Intro to Nmap

Nmap (or Network Mapper) is a tool that aids in scanning devices on a network. A hacker favorite as well as an essential in network administration, Nmap can discover devices on a network, discover open ports on devices, discover the OS and software devices are running among many other things. This is a brief introductory tutorial that goes through installing Nmap (on Ubuntu) and some basic commands to get you started.

Installing Nmap

Installing nmap should be straightforward on whichever distro you are running; here we quickly run through installing nmap on Ubuntu.

    sudo apt-get install nmap

Quick note: to view the nmap help docs, just run:

    nmap --help

Map the Local Network

The first exercise will be to map our local network. First off we need to determine our local network range. In Linux we can do this by running ifconfig in the terminal (on newer distributions ifconfig may not be installed by default; ip addr shows the same information).

    ifconfig

Running ifconfig displays a list of network interfaces: wireless (wifi) interfaces, ethernet interfaces, docker interfaces and so on, as well as the lo (local loopback) interface. (Ethernet interfaces are often named e#### or similar, while wifi interfaces are often named w### or similar.) Find the interface on the network you want to scan and make a note of its inet and netmask values. My output from running ifconfig is below:

    enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.10.123  netmask 255.255.255.0  broadcast 192.168.10.255
            inet6 fdd2:fa19:4a62:0:1f03:5f5:7810:eb3  prefixlen 64  scopeid 0x0<glob

Here you can see that the inet address is 192.168.10.123 and the netmask is 255.255.255.0. The inet address is your machine's address on that specific network. A netmask of 255.255.255.0 is common on smaller local networks; larger networks may use 255.255.0.0 or similar. To dig deeper into how netmasks work and how they relate to local network IPs, see my article here: https://phoenixignited.tech/intro-to-net-masks . For now we will just say that with a netmask of 255.255.255.0 and an IP of 192.168.10.123, as in my case, the local network range is 192.168.10.0 - 192.168.10.255: the network address is 192.168.10.0, the broadcast address is 192.168.10.255, and the addresses usable by devices on the network are 192.168.10.1 - 192.168.10.254. In CIDR notation that is 192.168.10.0/24. On a larger network with a netmask of 255.255.0.0 the range extends from 192.168.0.0 - 192.168.255.255 (192.168.0.0/16 in CIDR). Put another way: with a 255.255.255.0 netmask the first three octets of the IP address identify the network the machine belongs to and the last octet identifies the machine on that network, whereas with a 255.255.0.0 netmask the first two octets identify the network and the last two octets identify the machine.
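The arithmetic above is easy to get wrong by hand, so here is an added example (not code from the original article) that derives the network address, broadcast address and CIDR prefix from exactly the inet/netmask pair ifconfig prints. It uses only POSIX sh arithmetic, and it goes slightly beyond the text by rejecting a netmask whose one bits are not contiguous (such as 255.0.255.0), which is not a valid netmask and would silently produce a wrong range.

```shell
#!/bin/sh
# Added example, not code from the original article: turn the inet address and
# netmask that ifconfig prints into the network address, broadcast address and
# CIDR prefix, so the range handed to nmap is computed rather than guessed.
# Plain POSIX sh arithmetic; no tools beyond the shell itself.

# Dotted-quad -> 32-bit integer.
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Number of leading one bits in a netmask. Returns 1 (failure) for a mask whose
# ones are not contiguous, e.g. 255.0.255.0, which is not a valid netmask.
mask_to_prefix() {
    _m=$(ip_to_int "$1")
    _bits=0
    _i=31
    while [ "$_i" -ge 0 ] && [ $(( (_m >> _i) & 1 )) -eq 1 ]; do
        _bits=$(( _bits + 1 ))
        _i=$(( _i - 1 ))
    done
    # Rebuild the contiguous mask from the count; a mismatch means a stray one bit
    # after the first zero. Shift right then left to avoid overflowing 64 bits.
    if [ "$_m" -ne $(( (4294967295 >> (32 - _bits)) << (32 - _bits) )) ]; then
        return 1
    fi
    echo "$_bits"
}

# "network/prefix" for an inet address and netmask, e.g. 192.168.10.0/24.
cidr_from_ip_mask() {
    _prefix=$(mask_to_prefix "$2") || { echo "invalid netmask: $2" >&2; return 1; }
    _net=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    echo "$(int_to_ip "$_net")/$_prefix"
}

# Broadcast address: network bits kept, every host bit set.
broadcast_from_ip_mask() {
    _ipn=$(ip_to_int "$1")
    _maskn=$(ip_to_int "$2")
    int_to_ip $(( (_ipn & _maskn) | (~_maskn & 4294967295) ))
}

# Demo with the values from the article.
cidr_from_ip_mask 192.168.10.123 255.255.255.0        # 192.168.10.0/24
broadcast_from_ip_mask 192.168.10.123 255.255.255.0   # 192.168.10.255
cidr_from_ip_mask 192.168.0.2 255.255.0.0             # 192.168.0.0/16
```

The value printed by cidr_from_ip_mask is the argument to pass to nmap; the broadcast address is the one ifconfig shows in the same line, which is a quick way to check the computation against your own output.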

Once you have made note of the inet address and the netmask, we need to determine the IPs we want to scan. We can ping every address on the network via:

    nmap -sP 192.168.10.0/24
    # for instance if your inet address was 192.168.10.123 and your netmask was 255.255.255.0
    # for an inet address of 192.168.12.222 and a netmask of 255.255.255.0 it would be 192.168.12.0/24
    # for a larger network, for instance an inet address of 192.168.0.2 and a netmask of 255.255.0.0, it would be 192.168.0.0/16
    # the -sP flag pings all devices on the network without port scanning (-sP is the older name for -sn in current Nmap releases)

After running the above command you should see a list of all hosts that are up as shown below:

    Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-16 21:08 MDT
    Nmap scan report for _gateway (192.168.10.1)
    Host is up (0.00046s latency).
    Nmap scan report for 192.168.10.123
    Host is up (0.000069s latency).
    Nmap scan report for 192.168.10.124
    Host is up (0.00028s latency).
    Nmap done: 256 IP addresses (3 hosts up) scanned in 2.35 seconds

We have successfully mapped the local network; now let's do something a little more in-depth.
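On a network you administer, the usual next step after a ping sweep is to compare the hosts that answered against the devices you know about. The following is an added example, not part of the original article: it pulls the IP addresses out of a saved ping-scan report and prints any host that is not in a known-device list. The scan report is the one shown above, embedded as a constructed sample so the script runs offline, and the inventory list is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: extract the responding hosts
# from a ping-scan report and flag any that are missing from a known-device list.

# Constructed sample: the report from the article, embedded so this runs offline.
# In practice: nmap -sn 192.168.10.0/24 > scan.txt
SAMPLE_SCAN='Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-16 21:08 MDT
Nmap scan report for _gateway (192.168.10.1)
Host is up (0.00046s latency).
Nmap scan report for 192.168.10.123
Host is up (0.000069s latency).
Nmap scan report for 192.168.10.124
Host is up (0.00028s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.35 seconds'

# Constructed inventory of devices expected on the network, one IP per line.
KNOWN_HOSTS='192.168.10.1
192.168.10.123'

# Print the IP of every host that answered, one per line. Nmap prints either
# "report for <ip>" or "report for <name> (<ip>)", so take the last field and
# strip the parentheses.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Nmap scan report for / {
        ip = $NF
        gsub(/[()]/, "", ip)
        print ip
    }'
}

# Print hosts that answered but are not in the inventory (second argument).
unknown_hosts() {
    live_hosts "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        !($0 in seen)'
}

echo "hosts up:"
live_hosts "$SAMPLE_SCAN"
echo "not in inventory:"
unknown_hosts "$SAMPLE_SCAN" "$KNOWN_HOSTS"
```

Run against a real report, unknown_hosts gives you the short list worth looking at (a new device, a DHCP address you did not expect, or an inventory that is out of date); an empty result means the sweep matched what you already knew.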

Scan for Open Ports on a Remote Machine

We will next scan a remote host machine for open ports. You should either have a remote VPS of your own to scan, or you could head over to Hack the Box and try your skills on their machines. Do not perform this exercise against a machine you do not have authorization to scan.

We will run: 

    nmap -v -A -sV <host_ip>   # replace <host_ip> with your host's actual IP address

  • -v | Increases the verbosity level, providing more details about the scan
  • -A | Enables OS detection, version detection, script scanning, and traceroute
  • -sV | Attempts to determine the version of services running on open ports

The output will list any open ports (by default Nmap scans the 1000 most common ports, so not every open port is necessarily recorded; -p- scans all 65535) as well as the OS, etc. Note that -A already includes version detection, so adding -sV is redundant but harmless. If http and https services are running on the server you will likely see info such as supported http methods, ssl certificate info, what web server is running, and so on.
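When the same scan is repeated over time, it is easier to work from Nmap's greppable output (written with -oG) than from the human-readable report. Here is an added example, not from the original article, that turns a greppable-format scan file into one line per open port with its service and version string. The sample "Host:" line is constructed to stand in for a real file written by nmap -sV -oG; the host address and version strings are made up.

```shell
#!/bin/sh
# Added example, not from the original article: summarise Nmap's greppable
# output (-oG) as one "ip port/proto service version" line per open port.
# Nmap writes one "Host:" line per host; its tab-separated Ports field lists
# port/state/proto/owner/service/rpc-info/version/ entries separated by ", ".

# Constructed sample standing in for a real file from
# nmap -sV -oG scan.gnmap <host_ip>; the host and versions are made up.
SAMPLE_GNMAP=$(printf '%s\t%s\t%s\n' \
    'Host: 192.0.2.10 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///' \
    'Ignored State: closed (996)')

# Print "ip port/proto service version" for each port in the open state.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host: / {
            ip = $1
            sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            ports = ""
            for (f = 2; f <= NF; f++) if ($f ~ /^Ports: /) ports = substr($f, 8)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], field, "/")
                if (field[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, field[1], field[3], field[5], field[7]
            }
        }'
}

# Number of open ports across all hosts in the file.
open_port_count() {
    open_ports "$1" | wc -l | tr -d ' '
}

open_ports "$SAMPLE_GNMAP"
echo "open ports: $(open_port_count "$SAMPLE_GNMAP")"
```

Saving the output of open_ports from each scan and diffing it against the previous run is a simple way to notice a service that appeared, disappeared or changed version on a host you look after; the filtered 8080 entry in the sample is deliberately left out because it is not in the open state.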

We have successfully scanned for open ports and other server info on a remote machine using nmap. That wraps up our tutorial for today, but check back for more nmap tutorials in the future!

Walter Miely is a tech entrepreneur and CEO of Phoenix Ignited Tech. You can find him on LinkedIn. This material is licensed under the CC BY 4.0 License. LEGAL DISCLAIMER: The content provided here is provided AS IS, and part of, or the entirety of this content may be incorrect. Please read the entire Legal Disclaimer here.