Network Mapper (Nmap) is an indispensable, open-source network discovery and security auditing tool used by system administrators, DevOps engineers, and penetration testers worldwide. This comprehensive 2600+ word guide will cover the fundamentals of scanning subnets using Nmap while also highlighting some advanced functionality.
Overview of Nmap Capabilities
First released in 1997 by Gordon Lyon under the pseudonym Fyodor, Nmap has grown over the past 25 years to become likely the most powerful and versatile network scanner available today. Some key capabilities include:
Host Discovery: Nmap can rapidly sweep networks for live hosts even in complex, diverse environments. Through raw packet crafting and analysis, Nmap provides insights well beyond simple ping sweeps.
Port Scanning: Nmap accurately detects open ports on discovered hosts by sending specially structured packets and analyzing response patterns. Common scans like TCP connect, SYN, and UDP scans provide flexibility to probe firewall rulesets.
Version Detection: Nmap can interrogate open ports to match banner grabs and behavior against fingerprints for over 16,000 applications to derive version numbers and other metadata.
Operating System Detection: By examining subtle OS behavioral phenomena in responses, Nmap can guess the OS family, generation, version and even patch level with surprisingly high accuracy.
Scriptable Scanning: Nmap's scripting engine with over 600 scripts allows extensive vulnerability scanning, advanced recon and automation of common networking tasks.
These capabilities and thousands of advanced options make Nmap invaluable for exploring internal and external networks alike.
Obtaining the Subnet Range
To scope out a subnet scan, first you need to determine the actual subnet mask, defining the IP address range to scan through.
On Linux/macOS this mask can be obtained using the ifconfig command (on Linux distributions that no longer ship ifconfig, ip -4 addr shows the same information, already in CIDR form):
user@linux$ ifconfig | grep netmask
inet 192.168.0.14 netmask 255.255.255.0 broadcast 192.168.0.255
Here the mask is 255.255.255.0 (a /24 prefix in CIDR notation, which is the form used in the Nmap commands below) – meaning the associated IP subnet has host addresses ranging from 192.168.0.1 to 192.168.0.254 available to scan.
On Windows ipconfig can be used instead to examine interface details:
> ipconfig
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . . . :
Link-local IPv6 Address......... : fe80::3d8b:e175:a324:f19e%4
IPv4 Address.................. : 192.168.0.101
Subnet Mask................... : 255.255.255.0
Default Gateway............... : 192.168.0.1
This shows the Windows host IP address, subnet mask and gateway IP.
Now with the scope defined Nmap can scan the range.
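As an added example (not part of the original guide), the following POSIX shell script turns the address and dotted-decimal netmask read from ifconfig or ipconfig into the CIDR target and host range that the Nmap commands below expect. The /24 inputs are the addresses shown in the output above; the /26 and /32 inputs are constructed to show that the usable range is not always .1 to .254.

```sh
#!/bin/sh
# Added example, not from the original guide: derive the Nmap target
# specification (network/prefix) and the usable host range from an
# interface's IPv4 address and netmask. Pure POSIX sh arithmetic.

# Dotted quad -> 32-bit integer (e.g. 192.168.0.14 -> 3232235534).
ip_to_int() {
  a=${1%%.*}; rest=${1#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length (255.255.255.0 -> 24). Rejects non-contiguous
# masks such as 255.0.255.0, which would otherwise yield a misleading range.
mask_to_prefix() {
  m=$(ip_to_int "$1")
  bits=0
  while [ $(( m & 2147483648 )) -ne 0 ]; do   # while the top bit is set
    bits=$(( bits + 1 ))
    m=$(( (m << 1) & 4294967295 ))
  done
  if [ "$m" -ne 0 ]; then                      # leftover ones: gap in the mask
    echo "invalid netmask: $1" >&2
    return 1
  fi
  echo "$bits"
}

# Address + netmask -> "network/prefix first-host last-host broadcast".
subnet_range() {
  prefix=$(mask_to_prefix "$2") || return 1
  ip=$(ip_to_int "$1")
  mask=$(ip_to_int "$2")
  net=$(( ip & mask ))
  bcast=$(( net | (~mask & 4294967295) ))
  if [ "$prefix" -ge 31 ]; then
    # /31 (point-to-point) and /32 reserve no addresses: every one is a host.
    echo "$(int_to_ip "$net")/$prefix $(int_to_ip "$net") $(int_to_ip "$bcast") -"
  else
    echo "$(int_to_ip "$net")/$prefix $(int_to_ip $(( net + 1 ))) $(int_to_ip $(( bcast - 1 ))) $(int_to_ip "$bcast")"
  fi
}

# Worked examples with the addresses from the ifconfig and ipconfig output above.
subnet_range 192.168.0.14 255.255.255.0     # 192.168.0.0/24 192.168.0.1 192.168.0.254 192.168.0.255
subnet_range 192.168.0.101 255.255.255.0    # the same /24 as seen from the Windows host
# Constructed /26 mask: the scannable range is no longer .1 to .254.
subnet_range 192.168.0.101 255.255.255.192  # 192.168.0.64/26 192.168.0.65 192.168.0.126 192.168.0.127
```

The first field of each result is what you hand to Nmap as the target; the second and third bound the addresses a host can actually hold, which is what a sweep of the range should report back.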
Basic Host Discovery in Subnets
The most basic Nmap subnet scan simply pings each address to discover live hosts, without scanning any ports. This leverages ICMP echo requests and replies to detect target responsiveness (on a directly attached Ethernet segment Nmap sends ARP requests instead, which is also how it learns the MAC addresses shown in the output below):
nmap -sP 192.168.0.1/24
By specifying the -sP flag for a ping scan (the legacy spelling of -sn, which current releases still accept as an alias) combined with the subnet range as input, Nmap will probe every address and aggregate results showing which IPs respond:
Starting nmap 7.92 (https://nmap.org)
Nmap scan report for 192.168.0.1
Host is up (0.0025s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.14
Host is up (0.0030s latency).
Nmap scan report for 192.168.0.205
Host is up (0.0049s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.48 seconds
In addition to noting responsive IPs, Nmap also prints MAC vendor information if it can link observed MAC addresses to known manufacturer prefixes.
Now we have a simple list of occupied IPs on the network. But Nmap offers far richer host discovery capabilities using raw packet manipulation we can explore.
Advanced Host Discovery
Beyond simple ping sweeps, Nmap has advanced host discovery functions encompassing a variety of packet types including:
- TCP ACK probes on common ports (80, 443 etc)
- TCP SYN probes to scan ports stealthily
- UDP probes on commonly available services
- SCTP INIT packets for firewall rule detection
- ICMP address mask requests
For example, we can probe more quietly with just TCP SYN packets (-sS is a SYN port scan; -PS sends SYN probes purely for host discovery):
nmap -sS 192.168.0.1/24
Or probe more lightly still with UDP only, limited to the 25 most common UDP ports:
nmap -sU --top-ports 25 192.168.0.1/24
Top port specification, throttling, and parallelization allow highly customized scans tailored to specific environments.
Nmap will combine these approaches under the hood with ping sweeps to provide extremely reliable host discovery. If a host shows signs of life from even one probe type, Nmap will detect and report it as "up".
This packet wizardry extracts maximum knowledge of the network footprint prior to any intrusive traffic that may set off alarms prematurely. Understanding what systems exist on the network also informs exploit and penetration decisions later on.
Granular Port Scans
Once we know addresses of live hosts, further probing specific ports can reveal services. By default Nmap scans TCP ports 1-1000 but this is configurable.
We can choose specific ports to check connectivity status:
nmap -p22,80,443 192.168.0.1/24
Or scan a larger set of the most commonly open ports:
nmap --top-ports 5000 192.168.0.1/24
This will scan the 5000 most common TCP ports derived from Internet traffic studies.
Port specifications can get quite advanced, combining protocols, lists and ranges. The U: ports are only scanned when a UDP scan type is also requested, so the command asks for both a SYN scan and a UDP scan:
nmap -sS -sU -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1/24
Breaking down the syntax here:
- U: prefixed ports use UDP rather than TCP
- T: equates to standard TCP (the default)
- A prefix applies to every port that follows it until the next prefix
- Ports separated by commas are discrete values
- Port ranges indicated by dash
This lets us tune scans very precisely to utilize appropriate protocols depending on service likelihood.
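As an added example (not part of the original guide), this POSIX shell function parses the -p syntax broken down above and expands a specification into one "protocol port" line per port, so the exact set of ports a scan will touch can be reviewed before anything is sent. It is a stand-alone parser written for this page; it does not invoke nmap. Open-ended forms such as -1024 or 1024- are rejected here rather than defaulted.

```sh
#!/bin/sh
# Added example, not from the original guide: expand an Nmap -p port
# specification into individual "proto port" lines. Pure POSIX sh.

expand_ports() {
  proto=tcp                 # items before any prefix are treated as TCP here
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs   # split the list on commas
  for item; do
    # A U:/T:/S: prefix switches protocol for this and all following items.
    case $item in
      U:*) proto=udp;  item=${item#U:} ;;
      T:*) proto=tcp;  item=${item#T:} ;;
      S:*) proto=sctp; item=${item#S:} ;;
    esac
    # A dash denotes an inclusive range; anything else is a single port.
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-} ;;
      *)   lo=$item;      hi=$item ;;
    esac
    # Validate before expanding: empty halves, non-digits, reversed or
    # out-of-range bounds all abort with a non-zero status.
    if [ -z "$lo" ] || [ -z "$hi" ]; then
      echo "empty port in spec: '$item'" >&2; return 1
    fi
    case "$lo$hi" in *[!0-9]*) echo "non-numeric port: '$item'" >&2; return 1 ;; esac
    if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
      echo "bad port range: '$item'" >&2; return 1
    fi
    p=$lo
    while [ "$p" -le "$hi" ]; do
      echo "$proto $p"
      p=$(( p + 1 ))
    done
  done
}

# Number of ports a specification expands to for one protocol (tcp/udp/sctp).
count_ports() {
  expand_ports "$1" | grep -c "^$2 "
}

# Worked example: the specification used in the command above.
spec='U:53,111,137,T:21-25,80,139,8080'
expand_ports "$spec"
echo "tcp ports: $(count_ports "$spec" tcp), udp ports: $(count_ports "$spec" udp)"   # 8 and 3
```

Running the expansion over a specification before a scan also makes it obvious when a U: group has been given without -sU, since those lines would never correspond to traffic Nmap actually sends.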
Understanding open ports and associated services in a network is crucial during penetration tests and attack surface evaluation. This intelligence guides exploitation approaches.
Operating System Fingerprinting
Beyond addresses and ports, Nmap has an advanced capability to detect underlying operating system versions by examining nuanced protocol behaviors of responses.
OS detection is disabled by default; enable it with -O (it needs raw-socket privileges, so run as root or Administrator):
nmap -O 192.168.0.1/24
This leverages a constantly updated fingerprint database, currently covering over 16,000 applications, devices and OS flavors.
Sample output often highlights the highest accuracy guesses:
Nmap scan report for 192.168.0.23
Host is up (0.0015s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3389/tcp open ms-wbt-server
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X (95%)
OS CPE: cpe:/o:linux:linux_kernel:2.6
While not perfect, accuracy substantially above 90% is achievable for common platforms. This comprehension of the OS landscape on a network guides exploit selection and customization for advanced penetration testers.
Granular Version Scanning
Nmap's powerful version scanning takes the previous OS detection a step further to identify application versions specifically. This leverages protocol behavior profiling and banner grabbing fingerprint matching just like OS detection.
Activate using:
nmap -sV 192.168.0.1/24
Against an Apache web server this might produce:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS))
Through exhaustive behavioral analysis, Nmap matched observed protocol quirks against its fingerprint database updated with 16,000+ application profiles.
With the http-* NSE scripts enabled alongside -sV (for example --script http-*), additional details like cookie flags, CORS policy, enumerated paths, server headers and page titles provide immense detail:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-cors:
|_ No CORS detected.
| http-enum:
| /wordpress/: Blog
| /index.php: Wordpress version: 4.6.1
|_ /server-status: Apache
| http-headers:
| Date: Wed, 21 Sep 2022 07:48:54 GMT; Content-Type: text/html; charset=UTF-8
| Server: Apache/2.4.6 (CentOS) PHP/5.4.16
| X-Powered-By: PHP/5.4.16
| http-server-header:
| Apache/2.4.6 (CentOS) PHP/5.4.16
|_ X-Powered-By: PHP/5.4.16
| http-title: Welcome | WordPress
|_Requested resource was /login.php
|_http-trane-info: Problem with XML parsing of /evox/about
This actionable service insight empowers penetration testing workflows.
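As an added example (not part of the original guide), the following POSIX shell and awk functions turn the host-discovery output shown earlier and the port/version tables shown in this section into two inventory checks a defender can repeat after every scan: hosts that have appeared since a baseline sweep, and open ports that are not on an allow-list. The scan reports are constructed from the output samples in this guide and written to temporary files (the OpenSSH version string is made up for illustration); in practice, feed saved nmap -oN output to the same functions.

```sh
#!/bin/sh
# Added example, not from the original guide: inventory checks over Nmap
# normal output. POSIX sh plus awk; sample reports are constructed inline.

# Print one IP per "Nmap scan report for ..." line (handles "name (ip)" too).
live_hosts() {
  awk '/^Nmap scan report for / { h = $NF; gsub(/[()]/, "", h); print h }' "$@"
}

# Hosts in the current sweep ($2) that were absent from the baseline sweep ($1).
new_hosts() {
  awk '/^Nmap scan report for / {
         h = $NF; gsub(/[()]/, "", h)
         if (FILENAME == ARGV[1]) seen[h] = 1       # first file: remember baseline
         else if (!(h in seen)) print h            # second file: report newcomers
       }' "$1" "$2"
}

# Flatten port tables into "ip port/proto state service [version]" rows.
parse_ports() {
  awk '/^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
       /^[0-9]+\/(tcp|udp|sctp) / {
         line = host " " $1 " " $2 " " $3
         for (i = 4; i <= NF; i++) line = line " " $i   # version text, if any
         print line
       }' "$@"
}

# Open ports not listed in an allow-list file of "ip port/proto" lines ($1).
unexpected_ports() {
  parse_ports "$2" | awk -v allow="$1" '
    BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
    $3 == "open" && !(($1 " " $2) in ok)'
}

# --- constructed sample data, modelled on the output shown in this guide ----
workdir=$(mktemp -d)
cat > "$workdir/sweep-baseline.txt" <<'EOF'
Nmap scan report for 192.168.0.1
Host is up (0.0025s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.14
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.10 seconds
EOF
cat > "$workdir/sweep-today.txt" <<'EOF'
Nmap scan report for 192.168.0.1
Host is up (0.0025s latency).
MAC Address: 44:32:C8:70:29:7E (Technicolor CH USA)
Nmap scan report for 192.168.0.14
Host is up (0.0030s latency).
Nmap scan report for 192.168.0.205
Host is up (0.0049s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.48 seconds
EOF
cat > "$workdir/services.txt" <<'EOF'
Nmap scan report for 192.168.0.23
Host is up (0.0015s latency).
Not shown: 991 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http          Apache httpd 2.4.6 ((CentOS))
3389/tcp open  ms-wbt-server
EOF
cat > "$workdir/allowed.txt" <<'EOF'
192.168.0.23 22/tcp
192.168.0.23 80/tcp
EOF

echo "new hosts since baseline:";         new_hosts "$workdir/sweep-baseline.txt" "$workdir/sweep-today.txt"
echo "open ports outside the allow-list:"; unexpected_ports "$workdir/allowed.txt" "$workdir/services.txt"
```

Both checks flag exactly what an administrator would want to look at from these samples: the new 192.168.0.205 host, and the ms-wbt-server listener on 3389/tcp that the allow-list never granted. Remove $workdir when finished with the sample files.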
Vulnerability Scanning with NSE Scripts
Nmap's scripting engine provides over 600 scripts for advanced detection, vulnerability scanning and automation. Script categories like vuln detect security issues, while safe scripts improve recon and intrusive ones test defenses.
Scripts are invoked with the --script flag like:
nmap --script vuln 192.168.0.1/24
This will run all vulnerability checking scripts across the subnet, probing things like:
- Missing patches
- Configuration issues
- Broken authentication
- Known malware infections
- Potential zero days
Scripts can also be chained to form a custom workflow. Here we first discover MongoDB instances, then check for authentication enforcement:
nmap -p 27017 --script mongodb-info,mongodb-brute 192.168.0.1/24
The power here is automation of checks, centralization of outputs and flexibility to evolve scanning pipelines programmatically through Nmap's Lua-based scripting.
Advanced Nmap users can author their own .nse scripts tailored closely to the target environment and specifics of an engagement.
Responsible Disclosure & Applicable Laws
While Nmap provides excellent capabilities, remember that active network scanning raises operational, ethical and legal considerations. Be sure you:
- Have explicit permission before scanning networks not your own
- Throttle scans and use timing templates to avoid overload
- Observe service policies – scanning restrictions, responsible disclosure etc
- Understand regional laws regarding "unauthorized access", data protection etc
- Use firewall rule evasion and spoofing only when necessary
It helps enormously to be transparent in your efforts and notify parties in advance whenever possible. Providing scan reports to IT staff afterwards also builds trust.
In legally grey areas, restrict scans to just host discovery and open port detection. Avoid launching potential exploits or leveraging credentials without engagement approval.
Nmap is designed comprehensively for responsible disclosure, but it still takes thoughtful practitioners to wield properly.
Conclusion
Nmap provides immense flexibility for subnet scanning – host enumeration, granular port analysis, service fingerprinting, scriptable assessment and beyond. This guide covered core concepts as well as some advanced features befitting Nmap's extensive capabilities nurtured over 25 years of development.
What makes Nmap shine is the intricate packet crafting and behavioral analysis empowering insightful network reconnaissance. Combine this with the vibrant ecosystem of scripts and companion tools, and Nmap delivers immense value for network administrators, penetration testers and security practitioners everywhere.
There is still more beneath the surface to explore – Metasploit integration, sifting outputs with Ndiff, mastering packet tracing with Nping and more. Hopefully this provides a solid primer for applying this tool effectively across your network environments.