The open source security tool, Nmap, originally focused on port scanning, but a robust community continues to add features and capabilities to make Nmap a formidable penetration testing tool. Almost all cybersecurity professionals have familiarity with Nmap and most use it frequently — it is the hammer of the pentesting toolbox.
This article will delve into the power of Nmap, how attackers use Nmap, and alternative penetration testing (pentesting) tools.
- Nmap Pros and Cons
- Who Uses Nmap and Why
- Installing Nmap
- Basic Nmap Commands
- How do Attackers Use Nmap
- How to Detect, Slow, or Block Nmap Scans
- Nmap Alternatives
- Bottom Line: Learn Nmap to Master Pentesting
Pros and Cons of Using Nmap
Although widely used as a penetration testing tool, even the most dedicated Nmap user recognizes its limitations. The most significant issues for most users will be the dated graphical user interface (GUI) and the learning curve required to master the command line interface (CLI) and the scripting engine. Experts with programming experience love the power and flexibility of Nmap, but much of that power stays out of reach for new users until they have climbed that curve.
Who Uses Nmap and Why
Nmap appeals to highly technical users with specific needs and students:
- Ethical hackers use Nmap to quickly map out networks and target potential vulnerabilities
- Malicious hackers use Nmap to quickly evaluate systems for targets and to incorporate the lightweight code into malware
- IT staff members use Nmap as an inexpensive network security tool to detect rogue devices, check for open ports, discover other vulnerabilities, and more
- IT learners use Nmap to explore networks and understand networking concepts such as IP addresses, ports, services, and more
Nmap performs many tasks covered by commercial tools, and most commercial tools cover only a portion of Nmap’s features. However, Nmap’s output will be text or XML files that can be difficult to interpret for new users, or even for expert users when the report is very large.
Common use cases for Nmap include:
- Assessing the exposure of networks or devices
- Asset discovery and shadow IT detection
- Network change tracking
- Network device troubleshooting
- Vulnerability detection
While malicious attackers will blissfully ignore the legality of hacking or even scanning a system without permission, students, ethical hackers, and IT learners need to keep the possible legal consequences in mind. Hacking, and even port scanning, performed without permission may lead to legal penalties such as fines or jail time under local legislation such as:
- Canada: Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada
- Germany: Sec. 202a and 202b of the German Criminal Code
- India: Information Technology Act Sec. 43 and 66
- Japan: The Act on the Prohibition of Unauthorised Computer Access
- United Kingdom: Computer Misuse Act 1990
- United States of America: The Computer Fraud and Abuse Act
Installing Nmap
Nmap began as a Linux utility, but it is now available for many operating systems, including Windows and macOS. Nmap comes pre-installed on several Linux distributions, including Kali Linux. On other distributions it can be installed from the package manager, for example “sudo apt-get install nmap” on Debian or Ubuntu, “sudo dnf install nmap” on Fedora, or “sudo pacman -S nmap” on Arch. Distribution packages can lag well behind the current release, so check what you got with “nmap --version”.
Users of all operating systems can download Nmap, and the Zenmap graphical user interface (GUI) front-end, from the official site. Those that prefer to build from source can clone the official git repository by using the command:
git clone https://github.com/nmap/nmap.git
Open source software packages have occasionally been backdoored or replaced with trojanized copies, so a download should be verified before it is installed. Nmap publishes GPG signatures and hash digests for every release under nmap.org/dist/sigs/. An organization can compare the file size and the SHA-256 (or other listed) hash of the download against those records, and should also verify the detached signature with “gpg --verify” against the Nmap project’s signing key, obtained through a channel other than the download mirror itself.
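The hash comparison described above, written out as a small Python check. This is an added example, not code from the Nmap project: the archive content and its expected digest are constructed stand-ins (the expected value is simply SHA-256 of the three bytes “abc”), and in real use the expected digest would be copied from the project’s published digest file. The size check is there because it is cheap and catches a truncated download before any hashing is done.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded Nmap archive. Real releases are
# multi-megabyte tarballs, but the verification logic is identical.
SAMPLE_CONTENT = b"abc"
# SHA-256 of b"abc". In practice this string is copied from the digest file
# published by the project, never taken from the same mirror as the download.
EXPECTED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
EXPECTED_SIZE = len(SAMPLE_CONTENT)


def write_sample(content=SAMPLE_CONTENT):
    """Write the constructed archive to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tar.bz2")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256, expected_size=None):
    """Return True only if the size (when given) and the SHA-256 both match.

    compare_digest is overkill for a local file, but using it for every
    digest comparison is the habit worth keeping.
    """
    if expected_size is not None and os.path.getsize(path) != expected_size:
        return False
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


if __name__ == "__main__":
    sample = write_sample()
    print("genuine archive:", verify_download(sample, EXPECTED_SHA256, EXPECTED_SIZE))
    print("tampered digest:", verify_download(sample, "0" * 64, EXPECTED_SIZE))
    os.remove(sample)
```

A matching hash proves the file is the one the project published; it does not prove the digest file itself is authentic, which is what the GPG signature check is for.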
Key Nmap Features
Network mapper (Nmap) began as an open-source tool for rapid scanning and identifying the IP addresses of systems within a network. Developers continue to add robust features to Nmap, which now encompass probing of applications, packets, and ports.
Users need to understand that not all features will be available for all operating systems or without administrative (admin) level access. Users will need to test if the features they need will work on the platform from which they need to use it and with their existing level of access.
Still, even a partial set of tools or capabilities can be quite useful. Not only could entire articles be written about the use of any specific tool in Nmap, a 464 page book has been published on the basics of Nmap.
We’ll provide an overview of the available features, which can be roughly categorized into Network Mapping, Network Packet Manipulation, Port Analysis, and Scripting.
As the core function in Nmap, network mapping allows a user to scan the network to find connected devices such as PCs, servers, routers, switches and other devices.
The basic “nmap” command can be directed at a single IP address or a range and will reply with basic information about which hosts are up and which ports are open; with the --traceroute option, Nmap also records the network path to each host, which Zenmap can draw in its topology view. When the scanner sits on the same Ethernet segment as its targets, Nmap will also capture the media access control (MAC) addresses from ARP replies; across a router, MAC addresses are not visible.
MAC address information includes manufacturers, which can be very useful to identify printers, routers, or even video game consoles connected to the network. However, for endpoints and servers, the MAC address will usually only return the manufacturer of the network card, and other commands will need to be used to obtain more information.
The information produced by Nmap will often be used to detect rogue devices or shadow IT connected to the network. IT admins can locate unapproved or unexpected devices such as a PlayStation console, internet connected televisions, or an unauthorized wireless access point by examining the Nmap results.
Ndiff provides a tool to compare Nmap XML output files. IT teams use this utility to determine what has changed in a network: hosts added or dropped, ports opened or closed, service versions changed, etc. Scheduled scans combined with Ndiff can create reports for security information and event management (SIEM) tools or alert the security operations center (SOC) to changes.
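The comparison Ndiff performs, reduced to its essentials in Python so the logic is visible. This is an added example, not Ndiff’s own code: it parses two Nmap -oX files (constructed sample documents are embedded below, with only the elements the parser reads) and reports hosts that appeared or vanished and ports that opened or closed on hosts present in both scans. The output lines are plain text so they can be forwarded to a SIEM as-is.

```python
import xml.etree.ElementTree as ET

# Constructed sample -oX output for a "before" and "after" scan of one range.
# Real nmaprun files carry many more attributes; only host/status, host/address,
# port/state and port/service are used here.
BEFORE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX before.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

AFTER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX after.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Map each live host to its open ports: {ip: {(proto, port): service_name}}."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            open_ports[key] = service.get("name") if service is not None else "unknown"
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(before, after):
    """Ndiff-style summary: hosts that appeared/disappeared, ports that opened/closed."""
    result = {
        "hosts_added": sorted(set(after) - set(before)),
        "hosts_removed": sorted(set(before) - set(after)),
        "ports_opened": {},
        "ports_closed": {},
    }
    for ip in sorted(set(before) & set(after)):
        opened = sorted(set(after[ip]) - set(before[ip]))
        closed = sorted(set(before[ip]) - set(after[ip]))
        if opened:
            result["ports_opened"][ip] = opened
        if closed:
            result["ports_closed"][ip] = closed
    return result


def format_report(diff):
    """Plain-text lines suitable for a SIEM, ticket, or chat alert."""
    lines = [f"+ host {ip} appeared" for ip in diff["hosts_added"]]
    lines += [f"- host {ip} disappeared" for ip in diff["hosts_removed"]]
    for ip, ports in diff["ports_opened"].items():
        lines += [f"+ {ip} {port}/{proto} opened" for proto, port in ports]
    for ip, ports in diff["ports_closed"].items():
        lines += [f"- {ip} {port}/{proto} closed" for proto, port in ports]
    return lines


if __name__ == "__main__":
    report = format_report(diff_scans(parse_scan(BEFORE_XML), parse_scan(AFTER_XML)))
    print("\n".join(report))
```

A host that drops out of the scan is not necessarily gone; it may simply have stopped answering the discovery probes, so treat “disappeared” as a prompt to re-scan that address rather than as proof of decommissioning.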
Network Packet Manipulation
To gather network information, Nmap includes the ability to craft, send, and capture packets at the raw level. Most packet-level behavior is driven by the built-in scan options or by scripts, but of special note is the Nping tool.
The Nping packet generator can be used for network stress testing, ARP poisoning, denial of service testing, firewall rule testing, troubleshooting, and more. Nping customizes transmission control protocol (TCP), user datagram protocol (UDP), internet control message protocol (ICMP), and address resolution protocol (ARP) packets and has support for Ethernet frame generation.
Nping’s echo mode enables users to track how packets are modified between source and destination hosts, to understand firewall rules or detect packet corruption. The same raw-packet capability underlies Nmap’s TCP Idle Scan (the -sI option).
TCP Idle Scan does not steal anything from the “zombie” host; it relies on the zombie having a predictable, globally incremented IP ID counter. The attacker reads that counter, sends SYN packets to the target with the zombie’s address as the spoofed source, and reads the counter again: an open port makes the target answer the zombie with SYN/ACK, the zombie replies with RST, and the counter advances by one extra step. The target’s logs show only the zombie’s address, so attackers use the technique to scan without exposing their own IP and to misdirect security tools or personnel into investigating the zombie instead of the attacker’s host. Operating systems that randomize or zero the IP ID field make poor zombies.
By sending manipulated packets, Nmap can perform port analysis and determine detailed information on the scanned hosts. Scans reveal the type of host or device, services running on the ports, operating systems and the confidence in the analysis. With deeper scans, the analysis can report on versions, patch levels, and estimated uptimes for the host.
Analysis can determine the role of a host (mail server, web server, etc.) and detect filtering on the path to the host. Network managers also often use Nmap to verify that firewall rule sets behave the way they were written.
Nmap’s true power can be found in the scripting capabilities. Many contributors have developed powerful scripts that are now included in Nmap, and many IT managers use scripting to facilitate automation and reporting. Hackers also make use of scripting to enable sets of commands to be automatically executed once malware infects the network.
Nmap scripting enables robust vulnerability detection using the built-in vulnerability (vuln) script category plus third-party scripts such as Vulners, which queries the Vulners vulnerability database by detected service version, and Vulscan, which matches versions against locally stored databases. Both depend on accurate version detection (-sV) and both report candidate CVEs that still need to be confirmed. Separate from scripting, the Nmap distribution also ships the Ncat utility for device-to-device network communication.
The Ncat network utility enables a wide variety of network communication for a variety of purposes. Network administrators can use Ncat commands as a backend tool to connect to network devices. Programmers can use Ncat to create secure connections between applications and devices.
Of course, hackers also use Ncat. The most common application is to drop Ncat onto a compromised host and use it to call out to the attacker’s machine, creating a reverse shell.
Many firewalls and security devices focus on incoming attacks and may not monitor outgoing communication at all. Because the reverse shell initiates the connection from inside, it gives attackers access to the network without inbound attacks that might trigger alerts, which is why egress filtering and logging of unexpected outbound connections matter as much as inbound controls.
Basic Nmap Commands
The basic Nmap commands and flags allow for robust scanning of the network and hosts without any scripts or programming. The Zenmap GUI provides many of the same commands through menu options called profiles, with names such as Intense Scan or Quick Scan, and Zenmap lets results be saved after the scan instead of requiring the output option to be chosen when the command is run.
Running the following basic command discovers open ports on the host at the IP address:
nmap <IP address>
Adding flags to the command will extract additional information, filter scans, or permit export of the results:
- -A: “aggressive” mode, which enables OS detection, version detection, default script scanning, and traceroute in one option
- -O: guesses the operating system of the host from its TCP/IP stack responses (requires raw-packet privileges)
- -sA: TCP ACK scan; it does not find open ports but reports whether each port is filtered or unfiltered, which maps firewall rules
- -p <port number(s)>: scans specific ports or ranges, for example -p 22,80,443 or -p 1-1024
- -sV: probes each open port to identify the service and its version; very important for vulnerability scanning
- -oN <file>: normal text output of results to a file
- -oX <file>: XML output to a file, typically for parsing by another program such as Ndiff
- --exclude <host1>[,<host2>...]: excludes hosts from scanning
- --excludefile <filename>: excludes the hosts listed in a file, one per line
A full set of options can be found on the Nmap website, which even includes a mindmap of the different options. While very powerful, the full feature set for Nmap can only be realized through built-in Nmap scripts or through custom scripts.
Built-in Nmap Scripts
Built-in Nmap scripts can be updated by running the command:
sudo nmap --script-updatedb
Once scripts are updated a user can probe even more deeply into the network, hosts, and ports. For example, the “banner” script can be run against specific ports to guess software versions for specific services:
nmap -p 21 --script=banner 18.104.22.168
In this example, Nmap is running against port 21 (-p 21) to grab the banner of whatever FTP service may be running on the host at IP address 18.104.22.168.
The NSEDoc Reference Portal links to the full list of 604 Nmap scripts and 139 Nmap script libraries. All of the scripts are written using the Nmap Scripting Engine (NSE) and the lists of scripts or libraries additionally link to individual pages with more in-depth information.
Using Custom Nmap Scripts
Although the Nmap tools and scripts provide powerful capabilities, advanced users may prefer to combine multiple lines of instructions or more complex commands to create customized capabilities. These additional capabilities require programming in Python, using the python-nmap package, or the Nmap Scripting Engine (NSE), which uses the Lua programming language.
Once developed, both the custom scripts and the built-in Nmap scripts or commands may be called by other programs. Network managers might use custom scripts to schedule a set of Nmap commands to map the network and detect new devices or changes in port status (from open to closed or vice-versa). Hackers, of course, use Nmap scripts in a variety of ways.
How Do Attackers Use Nmap?
Nmap scans large networks fast by using raw IP packets to identify available hosts and services on the network. Hackers and pen testers typically add specific options to cover their tracks and scripting to perform multiple functions automatically.
Covering Tracks in Nmap
Decoy scans add the -D option (for example: nmap -p 123 -D <decoy IP>,<decoy IP>,ME <target IP>) so that the target sees the real probes mixed with identical probes carrying spoofed source addresses; the attacker’s own address still has to be present (as ME, or by default) so that replies come back, but it is buried among the decoys. Nmap can also generate random decoys with -D RND:<count>. A more advanced form of hiding is the zombie or idle scan (-sI).
This side-channel technique sends forged SYN packets to the target using the IP address of an idle “zombie” host on the network and infers port state from changes in the zombie’s IP ID counter. The target and any intrusion detection system (IDS) watching it record only the zombie’s address, not the attacker’s.
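The idle scan mechanics described in the packet manipulation section above and again here, as a self-contained Python simulation. This is an added example, not Nmap’s implementation: the Zombie, Target and Packet classes are constructed models of three hosts on a network (addresses and ports are made up), with the zombie using a single global IP ID counter, the weakness the technique depends on. The attacker never receives a packet from the target; every verdict comes from reading the zombie’s counter before and after the spoofed SYN.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN/ACK" or "RST"
    ip_id: int = 0  # IP identification field, set by the sender


class Zombie:
    """Idle host whose IP ID is one global counter, incremented by one for every
    packet it sends. Anyone who can read the counter learns how many packets
    the zombie sent in between two readings."""

    def __init__(self, ip, start_id=1000):
        self.ip = ip
        self._next_id = start_id

    def _send(self, dst, flags):
        pkt = Packet(self.ip, dst, 0, flags, self._next_id)
        self._next_id += 1
        return pkt

    def receive(self, pkt):
        # Unsolicited SYN/ACK is answered with RST (costs one IP ID);
        # unsolicited RST is silently dropped (costs nothing).
        if pkt.flags == "SYN/ACK":
            return self._send(pkt.src, "RST")
        return None


class Target:
    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt.flags != "SYN" or pkt.dport in self.filtered_ports:
            return None                       # firewall drops it: no reply at all
        flags = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
        return Packet(self.ip, pkt.src, 0, flags)   # goes to the *claimed* source


def probe_ipid(zombie, attacker_ip):
    """Send the zombie a SYN/ACK from our own address; its RST reveals the counter."""
    rst = zombie.receive(Packet(attacker_ip, zombie.ip, 80, "SYN/ACK"))
    return rst.ip_id


def idle_scan_port(attacker_ip, zombie, target, port):
    before = probe_ipid(zombie, attacker_ip)
    # Spoofed SYN carrying the zombie's address: the target's answer, if any,
    # lands on the zombie, never on the attacker.
    reply = target.receive(Packet(zombie.ip, target.ip, port, "SYN"))
    if reply is not None:
        zombie.receive(reply)
    after = probe_ipid(zombie, attacker_ip)
    delta = after - before
    if delta == 2:
        return "open"               # zombie answered the target's SYN/ACK with a RST
    if delta == 1:
        return "closed|filtered"    # zombie sent nothing except the reply to our probe
    return "unreliable"             # zombie was not idle; other traffic moved the counter


def idle_scan(attacker_ip, zombie, target, ports):
    return {p: idle_scan_port(attacker_ip, zombie, target, p) for p in ports}


if __name__ == "__main__":
    zombie = Zombie("192.0.2.50")
    target = Target("192.0.2.80", open_ports={22, 443}, filtered_ports={445})
    for port, verdict in idle_scan("203.0.113.9", zombie, target, [22, 80, 443, 445]).items():
        print(f"{port}/tcp {verdict}")
```

Two properties worth noticing: closed and filtered ports are indistinguishable to an idle scan (both leave the counter moving by exactly one), and any zombie that is not truly idle, or that randomizes its IP ID, produces the “unreliable” outcome, which is why Nmap first tests a candidate zombie before trusting it.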
In addition to obfuscation, Nmap can also manipulate the timing of scans with its -T templates. IT administrators may prefer heavily parallel (multiple probes at once), easily detectable, and quick scans by selecting -T5, the “Insane” template, which caps the round-trip timeout at 300 milliseconds, retries a probe at most twice, and gives up on a host after 15 minutes. Internal users do not care about being noisy and prefer speed, although -T5 can miss ports on slow links and -T4 is the usual fast choice.
However, attackers will prefer templates that blend in better with normal traffic:
- -T2 Polite: serialized probes, 0.4 seconds between them
- -T1 Sneaky: serialized probes, 15 seconds between them
- -T0 Paranoid: serialized probes, 5 minutes (300 seconds) between them
Attacks Using Nmap
It is easy to talk about possible generalities, but to understand how attackers actually use Nmap, let’s look at specific examples. U.S. government sources note two examples of known attacks that incorporate Nmap, an EyesOfNetwork vulnerability and one of the exploits for Log4Shell.
EyesOfNetwork 5.3, CVE-2020-8655
Vulnerability CVE-2020-8655, given a 7.8 / 10 severity rating, stems from a sudoers configuration in EyesOfNetwork 5.3 that allowed the apache web-server account to run Nmap (version 7 or later) as root. Because Nmap will execute arbitrary Lua code from a user-supplied NSE script, that single sudo rule is enough to run any command as root. The National Institute of Standards and Technology (NIST) links to proof of concept (PoC) code for this known-exploited vulnerability that shows how attackers used a crafted script to perform a local privilege escalation (LPE) and launch a reverse shell with a single Nmap command.
Although the vulnerability lies within the EyesOfNetwork configuration rather than in Nmap itself, an attacker who has already obtained code execution as the apache user can run the prepared script with little effort and become root. No additional credentials are needed, and the same sudo rule lets the attacker keep running Nmap commands as root afterwards. The general lesson for administrators is to audit sudoers for entries that let service accounts run, as root, any binary that can spawn a shell or load scripts.
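The sudoers audit suggested above, as an added Python example (not EyesOfNetwork’s or Nmap’s code). The sudoers content is a constructed sample whose apache line mirrors the shape of the CVE-2020-8655 entry; the set of binaries treated as shell escapes is an illustrative subset, an assumption rather than a complete list, and a real audit would extend it. The parser handles plain user specifications only (no Cmnd_Alias expansion), which is enough to flag the pattern this vulnerability relied on.

```python
import re

# Constructed sample sudoers file. The apache line mirrors the kind of entry
# behind CVE-2020-8655 (web-server account allowed to run nmap as root).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
apache      ALL=(root) NOPASSWD: /usr/bin/nmap, /usr/bin/systemctl restart httpd
www-data    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup      ALL=(root) /usr/bin/rsync
"""

# Illustrative subset (assumption): binaries that run arbitrary code when
# executed as root. nmap does so through a user-supplied NSE script.
SHELL_ESCAPE_BINARIES = {"nmap", "vi", "vim", "less", "more", "find",
                         "perl", "python", "python3", "awk", "tar"}

# user  host=(runas) [TAG:] command[, command...]
_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
_DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return one dict per user specification line (aliases are not expanded)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in _DIRECTIVES:
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        # Commands are comma separated; paths containing commas are not handled.
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        entries.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",   # sudoers' default runas user
            "nopasswd": "NOPASSWD" in tags,
            "commands": cmds,
        })
    return entries


def find_root_code_execution(entries, risky=SHELL_ESCAPE_BINARIES):
    """(user, command, nopasswd) for non-root principals that can run a
    shell-escape binary, or anything at all, as root."""
    findings = []
    for e in entries:
        if e["user"] == "root":
            continue
        runas_users = e["runas"].split(":")[0].split(",")   # "(ALL:ALL)" -> ["ALL"]
        if not any(u.strip() in ("root", "ALL") for u in runas_users):
            continue
        for cmd in e["commands"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or base in risky:
                findings.append((e["user"], cmd, e["nopasswd"]))
    return findings


if __name__ == "__main__":
    for user, cmd, nopasswd in find_root_code_execution(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user:10} may run '{cmd}' as root{' without a password' if nopasswd else ''}")
```

The %wheel entry is flagged as well, which is correct behavior: the point of the audit is to produce a short list for a human to judge, and an admin group with ALL is expected while a web-server account with nmap is not.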
Log4Shell Nmap Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) provides an analysis of a malicious PowerShell Trojan downloader file. Using the Log4Shell Java vulnerability, attackers could push malicious PowerShell malware onto unpatched, public-facing VMware Horizon and Unified Access Gateway (UAG) servers.
The PowerShell malware checks for Nmap and, if not found, installs Nmap on the victim’s computer. The script stops existing “Runtime Service” and “Runtime Update Service” tasks in Windows Server. Then the script automatically runs commands to set up Nmap, run daily tasks under the name “Runtime Service.exe” and update the registry to disable uninstall for Nmap or Nmap’s packet capture tool Npcap.
These scripts establish persistence on the servers and enable reverse shell connections for the attackers. The task name “Runtime Service” is chosen to look like a legitimate Windows component, so defenders will have difficulty spotting the malicious scheduled task without careful examination of the executable it launches and the relevant log files.
How to Detect, Slow, or Block Nmap Scans
Host networks and systems can detect Nmap scans using SIEM tools, firewalls, and other defensive tools; however, some systems may need to be configured first. A TCP connect scan (-sT) completes the three-way handshake, so those connections show up in host and service log files. The default SYN scan (-sS), which Nmap uses whenever it has raw-packet privileges, never completes the connection and leaves no trace in connection logs; it has to be caught by firewalls that log dropped packets or by IDS/IPS tools that flag half-open connections and malformed probes such as FIN, NULL, or Xmas packets.
Nmap provides specific advice regarding how to detect or block Nmap in various ways, but tool vendors will also provide suggested methods. Of course, organizations will need to work with their teams and partners to ensure the proper settings for tools to generate alerts. Then the organization needs to work with the security teams to ensure that the alerts will be properly received by SIEM tools, SOC teams, or managed IT security service providers (MSSPs).
Nmap Recommendations For Detection
While the detection of port scans can be done, the high volume of scans on internet-facing ports will be overwhelming and standard system logs will usually be insufficient. Many administrators will track port scans with logs because they can be the precursor to attack. However, more useful detection may be obtained through intrusion detection or intrusion prevention systems (IDS/IPS or IDPS) installed on internal networks, where there will be less noise from constant, automated scans.
Nmap notes that special port scan detectors such as Sentry Tools (previously known as PortSentry) or Scanlogd can detect port scans on hosts even as attackers attempt to evade detection. Nmap also notes that one of the best defenses to block or at least slow Nmap scans comes from well-configured firewalls with a deny-by-default policy.
Nmap notes that firewalls can frustrate attackers by confusing Nmap as to whether or not the scans were conducted successfully. A confused Nmap will perform scans more slowly and make attacks cumbersome.
For example, if firewall filters drop TCP SYN scan probes to closed ports, Nmap must wait for its timeout (and retry) instead of receiving the RST packet and moving on to the next port almost instantly. Similarly, firewalls that drop UDP probe packets to closed ports leave Nmap unable to tell whether a port is open or filtered, because Nmap relies on the ICMP port unreachable response to mark a UDP port closed.
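The detection side of the advice above, as an added Python example (not from Nmap or any IDS vendor). It reads firewall drop logs, the place where a SYN scan does leave a trace, groups them by source, and flags any source that touched many distinct ports within a sliding time window. The log lines are a constructed sample in the iptables/nftables kernel LOG layout as rsyslog writes it (the host name, addresses, prefix and timestamps are made up); three sources are included: a fast scanner, a three-port client that should stay below threshold, and a slow scanner at the 15-second -T1 cadence, which shows why the window length matters as much as the port count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel packet-log line as written by rsyslog (constructed sample data below).
_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
_BASE = datetime(2024, 5, 1, 10, 0, 0)


def _line(offset_seconds, src, dpt):
    """One constructed FW-DROP line, offset_seconds after the base time."""
    ts = (_BASE + timedelta(seconds=offset_seconds)).strftime("%b %d %H:%M:%S")
    return (f"{ts} fw1 kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST=10.0.0.5 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41000 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]

SAMPLE_LOG = (
    # fast scanner: one probe per second, roughly what -T4/-T5 looks like from outside
    [_line(i, "203.0.113.5", p) for i, p in enumerate(PORTS)]
    # three ports from one source: a plausible legitimate client, below threshold
    + [_line(30 + i, "198.51.100.7", p) for i, p in enumerate([22, 80, 443])]
    # slow scanner: one probe every 15 seconds, the -T1 "Sneaky" cadence
    + [_line(100 + 15 * i, "192.0.2.77", p) for i, p in enumerate(PORTS)]
)


def parse_drop_lines(lines):
    """Yield (timestamp, src, proto, dport) for every parseable drop record."""
    events = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return events


def detect_scans(lines, window_seconds=60, threshold=10):
    """Return {src: peak_distinct_ports} for sources whose fan-out across
    destination ports, inside any window_seconds-long window, reaches threshold."""
    by_src = defaultdict(list)
    for ts, src, proto, dpt in parse_drop_lines(lines):
        by_src[src].append((ts, proto, dpt))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t_end, _, _) in enumerate(events):
            in_window = {(proto, dpt) for t, proto, dpt in events[: i + 1]
                         if (t_end - t).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print("60 s window :", detect_scans(SAMPLE_LOG))
    print("600 s window:", detect_scans(SAMPLE_LOG, window_seconds=600))
```

With the default 60-second window only the fast scanner trips the rule; the -T1 scanner never has more than five distinct ports inside any minute. Widening the window to ten minutes catches it too, at the cost of more state per source, which is the trade-off every port scan detector makes.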
Cisco IDS Sensor Nmap Detection
Cisco IDS systems, such as the Cisco 4200 series, can deploy IDS sensors to the network that can detect TCP and SYN scans. Cisco provides articles that illustrate the Nmap results and the Cisco real-time output capturing these scans as well as FIN, NULL, OS Guessing, and Xmas-Tree scans on the network.
As noted above, just because Cisco can detect Nmap does not mean the tool will automatically detect Nmap when installed. Organizations may need to work with Cisco partners to ensure proper configuration for Nmap detection.
Microsoft Nmap Detection
Microsoft recommends using the Windows Defender Firewall with Advanced Security to detect Nmap activity in real time. However, while the firewall will detect and log the scan, enterprise-wide Microsoft Defender for Endpoint can aggregate alerts from multiple endpoints to detect a network-wide probe that indicates an attack in progress.
Other antivirus, endpoint detection and response (EDR), or extended detection and response (XDR) tools may offer similar capabilities. Organizations will need to dive into documentation or work with vendors to verify capabilities and ensure proper implementation.
Organizations can take steps to block, or at least make the deployment of Nmap much more difficult. Windows Group Policy can prevent non-admin accounts from launching the Command Prompt (cmd.exe) and can restrict PowerShell, and application control tools such as AppLocker or Windows Defender Application Control can stop unapproved executables such as Nmap from running or being installed on endpoints.
The typical user will never need to launch the Command Prompt and will never notice if it is blocked. Most often, it will be attackers who are inconvenienced. More advanced users, including attackers, will know to use batch (.bat) files, scripting hosts, or a bootable USB drive to get around the restriction, but administrators can block those on company machines for non-admin users as well.
Of course, these tools will have significant limitations in the modern environment. First, blocking these options will prevent new software installations and some desired batch files from running on the systems and users will complain. This complaint can be offset by requiring all software to be installed by IT admins or by whitelisting software and batch files allowed to be run on endpoints.
The more significant problem arises from the widespread use of bring-your-own-device (BYOD) endpoints. The organization can only impose limitations on company devices and BYOD should not be blocked in this fashion. However, even in this case, an organization can create protections by requiring connection to company resources through browser isolation, zero trust network access, or virtual desktop interfaces that isolate BYOD devices.
Nmap Alternatives
Penetration testers can find a wide range of penetration testing tools that offer alternatives or complements to Nmap. Open source tools include choices such as:
- OWASP ZAP (application scanner)
- John the Ripper (Password cracker)
- Wireshark (packet sniffer)
However, most of these tools specialize in other aspects of penetration testing and complement Nmap rather than replace it, which is why Nmap holds such a dominant position for host and port discovery.
Even commercial penetration testing tools such as Burp Suite Professional or Rapid7’s Metasploit Pro struggle to replace Nmap entirely. Many security teams will enjoy the more user-friendly capabilities of the commercial tools and continue to use Nmap for specific users, specific needs, or scripting.
Still, Nmap receives most of its funding from OEM licensing of Nmap to companies that incorporate Nmap into their tools. Commercial pentesting tools either copy segments of code into their software or install Nmap locally and parse the results through the commercial tool.
Organizations paying for commercial software may actually be using Nmap under the hood, but the improved ease of use may be worth the added expense. Commercial tools enable IT security staff with less experience to perform equivalent tasks they could not perform on Nmap and often enable professional reports to be generated more rapidly.
Organizations can also turn to professional penetration testing services as an alternative to using tools with their internal teams. However, buyers should be aware that some penetration testing companies even sell services that directly use the open source tool. For better or worse, most will not do so as blatantly as the potentially misleading Nmap Online, which uses a similar logo and domain name to the official Nmap.org website.
Bottom Line: Learn Nmap to Master Pentesting
Nmap requires time, practice, and expertise to master, but the extensive capabilities make it worthwhile to learn. While many alternatives exist, Nmap provides an excellent primary or backup tool, and the process of learning Nmap will open up a huge range of penetration testing skills for any user.