Network Mapper (Nmap) is a free, open-source network security scanning tool. By sending IP packets and analyzing the responses, Nmap can discover information about hosts and services on remote computer networks.
Nmap can also audit the security of a device, identify the vulnerabilities of your network, or perform an inventory check with relative ease.
This tutorial shows how to install Nmap on Linux and explains Nmap’s most important features.
- A user with sudo privileges
- Access to a command line
Installing Nmap on Linux
The installation process of NMAP is simple and straightforward, requiring only a single command.
How to Install Nmap on Debian / Ubuntu
1. Install Nmap on Ubuntu by entering the following command:
sudo apt-get install nmap
2. The system prompts you to confirm the installation by typing y.
3. After the installation is finished, verify the installed version of Nmap by entering:
In this example, the version is 7.60.
How to Install Nmap on CentOS / RHEL
1. To install Nmap on an RHEL based Linux distribution type the following command:
sudo yum install nmap
This is an example of the output in CentOS 7.
2. Confirm the installation by typing y.
3. Like in other Linux distributions, once the installation is completed, check the version of Nmap by entering:
In this example, the installed version for CentOS 7 is 6.40.
How to use NMAP Security Scanner on Linux
Once you complete the installation process, Nmap commands are identical regardless of the Linux distribution. Nmap provides a list of scanned targets along with supplemental information, based on the options and arguments used.
The article covers the basic options this tool has to offer. For a full list of options visit the Nmap official page or access the manual from your command line:
Note: It is important to emphasize that aggressive port scanning to find open ports without permission can be interpreted as malicious by third-party organizations.
Scan IP range or subnet
To obtain general information of a remote system type:
sudo nmap target_IP or domain.com
Instead of scanning individual IPs, scan a whole IP range by defining it in your command line:
sudo nmap 188.8.131.52-222
The following command scans the entire specified subnet:
sudo nmap 184.108.40.206/24
Port Scanning with Nmap
Nmap is an efficient port scanner that recognizes six port states:
- open – actively accepting TCP connections, UDP datagrams or SCTP associations
- closed – accessible; however, no application is listening on the port
- filtered – nmap cannot determine whether the port is open due to packet filtering
- unfiltered – the port is accessible; however, nmap is unable to determine if it is open or closed
- open|filtered – nmap cannot determine if a port is open or filtered
- closed|filtered – nmap cannot establish if a port is closed or filtered
Port Specification and Scan Order
By default, Nmap scans the thousand most common ports for each protocol. It also offers options for specifying which ports are to be scanned, and whether the scan is random or ordered.
The -p option allows you to specify port ranges and sequences:
sudo nmap –p 80,443 220.127.116.11
This command scans ports 80 and 443 for the defined host.
TCP SYN scan
Initiate TCP SYN for a fast and unobtrusive scan. Since this type of scan never completes TCP connections, it is often referred to as half-open scanning.
To run a TCP SYN scan, use the command:
sudo nmap -sS 18.104.22.168
Nmap: Scan Speed, Aggression, and Verbosity
Scanning a large number of hosts is a time-consuming process. Nmap has an option to define the speed and thoroughness of the scan. Understandably, scans that need to avoid IDS alerts are slower.
Scan speeds designations start at T0 and span to T5. The higher the speed of the scan the more aggressive it is deemed.
The results of sophisticated tests and algorithms need to be presented in an understandable and structured manner to be useful. The –v command increases verbosity and forces Nmap to print more information about the scan in progress.
Open ports are shown in real-time and completion time estimates are provided.
The -A option enables a comprehensive set of scan options. It enables:
- OS (Operating System) detection, also available with the -O command
- version scanning, also available with the -sV command
- script scanning, also available with the -sC command
- traceroute, also available with the –traceroute command
Since Nmap accepts multiple host specifications on the command line, they do not need to be of the same type.
We can combine the options listed to detect the OS and version, script scanning, and traceroute. We can also use –A and –T4 for faster execution. Additionally, the –Pn option to tell the Nmap tool not to initiate a ping scan:
sudo nmap –A –T4 –v –Pn phoenixnap.com
The output compiles and presents the information from the scan we requested.
Now you know how to install and use Nmap on your Linux system. Nmap has many available options and can be a powerful and versatile scanning tool to discover network vulnerabilities.
Learn 17 more Nmap Commands with examples in this article!