Linux nmap Command with Practical Examples


Introduction

In this lab, we will explore the Linux nmap command, a powerful network discovery and security auditing tool. We will start by understanding the basics of nmap, including how to install it and perform simple network scans. Then, we will dive into more advanced nmap features, such as version detection and OS fingerprinting.

The lab covers the following steps:

  1. Understand the Basics of nmap
  2. Perform Network Scanning with nmap
  3. Utilize Advanced nmap Features

In this lab, we will be using the nmap command on an Ubuntu 22.04 Docker container. If you need to install nmap, the lab provides the necessary command. Overall, this lab aims to equip you with the knowledge and skills to effectively use nmap for network exploration and security assessment.


Understand the Basics of nmap

In this step, we will learn the basics of the nmap (Network Mapper) command, a powerful tool used for network discovery and security auditing. Nmap is a free and open-source utility that can be used to scan networks and hosts, identify running services, and detect potential vulnerabilities.

First, let's start by installing nmap on our Ubuntu 22.04 Docker container:

sudo apt-get update
sudo apt-get install -y nmap

Example output:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  liblinear6 libpcap0.8 libpcre2-8-0 libsqlite3-0 libssl-dev libssl1.1 zlib1g
Suggested packages:
  nmap-frontend
The following NEW packages will be installed:
  liblinear6 libpcap0.8 libpcre2-8-0 libsqlite3-0 libssl-dev libssl1.1 nmap zlib1g
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.

Now that we have nmap installed, let's explore some basic usage:

  1. Performing a simple TCP connect scan on a target host:
nmap 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

  2. Performing a more detailed scan with version detection and OS fingerprinting (OS detection needs raw socket access, so it is run with sudo):
sudo nmap -sV -O 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

In this step, we've learned the basic usage of the nmap command, including performing a simple TCP connect scan and a more detailed scan with version detection and OS fingerprinting. In the next step, we'll explore more advanced nmap features and techniques.

Perform Network Scanning with nmap

In this step, we will dive deeper into network scanning using nmap and explore some of its advanced features.

First, let's try a SYN scan (also called a half-open scan). It sends only the first packet of the TCP handshake and never completes the connection, which makes it faster and less likely to be logged by the target's applications; because it crafts raw packets it requires root privileges. Here we sweep a whole range of hosts:

sudo nmap -sS 192.168.1.1-254

Example output:

Starting Nmap scan on 192.168.1.0/24
Nmap scan report for 192.168.1.1
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Next, let's perform a UDP scan to identify open UDP ports:

sudo nmap -sU 192.168.1.100

Example output:

Starting Nmap UDP scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT    STATE SERVICE
123/udp open  ntp

We can also use nmap to scan a specific port range:

sudo nmap -p 1-1000 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Finally, let's try a TCP SYN scan with version detection and OS fingerprinting:

sudo nmap -sS -sV -O 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

In this step, we've learned how to perform various network scans using nmap, including SYN scans, UDP scans, port range scans, and scans with version detection and OS fingerprinting. These techniques can be useful for network discovery, security auditing, and troubleshooting.

Utilize Advanced nmap Features

In this final step, we will explore some advanced features of nmap and how they can be used for more sophisticated network scanning and analysis.

Let's start by performing a script scan to detect potential vulnerabilities on our target host:

sudo nmap -sV --script=vuln 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
| ssh-hostkey:
|   3072 c4:f8:9c:0c:cb:8a:d0:95:87:04:a9:44:b2:2e:ac:e5 (RSA)
|   256 ac:00:66:17:63:c0:80:9d:43:bd:ee:e9:a6:ca:e5:84 (ECDSA)
|_  256 f5:90:d8:9e:6b:b3:19:e5:7c:ab:02:5a:c1:4b:08:e4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     IDs:  CVE-2007-6750, CWE-476
|       Slowloris tries to keep many connections to the target web server open and hold
|       them for as long as possible.  This can effectively starve the web server of
|       resources, slowing it down or causing it to crash.
|
|     Disclosure date: 2009-09-03
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     IDs:  CVE-2007-6750, CWE-476
|       Slowloris tries to keep many connections to the target web server open and hold
|       them for as long as possible.  This can effectively starve the web server of
|       resources, slowing it down or causing it to crash.
|
|     Disclosure date: 2009-09-03
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/

We can also save the results of a scan to files. The -oA option writes all three of nmap's output formats at once, using the given base name:

sudo nmap -oA nmap_results 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

The results are saved in the following files:

  • nmap_results.nmap (normal, human-readable output)
  • nmap_results.gnmap (greppable output, one line per host)
  • nmap_results.xml (XML output for other tools to parse)

Finally, let's try a TCP SYN scan with service and version detection, OS fingerprinting, and script scanning:

sudo nmap -sS -sV -O -sC 192.168.1.100

Example output:

Starting Nmap scan on 192.168.1.100
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4.1 (protocol 2.0)
| ssh-hostkey:
|   3072 c4:f8:9c:0c:cb:8a:d0:95:87:04:a9:44:b2:2e:ac:e5 (RSA)
|   256 ac:00:66:17:63:c0:80:9d:43:bd:ee:e9:a6:ca:e5:84 (ECDSA)
|_  256 f5:90:d8:9e:6b:b3:19:e5:7c:ab:02:5a:c1:4b:08:e4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-server-header:
|   Apache/2.4.41 (Ubuntu)
|_  Server: Apache/2.4.41 (Ubuntu)
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
| http-server-header:
|   Apache/2.4.41 (Ubuntu)
|_  Server: Apache/2.4.41 (Ubuntu)
OS CPE: cpe:/o:linux:linux_kernel
OS details: Linux 5.4.0 - 5.15.0

In this final step, we've explored some advanced nmap features, including script scanning for vulnerability detection, saving scan results to files, and performing a comprehensive scan with service and version detection, OS fingerprinting, and script scanning. These techniques can be invaluable for network security assessment and troubleshooting.

Summary

In this lab, we learned the basics of the nmap (Network Mapper) command, a powerful tool used for network discovery and security auditing. We started by installing nmap on our Ubuntu 22.04 Docker container and then explored its basic usage, including performing a simple TCP connect scan and a more detailed scan with version detection and OS fingerprinting. We learned how to use the nmap command to identify running services and detect potential vulnerabilities on a target host. We then moved on to more advanced nmap features, including SYN and UDP scans, port range scans, script scanning, and saving results to files, to further enhance our network scanning and security assessment capabilities.
