Nmap: Complete Guide to Network Scanning and Linux Security

Introduction to Nmap

Nmap (Network Mapper) is an open source tool for discovering hosts and services on a network and for detecting vulnerabilities and misconfigurations. Its popularity comes from the combination of power, flexibility and an active community that keeps its service-probe, OS-fingerprint and NSE script databases up to date. On Linux, Nmap integrates easily with shell scripts, lets you automate security audits and can be combined with other utilities such as tcpdump or Wireshark for deeper analysis.

Nmap installation in major distributions

In Debian and Ubuntu, the package is in the official repositories and is installed with:

  • sudo apt update
  • sudo apt install nmap

In Fedora, CentOS and RHEL, dnf or yum is used:

  • sudo dnf install nmap # Fedora
  • sudo yum install nmap # CentOS / RHEL

For Arch Linux and its derivatives:

  • sudo pacman -S nmap

If the latest version is needed (a new release also brings updated service probes and NSE scripts), it can be compiled from the source code in the project's official GitHub repository with the usual ./configure, make and sudo make install.

Basic scanning of hosts and ports

The simplest command is:

  • nmap 192.168.1.0/24

This performs a ping sweep to determine which addresses are up and, by default, scans the 1,000 most common TCP ports on each live host. Hosts that do not answer the discovery probes (ICMP echo, TCP probes to ports 80 and 443, ARP on the local segment) are reported as down; add -Pn to skip discovery and scan every address regardless. To limit the scan to specific ports, use the -p option with a comma-separated list or a range (for example -p 1-1024):

  • nmap -p 22,80,443 192.168.1.10

For a faster scan you can apply -T4 (the aggressive timing template) or even -T5 («insane» mode), at the cost of accuracy (timeouts are shortened, so ports can be missed on slow links) and of a much greater chance of being flagged by intrusion detection and prevention systems.

Advanced scanning techniques

Nmap offers several scan types suited to different scenarios:

  • SYN scan (-sS): half-open scan; it sends a SYN and never completes the TCP handshake, so it is faster and less likely to be logged by the target application. It needs raw-socket (root) privileges.
  • TCP connect scan (-sT): completes the full handshake through the operating system's socket API, so it works without root privileges but leaves ordinary connection logs on the target.
  • UDP scan (-sU): discovers UDP services; slower because the protocol is connectionless and many hosts rate-limit the ICMP port-unreachable replies Nmap relies on.
  • Version detection (-sV): probes each open port to identify the service and its exact version.
  • Script scan (-sC or --script): runs NSE (Nmap Scripting Engine) scripts to detect vulnerabilities, gather additional information or perform brute-force attacks. -sC runs the default script set; --script selects scripts or categories by name.

A combined example could be:

  • nmap -sS -sV --script=vuln 10.0.5

This command performs a SYN scan, detects versions and runs every script in the vuln category against the indicated host. Some scripts in that category are intrusive (they send exploit-style probes), so run them only within an agreed scope.

Save and process results

Nmap can export its results in several formats for further analysis:

  • -oN file.txt: normal, human-readable output (the same as what appears on the terminal).
  • -oX file.xml: XML format, ideal for processing with scripts or importing into vulnerability management tools.
  • -oG file.gnmap: grepable format, one line per host, useful for quick searches with grep or awk.
  • -oA base: writes all three formats with the same base name (base.nmap, base.xml, base.gnmap).

For example:

  • nmap -sS -sV -oA scan_network 192.168.1.0/24

This produces scan_network.nmap, scan_network.xml and scan_network.gnmap. The XML file can be imported into platforms such as OpenVAS or Nessus, or into custom dashboards written in Python with the python-nmap library.

Automation of scans with shell scripts

To perform periodic scans you can create a small bash script that invokes Nmap and saves the results with a timestamp:

  • #!/bin/bash
  • DATE=$(date +%Y%m%d_%H%M%S)
  • nmap -sS -sV -oA "scan_$DATE" 10.0.0.0/24
  • echo "Scan completed: scan_$DATE.*"

This script can be added to the crontab (root's, since -sS needs raw sockets) to run every night, building a history of network changes that makes it easy to spot new devices or unexpected open ports.
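The following added example (not part of the original article) carries the two previous sections one step further: it turns the grepable (-oG) output described under "Save and process results" into a simple "host port/proto service version" list with awk, and diffs two such runs so the nightly cron job can report which open ports appeared or vanished instead of just archiving files. The hosts, versions and scan data are constructed to look like .gnmap output and are not from a real scan; the nightly_scan wrapper that invokes nmap is assumed to run as root from the directory holding the scan_*.gnmap history.

```shell
#!/bin/bash
# Added example, not from the original article: parse grepable (-oG) Nmap
# output into "host port/proto service version" lines and diff two runs so a
# nightly cron job reports new or vanished open ports. The sample data is
# constructed to look like .gnmap output; it is not a real scan.
set -e

# Grepable output is tab-separated:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<service>//<version>/, ...\tIgnored State: ...
# Nmap writes "/" inside a version string as "|", so splitting on "/" is safe.
open_ports_from_gnmap() {       # args: .gnmap file(s), or stdin if none
    awk -F'\t' '
    /^Host:/ {
        ip = $1
        sub(/^Host: /, "", ip); sub(/ .*$/, "", ip)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i; sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")     # f: port state proto owner service rpc version
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
            }
        }
    }' "$@"
}

# Print "+ line" for open ports only in the newer run and "- line" for those
# only in the older one. comm needs sorted input, so both sides use LC_ALL=C sort.
diff_open_ports() {             # args: old.gnmap new.gnmap
    old=$(mktemp); new=$(mktemp)
    open_ports_from_gnmap "$1" | LC_ALL=C sort > "$old"
    open_ports_from_gnmap "$2" | LC_ALL=C sort > "$new"
    LC_ALL=C comm -3 "$old" "$new" |
        awk -F'\t' '{ if ($1 == "") print "+", $2; else print "-", $1 }'
    rm -f "$old" "$new"
}

# Nightly wrapper for root's crontab (not executed here; -sS needs raw sockets).
# Usage: nightly_scan 10.0.0.0/24   (run from the directory that keeps scan_*.gnmap)
nightly_scan() {
    stamp=$(date +%Y%m%d_%H%M%S)
    prev=$(ls scan_*.gnmap 2>/dev/null | LC_ALL=C sort | tail -n 1)   # latest earlier run, if any
    nmap -sS -sV -oA "scan_$stamp" "$1" > /dev/null
    if [ -n "$prev" ]; then
        diff_open_ports "$prev" "scan_$stamp.gnmap"
    else
        echo "Baseline saved: scan_$stamp.gnmap"
    fi
}

# Constructed sample data for two runs (hypothetical hosts and versions).
sample_run() {                  # arg: 1 (earlier run) or 2 (later run)
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oA scan_%s 192.168.1.0/24\n' "$1"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    if [ "$1" = 1 ]; then
        printf 'Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (996)\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (999)\n'
    else
        printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/, 8080/open/tcp//http-proxy//Apache Tomcat 9.0.71/\tIgnored State: closed (998)\n'
        printf 'Host: 192.168.1.30 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (999)\n'
    fi
    printf '# Nmap done: 256 IP addresses (3 hosts up)\n'
}

# Diff the two constructed runs; prints one line per change
# (here: "- ... 21/tcp ftp ...", "+ ... 8080/tcp http-proxy ...", "+ ... 23/tcp telnet ...").
run_example() {
    a=$(mktemp); b=$(mktemp)
    sample_run 1 > "$a"; sample_run 2 > "$b"
    diff_open_ports "$a" "$b"
    rm -f "$a" "$b"
}

run_example
```

Only open ports are compared, so a port flipping between closed and filtered does not generate noise, while a new telnet daemon or an FTP service that silently disappeared does. Because nightly_scan picks the previous file before writing the new one, the first run simply records a baseline; from the second night on, an empty diff means nothing changed.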

Best practices and ethical considerations

Although Nmap is a powerful tool, its use must always be authorized. Scanning networks without permission may violate computer security laws and corporate policies. It is recommended that:

  • Get written authorization from the network or system owner.
  • Limit the scope of scanning to agreed IP ranges and ports.
  • Use less aggressive timing (-T2 or -T3) on production networks to reduce load and traffic noise; very fast scans can also overwhelm fragile embedded devices.
  • Keep Nmap itself up to date, since new releases ship updated service probes, OS fingerprints and NSE scripts; after adding or editing scripts, run nmap --script-updatedb to rebuild the script index.
  • Document the findings and generate clear reports for stakeholders.

Following these guidelines, Nmap becomes an indispensable ally for system administrators, security analysts and any professional who needs to know the real state of their Linux network infrastructure.

This work is licensed under a Creative Commons Attribution 4.0 International License by Francesc Roig (francesc@vivaldi.net).
