How to Use Nmap to Scan a Network: A Step-by-Step Guide

Using different scanning techniques, Nmap can help you identify the devices, services, and operating systems active on the network. With this information, you can perform a more comprehensive penetration test to uncover any vulnerabilities in the system.

This article will show you how to use Nmap to scan a network and explain the different scan types and options. We will then walk you through scanning an entire network and show you which scans and options to use.

Finally, we will touch on mitigating disruption while performing these Nmap scans.

Table Of Contents
  1. Install Nmap
  2. Nmap Command Generator
  3. Ensure You Have Permission
  4. Select Network Range
  5. Scan Types
  6. Scan Option
  7. Scanning an Entire Network Walkthrough
  8. Disruption Mitigation
  9. Conclusion
  10. Frequently Asked Questions

Install Nmap

Some of the most common penetration testing distributions, such as Kali, Parrot, and Black Arch, already include Nmap in their list of tools. If you need to install Nmap on something like Ubuntu, refer to our article “How to Install Nmap on Ubuntu: A Comprehensive Guide.” You can also install Nmap on Windows or MacOS.

Nmap Command Generator

Say goodbye to the hassle of trying to remember the exact syntax for your Nmap commands! With our Nmap Command Generator, you can simply say what you need Nmap to do, and we will generate the command for you.

Ensure You Have Permission

Before scanning a network with Nmap, you will need explicit permission from the network owner, or if performing a penetration test, you will need a clearly defined scope of work. This scope of work, often detailed in a “Rules of Engagement,” outlines what systems can be tested, what types of tests can be performed, and any limitations or restrictions on the testing activities. Also, before beginning, ensure you have the correct IP addresses for the network you are authorized to test. Misconfigurations or misunderstandings about the target IP range can lead to scanning or testing systems outside your authorized scope, which could lead to legal issues or unintended disruptions.

Select Network Range

Once you have the correct permissions to scan the network with Nmap, your next step is to ensure you have the correct IPs. This could be a specific list of addresses or the whole network, also known as a subnet. An example of a subnet is 192.168.1.0/24, represented as a CIDR (Classless Inter-Domain Routing) notation. CIDR notation, in simple terms, is a way to describe a group of IP addresses. In our example, 192.168.1.0 is the beginning of the group, and the /24 tells you how many addresses are included in the subnet. Our subnet has 256 addresses, 254 of which are usable for hosts.

Scan Types

Now, we will show you a few scan types that can be used, what they do, and when they would be useful.

| Scan type | What does it do? | Useful for? |
| --- | --- | --- |
| TCP Connect Scan (-sT) | Establishes a full TCP connection with each target port to determine whether the port is open. | When you want a reliable method to identify open ports on a target system and you are not as concerned about being stealthy. |
| SYN Scan (-sS) | Sends a TCP SYN packet to each target port and analyzes the responses to determine whether the port is open. | When you want to quickly and discreetly identify open ports on a target system without alerting intrusion detection systems or disrupting normal operations. |
| Comprehensive (-sS -sU -sV -A -p-) | Performs a thorough scan of the target, checking all possible ports, identifying the OS and service versions, and running additional checks through script scanning. | When you want to conduct an in-depth analysis of a target system, identifying open ports, the operating system, and service versions across all possible ports. |

For more information on the TCP Connect Scan and the SYN Scan, see our article “Nmap Host Discovery: Your First Step in Ethical Hacking.” And for more detail on the flags used in the Comprehensive Scan, see “The Top 20 Nmap Commands You Must Know.”

Scan Option

Scanning an Entire Network Walkthrough

Next, we will demonstrate how to scan an entire network. We'll check for live IP addresses, determine OS versions, identify common services, and uncover any existing vulnerabilities. We'll also output the scan results to files for future reference.

Throughout this process, we'll strive to minimize network disruption as much as possible. For our example, we will be using the subnet of 192.168.52.0/24.

Check for Live Hosts

Our first step is to check the network for any live hosts, as this will enable us to focus our scanning on only the necessary hosts. We will do this by sending a ping to each host on the network. If we get a response, we can assume the host is live.

sudo nmap -sn 192.168.52.0/24 -oN live_hosts.txt

(Figure: Nmap scan for live hosts)

As you can see from the Nmap scan report, we have discovered six live hosts that we can use to investigate further.

OS Detection

Now that we have our list of live hosts, our next step is to check for operating systems. We need to extract the IP addresses from the saved file and create a new one. You can use the following command to create a new file called ip-addresses.txt that will include only the live IP addresses.

grep "Nmap scan report for" live_hosts.txt | awk '{print $NF}' | tr -d '()' > ip-addresses.txt
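The same extraction as an added Python example (not code from the article): it parses the normal-output file from the live-host scan, handles both the bare-IP and the "hostname (IP)" forms of the report line, and keeps only addresses inside the authorized range from the "Select Network Range" section, so a mistyped CIDR cannot carry out-of-scope hosts into the later scans. The scan output below is constructed for the example, and the file name ip-addresses.txt matches the walkthrough.

```python
import ipaddress
import re

# Constructed sample of "nmap -sn ... -oN" normal output (not real scan data). The scan
# was mistyped as a /23, so one discovered host falls outside the authorized /24.
SAMPLE_LIVE_HOSTS = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn 192.168.52.0/23 -oN live_hosts.txt
Nmap scan report for 192.168.52.1
Host is up (0.0012s latency).
Nmap scan report for router.lab (192.168.52.2)
Host is up (0.0030s latency).
Nmap scan report for 192.168.52.130
Host is up (0.0100s latency).
Nmap scan report for 192.168.53.7
Host is up (0.0200s latency).
# Nmap done at Mon Jan  1 10:00:05 2024 -- 512 IP addresses (4 hosts up) scanned in 5.12 seconds
"""

# Matches "Nmap scan report for 1.2.3.4" and "Nmap scan report for name (1.2.3.4)".
# Lines such as "... 1.2.3.4 [host down]" (printed only with -v) deliberately do not match.
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")

def extract_live_ips(report_text):
    """Return the IP of every live host in the report, in order, whether or not it resolved."""
    return [m.group(1) for m in map(REPORT_RE.match, report_text.splitlines()) if m]

def split_by_scope(ips, authorized_cidrs):
    """Partition IPs into (in_scope, out_of_scope) against the authorized CIDR blocks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in authorized_cidrs]
    in_scope, out_of_scope = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        (in_scope if any(addr in n for n in nets) else out_of_scope).append(ip)
    return in_scope, out_of_scope

def write_target_list(report_text, authorized_cidrs, path="ip-addresses.txt"):
    """Write only in-scope IPs to the file the later -iL scans read; return both lists."""
    in_scope, out_of_scope = split_by_scope(extract_live_ips(report_text), authorized_cidrs)
    with open(path, "w") as fh:
        fh.writelines(ip + "\n" for ip in in_scope)
    return in_scope, out_of_scope

if __name__ == "__main__":
    ok, bad = write_target_list(SAMPLE_LIVE_HOSTS, ["192.168.52.0/24"])
    print("written to ip-addresses.txt:", ok)
    print("dropped as out of scope:", bad)
```

Anything reported in the out-of-scope list is a sign the host-discovery range itself needs to be corrected before continuing.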

Now we can run our Nmap OS detection scan with the following:

sudo nmap -iL ip-addresses.txt -O -oN os_detection.txt

(Figures: Nmap OS detection command; Nmap OS detection scan output)

Our Nmap scan results show us what it believes is the host's operating system. This information is important as it can help us understand potential vulnerabilities of the OS.

Nmap checks the OS of each target by sending a series of specially crafted TCP and UDP packets and then analyzing the responses. Different operating systems respond in different ways, and Nmap compares the responses it receives against a database of known OS fingerprints.

However, it’s important to note that Nmap makes a best guess and may not always be accurate.

Service Scan

Now that we have determined what operating systems are running on some of the hosts, we can move on to checking for common services running. This is beneficial because it allows you to identify the specific services and versions running on the target, providing valuable context about potential vulnerabilities.

nmap -iL ip-addresses.txt -sV -oN common_services.txt

(Figure: Nmap service detection)

Our Nmap scan reveals the different services and even versions of those services running on the host. This is incredibly valuable information, as different versions of services can have different vulnerabilities. With this information, you can create a plan moving forward.

Nmap identifies services by sending probes to each open port. Each service responds differently, and Nmap uses these responses to identify the type of service and often its version.
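To turn the service scan into something you can plan from, here is an added Python example (not code from the article) that parses the -sV normal-output file into one record per port and groups open ports by the exact product and version string Nmap reported, so identical versions across hosts are visible at a glance. The scan output is constructed for the example; the trailing "?" on a service name is Nmap's own marker for an unconfirmed guess.

```python
import re
from collections import defaultdict

# Constructed sample of "nmap -sV -oN" normal output (not real scan data).
SAMPLE_SERVICE_SCAN = """\
Nmap scan report for 192.168.52.2
Host is up (0.0030s latency).
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.6
Nmap scan report for web01.lab (192.168.52.130)
Host is up (0.0100s latency).
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp   open     http     nginx 1.18.0
443/tcp  open     ssl/http nginx 1.18.0
3306/tcp filtered mysql
8080/tcp open     http-proxy?
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
# PORT/PROTO  STATE  SERVICE  [VERSION ...]; STATE may be compound, e.g. open|filtered.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_service_scan(report_text):
    """Return one dict per port line: host, port, proto, state, service, guessed, version."""
    records, host = [], None
    for line in report_text.splitlines():
        h = HOST_RE.match(line)
        if h:
            host = h.group(1)          # every following port line belongs to this host
            continue
        p = PORT_RE.match(line)
        if p and host:
            port, proto, state, service, version = p.groups()
            records.append({"host": host, "port": int(port), "proto": proto, "state": state,
                            "service": service.rstrip("?"),
                            "guessed": service.endswith("?"),   # Nmap's unconfirmed-guess marker
                            "version": version.strip()})
    return records

def inventory_by_version(records):
    """Map each product/version string to the sorted (host, port) pairs running it.
    Only open ports count; ports with no version string are grouped under 'unknown'."""
    inv = defaultdict(set)
    for r in records:
        if r["state"] == "open":
            inv[r["version"] or "unknown"].add((r["host"], r["port"]))
    return {k: sorted(v) for k, v in inv.items()}
```

The "unknown" group is the list of ports to revisit with a deeper probe, since an unversioned service cannot be matched against known vulnerabilities.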

Vuln Scan

Next, we will run a vulnerability scan on our live hosts to identify potential weaknesses that could be exploited. This scan will leverage the Nmap scripting engine to check for a wide range of known vulnerabilities.

nmap -iL ip-addresses.txt --script vuln -oN vulnerabilities.txt

(Figure: Nmap vuln scan)

As you can see, the Nmap scripting engine provides a wealth of information that we can use to better understand our target system and its potential vulnerabilities. Whether it's outdated software, misconfigurations, or even potential entry points into the system, the Nmap vuln scan can help us create a plan of attack.

To learn more about vulnerability scanning with Nmap, see our article “How to Scan Vulnerabilities With Nmap: A Comprehensive Guide.”

Disruption Mitigation

Let’s discuss ways you can mitigate disruption to a network when performing different types of Nmap scans.

We need to first warn you about the potential risks involved while performing Nmap scans. While these tasks are essential to a penetration test, they can also overwhelm or disrupt a network if not done properly.

This can lead to downtime, so understanding the impact of any scans you perform is important.

Here is some advice that can help you avoid network disruption.

Conclusion

Learning to use Nmap to scan a network entails many different elements. We discussed ensuring you have the correct permission to perform your scans and selecting your network range, and we showed you different scan types and options.

We walked you through scanning an entire network, from checking for live hosts to OS detection, service, and vuln scans.

Finally, we discussed avoiding network disruption by following basic guidelines and using the appropriate flags.

With all this information, you should be well on your way to using Nmap to scan a network,