Starting out with Nmap

Nmap is one of those programs that I can’t live without.  Whether I’m using it to learn more about my own network or somebody else’s, it gives me a much better picture of what devices are on the network without my having to physically see them.

Scanning your network

One of the basic ways to discover devices is to use a ping sweep with Nmap (the -sP flag; newer versions call it -sn, and the old flag still works as an alias).  This sends a probe to a single device or a range of devices. It used to be that hosts that dropped ICMP echo requests (ping) would show up as being down in Nmap. Newer versions of Nmap can still detect such a host because the sweep is not only an ICMP ping: run as root, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and on the local Ethernet segment it uses ARP requests, which a host cannot filter the way it can filter ping. Run without root it falls back to TCP connects to ports 80 and 443. (Try ping microsoft.com and see what it responds with.)

Pinging a single device

nmap -sP 192.168.0.1

Results

Nmap scan report for 192.168.0.1
Host is up (0.055s latency).

Pinging a range of IP addresses

nmap -sP 192.168.0.1-5

Results

Nmap scan report for 192.168.0.1
Host is up (0.0046s latency).
Nmap scan report for 192.168.0.3
Host is up (0.016s latency).
Nmap scan report for 192.168.0.5
Host is up (0.000098s latency).

Pinging the entire network

nmap -sP 192.168.0.0/24

Results

Nmap scan report for 192.168.0.1
Host is up (0.055s latency).
Nmap scan report for 192.168.0.3
Host is up (0.014s latency).
Nmap scan report for 192.168.0.5
Host is up (0.00029s latency).
Nmap scan report for 192.168.0.100
Host is up (0.0090s latency).

The last command sends a probe to every address from 192.168.0.0 through 192.168.0.255, i.e. every device whose IP address starts with 192.168.0.  (The /24 is CIDR short-hand for the subnet mask 255.255.255.0: the first 24 bits are the network part.)

Device Enumeration

Once we have a list of devices on our network we may want to know some information about them.  Simply typing the command nmap along with the IP address or name of the device returns which of the 1,000 most commonly used TCP ports are open on the device, together with the service usually found on each port.  That service name is a lookup by port number in Nmap’s nmap-services table, not a check of what is actually listening, so treat it as a guess.  (As root Nmap does this with a SYN scan; otherwise it uses a full TCP connect scan.)  For example, when I run nmap on my own machine I get the following:

nmap 192.168.0.5

Results

PORT     STATE SERVICE
22/tcp   open  ssh
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
631/tcp  open  ipp
3689/tcp open  rendezvous

What if I want some more information, like what version of ssh I’m running?  Use the -sV flag.  This makes Nmap connect to each open port and match the banner or response against its service-probe database instead of trusting the port number.

nmap -sV 192.168.0.5

Results

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 5.2 (protocol 2.0)
88/tcp   open  kerberos-sec Mac OS X kerberos-sec
139/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open  printer
631/tcp  open  ipp          CUPS 1.4
3689/tcp open  daap         Apple iTunes DAAP 9.0.3
Service Info: OS: Mac OS X

Also notice we get some extra information, such as the OS I’m running and the workgroup my Samba shares are on.  Port 3689, which the plain port scan labelled rendezvous from the port-number table, is now identified as iTunes DAAP from its actual response.

Now let’s take what we learned and put them together.  How would I get information on all devices on my network?

nmap -sV 192.168.0.0/24

The output of this is too long for here, but I think you get the idea; it’ll display all the service information (along with service versions) for all hosts on the network.  Expect it to take a good deal longer than the ping sweep, since Nmap now has to port-scan every live host and then talk to every open port it finds.
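Putting the ping sweep and the -sV enumeration together as a script, as an added example that is not from the original post: it uses Nmap’s greppable output (-oG -) so a shell pipeline can pick out the hosts that answered the sweep and run version detection only against those, rather than against all 256 addresses. The sample scan lines inside the block are constructed to mirror the results above, not captured from a real network; nmap is assumed to be on the PATH only for sweep_and_enumerate, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a subnet, then run
# -sV only on the hosts that answered, using Nmap's greppable output so
# the two steps can be chained with plain awk.

# Print one IP per line for every host Nmap marked "Status: Up".
# Reads the greppable (-oG) output of a ping sweep on stdin.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Turn greppable -sV output into "ip port/proto service version" lines,
# one per open port.  Fields on a Host line are tab-separated; the Ports:
# field is a comma-separated list of port/state/proto/owner/service/rpc/version/
# entries, so a version string containing ", " would be split (rare).
open_services() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1
            sub(/^Host: /, "", ip)
            sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i
                sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] != "open") continue
                    line = ip " " f[1] "/" f[3] " " f[5]
                    if (f[7] != "") line = line " " f[7]
                    print line
                }
            }
        }'
}

# Real run: sweep the subnet, then version-scan only the responders.
# -sn is the current name for -sP; -oG - writes greppable output to stdout.
# Needs nmap on the PATH; run as root to get the ARP/ICMP probes.
sweep_and_enumerate() {
    net="${1:-192.168.0.0/24}"
    tmp=$(mktemp)
    nmap -sn -oG - "$net" | live_hosts > "$tmp"
    nmap -sV -oG - -iL "$tmp" | open_services
    rm -f "$tmp"
}

# Constructed sample of -sn -oG output, shaped like the sweep above.
sample_sweep() {
    printf '# Nmap scan initiated (constructed sample) as: nmap -sn -oG - 192.168.0.0/24\n'
    printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.3 (printer.local)\tStatus: Up\n'
    printf 'Host: 192.168.0.5 ()\tStatus: Up\n'
    printf '# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned\n'
}

# Constructed sample of -sV -oG output for one host, shaped like the
# version scan above (a Status line followed by a Ports line).
sample_versions() {
    printf 'Host: 192.168.0.5 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.2 (protocol 2.0)/, 515/open/tcp//printer///, 631/open/tcp//ipp//CUPS 1.4/, 3689/open/tcp//daap//Apple iTunes DAAP 9.0.3/\tIgnored State: closed (996)\n'
}

# Stand-alone demo on the constructed samples; the real thing is
# `sweep_and_enumerate 192.168.0.0/24`.
sample_sweep | live_hosts
sample_versions | open_services
```

The greppable format is stable across Nmap versions, which is why it is the one to parse rather than the human-readable report; for anything more involved than this, -oX and an XML parser are the better choice.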

That’s the basics of using nmap.  With the ideas presented here, you should be able to find out most information about the devices on the network you are currently connected to.
