If you give Nmap no options at all and just point it at a given host it will scan for open ports and report back those that are open, and what service is running on them. If you have hostnames instead of IP addresses, you can separate them with a space on the command line, like so: nmap -O
For example, to scan 10.0.0.1 through 10.0.0.42 to learn what OS they might be running I’d use nmap -O 10.0.0.1-42. Using the /24 notation would scan the whole range of hosts from 10.0.0.0 to 10.0.0.255. If you’re using IP addresses, you can specify a range like 10.0.0.1-6 or a range like 10.0.0.0/24. You can scan more than one host at a time using nmap. It may also be against your ISP’s terms of service to use some of Nmap’s more aggressive scan features, so be careful out there! Some admins don’t appreciate unexpected scans, so use best judgment and restrict scans to hosts that are on your own network or that you have permission to scan. The Nmap folks have a test host at that can be used for testing, so long as you’re not running any tests of exploits or Denial of Service (DoS) attacks. However, it’s a bad idea to run many scans against hosts you’re not in control of or don’t have permission to scan. You can use Nmap to scan virtually any host.
In the examples above, I chose a local router and one of my workstations in part because I have the permission to scan them. You may not be able to get an explicit identification of the operating system down to the version of Linux. Here we see that the system has an HP NIC (it’s an HP workstation), running the Linux kernel somewhere between Linux 2.6.19 and 2.6.31. Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds Here’s the result of another scan, against a desktop machine running Ubuntu 9.10: Starting Nmap 5.21 ( ) at 00:00 EST
As an added bonus, Nmap tells me that the device is one hop away, the MAC address of the device and manufacturer of the NIC, the open ports, and how long the scan took. I ran this particular scan against an Apple Airport Extreme router. Here it takes a guess at the operating system that might be running on the system.
Nmap done: 1 IP address (1 host up) scanned in 10.21 secondsĪs you can see, Nmap provides a lot of data. OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3 Canon imageRUNNER printer (5055, C3045, C3380, or C5185) Kyocera FS-4020DN printer or Xerox Phaser 8860MFP printer Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded When it finishes, you’ll see something like this: Starting Nmap 5.21 ( ) at 23:52 EST The scan might take a minute or so to run, so be patient. Note that Nmap requires root privileges to run this type of scan. Let’s say you want to scan a host to see what operating system it is running. The basic syntax for Nmap is Nmap Scan Type Options target.
You can find the sources and some binaries on the download page. The most recent release of Nmap came out in early 2010, so the most recent version (5.21) might not be in the current stable releases. You’ll find Nmap packaged for most major Linux distros. In this tutorial, I’ll cover some of the basics of using Nmap and provide some examples you can use quickly. Once you get to know Nmap a bit, you’ll notice that it makes all types of cameo appearances in movies. It is, in short, a very good tool to know. It can be used for security scans, simply to identify what services a host is running, to “fingerprint” the operating system and applications on a host, the type of firewall a host is using, or to do a quick inventory of a local network. What is Nmap? Short for “network mapper,” nmap is a veritable toolshed of functionality to perform network scans.
Ever wondered how attackers know what ports are open on a system? Or how to find out what services a computer is running without just asking the site admin? You can do all this and more with a handy little tool called Nmap.