Using Nmap for Network Mapping

Nmap is the most commonly used port scanner, but it actually started life as a network-mapping tool for discovering hosts; the name stands for Network Mapper. It uses ICMP, UDP, and TCP to map a network.

Installing Nmap

If you have a yum repository configured on RHEL, installing nmap is very easy. If you are using CentOS or another Linux distribution, you can use its online repositories to install nmap.

[Screenshot: installing nmap on RHEL 7]

Using Nmap to Detect Systems on the Network

We will do a simple ICMP sweep of the network to see how many systems are alive and responding.

Nmap allows you to scan IP addresses by specifying a single IP address, a CIDR block, or a range (for example, 172.16.0.1-200). You can even specify several of each on the command line to increase the number of targets in your scan.

The -s argument allows you to specify the scan type. We are using -sP, which tells nmap to do a ping scan. SYN scans, TCP Connect scans, UDP scans, and so on are also supported.

During a ping scan of a remote network, nmap sends ICMP echo requests to all of the target hosts and listens for ICMP echo responses from them. For each host in the specified ranges that responds, nmap reports the latency.

[Screenshot: nmap ping scan of the network]

Nmap for Scanning TCP Ports

Now that we have identified which systems are live on our network, we can look at what services exist on those hosts. We will start with TCP services, since their results are much easier to interpret.

There are a number of different types of TCP scans, but we are going to look at the two most commonly used for detecting open TCP ports: the TCP Connect scan and the SYN scan. SYN scans are the stealthier and potentially safer option, but require root privileges to run.

Let's first do a TCP Connect scan using nmap.

[Screenshot: nmap TCP Connect scan]

The TCP Connect scan is the default scan type when you are running as a non-root user. Much like any other application attempting to connect to a TCP port, it issues a connect request that tells the operating system to perform a normal 3-way TCP handshake, closing the connection if it is accepted.

SYN scans are stealthier, completing only steps 1 and 2 of the TCP handshake before sending a reset packet to abort the attempt. This means that the application bound to the port never sees an established connection, so it will not log the connection attempt. It is also potentially safer, since historically some applications have not dealt well with connections being opened and then closed by a port scan.

Now let's do a TCP SYN scan of the host.

[Screenshot: nmap TCP SYN scan]

Identifying Services

Another useful feature nmap provides is the ability to identify services by attempting to grab application banners, or by issuing various types of known requests and determining the service from how it responds.

We can use -sV to probe the host for service/version information.

[Screenshot: scanning services on a remote host using nmap]
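The ping sweep and the port/service scans above are usually saved rather than read off the screen; as an added example (not code from the original post), the following POSIX shell script parses Nmap's greppable output format (-oG) into a live-host list and an open-TCP-port inventory. The scan output it parses is constructed sample data with placeholder addresses, and the lead comment uses -sn, which is the current name for the -sP ping scan.

```shell
#!/bin/sh
# Added example: turn Nmap greppable output (-oG) into a host/service inventory.
# Produce the input with e.g.  nmap -sn -oG hosts.gnmap 172.16.0.1-200     (ping sweep)
#                          or  nmap -sS -sV -oG ports.gnmap 172.16.0.0/24  (SYN + version scan)
# The sample below is CONSTRUCTED data with placeholder addresses, not a real scan.

sample_og() {
  printf '# Nmap 7.80 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/29\n'
  printf 'Host: 192.168.1.1 (gw.example.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.5 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (999)\n'
  printf 'Host: 192.168.1.6 ()\tStatus: Down\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
}

# Read -oG on stdin; print the IP of every host reported "Status: Up", one per line.
# -oG fields are tab-separated: "Host: <ip> (<hostname>)", then "Status: ..." or "Ports: ...".
live_hosts() {
  awk -F'\t' '$2 == "Status: Up" { ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip); print ip }'
}

# Read -oG on stdin; print "ip port service version" for each open TCP port.
# Each Ports entry is port/state/proto/owner/service/rpc/version/ (slash-separated fields).
open_tcp_ports() {
  awk -F'\t' '$2 ~ /^Ports: / {
    ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
    ports = $2; sub(/^Ports: /, "", ports)
    n = split(ports, entry, /, /)
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open" && f[3] == "tcp") printf "%s %s %s %s\n", ip, f[1], f[5], f[7]
    }
  }'
}

# Stand-alone demo on the constructed sample; feed a real file instead: live_hosts < hosts.gnmap
echo "Live hosts:";     sample_og | live_hosts
echo "Open TCP ports:"; sample_og | open_tcp_ports
```

Filtered and closed ports are deliberately left out of the inventory, so diffing two runs of open_tcp_ports over time shows only newly exposed services.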

Identifying the Operating System

Nmap can also be used to identify the operating system running on a particular host. This type of scan typically requires at least one open and one closed port to be reachable.

We can use nmap -O to perform OS fingerprinting.

[Screenshot: nmap OS fingerprinting scan]