddie output: -oS filename
All formats at once: -oA basename

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine extends Nmap's functionality with scripts written in Lua:

# Find all NSE scripts
locate *.nse

# Find vulnerability scanning scripts
locate *vuln*.nse

# Get help for a specific script
nmap --script-help <script-name>

# Run vulnerability scanning scripts
nmap --script vuln <target>

Real-World Example

Here's an example of a typical Nmap scan:

nmap -A -T4 scanme.nmap.org

Output:

Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.029s latency).
rDNS record for 74.207.244.221: li86-221.members.linode.com
Not shown: 995 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
646/tcp  filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo  Nping echo

Legal Considerations

While Nmap is a legitimate security tool, port scanning can be considered illegal in some jurisdictions without explicit permission. The Nmap documentation mentions that unauthorized port scanning has been prosecuted in some cases. Always ensure you have permission to scan the target network.

Further Resources

For more comprehensive information about Nmap:

1. Official Documentation:

Nmap Reference Guide: https://nmap.org/book/man.html
Official website: https://nmap.org

2. The Nmap Book:

"Nmap Network Scanning" by Gordon "Fyodor" Lyon
ISBN: 978-0-9799587-1-7
Contains 18 detailed chapters on every aspect of Nmap

3. Related Tools:

Zenmap: GUI for Nmap
Ndiff: Tool for comparing scan results
Ncat: Networking utility
Nping: Packet generation and analysis tool

Nmap is a versatile tool with a vast range of capabilities. This guide covers the basics, but exploring the official documentation will reveal many more advanced features and techniques.