Network Mapper, or nmap, is a powerful tool for exploring a network environment. It identifies nodes and is often able to report back available services, operating system versions, hostnames, IP addresses, MAC addresses, network devices (switches, routers), network printers, etc. The nmap utility has a great many options. It also has a GUI version called Zenmap.
The nmap utility may be used initially to audit and document the network. In troubleshooting, having such documentation is essential. It can also be used directly in the troubleshooting process to confirm whether expected components are in place or if there have been changes to the network environment.
Syntax
The syntax of the nmap command is:
# nmap [options] {target}
The following are some examples of troubleshooting with nmap:
- nmap -p 1-65535 -sV -sS -T4 {target} — Scan every TCP port (1-65535) on the designated target (hostname, IP address, subnet) with a SYN scan (-sS) and service/version detection (-sV) at the faster -T4 timing. This confirms whether the destination computer is listening for the source computer’s connection attempt.
- nmap -sP 192.168.1.0/24 — Host discovery scan for all devices on the 192.168.1.0/24 subnet. This reports all devices detected on the designated subnet. (-sP is the older name for the -sn option used below.)
nmap Command Examples
1. Check if an IP address is up, and guess the remote host’s operating system:
# nmap -O ip_or_hostname
2. Try to determine whether the specified hosts are up (ping scan) and what their names are:
# nmap -sn ip_or_hostname optional_another_address
3. Enable scripts, service detection, OS fingerprinting and traceroute:
# nmap -A address_or_addresses
4. Scan a specific list of ports (use ‘-p-’ for all ports from 1 to 65535):
# nmap -p port1,port2,...,portN address_or_addresses
5. Perform service and version detection of the top 1000 ports using default NSE scripts, writing the results (‘-oN’) to an output file:
# nmap -sC -sV -oN top-1000-ports.txt address_or_addresses
6. Scan target(s) carefully using ‘default and safe’ NSE scripts:
# nmap --script "default and safe" address_or_addresses
7. Scan web server running on standard ports 80 and 443 using all available ‘http-*’ NSE scripts:
# nmap --script "http-*" address_or_addresses -p 80,443
8. Perform a stealthy very slow scan (‘-T0’) trying to avoid detection by IDS/IPS and use decoy (‘-D’) source IP addresses:
# nmap -T0 -D decoy1_ipaddress,decoy2_ipaddress,...,decoyN_ipaddress address_or_addresses
9. To scan an IPv6 target, just use the -6 option and define the IPv6 target address. Currently, you can only specify individual IPv6 addresses. The following is a sample command to port scan the IPv6 address:
# nmap -6 fe80::20c:29ff:fe18:f08
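For the audit-and-document use described at the top of the page, a saved scan becomes a baseline that later scans can be compared against. The script below is an added example, not part of the original page: it assumes both scans were saved in nmap's grepable format (-oG), and the function names, file names and report contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. The report text below is constructed sample data in nmap's
# grepable (-oG) layout, not output from a real scan.

# Read -oG text on stdin; print "ip port/proto service" for every open port.
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")                  # h[2] is the IP address
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue   # skip Status:, Ignored State:, ...
        s = $i; sub(/^Ports: /, "", s)
        n = split(s, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")            # port/state/proto/owner/service/...
          if (f[2] == "open") print h[2], f[1] "/" f[3], f[5]
        }
      }
    }' | LC_ALL=C sort
}

# port_changes BASELINE CURRENT: "+" = newly open, "-" = no longer open.
port_changes() {
  old=$(mktemp); new=$(mktemp)
  open_ports < "$1" > "$old"
  open_ports < "$2" > "$new"
  LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$old" "$new" | sed 's/^/- /'
  rm -f "$old" "$new"
}

baseline_report() {   # constructed: state of the subnet when it was documented
  printf 'Host: 192.168.1.10 (printer.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.10 (printer.lan)\tPorts: 80/open/tcp//http///, 631/open/tcp//ipp///\n'
  printf 'Host: 192.168.1.20 (files.lan)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\n'
}
current_report() {    # constructed: same hosts during troubleshooting
  printf 'Host: 192.168.1.10 (printer.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 631/open/tcp//ipp///\n'
  printf 'Host: 192.168.1.20 (files.lan)\tPorts: 22/open/tcp//ssh///, 445/closed/tcp//microsoft-ds///\n'
}

demo() {
  d=$(mktemp -d)
  baseline_report > "$d/baseline.gnmap"
  current_report > "$d/current.gnmap"
  port_changes "$d/baseline.gnmap" "$d/current.gnmap"
  rm -rf "$d"
}
demo
```

With real data, replace the two constructed reports with files written by -oG on different dates. Nmap also ships ndiff, which compares two XML (-oX) reports.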