Nmap: a gentle introduction to the most well-known network scanner

In this tutorial I will introduce Nmap, the most well-known network scanner. I will explain what network scanning is and why it is important, then we will get our hands dirty with nmap and try its most important features: host discovery, port scanning, service and OS fingerprinting and the Nmap Scripting Engine (NSE)!


(Figure: nmap testbed)
What is NMAP?

Nmap is an open-source tool for network scanning. This basically means that when you run Nmap, it starts sending packets into the network. It then analyzes the responses to those packets and deduces which other hosts are present in the network and which services are listening on them. Network scanning is a very important activity that can be used both defensively and offensively.

What is Network Scanning?

Network scanning is the activity of discovering the hosts inside a network and the services listening on those hosts. Every host, be it a PC, a smartphone, a smart TV or even the smart watch on your wrist, is connected to a network of computers, otherwise it would be impossible for it to communicate with the rest of the world (a notable exception could be a computer holding top-secret information, which could be disconnected from any other network on purpose). Nmap allows us to scan the network to discover who is currently attached to it. This knowledge can be exploited both from a defensive and from an offensive point of view. On the defending side, knowing who is currently using our network allows us to discover people or machines that gained unauthorized access to it. As a simple example, this could be a way to detect people who discovered our Wi-Fi password and are now stealing our Internet connection. On the offensive side, knowing which hosts are connected to a network allows an attacker to draw a map of its topology and to fine-tune their plans for carrying out the attack. A network scan actually goes further, because it is generally able to tell which services are active on the discovered hosts. This is a very important piece of information too, since it hints at the possible entry points of an attack.

Nmap Installation

I assume that we are running nmap on an Ubuntu machine (a usual choice would be Kali Linux, but for the purpose of this tutorial it makes no difference). The easiest way to install nmap is from the distribution repository: open a terminal and type

sudo apt install nmap

Now nmap has been installed and if you simply type nmap in a terminal you will get the nmap usage message.

Host Discovery

Let's start with the first step of network scanning, i.e. host discovery. In this phase we have gained access to a network and we would like to discover which other hosts are attached to it. The idea of host discovery is basically to send packets to all the valid IP addresses inside the network and see who responds. Consider the following figure: we are sending probes from our PC 192.168.1.2 to all the valid IP addresses in the network 192.168.1.0/24. Green packets represent the requests, red packets the responses. We send request packets blindly, because we don't know whether there is a receiver on the other side. Every time we receive a response, we have identified a host. At this point we only know that we discovered a certain number of hosts inside the network; we don't know the identity of the discovered hosts yet. Furthermore, there could be hosts in the network that did not respond to our probes and thus that we did not discover. Anyway this is a beginning, and at the end of the host discovery phase we have the IP addresses of the hosts that answered our probes.
(Figure: host discovery, animated)

To run a host discovery scan with nmap for the subnet 192.168.1.0/24, open a terminal and type

nmap -sn 192.168.1.0/24

The result will be something like this:

(Figure: nmap host discovery output)

As you can see, nmap queried 256 IP addresses but only got a response from 2 hosts. Now there is an important point that needs to be explained.

We must understand that a host discovery scan is a test and thus may present both false positives and false negatives. A false positive is a host that answered our probe but that does not actually exist. This is possible in the presence of special network equipment that the network administrators deployed to defend their network against network mapping. So there could be a special host that intercepts all the traffic, just like a network IDS/IPS does, and that answers on behalf of the queried IP address every time it recognizes an ongoing network scan. Its goal is to flood the attacker with fake information in order to make it impossible for them to draw a map of the network. A false negative is a host that is attached to the network but that was not identified by our scan. This is a much more common situation. As an example, the most common test used to check whether a host is reachable on the network is pinging it, that is, sending the host an ICMP Echo Request packet, which should result in an ICMP Echo Reply sent back from the destination host to the sender. However, nowadays many firewalls block this kind of ICMP packet (even the default Windows 10 firewall does it!), so if this were the only packet used to implement the host discovery scan, it would be highly probable that the scan would miss a large number of hosts, i.e. produce many false negatives.
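As an added example (not part of the original tutorial), here is a small Python script that puts the defensive use of host discovery into practice: it reads the XML that nmap writes with -oX for a -sn scan and compares the hosts reported as up against an inventory of known hosts, flagging unknown hosts, MAC mismatches and known hosts that did not answer (possible false negatives). The XML and the inventory are constructed samples, and the -oX output option and the inventory format are my assumptions.

```python
"""Compare the hosts found by an `nmap -sn` scan against a known-host inventory."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn -oX - 192.168.1.0/24` could emit for the two
# hosts that answered in the tutorial's scan (addresses and MACs are made up).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/24" version="7.80">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="router.lan" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.42" addrtype="ipv4"/>
<address addr="66:77:88:99:aa:bb" addrtype="mac"/>
<hostnames/></host>
<runstats><hosts up="2" down="254" total="256"/></runstats>
</nmaprun>"""
# Constructed inventory of the hosts we expect on 192.168.1.0/24 (IP -> MAC).
KNOWN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:55",   # our router
    "192.168.1.10": "DE:AD:BE:EF:00:10",  # a printer whose firewall drops pings
}

def parse_up_hosts(xml_text):
    """Return {ip: mac_or_None} for every host nmap reported as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()   # normalise case for comparison
        if ip:
            hosts[ip] = mac
    return hosts

def audit(found, known):
    """Split scan results into unknown hosts, MAC mismatches and unseen known hosts."""
    unknown = sorted(ip for ip in found if ip not in known)
    mismatched = sorted(ip for ip in found if ip in known and found[ip] != known[ip])
    # Known hosts that did not answer may simply be off, or a firewall may have
    # dropped the probe (a false negative): they deserve a second look, not silence.
    unseen = sorted(ip for ip in known if ip not in found)
    return unknown, mismatched, unseen
```

On the sample above, 192.168.1.42 is reported as unknown and the printer at 192.168.1.10 as a known host that did not answer.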