Unix: Why you should love nmap

Discovering hosts and services isn't just something that hackers do. A good sysadmin needs to work with an up-to-date view of the systems they manage or those they want to keep an eye on.

You have to love nmap. No other tool gives you as quick a view of your network at so little cost. The name stands for "network mapper", and it can tell you a lot about the network you are managing, including what systems are on it, what's running on those systems, and quite a few services you might need to worry about. It's a very basic tool in some ways. You hand it a few command line parameters and it runs around your network making connections and reporting on what it is able to discover. Plus, it's surprisingly efficient (unless you inadvertently ask for too much information) and is easy to install and to use. For example, you can use nmap to profile your systems -- to get an idea of what's running on them, what operating system they have installed, and what vulnerabilities they might have (e.g., when you're running services that you might not want to support). While hackers often use tools like nmap in their fact-finding missions -- laying out your network and looking for ways to attack your systems -- you would more likely use it to get an up-to-date view of which systems you might need to patch or protect and which services you are running that might require your attention (or need to be shut down). Here's an example of a "fast scan" run on a single system. Note that the scan took 0.164 seconds. That certainly qualifies as fast.

$ nmap -F 192.168.0.6

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-06-03 19:56 EDT
Interesting ports on boson (192.168.0.6):
Not shown: 1229 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
888/tcp open  accessbuilder
993/tcp open  imaps
995/tcp open  pop3s

Nmap finished: 1 IP address (1 host up) scanned in 0.164 seconds

Another scan took a little longer but, again, provides some important clues as to the nature of the system being queried.

# nmap -F 10.3.2.77

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 14:05 EDT
Nmap scan report for 10.3.4.5
Host is up (0.00048s latency).
Not shown: 86 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
37/tcp   open  time
79/tcp   open  finger
111/tcp  open  rpcbind
513/tcp  open  login
514/tcp  open  shell
515/tcp  open  printer
587/tcp  open  submission
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds

If you work on a complex network on which the systems and the applications and services that they provide frequently change, nmap is a great tool for getting an up-to-date picture of each of your subnets. It's surprising how much can change in a month! What you don't want to do is scan every system and every possible port. There are, after all, as many as 65,536 ports on your systems. Generally, only a handful -- something between 4 and 20 -- are going to be in use, actually listening for network connections. Almost no one asks nmap to check all possible ports. That would be far too time-consuming and too light on results. I find nmap particularly helpful for building or verifying my system inventory. I generally scan by subnet. If I want to update my view of what systems are active on a particular subnet, I might run a quick scan just to tell me what systems are there. Here's a command that reports the systems active on the 192.168.0.0/24 subnet.

$ nmap -sP 192.168.0.0/24

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-06-03 19:50 EDT
Host boson (192.168.0.3) appears to be up.
Host fermion (192.168.0.6) appears to be up.
Host 192.168.0.21 appears to be up.
Host 192.168.0.25 appears to be up.
Host 192.168.0.30 appears to be up.
Host 192.168.0.33 appears to be up.
Host 192.168.0.34 appears to be up.
Nmap finished: 256 IP addresses (7 hosts up) scanned in 7.158 seconds

In this example, using the ping scan (-sP), nmap found seven active systems on this particular subnet. The -sP option appears to be synonymous with -sn. Here's output from a different system, this time using -sn:

# nmap -sn 10.10.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 13:13 EDT
Nmap scan report for 10.10.1.1
Host is up (0.00052s latency).
MAC Address: 00:00:0C:11:AD:04 (Cisco Systems)
Nmap scan report for loc11.particles.com (10.10.1.2)
Host is up (0.00034s latency).
MAC Address: 00:50:65:A2:4C:67 (VMware)
Nmap scan report for vm11.particles.com (10.10.1.3)
Host is up (0.00034s latency).
...

Note that you can give nmap a single system as an argument or a subnet address such as the 256-address network specifications (254 usable IPs) shown in the examples above. Because I'm generally interested in single-line-per-system results, I often pass the output of nmap through a Perl script that turns multi-line output like that in the last example into something that better meets my needs. The script just pulls the interesting data out of the three-lines-per-system output shown. It reads its data from whatever file you provide as an argument.

#!/usr/bin/perl -w
use strict;

# Read the nmap output file named on the command line; fail loudly if it
# cannot be opened instead of silently printing nothing.
open(my $nmap, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!";

while ( <$nmap> ) {
    next if /Starting/;              # skip the "Starting Nmap ..." banner
    if ( /^Nmap scan report/ ) {     # one of these lines per host found
        s/Nmap scan report for //;   # keep only the name and/or address
        print;
    }
}
close $nmap;

This cuts the output that I need to look at down to this:

10.10.1.1
loc11.particles.com (10.10.1.2)
vm11.particles.com (10.10.1.3)
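As an added example (not the author's script, and not part of the original post), here is a Python counterpart to the Perl one-liner above that goes a little further: it keeps the MAC address and vendor that a -sn scan reports for hosts on the local segment, and still copes with hosts that have no reverse DNS name or no MAC line. The SAMPLE_SN text is constructed in the shape of the page's "nmap -sn" output; the hostnames, addresses and MACs in it are made up. It parses IPv4 report lines only.

```python
import re

# Constructed sample in the shape of the page's "nmap -sn 10.10.1.0/24" output.
# Hostnames, addresses and MAC addresses are made up for this example.
SAMPLE_SN = """\
Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 13:13 EDT
Nmap scan report for 10.10.1.1
Host is up (0.00052s latency).
MAC Address: 00:00:0C:11:AD:04 (Cisco Systems)
Nmap scan report for loc11.particles.com (10.10.1.2)
Host is up (0.00034s latency).
MAC Address: 00:50:65:A2:4C:67 (VMware)
Nmap scan report for vm11.particles.com (10.10.1.3)
Host is up (0.00034s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# "Nmap scan report for name (ip)" or, with no reverse DNS, "Nmap scan report for ip"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<ip_only>[\d.]+))$"
)
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>.*)\))?")


def parse_ping_scan(text):
    """Turn multi-line -sn output into one dict per host."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {
                "ip": m.group("ip") or m.group("ip_only"),
                "name": m.group("name"),      # None when nmap printed only an address
                "up": False,
                "latency_s": None,
                "mac": None,                  # only present for hosts on the local segment
                "vendor": None,
            }
            hosts.append(current)
            continue
        if current is None:
            continue                          # banner and trailer lines
        m = UP_RE.match(line)
        if m:
            current["up"] = True
            if m.group("latency"):
                current["latency_s"] = float(m.group("latency"))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group("mac")
            current["vendor"] = m.group("vendor")
    return hosts


def one_line(host):
    """Single-line-per-system form: name/address, MAC, vendor (tab separated)."""
    label = f"{host['name']} ({host['ip']})" if host["name"] else host["ip"]
    return f"{label}\t{host['mac'] or '-'}\t{host['vendor'] or '-'}"


def summarize(text):
    return [one_line(h) for h in parse_ping_scan(text)]


if __name__ == "__main__":
    import sys
    # Usage: python3 nmap_sn_summary.py scan.txt   (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SN
    for line in summarize(data):
        print(line)
```

The MAC and vendor columns are worth keeping in an inventory: a host whose address is the same but whose MAC vendor has changed since the last scan is exactly the kind of thing a subnet review should flag.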

Many of nmap's options, such as OS fingerprinting, require root privilege. Some do not. In OS fingerprinting, nmap tries to determine what operating system is running on each system. An OS fingerprinting scan needs to look at some port activity to be reliable; otherwise it might not have enough information to properly identify the OS.

# nmap -O 10.2.3.4

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 14:27 EDT
Nmap scan report for 10.2.3.4
Host is up (0.00027s latency).
Not shown: 966 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
9/tcp     open  discard
13/tcp    open  daytime
19/tcp    open  chargen
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
37/tcp    open  time
79/tcp    open  finger
111/tcp   open  rpcbind
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
515/tcp   open  printer
587/tcp   open  submission
898/tcp   open  sun-manageconsole
2049/tcp  open  nfs
3052/tcp  open  powerchute
4045/tcp  open  lockd
5987/tcp  open  wbem-rmi
6112/tcp  open  dtspc
7100/tcp  open  font-service
13722/tcp open  netbackup
13782/tcp open  netbackup
13783/tcp open  netbackup
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7
32773/tcp open  sometimes-rpc9
32774/tcp open  sometimes-rpc11
32775/tcp open  sometimes-rpc13
32776/tcp open  sometimes-rpc15
32777/tcp open  sometimes-rpc17
32783/tcp open  unknown
32785/tcp open  unknown
Device type: general purpose
Running: Sun Solaris 10
OS CPE: cpe:/o:sun:sunos:5.10
OS details: Sun Solaris 10 (SPARC)
Network Distance: 4 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.15 seconds

You might know what's supposed to be on some subnet, but not what's down or what's been added in the last few months, especially for portions of your network that you don't administer. Some subnets might be much more dynamic than others, and keeping on top of the changes can be a full-time job if you don't find some way to make it easier. Nmap can be very useful in building network maps, which are important in complex sites with lots of network segments. You can also scan just for a particular port, such as this nmap command looking for Oracle listeners on a subnet:

$ nmap -p 1521 192.168.0.0/24

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-06-03 19:57 EDT
Interesting ports on vader.aacc.edu (192.168.0.6):
PORT     STATE  SERVICE
1521/tcp closed oracle

Nmap finished: 1 IP address (1 host up) scanned in 0.105 seconds
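The inventory use described above (what's changed on a subnet since last month, and which hosts have a particular port open) is easy to automate once two saved scans can be compared. The following is an added example, not code from the post or from the nmap project: it parses the port table of nmap's normal output for several hosts, handling both header styles seen on this page ("Nmap scan report for ..." from nmap 6 and "Interesting ports on ..." from nmap 4), and reports new hosts, missing hosts, and ports that opened or closed between two snapshots. The BEFORE and AFTER texts are constructed samples; their hostnames and addresses are made up.

```python
import re

# Two constructed snapshots of "nmap -F" normal output for one subnet, a month
# apart. Hostnames and addresses are made up for this example.
BEFORE = """\
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-04 14:05 EDT
Nmap scan report for boson.example.net (10.3.2.77)
Host is up (0.00048s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
2049/tcp open  nfs
Nmap scan report for fermion.example.net (10.3.2.78)
Host is up (0.00051s latency).
Not shown: 99 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.10 seconds
"""

AFTER = """\
Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 14:05 EDT
Nmap scan report for boson.example.net (10.3.2.77)
Host is up (0.00048s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
1521/tcp open  oracle
Nmap scan report for gluon.example.net (10.3.2.80)
Host is up (0.00044s latency).
Not shown: 98 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.30 seconds
"""

# Newer "Nmap scan report for X" and older "Interesting ports on X:" headers.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (?P<host>.+?):?$")
# One port-table row: "22/tcp   open  ssh"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_port_scan(text):
    """Return {host: {"22/tcp": ("open", "ssh"), ...}} from normal nmap output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("host")
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            key = f"{m.group('port')}/{m.group('proto')}"
            hosts[current][key] = (m.group("state"), m.group("service"))
    return hosts


def port_number(key):
    return int(key.split("/")[0])


def open_ports(table):
    return {p for p, (state, _) in table.items() if state == "open"}


def diff_scans(before_text, after_text):
    """What an inventory review wants: hosts that appeared or vanished, ports that opened or closed."""
    before, after = parse_port_scan(before_text), parse_port_scan(after_text)
    report = {
        "new_hosts": sorted(set(after) - set(before)),
        "missing_hosts": sorted(set(before) - set(after)),
        "newly_open": {},
        "no_longer_open": {},
    }
    for host in set(before) & set(after):
        b, a = open_ports(before[host]), open_ports(after[host])
        if a - b:
            report["newly_open"][host] = sorted(a - b, key=port_number)
        if b - a:
            report["no_longer_open"][host] = sorted(b - a, key=port_number)
    return report


def hosts_with_open(text, port_key):
    """Hosts in a snapshot with the given port open, e.g. '1521/tcp' for Oracle listeners."""
    return sorted(h for h, t in parse_port_scan(text).items()
                  if t.get(port_key, ("closed", ""))[0] == "open")


if __name__ == "__main__":
    import json
    print(json.dumps(diff_scans(BEFORE, AFTER), indent=2))
    print("Oracle listeners now:", hosts_with_open(AFTER, "1521/tcp"))
```

In practice you would save each subnet scan to a dated file (nmap -oN does this) and feed last month's and today's files to diff_scans; the "newly_open" and "new_hosts" entries are the ones that usually deserve a follow-up, since they are the services and systems that nobody has reviewed yet.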

Cautions

You should always exercise some caution when using tools like nmap. Your scans, for example, might set off alerts if someone else or some system is watching for this kind of activity as possibly hostile. Make sure you clear your scans with the proper people in your organization before you get too carried away seeing what you can discover.

Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.
