Linux Hardening Guide

A Comprehensive Guide to Using Nmap#

Nmap (Network Mapper) is a powerful, open-source tool used for network discovery and security auditing. It can identify hosts on a network, services running on those hosts, operating systems, and types of packet filters/firewalls in use. This guide will walk you through the fundamentals of using Nmap, from basic scans to more advanced techniques.

Current Date: May 7, 2025

Disclaimer: Using Nmap on networks or systems without explicit permission from the owner is illegal and unethical. This guide is for educational purposes only. Always ensure you have proper authorization before scanning any network.

1. Installation#

Nmap is available for Linux, Windows, and macOS.

• Linux: Most distributions include Nmap in their default repositories. You can usually install it using your package manager:
  • Debian/Ubuntu: sudo apt update && sudo apt install nmap
  • Fedora: sudo dnf install nmap
  • Arch Linux: sudo pacman -S nmap
• Windows: Download the Nmap installer from the official website (nmap.org) and follow the installation instructions. The installer often includes Zenmap, a graphical front-end for Nmap.
• macOS: You can install Nmap using Homebrew (brew install nmap) or by downloading the installer from nmap.org.

To verify the installation, open a terminal or command prompt and type:

nmap -V

This command will display the Nmap version information.

2. Nmap Fundamentals: Target Specification#

Nmap needs to know which hosts to scan. You can specify targets in several ways:

• Single IP Address: nmap 192.168.1.1
• Hostname: nmap scanme.nmap.org (Nmap will resolve the hostname to an IP address)
• Range of IP Addresses:
  • CIDR notation: nmap 192.168.1.0/24 (scans 192.168.1.0 to 192.168.1.255)
  • Octet range: nmap 192.168.1.1-20 (scans 192.168.1.1 through 192.168.1.20)
  • Multiple ranges: nmap 192.168.1.1,5,10-15 (scans specific IPs and a range)
• List of Targets from a File: nmap -iL targets.txt (where targets.txt contains a list of hosts, one per line)
• Random Hosts: nmap -iR 10 (scans 10 random hosts on the internet - use with extreme caution and be aware of legal implications)
• Exclude Targets: nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.100
• Exclude Targets from a File: nmap 192.168.1.0/24 --excludefile exclude_hosts.txt

3. Basic Scan Types#

Nmap offers various scan techniques. Here are some common ones:

• Ping Scan (Host Discovery Only): -sn or -sP (older versions)

  • This scan simply determines which hosts are online without performing port scanning. It’s useful for discovering live hosts on a network.
  • Example: nmap -sn 192.168.1.0/24

• TCP SYN Scan (Default and Most Popular): -sS

  • Also known as a “half-open” scan because it doesn’t complete the TCP three-way handshake. It sends a SYN packet and waits for a SYN/ACK response. If SYN/ACK is received, the port is open. If RST (reset) is received, the port is closed. If no response is received (or an ICMP unreachable error), the port is filtered.
  • This scan is relatively stealthy and fast.
  • Requires root/administrator privileges.
  • Example: nmap -sS 192.168.1.1

• TCP Connect Scan: -sT

  • This scan uses the operating system’s connect() system call to establish a full TCP connection with the target port. If the connection succeeds, the port is open; otherwise, it’s closed.
  • It’s less stealthy than a SYN scan and more likely to be logged.
  • Does not require root/administrator privileges.
  • Example: nmap -sT 192.168.1.1

• UDP Scan: -sU

  • Scans for open UDP ports. UDP scanning is generally slower and more difficult than TCP scanning because UDP is a connectionless protocol.
  • Open UDP ports might not send a response. Nmap sends UDP packets to target ports and waits for responses. If an ICMP port unreachable error is received, the port is closed. If a UDP response is received, the port is open. If no response is received after several retransmissions, the port is marked as open|filtered.
  • Often used in conjunction with version detection (-sV).
  • Example: nmap -sU 192.168.1.1

• FIN, Null, and Xmas Scans: -sF, -sN, -sX

  • These are stealthier scan types that can sometimes bypass older firewalls and intrusion detection systems. They rely on the fact that RFC 793 states that if a port is closed, a RST packet should be sent in response to a malformed TCP packet (like one with only FIN, no flags, or FIN, PSH, URG flags set). Open ports should ignore such packets.
  • These scans don’t work reliably on Windows systems (which tend to send RST regardless of port state).
  • Requires root/administrator privileges.
  • Example: nmap -sF 192.168.1.1

• ACK Scan: -sA

  • Used to map out firewall rule sets and determine if they are stateful or stateless. It sends ACK packets to specified ports. If an RST is returned, the port is considered “unfiltered” (reachable by ACK packets). If no response is received or an ICMP error is returned, the port is “filtered.”
  • This scan doesn’t determine if a port is open or closed.
  • Example: nmap -sA 192.168.1.1

• Fast Scan (Limited Ports): -F

  • Scans fewer ports than the default scan (typically the 100 most common ports).
  • Example: nmap -F 192.168.1.1

• Scan Specific Ports: -p

  • Allows you to specify which ports to scan.
  • Examples:
    • nmap -p 80 192.168.1.1 (scans port 80)
    • nmap -p 22,80,443 192.168.1.1 (scans ports 22, 80, and 443)
    • nmap -p 1-1024 192.168.1.1 (scans ports 1 through 1024)
    • nmap -p U:53,T:21-25,80 192.168.1.1 (scans UDP port 53, TCP ports 21-25, and TCP port 80)
    • nmap -p- 192.168.1.1 (scans all 65535 TCP ports)

4. Service and Version Detection#

Knowing a port is open is useful, but knowing what service is running on that port and its version is even better for vulnerability assessment.

• Version Detection: -sV
  • Probes open ports to determine service and version information. Nmap sends a series of probes and matches the responses against its nmap-service-probes database.
  • Can be combined with other scan types (e.g., nmap -sS -sV 192.168.1.1).
  • Intensity can be controlled with --version-intensity <0-9> (default is 7). Higher values are more comprehensive but slower.
  • Example: nmap -sV 192.168.1.1

5. Operating System (OS) Detection#

Nmap can attempt to identify the operating system of the target host based on its TCP/IP stack fingerprint.

• OS Detection: -O
  • Requires at least one open and one closed TCP port to be found on the target.
  • Requires root/administrator privileges.
  • Example: nmap -O 192.168.1.1
• Aggressive OS Detection: -A
  • This option enables OS detection, version detection, script scanning, and traceroute. It’s a powerful and common option for gathering a lot of information quickly.
  • Example: nmap -A 192.168.1.1
• OS Guessing (--osscan-guess, --fuzzy): If Nmap can’t find a perfect match, these options can make it guess more aggressively.

6. Timing and Performance#

Nmap’s scanning speed can be crucial, especially for large networks.

• Timing Templates: -T<0-5>
  • Nmap offers timing templates for convenience:
    • -T0: Paranoid (very slow, for IDS evasion)
    • -T1: Sneaky (slow, for IDS evasion)
    • -T2: Polite (slower than default, uses less bandwidth)
    • -T3: Normal (default)
    • -T4: Aggressive (faster, assumes a fast and reliable network)
    • -T5: Insane (very fast, may sacrifice accuracy, assumes a very fast network)
  • Example: nmap -T4 192.168.1.0/24
• Manual Timing Controls: Nmap offers many granular timing options (e.g., --min-hostgroup, --max-retries, --initial-rtt-timeout). These are for advanced users.

7. Nmap Scripting Engine (NSE)#

NSE allows users to write (and use pre-written) scripts to automate a wide variety of networking tasks. Scripts can perform more advanced discovery, vulnerability detection, and even exploitation (with caution).

• Default Scripts: -sC or --script default
  • Runs a set of default scripts considered safe and useful.
  • Example: nmap -sC 192.168.1.1
• Specify Scripts:
  • --script <script-name>: Runs a specific script.
  • --script <category>: Runs all scripts in a category (e.g., vuln, discovery, auth).
  • --script <directory>: Runs all scripts in a specified directory.
  • --script "http-*": Runs all scripts starting with “http-”.
• Script Arguments: --script-args <arg1=val1,arg2=val2,...>
  • Some scripts accept arguments.
  • Example: nmap --script http-title --script-args http.max-hostscript-time=60s 192.168.1.1
• Updating Script Database: nmap --script-updatedb (run as root/administrator)
• Finding Scripts: Scripts are typically located in the Nmap scripts directory. You can also find many online.

Common NSE Categories:

• auth: Scripts related to authentication.
• broadcast: Scripts that use broadcast packets to discover hosts or services.
• brute: Scripts for brute-force password guessing (use responsibly and with permission).
• default: The default set of scripts; generally safe and useful.
• discovery: Scripts focused on discovering more about the network or target.
• dos: Scripts related to denial-of-service (use with extreme caution and only on authorized systems).
• exploit: Scripts that attempt to exploit known vulnerabilities (use with extreme caution and only on authorized systems).
• external: Scripts that might send data to third-party services.
• fuzzer: Scripts for sending unexpected or random data to discover flaws.
• intrusive: Scripts that are considered intrusive and might crash services or be easily detected.
• malware: Scripts that test for malware infections.
• safe: Scripts that are generally considered safe and unlikely to cause adverse effects.
• version: Scripts used by version detection (-sV).
• vuln: Scripts that check for specific known vulnerabilities.

8. Firewall and IDS Evasion Techniques (Advanced)#

Attempting to bypass firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) is an advanced topic and should be approached with caution and proper authorization.

• Fragment Packets: -f
  • Splits packets into smaller fragments, which can sometimes bypass less sophisticated firewalls or IDS.
  • --mtu <offset> can also be used to specify a custom MTU.
• Decoys: -D <decoy1,decoy2,ME,...>
  • Makes the scan appear to come from multiple IP addresses (decoys), making it harder to determine the true source. ME indicates your actual IP address.
  • Example: nmap -D RND:10,ME 192.168.1.1 (uses 10 random decoys plus your IP)
• Source Port Spoofing: -g or --source-port <portnum>
  • Specifies the source port Nmap uses for its probes. Some firewalls might be configured to allow traffic from specific source ports (e.g., 53 for DNS, 80 for HTTP).
• Idle Scan (Zombie Scan): -sI <zombie_host[:probeport]>
  • A very stealthy scan that uses a “zombie” host (an idle machine with a predictable IP ID sequence) to send probes, making the scan appear to originate from the zombie. This is a complex technique.
• Data Length: --data-length <number>
  • Appends random data to most packets sent by Nmap.
• Bad Checksums: --badsum
  • Sends packets with incorrect TCP/UDP checksums. Some systems might drop these, while others might process them, potentially revealing OS characteristics.

9. Output Formats#

Nmap provides several ways to save scan results:

• Normal Output: -oN <filename.nmap>
  • Saves the standard output you see on the screen.
• XML Output: -oX <filename.xml>
  • Saves output in XML format, which is easily parsable by other tools or scripts. This is often the most useful format for programmatic processing.
• Script Kiddie Output: -oS <filename.skriptkiddie>
  • Saves output in a “l33t” (leet speak) format. Mostly for amusement.
• Grepable Output: -oG <filename.gnmap>
  • Saves output in a format that’s easy to parse with command-line tools like grep, awk, or cut. Each host is on a single line.
• All Formats: -oA <basename>
  • Saves output in Normal, XML, and Grepable formats using the specified basename (e.g., scan_results.nmap, scan_results.xml, scan_results.gnmap).
• Verbosity: -v (increase verbosity), -vv (even more verbosity), -d (debugging level), -dd (more debugging)
  • Provides more detailed information about the scan process.

10. Combining Options and Practical Examples#

The real power of Nmap comes from combining its various options.

• Standard Comprehensive Scan:

  nmap -A -T4 192.168.1.1
  nmap -sS -sV -O -sC -T4 192.168.1.1 # Similar to -A but more explicit
  

  This performs an aggressive scan with OS detection, version detection, default scripts, and a fast timing template.

• Scan a Subnet for Web Servers and Get HTTP Titles:

  nmap -p 80,443 --script http-title -T4 192.168.1.0/24 -oX web_servers.xml
  

• Discover Live Hosts on a Network and Save to a File:

  nmap -sn 192.168.1.0/24 -oG live_hosts.gnmap
  

• Scan for Common UDP Services with Version Detection:

  nmap -sU -sV --top-ports 20 192.168.1.1
  

  (--top-ports <number> scans the N most common ports for the chosen protocol).

• Check for a Specific Vulnerability (e.g., Heartbleed, with appropriate NSE script):

  nmap -p 443 --script ssl-heartbleed 192.168.1.1
  

  (Note: Ensure you have the ssl-heartbleed.nse script and understand its implications).

11. Nmap Best Practices and Ethical Considerations#

• Always Get Permission: Unauthorized scanning is illegal and unethical. Ensure you have explicit written permission from the network owner before conducting any scans.
• Start with Less Intrusive Scans: Begin with host discovery (-sn) before launching more aggressive port or vulnerability scans.
• Understand Scan Types: Know what each scan type does and its potential impact on the target network and services.
• Be Mindful of Network Bandwidth: Aggressive scans (especially -T5 or scanning all ports on many hosts) can consume significant bandwidth and potentially disrupt network services.
• Use Timing Templates Appropriately: Choose a timing template that matches the network conditions and your objectives. -T4 is a good general-purpose choice for friendly networks.
• IDS/IPS Evasion is Noisy: Techniques designed to evade firewalls or IDS can sometimes be even more noticeable to sophisticated monitoring systems.
• Keep Nmap Updated: New versions include updated service probes, OS fingerprints, NSE scripts, and bug fixes.
• Use Output Formats: Save your scan results, especially in XML (-oX) or Grepable (-oG) format, for later analysis and reporting.
• Consult Nmap Documentation: The official Nmap documentation (accessible via man nmap or on the nmap.org website) is an invaluable resource for detailed information on all options and features.

This guide provides a solid foundation for using Nmap. As you become more familiar with the tool, you’ll discover its vast capabilities for network exploration and security auditing. Remember to always use Nmap responsibly and ethically.