Nmap Tutorial: Installation, Basic Scanning, and Output Management

Introduction

In this lab, we will explore the installation and basic usage of Nmap, a powerful network scanning and security auditing tool. Nmap, short for Network Mapper, is an open-source utility used by system administrators and security professionals to discover hosts, services, and vulnerabilities on a network. This lab will guide you through the process of installing Nmap, setting up a local service to scan, and performing basic scans to understand Nmap's capabilities.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("`Linux`")) -.-> linux/PackagesandSoftwaresGroup(["`Packages and Softwares`"]) linux(("`Linux`")) -.-> linux/FileandDirectoryManagementGroup(["`File and Directory Management`"]) linux(("`Linux`")) -.-> linux/BasicFileOperationsGroup(["`Basic File Operations`"]) linux(("`Linux`")) -.-> linux/ProcessManagementandControlGroup(["`Process Management and Control`"]) cysec(("`Cyber Security`")) -.-> cysec/NmapGroup(["`Nmap`"]) linux/PackagesandSoftwaresGroup -.-> linux/apt("`Package Handling`") linux/FileandDirectoryManagementGroup -.-> linux/mkdir("`Directory Creating`") linux/BasicFileOperationsGroup -.-> linux/touch("`File Creating/Updating`") linux/ProcessManagementandControlGroup -.-> linux/bg_process("`Background Management`") cysec/NmapGroup -.-> cysec/nmap_installation("`Nmap Installation and Setup`") cysec/NmapGroup -.-> cysec/nmap_basic_syntax("`Nmap Basic Command Syntax`") cysec/NmapGroup -.-> cysec/nmap_common_ports("`Nmap Common Ports Scanning`") cysec/NmapGroup -.-> cysec/nmap_output_formats("`Nmap Output Formats`") cysec/NmapGroup -.-> cysec/nmap_save_output("`Nmap Save Output to File`") cysec/NmapGroup -.-> cysec/nmap_port_scanning("`Nmap Port Scanning Methods`") cysec/NmapGroup -.-> cysec/nmap_service_detection("`Nmap Service Detection`") subgraph Lab Skills linux/apt -.-> lab-280251{{"`Nmap Installation and Setup`"}} linux/mkdir -.-> lab-280251{{"`Nmap Installation and Setup`"}} linux/touch -.-> lab-280251{{"`Nmap Installation and Setup`"}} linux/bg_process -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_installation -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_basic_syntax -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_common_ports -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_output_formats -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_save_output -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_port_scanning -.-> lab-280251{{"`Nmap Installation and Setup`"}} cysec/nmap_service_detection -.-> lab-280251{{"`Nmap Installation and Setup`"}} end

Installing Nmap

In this step, we will install Nmap on your Ubuntu Linux system. Nmap is available in the default Ubuntu repositories, making the installation process straightforward.

First, open your terminal. By default, you should be in the /home/labex/project directory. If not, navigate there using the following command:

cd /home/labex/project

Now, let's update the package list and install Nmap:

sudo apt update
sudo apt install nmap -y

The sudo command allows you to run commands with administrative privileges. The -y flag automatically answers "yes" to any prompts during the installation process.

After the installation is complete, verify that Nmap was installed correctly by checking its version:

nmap --version

You should see output similar to this (note that your version might be different):

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

This output confirms that Nmap is installed and provides information about the version and compilation options.

Setting Up a Local Service for Scanning

Before we start scanning with Nmap, it's useful to have a service running that we can target. In this step, we'll set up a simple HTTP server using Python's built-in http.server module.

First, let's create a new directory for our HTTP server:

mkdir -p /home/labex/project/http-server
cd /home/labex/project/http-server

Now, let's create a simple HTML file that our server will serve:

echo "<html><body><h1>Welcome to the Nmap Lab</h1></body></html>" > index.html

This command creates a file named index.html with a basic HTML structure and a welcome message.

Next, we'll start the Python HTTP server:

python3 -m http.server 8000

This command starts a simple HTTP server on port 8000.

Open a new terminal tab or window to continue.

To verify that the server is running, you can use the curl command:

curl http://localhost:8000

You should see the HTML content we created earlier:

127.0.0.1 - - [13/Sep/2024 15:24:21] "GET / HTTP/1.1" 200 -
<html><body><h1>Welcome to the Nmap Lab</h1></body></html>

Basic Nmap Scanning

Now that we have Nmap installed and a local service running, let's perform some basic scans to understand how Nmap works.

First, let's perform a simple TCP connect scan on our local HTTP server:

nmap -sT -p 8000 localhost

In this command:

-sT specifies a TCP connect scan
-p 8000 tells Nmap to scan only port 8000
localhost is the target of our scan

You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

This output shows that port 8000 is open and running an HTTP service.

Now, let's perform a more detailed scan that attempts to determine the version of the service running:

nmap -sV -p 8000 localhost

The -sV option tells Nmap to probe open ports to determine service/version info.

You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE VERSION
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

This output provides more detailed information about the service running on port 8000, including the fact that it's a Python SimpleHTTPServer.

You can view the Nmap requests in the logs of the terminal where you started the Python HTTP server.

Scanning Multiple Ports

In real-world scenarios, you often need to scan multiple ports or even entire port ranges. Let's explore how to do this with Nmap.

First, let's scan the most common 1000 ports on localhost:

nmap localhost

Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 15:29 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3001/tcp open  nessus
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

This command, without any port specification, will scan the top 1000 most common ports. You should see a list of open, closed, and filtered ports.

Now, let's scan all 65535 ports:

nmap -p- localhost

The -p- option tells Nmap to scan all ports from 1 to 65535. This scan will take longer to complete.

Finally, let's scan a specific range of ports:

nmap -p 1-1000 localhost

This command scans ports 1 through 1000.

Output Formats and Saving Results

Nmap provides various output formats that can be useful for different purposes. In this step, we'll explore some of these formats and learn how to save scan results.

First, let's perform a scan and save the output in normal format:

nmap -oN normal_output.txt localhost

The -oN option tells Nmap to save the output in normal format to the specified file.

Now, let's save the output in XML format:

nmap -oX xml_output.xml localhost

The -oX option saves the output in XML format, which can be useful for parsing with scripts or importing into other tools.

Finally, let's save the output in grepable format:

nmap -oG grepable_output.txt localhost

The -oG option saves the output in a format that's easy to parse with tools like grep.

You can view the contents of these files using the cat command, for example:

cat normal_output.txt

Summary

In this lab, we explored the fundamental aspects of Nmap, a powerful network scanning and security auditing tool. We began by installing Nmap on an Ubuntu Linux system and verifying its installation. We then set up a local HTTP server to provide a target for our scans, demonstrating how to create a simple service for testing purposes.

We progressed through various scanning techniques, starting with basic port scans and moving on to more detailed service version detection. We learned how to scan specific ports, port ranges, and even all 65535 ports on a system. This knowledge is crucial for understanding the network landscape and identifying potential vulnerabilities.

Finally, we explored Nmap's output options, learning how to save scan results in different formats including normal text, XML, and grepable output. These output formats are essential for documentation, further analysis, and integration with other security tools.

Through this lab, you've gained practical experience with Nmap, setting a foundation for more advanced network scanning and security auditing tasks. Remember, while Nmap is a powerful tool for understanding network structures and identifying potential security issues, it should always be used responsibly and with proper authorization.

Nmap Installation and Setup