Nmap (“Network Mapper”) is an open source tool for network
exploration and security auditing. It was designed to rapidly
scan large networks, although it works fine against single
hosts. Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other
characteristics. While Nmap is commonly used for security audits,
many systems and network administrators find it useful for routine
tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.
The output from Nmap is a list of scanned targets, with
supplemental information on each depending on the options
used. Key among that information is the “interesting ports
That table lists the port number and protocol,
service name, and state. The state is either
means that an application on the target machine is listening for
connections/packets on that port.
means that a firewall, filter, or other network
obstacle is blocking the port so that Nmap cannot tell whether it is
ports have no application listening on them,
though they could open up at any time.
Ports are classified as
when they are
responsive to Nmap's probes, but Nmap cannot determine whether they are
open or closed.
Nmap reports the state combinations
when it cannot determine which
of the two states describe a port. The port table may also
include software version details when version detection has been
requested. When an IP protocol scan is requested
-sO), Nmap provides information on supported IP
protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide
further information on targets, including reverse DNS names,
operating system guesses, device types, and MAC addresses.
A typical Nmap scan is shown in Example 15.1. The only Nmap arguments used in
this example are
-A, to enable OS and version
detection, script scanning, and traceroute;
faster execution; and then the two target hostnames.
Example 15.1. A representative Nmap scan
nmap -A -T4 scanme.nmap.org
Nmap scan report for scanme.nmap.org (188.8.131.52)
Host is up (0.029s latency).
rDNS record for 184.108.40.206: li86-221.members.linode.com
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
646/tcp filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open nping-echo Nping echo
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
[Cut first 10 hops for brevity]
11 17.65 ms li86-221.members.linode.com (220.127.116.11)
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
The newest version of Nmap can be obtained from
http://nmap.org. The newest version of this man page
is available at http://nmap.org/book/man.html.
It is also included as a chapter of Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning.