Nmap is one of those programs that I can’t live without. Whether I’m using it to learn more about my own network or somebody else’s network, it gives me a much better picture of what other devices are on the network without having to physically see the device.
Scanning your network
One of the basic ways to discover devices is to use a ping sweep with Nmap. This sends a ping (ICMP echo request) to a single device or a range of devices. It used to be that hosts that dropped ICMP echo requests would show up as being down in Nmap. Newer versions of Nmap are able to detect that a host is up even if it doesn’t respond to a ping. (Try ping microsoft.com and see what it responds with.)
Pinging a single device
nmap -sP 192.168.0.1
Results
Nmap scan report for 192.168.0.1
Host is up (0.055s latency).
Pinging a range of IP addresses
nmap -sP 192.168.0.1-5
Results
Nmap scan report for 192.168.0.1
Host is up (0.0046s latency).
Nmap scan report for 192.168.0.3
Host is up (0.016s latency).
Nmap scan report for 192.168.0.5
Host is up (0.000098s latency).
Pinging the entire network
nmap -sP 192.168.0.0/24
Results
Nmap scan report for 192.168.0.1
Host is up (0.055s latency).
Nmap scan report for 192.168.0.3
Host is up (0.014s latency).
Nmap scan report for 192.168.0.5
Host is up (0.00029s latency).
Nmap scan report for 192.168.0.100
Host is up (0.0090s latency).
The last command sends a ping to every address of the form 192.168.0.x, i.e. all 256 addresses in the 192.168.0.0/24 block. (The /24 is shorthand for the subnet mask 255.255.255.0.)
Device Enumeration
Once we have a list of devices on our network we may want to know some information about them. Simply typing the command nmap along with the IP address or name of the device will return which ports are open on the device and Nmap’s guess at the service running on each port. For example, when I run nmap on my own machine I get the following:
nmap 192.168.0.5
PORT     STATE SERVICE
22/tcp   open  ssh
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
631/tcp  open  ipp
3689/tcp open  rendezvous
What if I want some more information like what version of ssh am I running? Use the -sV flag.
nmap -sV 192.168.0.5
Results
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 5.2 (protocol 2.0)
88/tcp   open  kerberos-sec Mac OS X kerberos-sec
139/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open  printer
631/tcp  open  ipp          CUPS 1.4
3689/tcp open  daap         Apple iTunes DAAP 9.0.3
Service Info: OS: Mac OS X
Also notice that we get some extra information, such as the OS I’m running and the workgroup my Samba shares are on.
Now let’s take what we learned and put them together. How would I get information on all devices on my network?
nmap -sV 192.168.0.0/24
The output of this is too long to include here, but I think you get the idea: it displays all the service information (along with service versions) for every host on the network.
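A network-wide -sV scan is most useful when you compare it against what you expect to be running. The script below is an added example, not part of the original post: it parses the normal Nmap output format shown above (the "Nmap scan report for" header, the "Host is up" latency line and the PORT/STATE/SERVICE/VERSION table) into a per-host inventory, then reports any open port that is not on a per-host allow-list. The sample scan text and the allow-list are constructed for the example; the function and field names are my own. For real pipelines Nmap’s XML output (-oX) is easier to parse reliably than the human-readable format.

```python
import re

# Constructed sample of `nmap -sV` normal output for two hosts (not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for router.local (192.168.0.1)
Host is up (0.055s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.2 (protocol 2.0)
80/tcp   open  http    lighttpd 1.4.28

Nmap scan report for 192.168.0.5
Host is up (0.00029s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.2 (protocol 2.0)
515/tcp  open  printer
631/tcp  open  ipp         CUPS 1.4
3689/tcp open  daap        Apple iTunes DAAP 9.0.3
Service Info: OS: Mac OS X
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
# port/proto, state, service, optional free-text version column
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {ip: {"name": hostname or None, "latency": float, "ports": [...]}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            name, ip = m.groups()
            key = ip or name                 # prefer the IP when a name is shown
            current = {"name": name if ip else None, "latency": None, "ports": []}
            hosts[key] = current
            continue
        if current is None:                  # text before the first host header
            continue
        m = UP_RE.match(line)
        if m:
            current["latency"] = float(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:                                # header and "Service Info" lines don't match
            port, proto, state, service, version = m.groups()
            current["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
    return hosts


def unexpected_open_ports(hosts, allowed):
    """List (ip, port, service) for open ports not in allowed[ip] (unknown hosts: all ports)."""
    findings = []
    for ip, info in hosts.items():
        ok = allowed.get(ip, set())
        for p in info["ports"]:
            if p["state"] == "open" and p["port"] not in ok:
                findings.append((ip, p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_OUTPUT)
    # Constructed allow-list: what we believe should be listening on each host.
    expected = {"192.168.0.1": {22, 80}, "192.168.0.5": {22}}
    for ip, port, service in unexpected_open_ports(inventory, expected):
        print(f"{ip}: unexpected open port {port} ({service})")
```

Run it against saved output from nmap -sV 192.168.0.0/24 and anything printed is a port you did not know about on your own network, which is exactly the kind of thing the scan is for.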
That’s the basics of using nmap. With the ideas presented here, you should be able to find out most of what you need to know about the devices on the network you are currently connected to.