Anyone in a business or home environment needs to be able to understand and check the security of their network. Whether your network is one machine or a few thousand or more, security is an issue for everyone. What should be remembered is the Strategic Offensive principle of war which states: 'the best defense is a good offense'. If you understand how hackers and the like can infiltrate your network then you should be able to devise a plan to stop them. NOTE: With any information based on security issues please use this information responsibly. NMAP stands for 'Network Mapper'. NMAP can be used to scan a network of hosts and services and audit security. Further detailed information can be gained to produce complete 'network map'. NMAP was originally written for Linux but can be operated on Windows, Solaris, HP-UX, BSD, AmigaOS and IRIX. The main website for the NMAP application and documentation can be found at https://nmap.org/. The NMAP application can be downloaded to a Linux system from the normal repository using the following commands for you distro type. NOTE: With either type of Linux distro you may want to also download a Graphical User Interface (GUI) for the command-line based NMAP utility. The GUI is named 'ZeNMAP'. The following include NMAP and ZeNMAP. To install the two on a Debian system use the following commands: sudo apt-get install nmap sudo apt-get install zenmap sudo apt-get upgrade To install on a Red Hat based system use the commands: yum install nmap yum install zenmap yum update NOTE: At the time of writing this article the most up-to-date version of NMAP was 7.40. The repository contains version 6.40 or 7.10. To get the latest version of NMAP go to https://nmap.org/download.html. The RPM versions can be downloaded for Red Hat distros (nmap, nping, ncat and zenmap). For Debian based systems perform the following: sudo apt-get-install alien download the RPM file for your architecture (32-, 64-bit) sudo alien [filename from previous step 2] sudo dpkg --install [filename from previous step 3] NOTE: When using the file 'alien' for RPM to DEB conversions any errors usually result from lack of permissions. Move the RPM files to your HOME folder in temporary folder and try there. For any screen shots I use in this and following articles I will be using NMAP 7.10. To test the currently installed version of NMAP use the command 'nmap --version'. If you are moving to version 7.40 that should be fine, but some screen shots may differ. NOTE: You can also test the other utilities with the option '--version' after the utility name. The commands are: 'ncat --version', 'nping --version' and 'zenmap --version'. To start using NMAP we need to open 'zenmap'. When opening 'zenmap' it should be started with root permissions. From a terminal, type the command 'sudo zenmap' and then enter the root password when prompted. After 'zenmap' starts you should see a program as shown in Figure 1. FIGURE 1 Figure 1 shows a few areas which can be changed by you when using the program. The first item to be aware of is the Target. The Target is used to specify a single system or a group of systems to scan with NMAP. A group of systems can be entered with the addressing of '192.168.0.1-200' to scan the 200 IP Addresses. IP Addresses which are not used or the system is not powered on will be bypassed. The next main item you can set is the Profile. Initially, Zenmap has ten basic Profiles which are: Intense Scan (-T4 -A -v) Intense Scan plus UDP (-sS -sU -T4 -A -v) Intense Scan, all TCP Ports (-p 1-65535 -T4 -A -v) Intense Scan, no PING (-T4 -A -v -Pn) Ping Scan (-sn) Quick Scan (-T4 -F) Quick Scan Plus (-sV -T4 -O -F --version-light) Quick Traceroute (-sn --traceroute) Regular Scan (no options are used) Slow Comprehensive Scan (-sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)") There is a 'Command' line which shows the parameters being sent to NMAP after selecting a Profile. The Regular Scan (number 9) has no options sent to NMAP. To finish the article I will cover the various parameters and what they cause NMAP to do. Intense Scan -T4 – uses second highest timing template (1-5) -A – Enable OS detection, version detection, script scanning, and traceroute -v – enable verbosity Intense Scan plus UDP -sS – TCP SYN scan -sU – UDP scan -T4 – uses second highest timing template (1-5) -A – Enable OS detection, version detection, script scanning, and traceroute -v – enable verbosity Intense Scan, all TCP Ports -p 1-65535 – scan ports 1 to 65,535 (all ports) -T4 – uses second highest timing template (1-5) -A – Enable OS detection, version detection, script scanning, and traceroute -v – enable verbosity Intense Scan, no PING (-T4 -A -v -Pn) -T4 – uses second highest timing template (1-5) -A – Enable OS detection, version detection, script scanning, and traceroute -v – enable verbosity -Pn – acts as if all Hsts are online, no discovery Ping Scan -sn – Ping scan, but disable Port scan Quick Scan -T4 – uses second highest timing template (1-5) -F – perform a fast mode which scans fewer ports than the default scan Quick Scan Plus -sV – Probe open ports to determine service/version info -T4 – uses second highest timing template (1-5) -O – detect Operating System (OS) -F – perform a fast mode which scans fewer ports than the default scan --version-light – Limit to the most likely probes (0-9; 2) Quick Traceroute -sn – Ping scan, but disable Port scan --traceroute – Trace hop path to each host Regular Scan (no parameters) Slow Comprehensive Scan -sS – TCP SYN scan -sU – UDP scan -T4 – uses second highest timing template (1-5) -A – Enable OS detection, version detection, script scanning, and traceroute -v – enable verbosity -PE – ICMP Echo request -PP – ICMP Timestamp request -PS80,443 – TCP SYN discovery on ports 80 and 443 -PA3389 – TCP ACK discovery on Port 3389 -PU40125 – UDP discovery on Port 40125 -PY – SCTP discovery -g 53 – use Host source Port 53 --script "default or (discovery and safe)" – use the default script or the “discovery and safe” script You should be able to see that the basic Profiles will help you in making basic scans. Make sure you install both NMAP and ZeNMAP and try them out a little. More articles will follow to show how better to use the programs. NOTE: Previous versions of ZeNMAP included a 'Comprehensive Full Port Scan' which had the following parameters: 'Comprehensive Full Port Scan (-sV -p 1-65535 -T5 -O -A -v -v)'. The profile can be added to the existing list if you wish.