Introduction

Network Mapper (Nmap) is a free, open-source network security scanning tool. By sending IP packets and analyzing the responses, Nmap can discover information about hosts and services on remote computer networks.

Nmap can also audit the security of a device, identify vulnerabilities in your network, or perform an inventory check with relative ease.

This tutorial shows how to install Nmap on Linux and explains Nmap’s most important features.


Prerequisites

  • A user with sudo privileges
  • Access to a command line

Installing Nmap on Linux

Installing Nmap is straightforward and requires only a single command.

How to Install Nmap on Debian / Ubuntu

1. Install Nmap on Debian or Ubuntu by entering the following command:

sudo apt-get install nmap

2. The system prompts you to confirm the installation by typing y.


3. After the installation is finished, verify the installed version of Nmap by entering:

nmap --version

In this example, the version is 7.60.


How to Install Nmap on CentOS / RHEL

1. To install Nmap on an RHEL-based Linux distribution, type the following command:

sudo yum install nmap

This is an example of the output in CentOS 7.


2. Confirm the installation by typing y.


3. As on other Linux distributions, once the installation is complete, check the version of Nmap by entering:

nmap --version

In this example, the installed version for CentOS 7 is 6.40.


How to Use the Nmap Security Scanner on Linux

Once you complete the installation process, Nmap commands are identical regardless of the Linux distribution. Nmap provides a list of scanned targets along with supplemental information, based on the options and arguments used.

This article covers the basic options the tool has to offer. For a full list of options, visit the official Nmap page or open the manual from your command line:

man nmap

Note: It is important to emphasize that aggressive port scanning to find open ports without permission can be interpreted as malicious by third-party organizations.


Scan IP range or subnet

To obtain general information about a remote system, type:

sudo nmap target_IP or domain.com

Instead of scanning individual IPs, scan a whole IP range by defining it on the command line:

sudo nmap 185.52.53.2-222

The following command scans the entire specified subnet:

sudo nmap 185.52.53.0/24

Port Scanning with Nmap

Nmap is an efficient port scanner that recognizes six port states:

  • open – actively accepting TCP connections, UDP datagrams or SCTP associations
  • closed – accessible; however, no application is listening on the port
  • filtered – nmap cannot determine whether the port is open due to packet filtering
  • unfiltered – the port is accessible; however, nmap is unable to determine if it is open or closed
  • open|filtered – nmap cannot determine if a port is open or filtered
  • closed|filtered – nmap cannot establish if a port is closed or filtered

Port Specification and Scan Order

By default, Nmap scans the 1,000 most common ports for each protocol. It also offers options for specifying which ports are to be scanned, and whether the scan order is random or sequential.

The -p option allows you to specify port ranges and sequences:

sudo nmap -p 80,443 185.52.53.222

This command scans ports 80 and 443 for the defined host.

TCP SYN scan

Use a TCP SYN scan for a fast and unobtrusive scan. Because this scan type never completes the TCP handshake, it is often referred to as half-open scanning.

To run a TCP SYN scan, use the command:

sudo nmap -sS 185.52.53.222

Nmap: Scan Speed, Aggression, and Verbosity

Scan Speed

Scanning a large number of hosts is time-consuming. Nmap has an option to define the speed and thoroughness of the scan. Understandably, scans that need to avoid IDS alerts are slower.

Scan speed designations (timing templates) start at T0 and go up to T5. The higher the number, the faster and more aggressive the scan is deemed.

Scan Output

The results of sophisticated tests and algorithms need to be presented in an understandable and structured manner to be useful. The -v option increases verbosity and forces Nmap to print more information about the scan in progress.

Open ports are shown in real-time and completion time estimates are provided.
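Beyond the human-readable output, Nmap can write its results as XML with the -oX option, which is the form a defender feeds into an inventory check. The following added example (not code from the original article or from the Nmap project) parses a constructed, trimmed XML report, groups each live host's ports by the six port states listed earlier, and flags open ports that are missing from an approved service baseline; the sample addresses come from the RFC 5737 test range.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of Nmap's XML output (as written with -oX), trimmed to the
# elements this parser reads; addresses come from the RFC 5737 test range.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.0.2.0/30" version="7.60">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><extraports state="filtered" count="996"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {addr: {"ports": {state: [(proto, port, service)]}, "extraports": {state: count}}}."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # a host that never answered carries no port data
        addr = host.find("address").get("addr")
        entry = {"ports": defaultdict(list), "extraports": {}}
        ports = host.find("ports")
        for port in ports.findall("port") if ports is not None else []:
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            entry["ports"][port.find("state").get("state")].append(
                (port.get("protocol"), int(port.get("portid")), name))
        # <extraports> summarises the ports Nmap did not list individually
        for extra in ports.findall("extraports") if ports is not None else []:
            entry["extraports"][extra.get("state")] = int(extra.get("count"))
        entry["ports"] = dict(entry["ports"])
        inventory[addr] = entry
    return inventory

def unexpected_open(inventory, baseline):
    """Open (addr, proto, port) tuples that are not in the approved service baseline."""
    found = {(a, p, n) for a, e in inventory.items()
             for p, n, _ in e["ports"].get("open", [])}
    return sorted(found - baseline)
```

Run against a real report, `unexpected_open` gives the list a defender reviews: services that are reachable but were never approved.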

Aggressive Scan

The -A option enables a comprehensive set of scan features. It turns on:

  • OS (Operating System) detection, also available with the -O option
  • version scanning, also available with the -sV option
  • script scanning, also available with the -sC option
  • traceroute, also available with the --traceroute option

Nmap accepts multiple host specifications on the command line, and they do not need to be of the same type.

We can combine the options listed above to detect the OS and service versions, run script scanning, and perform a traceroute. We can also use -A together with -T4 for faster execution. Additionally, the -Pn option tells Nmap not to initiate a ping scan:

sudo nmap -A -T4 -v -Pn phoenixnap.com

The output compiles and presents the information from the scan we requested.


Conclusion

Now you know how to install and use Nmap on your Linux system. Nmap has many available options and can be a powerful and versatile scanning tool to discover network vulnerabilities.
