What Is Nmap and How to Use It to Enhance Network Security
Nmap is short for Network Mapper, an open-source tool for host discovery, port scanning and service/version detection. Network and system administrators use it for network inventory, managing service upgrade schedules, and monitoring host and service uptime. It started out as a Linux tool but is now also available for Windows and macOS.
Users can also run Nmap on less common systems such as Solaris, AIX, or AmigaOS. The core is written in C and C++ (the Zenmap GUI in Python, the Nmap Scripting Engine scripts in Lua), the source is available, and the tool can be built and customized for different environments.
Admins and penetration testers use it to check which devices are on their network, which ports those devices have open, and which exposed services might be vulnerable.
What Is Nmap Used For?
Basically, Nmap lets the user map a network quickly and helps a team harden networks and protect data. It is used for penetration testing and ethical hacking and, of course, for less honourable purposes, since attackers use the same tool for reconnaissance. A more recent use is discovering and fingerprinting IoT devices and the servers they talk to. Nmap was created by the American network security expert Gordon Lyon (Fyodor).
Below is a list of the most important Nmap functionalities:
Nmap shows which devices are connected to the network and which ports they listen on. From a scan of an address range, the team can see how servers, routers, switches, and other devices are connected and how they work together, and from that build a network map.
You can use Nmap to check which ports are open, closed, or filtered. This comes in handy for IT teams who want to verify that their firewalls work as intended, and for anyone who wants to know what an attacker's port scan against them would reveal.
Nmap also helps discover how exposed the network is to a specific threat. When a new vulnerability is published for a specific piece of software, or a specific version of it, a version scan shows whether any connected machine runs that software. The IT team then has a heads-up and can patch in time rather than after the fact.
It helps the IT team discover which operating systems run on each device. On the local network segment the scan also reveals the hardware vendor of the network interface, taken from the MAC address. More interestingly, OS detection can determine the OS family and version, and often the estimated uptime of the endpoint.
Check for Shadow IT
Nmap shows both the type and the network location of machines connected to the network. This helps admins discover any unauthorized device, i.e. shadow IT, on their network. Shadow IT is often hidden, and even if these machines are not malicious, they are a risk factor: they are not covered by the security program, are not included in patch management, and so on.
Unlike simpler mapping tools, Nmap helps discover the role of each device in the network. It shows which one is a mail or web server, a storage device, a database, etc. In addition, Nmap shows which applications are running and even which version is in use.
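The two checks described above, finding hosts that still expose a service version you want gone and finding hosts that are not on the asset inventory, can be answered from Nmap's grepable output format (`-oG`) without any extra tooling. The script below is an added example written for this page; it is not code from the original article or from the Nmap project. The subnet and file paths are placeholders, the scan output it parses is a constructed sample (not a real scan), and the only format it relies on is the documented `-oG` layout, where each `Ports:` entry is `port/state/proto/owner/service/rpcinfo/version`.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Nmap: post-process
# Nmap's grepable output (-oG) to answer two inventory questions offline.
set -eu

# Real scan (needs nmap installed and permission to scan the range).
# The target range and output path are placeholders.
scan_subnet() {          # $1 = target range, $2 = output file
    nmap -sV -oG "$2" "$1" >/dev/null
}

# Print "ip<TAB>port/proto<TAB>version" for every open port whose detected
# version matches the awk regex in $1. The -oG file is tab separated and each
# "Ports:" entry is port/state/proto/owner/service/rpcinfo/version.
hosts_with_service() {   # $1 = regex, $2 = grepable file
    awk -F'\t' -v pat="$1" '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open" && f[7] ~ pat)
                        printf "%s\t%s/%s\t%s\n", ip, f[1], f[3], f[7]
                }
            }
        }' "$2"
}

# Print every scanned address that is absent from the inventory file
# ($1: one IP per line, "#" comments allowed), each address once.
unknown_hosts() {        # $1 = inventory file, $2 = grepable file
    awk 'NR == FNR { if (NF && $1 !~ /^#/) known[$1] = 1; next }
         /^Host:/ && !($2 in known) && !($2 in seen) { seen[$2] = 1; print $2 }' "$1" "$2"
}

# Constructed sample of -oG output (not from a real scan). Tabs are written
# with printf because the format is tab separated.
write_sample_scan() {    # $1 = output file
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.10 (fileserver.lan)\tStatus: Up\n'
        printf 'Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 445/open/tcp//microsoft-ds?///\tIgnored State: closed (998)\n'
        printf 'Host: 192.168.1.20 (legacy-box.lan)\tStatus: Up\n'
        printf 'Host: 192.168.1.20 (legacy-box.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6 ((CentOS))/\tIgnored State: closed (998)\n'
        printf 'Host: 192.168.1.77 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.77 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)\n'
    } > "$1"
}

# Constructed inventory: the two machines the team knows about.
write_sample_inventory() {   # $1 = output file
    printf '%s\n' '# ip  owner' '192.168.1.10 fileserver' '192.168.1.20 legacy-box' > "$1"
}

scan=$(mktemp) inv=$(mktemp)
write_sample_scan "$scan"; write_sample_inventory "$inv"
echo "Hosts still running OpenSSH 7.x:"; hosts_with_service 'OpenSSH 7[.]' "$scan"
echo "Hosts not in the inventory:";      unknown_hosts "$inv" "$scan"
rm -f "$scan" "$inv"
```

In practice you would replace the sample writers with `scan_subnet 192.168.1.0/24 scan.gnmap` and point both parsers at that file. The version column is a free-text banner, so match on a regex rather than an exact string, and treat an empty version as "unknown", not as "safe".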
How to Use Nmap in Linux
Linux users can either use binary packages (from their distribution or from Nmap.Org) or compile Nmap from source.
- Binary packages are usually the quicker and easier choice. Distribution packages are slightly customized to use the distribution's standard directory paths, and they fit the normal package management workflow for upgrading, uninstalling, or auditing software on the system. However, packages created by the distributions always lag behind the Nmap.Org source releases, which is a downside even though most Linux distros keep them fairly up to date.
- Compiling from source gives you more control over how Nmap is built and tailored for your system. You can find out more about this on the official Nmap page.
How to Run Nmap on Windows
Since its release in 2000, the Windows port has become the second most popular platform for Nmap. As a Windows user, you can choose between three ways of installing it:
- Windows self-installer – This is the easiest option and therefore most users' favorite. It also installs the Zenmap GUI and the other bundled tools.
- Command-line zip binaries – Each Nmap release ships the Windows command-line binaries and associated files in a zip archive. There is no graphical interface, so the user opens a command prompt to run nmap.exe.
- Compile from source code – For those willing to help develop Nmap, compiling from source is the best option. For this you'll need Microsoft Visual C++ 2019. Any of the Visual Studio 2019 editions should work, including the free Visual Studio 2019 Community.
You can find more information and installation steps for all three options on the official Nmap download page.
How to Run Nmap on MacOS
Nmap binaries for Apple macOS (x86-64) are distributed as a disk image containing an installer, which installs Nmap, Zenmap, Ncat, and Ndiff. They were tested on Mac OS X 10.9 and newer versions.
macOS users have several options for installing Nmap:
- Executable installer – This is the easiest way to install Nmap and Zenmap on a Mac.
- Compile from source code – For this you'll need Xcode, Apple's developer toolset. It is not installed by default, so you have to download it from the Mac App Store. Good news: it's free of charge.
- Use third-party packages – The third option for installing Nmap on macOS is to use a system that packages Unix software. The official Nmap page recommends either Fink or MacPorts.
5 Other Open-Source Network Scanning Tools Besides Nmap
Nmap may be the most famous network scanning tool, but it sure isn't the only one. See below some of the other mainstream options:
- Metasploit Framework
Metasploit started as an open-source penetration testing tool, and the Framework is still open source; its vendor, Rapid7, also sells a commercial edition (Metasploit Pro). It is used to find and exploit vulnerable services on a network rather than just to scan for them.
- Snort
Snort is an open-source, free network intrusion detection tool. Based on protocol analysis and content inspection, it detects different kinds of network attacks, such as worms and port scans, so it is also what would spot an Nmap scan against your network.
- OpenSSH
This open-source tool is dedicated to the UNIX environment. SSH, short for Secure Shell, establishes secure, encrypted communication over an insecure network link between untrusted hosts. By encrypting the traffic and authenticating the hosts, it mitigates eavesdropping, untrustworthy connections, and connection hijacking between two hosts. Strictly speaking it is a secure remote access tool rather than a scanner.
Here is another free network security scanning tool. It provides full network scanning, web server and application scanning, and WordPress scanning too.
- Angry IP Scanner
Also open source, Angry IP Scanner provides not only IP address scanning but port scans too. It gives you information such as hostname, NetBIOS name, MAC address, workgroup, etc.
Top 5 Most Used Nmap Commands for System Administrators
- Ping scan: use > nmap -sn 192.168.1.1/24 to list the hosts that are up on the /24 network without port scanning them (-sP is the older spelling of the same option).
- Scan a single host: use > nmap scanme.nmap.org to scan one host for the 1,000 most commonly used TCP ports, which covers services such as SSH, SMTP, HTTP (Apache) and the usual database servers. scanme.nmap.org is a host the Nmap project explicitly allows you to scan.
When pen testing, the IT team needs to find out which application versions are in use. They can then search the Common Vulnerabilities and Exposures (CVE) database for known vulnerabilities in that version of the service and test how the network responds.
Use the `-sV` option to do a version scan: > nmap -sV scanme.nmap.org.
The `-A` option enables OS detection, version detection, script scanning, and traceroute. Aggressive scans return more information than regular ones, but they send out far more probes, so they are noisier and easier for the target's sysadmins or an IDS to spot during a security audit. To perform an aggressive scan use > nmap -A scanme.nmap.org.
Scanning Multiple Hosts
Scanning multiple hosts helps those who manage a large network infrastructure. There are four ways to specify the targets (192.168.1.x is used below as an example private range):
- List the IP addresses one after another to scan all of them at once: > nmap 192.168.1.1 192.168.1.2 192.168.1.3
- Use an asterisk (*) to scan a whole subnet at once: > nmap 192.168.1.* (quote the argument if your shell would expand the asterisk itself)
- Don't repeat the whole address; use commas to separate the last octets: > nmap 192.168.1.1,2,3,4
- Use a hyphen to indicate a range of IP addresses: > nmap 192.168.1.1-255
Since port scanning is one of Nmap's main features, there is more than one way to do it:
- Use the `-p` option to scan a single port: > nmap -p 973 192.168.1.1
- Nmap lets you restrict a port list to one protocol by prefixing it with T: (TCP) or U: (UDP); the prefix applies to the ports that follow it, and UDP ports are only scanned when `-sU` is also given. No spaces are allowed in the list: > nmap -p T:7777,973 192.168.1.1
- To scan a whole range of ports, separate the ends with a hyphen: > nmap -p 76-973 192.168.1.1
- Use the `--top-ports` option to scan the n most commonly open ports: > nmap --top-ports 10 scanme.nmap.org
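The commands above are usually chained: a ping scan first to find what is up, then a version scan of only those hosts on a chosen port list. The script below is an added example for this page, not code from the original article or from Nmap. It checks the port spec syntax before handing it to Nmap (the original list shows how a stray space breaks it), reads the live hosts out of the stage-1 grepable output, and builds the stage-2 arguments, adding `-sU` only when a `U:` group is present. The target range is a placeholder and the stage-1 output it parses is a constructed sample, not a real scan.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Nmap: a two-stage sweep
# (ping scan, then version scan of the hosts that answered).
set -eu

# Accept the port-spec forms used on this page: numbers, ranges, comma lists,
# optional T:/U: prefixes, and no spaces. Nmap itself also accepts forms such
# as "-" (all ports) and service names; this check is deliberately narrower.
valid_port_spec() {      # $1 = port spec
    printf '%s' "$1" | grep -Eq '^([TU]:)?[0-9]+(-[0-9]+)?(,([TU]:)?[0-9]+(-[0-9]+)?)*$'
}

# Addresses marked "Status: Up" in a -sn -oG file, one per line.
live_hosts() {           # $1 = grepable file from stage 1
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Stage-2 arguments. -sU is added only when a U: group is present, because
# UDP ports in the list are ignored without it. Printed, not executed, so
# the result can be inspected or checked.
stage2_args() {          # $1 = port spec, $2 = file of live hosts (one per line)
    valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 1; }
    case "$1" in
        *U:*) printf -- '-sV -sU -p %s -iL %s\n' "$1" "$2" ;;
        *)    printf -- '-sV -p %s -iL %s\n' "$1" "$2" ;;
    esac
}

# Run the whole sweep for real (needs nmap; -sU additionally needs root).
# The target range is a placeholder.
sweep() {                # $1 = target range, $2 = port spec
    disc=$(mktemp) live=$(mktemp)
    nmap -sn -oG "$disc" "$1" >/dev/null
    live_hosts "$disc" > "$live"
    # shellcheck disable=SC2046  (word splitting of the argument list is intended)
    nmap $(stage2_args "$2" "$live")
    rm -f "$disc" "$live"
}

# Constructed stage-1 output (not a real scan) so the parsing can be tried offline.
write_sample_discovery() {   # $1 = output file
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.1 (gateway.lan)\tStatus: Up\n'
        printf 'Host: 192.168.1.10 (fileserver.lan)\tStatus: Up\n'
        printf 'Host: 192.168.1.20 (legacy-box.lan)\tStatus: Up\n'
        printf '# Nmap done (constructed) -- 256 IP addresses (3 hosts up) scanned\n'
    } > "$1"
}

d=$(mktemp); write_sample_discovery "$d"
echo "Live hosts:"; live_hosts "$d"
echo "Stage 2 would run: nmap $(stage2_args 'T:22,80,443,U:53' "$d")"
rm -f "$d"
```

To use it against a real range, call `sweep 192.168.1.0/24 'T:22,80,443,U:53'`. Keep the stage-1 file: diffing successive `live_hosts` outputs is the cheapest way to notice a device that was not there yesterday.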
Heimdal® Network DNS Security
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPS protection, HIPS and HIDS;
How Can Heimdal® Help Secure Your Network
Nmap is a great tool for any system administrator who wants to test their network. It has been in use since 1997 and is still going strong. But there is also a dark side to this network scanning tool: threat actors use it just as readily as the good guys do. So keep your network safe from attacks that target zero-day vulnerabilities, and choose the most up-to-date and effective cybersecurity solution on the market.
Heimdal DNS Network Security lets you properly secure not only the endpoints but any device connected to your network.
By merging local and cloud filtering, we created a solution with a minimal system footprint. But that's not all that is special about our product. Heimdal's Machine Learning (ML) engineers built and trained a neural network for DarkLayer Guard – Network that makes predicting malicious DNS traffic possible.
This state-of-the-art solution has doubled Heimdal's rate of correct detections and extended the algorithm's capacity to detect malicious domains that the human eye usually overlooks.