Nmap is one of the most accessible and most popular cybersecurity tools. It's the best port scanner on the market and open-source. It comes pre-installed in security-focused Linux distributions such as Kali Linux and Parrot OS. Nmap also comes as a python library, which can be used for implementing the functionality of Nmap in your computer scripts.
While Nmap is simple to start using, many features are not known to beginners. To help you master this tool, here is a list of the top tips and tricks you can use to improve your expertise with Nmap:
Zenmap is a graphical user interface (GUI) created for Nmap. By itself, Nmap is a command-line tool, which means it must be used in the terminal. This can make it more difficult to use because you must manually add the appropriate flags to create the type of scan you want. This tool eliminates the problem by offering a GUI, which provides much more intuitive usage than the traditional Nmap software. It gives you the option of storing scan results to be viewed later, which is not available with the command line.
Top Nmap commands you should know
Using Nmap flags
The default Nmap scan is " Nmap". However, you can get additional information by using flags at the end of the command. So one example of this would be "Nmap -O." The flag "-O" will attempt to identify the operating system of the target. This is important because different operating systems have different structures, vulnerabilities, and allow commands.
- A: This flag get OS fingerprinting and version detection
- Sv: This flag enables version detection
- Ss: Enables stealth scanning, which is important if you want to avoid alerting the owner of the system to the fact that you are scanning the system
- Sp: This does a ping to the target, commonly used to identify if the system is active or not
Perform a ping sweep using Nmap
A ping sweep is commonly used across a wide range of IP addresses to determine active and responsive ones. This is one of the first things you would do in a black box penetration test to figure out the target's network. The command is as follows:
Nmap -sP 192.168.0.* or Nmap -sP 192.168.0.0/24
Scan for servers with a specified port open
Say you suspect that a specific port will be open on a set of computers, Nmap gives you the option of scanning all servers in a range of IP addresses for a specific port using the command below (the example uses port 443):
nmap -sT -p 443 -oG – 192.168.1.* | grep open
Scan using a decoy IP address
The app offers a feature to scan a range of IP addresses using a decoy IP address. This way, your IP address won't show up in the security logs. This is important because if you're doing a security test without the awareness of the security staff, you want to go undetected for as long as possible. This will ensure your IP address isn't blocked, and you're able to continue the test undetected as long as possible. The first IP address is the target, and the second is the decoy IP address.
sudo nmap -sS 192.168.0.3 -D 192.168.0.21
Nmap vulnerability scan
Nmap has expanded past being just a port scanner, and now you can use it as a vulnerability scanner as well. It does this by searching for something called a CVE, which stands for common vulnerabilities and exposures. It has two very popular types of scripts called vulners and vulscan, which can be used along with its commands to scan remote and local targets for CVEs. You can find an example of the output here.
Nmap has a huge amount of features when it comes to information gathering. Not only is it open source and free to use, but it also comes with a GUI option for people that aren't comfortable with using the command line. Secondly, it can perform many different types of scans, all while hiding your IP address from possible detection. Lastly, it has expanded beyond being a simple port scanner to being a full-fledged vulnerability scanner.