29. Install NMAP Network Security Scanner

How do I install nmap command under CentOS / RHEL or Red Hat Enterprise Linux based system for testing security of my own network?

The nmap command line utility is used for port scanning and finding out all the ways a computer communicates with other computers on a network. You can find open ports on a server or computer and find what services are using those ports. It can even determine what operating system is running on the server and much more.

Installation

To install nmap on RHEL based Linux distributions, type the following yum command:

# yum install nmap


Sample outputs:

Loaded plugins: protectbase, rhnplugin, security
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-2.el6 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package    Arch         Version               Repository                  Size
================================================================================
Installing:
 nmap       x86_64       2:5.51-2.el6          rhel-x86_64-server-6       2.8 M
 
Transaction Summary
================================================================================
Install       1 Package(s)
 
Total download size: 2.8 M
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
nmap-5.51-2.el6.x86_64.rpm                               | 2.8 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2:nmap-5.51-2.el6.x86_64                                     1/1 
  Verifying  : 2:nmap-5.51-2.el6.x86_64                                     1/1 
 
Installed:
  nmap.x86_64 2:5.51-2.el6                                                      
 
Complete!

 

How do I use nmap command?

To find out nmap version, run:

# nmap --version


Sample outputs:

Nmap version 5.51 ( http://nmap.org )

To scan an IP address or a host name (FQDN), run:

# nmap 1.2.3.4
 # nmap localhost
 # nmap 192.168.1.1


Sample outputs:

Fig.01: nmap in action

Getting more information out of the remote system

The -v option forces verbose output and the -A optipn enables OS detection and Version detection, Script scanning and traceroute in a single command:

# nmap -v -A scanme.nmap.org
 # nmap -v -A 192.168.1.1


Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-19 16:38 IST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 16:38
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 16:38, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:38
Completed Parallel DNS resolution of 1 host. at 16:38, 0.00s elapsed
Initiating SYN Stealth Scan at 16:38
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 16:38, 0.27s elapsed (1000 total ports)
Initiating Service scan at 16:38
Scanning 2 services on 192.168.1.1
Completed Service scan at 16:39, 66.11s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 16:40
Completed NSE at 16:40, 0.88s elapsed
NSE: Script Scanning completed.
Host 192.168.1.1 is up (0.00050s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
|  ssh-hostkey: 1024 15:b6:b5:68:dc:36:97:76:19:72:4d:74:63:d6:18:35 (DSA)
|_ 1040 d2:75:67:8e:51:4d:4b:f6:25:f0:46:e3:a8:9e:8f:42 (RSA)
80/tcp open  http?
|_ html-title: Error
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = tswitch
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.00%I=7%D=11/19%Time=50AA133E%P=x86_64-unknown-linux-gnu%
SF:r(GetRequest,17E,"HTTP/1\.0\x20401\x20Unauthorized\r\nDate:\x20Mon,\x20
SF:19\x20Nov\x202012\x2011:08:46\x20GMT\r\nContent-Type:\x20text/html;\x20
SF:charset=utf-8\r\nCache-Control:\x20no-cache,\x20no-store,\x20must-reval
SF:idate,\x20private\r\nExpires:\x20Thu,\x2031\x20Dec\x201970\x2000:00:00\
SF:x20GMT\r\nPragma:\x20no-cache\r\nWWW-Authenticate:\x20Basic\x20realm=\"
SF:tswitch\"\r\nConnection:\x20close\r\n\r\n<html><head><title>Error</titl
SF:e></head><body><h2>401\x20Unauthorized</h2>\x20Unauthorized</body></htm
SF:l>")%r(FourOhFourRequest,17E,"HTTP/1\.0\x20401\x20Unauthorized\r\nDate:
SF:\x20Mon,\x2019\x20Nov\x202012\x2011:08:51\x20GMT\r\nContent-Type:\x20te
SF:xt/html;\x20charset=utf-8\r\nCache-Control:\x20no-cache,\x20no-store,\x
SF:20must-revalidate,\x20private\r\nExpires:\x20Thu,\x2031\x20Dec\x201970\
SF:x2000:00:00\x20GMT\r\nPragma:\x20no-cache\r\nWWW-Authenticate:\x20Basic
SF:\x20realm=\"tswitch\"\r\nConnection:\x20close\r\n\r\n<html><head><title
SF:>Error</title></head><body><h2>401\x20Unauthorized</h2>\x20Unauthorized
SF:</body></html>")%r(Help,15E,"HTTP/1\.0\x20400\x20Invalid\x20Request\r\n
SF:Date:\x20Mon,\x2019\x20Nov\x202012\x2011:09:06\x20GMT\r\nContent-Type:\
SF:x20text/html;\x20charset=utf-8\r\nCache-Control:\x20no-cache,\x20no-sto
SF:re,\x20must-revalidate,\x20private\r\nExpires:\x20Thu,\x2031\x20Dec\x20
SF:1970\x2000:00:00\x20GMT\r\nPragma:\x20no-cache\r\nConnection:\x20close\
SF:r\n\r\n<html><head><title>Error</title></head><body><h2>400\x20Invalid\
SF:x20Request</h2>\x20Invalid\x20Request</body></html>")%r(LPDString,15E,"
SF:HTTP/1\.0\x20400\x20Invalid\x20Request\r\nDate:\x20Mon,\x2019\x20Nov\x2
SF:02012\x2011:09:11\x20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-
SF:8\r\nCache-Control:\x20no-cache,\x20no-store,\x20must-revalidate,\x20pr
SF:ivate\r\nExpires:\x20Thu,\x2031\x20Dec\x201970\x2000:00:00\x20GMT\r\nPr
SF:agma:\x20no-cache\r\nConnection:\x20close\r\n\r\n<html><head><title>Err
SF:or</title></head><body><h2>400\x20Invalid\x20Request</h2>\x20Invalid\x2
SF:0Request</body></html>");
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/19%OT=22%CT=1%CU=35558%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50AA13
OS:8B%P=x86_64-unknown-linux-gnu)SEQ(CI=Z%II=I)ECN(R=Y%DF=Y%T=40%W=4600%O=M
OS:2300NNSNW2%CC=N%Q=)T1(R=N)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
 
Network Distance: 1 hop
 
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.27 seconds
           Raw packets sent: 1266 (62.072KB) | Rcvd: 1036 (44.320KB)

 

To scan a range of IP addresses

 

# nmap 192.168.1.1-50

 

To scan an entire subnet

 

# nmap 192.168.1.0/24

 

Ping only scan

 

# nmap -sP 192.168.1.1

 

TCP SYN scan

 

# nmap -sS 192.168.1.1

 

UDP scan

 

# nmap -sU 192.168.1.1

IP protocol scan

 

# nmap -sO 192.168.1.1

 

Scan port 80, 25, 443, and 110

 

# nmap -p 80,25,443,110 192.168.1.1

 

Scan port ranges 1024-2048

 

# nmap -p 1024-2048 192.168.1.1

 

Operating system detection

 

# nmap -O --osscan-guess 192.168.1.1

 

# nmap -O --osscan-guess 192.168.1.1