Tag Archives: nmap

UbuntuVideCast: Scan a network or Systems with nmap

Share Button

This Article introduce popular port-scanner nmap and shows the basic usage of it. Who ever has to deal with networks will stumble across the phrase port-scanner, a branch of software which makes it possible to figure out what kind of services are offered on the network and what ports are being used. To use a port-scanner to check networks is a vital task but you should not scanning public networks just your own or the one you are responsible for.

There is almost no Linux Distribution available where it is not possible to install nmap with a packet-manager like apt-get or such. In general you should install nmap with your distributions packet manager.

Because the scanner has way more functionality then just scan systems it has dependencies of packages like openssl, libpcap and pcre. But those packages are available as adjusted nmap source code, so additional installation if not really necessary.

Who ever would like to make use of the graphical user interface zenmap needs to install python and pygtk.

First steps

For a simple scan of the first 1000 ports the only thing you need to do is to execute nmap with the desired target. You can enter just the hostname or just a simple IP address. As IP-Adresses are still IPv4-Adresses the standard; on the other hand if you would like to scan IPv6-Adresses, you need to use the switch -6 but I am showing just Ipv4. A scan of your own system can be done with the following:

nmap localhost

But the last command will scan the addresses from to
The output of a scan with address of your own system could deliver the following:

$ nmap

Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 02:11 CET
Nmap scan report for localhost.localdomain (
Host is up (0.00024s latency).
Not shown: 998 closed ports
22/tcp open ssh
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Like you can see from the output data, the SSH Service is available on this system. With systems scans like this one you can build your self a picture about the configuration of a system.

Read System-information

Different then the other port scanners nmap offers more information about a system and the services running on it. You can receive version information about services by using the -sV switch and to receive information about the Operating System you need to use the -O switch and for that you need to run it with root rights:

# nmap -O -sV

Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 03:22 CET
Nmap scan report for localhost.localdomain (
Host is up (0.000027s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
631/tcp open ipp CUPS 1.4
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 – 2.6.31
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.97 seconds

Set up scan ranges

In order to set up a range of ports there are different arguments for the -p switch. To scan the ports 1000 to 1010 use:

nmap -p 1000-1010

If you like to scan specific ports you can separate them with a comma:

nmap -p 22,80,443

In case you would like to scan all 65536 ports just set the dash right behind the -p switch:

nmap -p-

Furthermore nmap offers more possible ways to scan for ports for example the -F switch, with that switch nmap will scan the most 100 possible open ports. But to secure a system those are not pressing necessary.

Scan-timings and Host Discovery

For testing your own firewall you should make use of different scan timings. Nmap delivers for that reason the -Tx switch, were x is for the timing mode:

# Alias
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane

A so called quick scan can be done with:

nmap -T4 -F

You don’t have to try all 6 timings but you should try 2 different timings to see the behavior of the firewall for example. Because some systems block pings it is recommended to use the switch -PN where Nmap scans every system regardless of ping response.

For more information about scan timing you will find on the Nmap-Projectpage.