Nmap - Network Administrator Tool

By LMJ, published Sep 17, 2007
Nmap or Network Map is a network exploration tool and security scanner. Nmap is primarily a *nix tool, but ports of the program do exist for Windows platforms. I will demonstrate some primary uses for nmap although any number of uses could be explored, including nefarious activity. I will focus on its usefulness as a network analysis and exploration tool.

Overview

Nmap performs many different types of scans; the most popular are the ping sweep and the TCP port scan. The type of scan being performed is often the first parameter. Other scans include SYN, Stealth FIN, Xmas Tree and NULL scans. Window, RPC and ACK scans are also useful for testing firewall rule-sets. These are highly specialized and beyond the scope of this HOW-TO. We will explore Operating System (OS) fingerprinting and the Listing scan, which are simple and somewhat useful on a large scale.

The first parameter is the type of scan and is denoted by -sX, where X is the type of scan. For our purposes we will explore the Ping scan (nmap -sP) and the TCP scan (nmap -sT).

Selecting a Target

The next most important parameter is the TARGET or what you will be scanning. This can be any number of IP addresses or networks. You can specify these any number of ways, but nmap is picky and can be dangerous. Please be certain you know what you are scanning.

You can simply specify a target via DNS lookup:

nmap -sP target-host.com

This will simply ping the host and you will get output similar to:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host xx.xx.xxx.xxx.xxxxx.xxx (x.x.x.x) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

You can also scan an entire network by appending a CIDR block prefix, a number between 0 and 32, to the target. /24 indicates a 24-bit mask applied to the IP address.

nmap -sP target-host.com/24

This is valid, although ugly. Nmap simply looks up the IP address for target-host.com and scans the hosts that fall within that address's 24-bit subnet mask.
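Because a prefix on a hostname silently widens the scan, it helps to see exactly which range a target expands to before running it. The following is an added example, not part of the original article: a pre-flight check that expands a target the way described above and compares it against the ranges you are permitted to scan. The function names, the sample DNS mapping and the authorized range are all assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample data: documentation-range addresses (RFC 5737), not real hosts.
SAMPLE_DNS = {"target-host.com": "192.0.2.77"}
AUTHORIZED = [ipaddress.ip_network("192.0.2.0/24")]  # ranges you may scan (assumed)


def expand_target(spec, resolve=socket.gethostbyname):
    """Return the IPv4 network covered by 'host', 'host/24' or '192.0.2.5/24'."""
    host, _, prefix = spec.partition("/")
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        addr = ipaddress.IPv4Address(resolve(host))  # hostname -> one address
    bits = int(prefix) if prefix else 32  # no prefix means a single host
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix must be between 0 and 32, got {bits}")
    # strict=False masks off the host bits, so 192.0.2.77/24 becomes 192.0.2.0/24
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def check_scope(spec, authorized=AUTHORIZED, resolve=socket.gethostbyname):
    """Return (network, address_count, in_scope) for a target specification."""
    net = expand_target(spec, resolve)
    in_scope = any(net.subnet_of(allowed) for allowed in authorized)
    return net, net.num_addresses, in_scope


if __name__ == "__main__":
    # Uses the constructed DNS table so the example runs offline.
    for spec in ("target-host.com", "target-host.com/24", "target-host.com/16"):
        net, count, ok = check_scope(spec, resolve=SAMPLE_DNS.__getitem__)
        status = "in scope" if ok else "OUT OF SCOPE"
        print(f"{spec:22} -> {net} ({count} addresses) {status}")
```

Changing /24 to /16 on the same hostname grows the range from 256 to 65,536 addresses, most of which fall outside the authorized range in this sample.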

[Figure: Screen shot of nmap's quick help. Credit and copyright: lmj]

Takeaways
  • nmap tool and how to use it to ping sweep a network
Did You Know?
nmap is often considered a hacking tool, but can be used by network administrators for auditing purposes.
Comments
 
The amazing part is spelling it correctly. Or did I? :)

Posted on 09/19/2007 at 12:09:00 PM

 
Nice inclusion of the underused term "nefarious" in your article. The rest of this article is beyond me and my eyes glazed over after that :P

Posted on 09/19/2007 at 12:09:00 PM
