The Nmap Security Scanner, written by Fyodor, is a widely used security and network administration tool that can be used to perform a port scan of remote systems. A port scan lets the Nmap user know which services are available on a system and whether these services are accessible through a firewall.
This article discusses features that are available in Nmap 5.0 and higher. To download Nmap and access other related security resources, please visit www.insecure.org.
Conducting a Basic Nmap Scan from the Command Line
While a GUI front-end (Zenmap) now exists, Nmap has traditionally been used by administrators from the command line in both Windows and Unix/Linux environments. When a basic Nmap scan is performed without any additional options, the following will occur:
- Your system will scan the 1,000 most commonly used TCP ports on your target(s). These ports were enumerated by Fyodor when he conducted an Nmap scan against every host on the Internet and compiled the end results. The scan type conducted is a standard SYN scan.
- Nmap will randomize the order in which the ports are scanned. If you wish for the ports to be scanned in sequential order, perhaps to test your IDS/IPS capabilities, use the -r option.
- In addition to scanning ports, Nmap will attempt to retrieve the MAC address associated with the remote IP address(es) being scanned and resolve the MAC address to its associated manufacturer.
- If an IP address is specified as the scan target, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the scanned host(s).
In the following example, Nmap is used to conduct a basic port scan of the system at 192.168.2.38.
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-06 23:12 Eastern Standard Time
Interesting ports on webserver.company.net (192.168.2.38):
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-term-serv
MAC Address: 00:1C:23:55:55:55 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
As you can see, the above scan discovered two open TCP ports on the system, indicated by the open state. The remaining 998 scanned ports were reported as closed because no services were listening on them. By default, Nmap guesses which service is running on each open port based on the common usage of that port number.
In our example, because Nmap determined that TCP 80 and TCP 3389 are open on the system, it reports that the two services that appear to be running are HTTP (to act as a web server on TCP port 80) and Microsoft's Terminal Services (for remote access to the system on TCP port 3389). To have Nmap perform additional tests on open ports to determine which service is truly running on a port, use the -sV (Service) scan option.
Each system has 65,535 TCP and 65,535 UDP ports. The standard Nmap scan only scans the 1,000 most commonly used ports to help expedite scan times.
In addition to the discovered services that were running on the system, the system was determined to be a Dell system based on its MAC address (00:1C:23:55:55:55). Nmap also performed a reverse DNS lookup to resolve the target's IP address of 192.168.2.38 to webserver.company.net.
If you see a port state reported as filtered, this means that Nmap's access to the port has been blocked. Typically, this result indicates that a firewall has prevented the Nmap scan from reaching the system on the filtered ports.
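An administrator can check a report like the one above against an approved-services baseline. The following is an added example, not code from the original article or the Nmap project; the second host in the sample, the `allowed` sets and the function names `parse_report` and `audit` are assumptions made for illustration.

```python
import re

# Constructed input: this article's Nmap 5.00 report plus a made-up second host.
SAMPLE = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-06 23:12 Eastern Standard Time
Interesting ports on webserver.company.net (192.168.2.38):
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-term-serv
MAC Address: 00:1C:23:55:55:55 (Dell)
Interesting ports on 192.168.2.39:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.05 seconds
"""

HOST = re.compile(r"^Interesting ports on (?:(\S+) \()?([\d.]+)\)?:$")
HIDDEN = re.compile(r"^Not shown: (\d+) (\S+) ports$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")

def parse_report(text):
    """Return one dict per host found in Nmap 5.x normal output."""
    hosts = []
    for line in map(str.strip, text.splitlines()):
        if m := HOST.match(line):
            hosts.append(dict(name=m[1], ip=m[2], hidden=None, mac_vendor=None, ports=[]))
        elif not hosts:
            continue  # banner lines before the first host
        elif m := HIDDEN.match(line):
            hosts[-1]["hidden"] = (int(m[1]), m[2])  # e.g. (998, "closed")
        elif m := PORT.match(line):
            hosts[-1]["ports"].append((int(m[1]), m[2], m[3], m[4]))
        elif m := MAC.match(line):
            hosts[-1]["mac_vendor"] = m[2]
    return hosts

def audit(host, allowed):
    """Flag open ports outside the approved (port, proto) set, and filtered ports."""
    findings = []
    for port, proto, state, service in host["ports"]:
        if state == "open" and (port, proto) not in allowed:
            findings.append(f"{host['ip']} {port}/{proto} open, not approved (guessed: {service})")
        elif state == "filtered":
            findings.append(f"{host['ip']} {port}/{proto} filtered, check firewall rule")
    return findings
```

The service name in each finding is labelled as guessed because, without -sV, it comes only from the port number.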
As you can see, Nmap can perform a basic scan in order to determine common services that are running on a remote system.