Unix How To: Using nmap to Map Your Network

It is certainly well known that "hacker tools" can be used for many legitimate purposes. Nmap, the Network Mapper and security scanner is no exception. These days, it is used routinely to identify the operating systems, applications and software versions running on targeted systems. This kind of data can be as useful for building a system inventory as identifying targets for an attack.

Scanning with nmap doesn't necessarily imply lots of network traffic, probes against huge port ranges and setting off intrusion detection alerts. You can also use it to quickly, easily and stealthily generate a listing of all systems on a particular subnet. And the process can be even simpler than building your own "ping everybody on this subnet" scripts.

When a friend of mine walked into a new job with a very poorly documented network, he and I used nmap to get him started on the process of discovering the servers he was about to manage. We used what is called a "skip port scan" to quickly outline each subnet that he was about to manage. As the name suggests, this nmap scan does NOT scan ports. Instead, it is just a "ping scan" or "ping sweep" as some call it.

# nmap -sP

Starting Nmap 4.60 ( http://insecure.org ) at 2010-02-17 10:01 EST
Host appears to be up.
MAC Address: 00:06:31:7B:48:0C (Cisco Systems)
Host appears to be up.
MAC Address: 00:03:BA:42:DE:49 (Sun Microsystems)
Host appears to be up.
MAC Address: 00:03:BA:55:26:BA (Sun Microsystems)

What you end up with when you do a skip port scan is a list that looks like the (truncated) listing above. You see which IP addresses in the subnet are in use and the MAC address of each system. Not surprisingly, the output above indicates that the "1" address in the subnet is a Cisco switch. Then it moves on to the servers and finds some older Sun systems. By the end of the scan, we have an idea what the subnet looks like -- the number of systems and composition of the subnet in terms of architecture.

Another nmap command that costs virtually nothing in terms of network activity and intrusiveness is the list scan. This scan uses DNS to flesh out a network and doesn't send any packets to the system. Thus, it provides another way of finding out what your name server thinks is on the subnet. In this type of scan, nmap uses reverse lookups to populate system names and doesn't go any further in determining whether the system is running or even present.

# nmap -sL

Starting Nmap 4.60 ( http://insecure.org ) at 2010-02-17 10:54 EST
Host server1 ( not scanned
Host not scanned
Host not scanned
Host server4 ( not scanned
Host server5 ( not scanned
Host server6 ( not scanned

Due to the "no impact" nature of these scans, particular the list scan, you needn't be concerned that your gentle probing of network space is going to register as a problem. This is not true of more rigorous and comprehensive types of scans.

For more intrusive scanning of any network, you should always be sure that you have permission to run the scans and that anyone responsible for managing the networks you are scanning is well aware of your activity. You are likely to set off alarms or get someone's attention when you port scan.

You can learn more about using nmap for host discovery at this page:


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.