How to use Nmap and other network scanners
In order to protect a network, you need to know what’s on it. In this episode of Cyber Work Applied, Infosec Skills author Mike Meyers walks through how to perform a network scan using tools like Nmap and Zenmap.
What are network scanners?
Network scanners can help you figure out what’s on your network — as well as find and address vulnerabilities. Learn how to use free network scanning tools like Nmap, Zenmap and Advanced Port Scanner in this episode of Cyber Work Applied.
Network scanning walkthrough
Below is the edited transcript from Mike’s network scanning walkthrough.
Why do you need to scan networks?
(0:00- 0:53) One of the big challenges we have when looking at a network is we need to know what is in this network. In other episodes, we talked about tools like, for example, netstat, which allow us to know what’s happening on an individual host or local host. But what if you have a whole bunch of computers?
There are a zillion scenarios within the IT security world where you want to be sitting at one computer, and you want to start checking out other computers. Now, when I’m talking about checking out other computers, we’re talking about using powerful tools that will query not just one system, but all the systems within a certain network ID to determine what is going on.
You’re going to be running into certain tools that will go out and sniff a network, and that’s what I want to talk about right now.
What is Nmap?
(0:54- 1:20) The first one I want to talk about is probably the most famous. It’s called Nmap. Nmap is a powerful tool. It is used for inventorying networks, looking for bad guys and all kinds of stuff, but it’s not the easiest one in the world to use. However, I’m not too bad at it. So let’s take a moment and use it.
Now I need to warn you. Nmap is more commonly used in Linux systems, but I’m a Windows guy. So anybody out there who likes Linux, don’t yell at me.
How to use Nmap to scan a network
(1:21- 2:49) Here I am in the command prompt, and I’ve got Nmap installed. There are a lot of different ways to run Nmap. So the first thing I’m going to do is I’m going to check out the network around me.
So I’m going to type Nmap, give me lots of verbose information, and then do what’s known as a ping scan. Then I’m going to give it a network to check out, which is the local network for this right here.
C:\Users\Mike>nmap -v -sn 192.168.4.0/24
And let’s see what happens when I run this. It’s going to be taking a minute, so that’s the one downside to Nmap. Sometimes, you have to sit around and wait a little bit.
So we’ve got a ton of output here. Let me scroll up to the top so we can see this. Basically, what I’ve asked Nmap to do is I said, look out on the entire 192.168.4 network with a /24 subnet mask and give me a quick idea of what’s out there. I’m not asking for much information.
So let’s pick individual ones. You’ll see it starts at zero and goes all the way through, and here it found that this is my router and these are some more unused IP addresses. And as we go through, you’ll notice it’s giving me an idea of how many up-and-live systems are out there right this very moment. So there are a lot of computers on my little network. No big surprise there.
Using the Nmap Scanme service
(2:50- 4:09) Now Nmap doesn’t stop there. We can go a lot deeper. One of the things I want to do this time — I’m going to run Nmap again, but this time, instead of just looking at my own little local network, I’m going to go to a very specific computer out on the internet that Nmap has been nice enough to set up for us to play with. And it’s the infamous scanme.nmap.org.
Let me type this in real quick. So you type Nmap again. I want verbose output. This time I’m saying I want to know what the operating systems are.
C:\Users\Mike>nmap -v -A scanme.nmap.org
We’re going to let this puppy go. Now, in this particular case, we’re not scanning an entire network. I’m trying to zero in on one very specific computer. So let’s see what it came up with.
Fantastic. So let’s take a look at what’s happening on just this one little machine. Now, if you think about this, they’re going to put some fun stuff for us to find here.
First, here are all the different types of work it’s trying to do, but here’s what I’m interested in. I noticed that port 22 is open, so it’s an SSH server. I see that port 80 is open. So I know automatically that it’s a web server and then port 9929, a non-standard port number, is also available. And I can go ahead and start doing stuff with this.
Different Nmap scenarios
(4:10- 5:24) So that’s one of the most important aspects of Nmap. Nmap, by itself, doesn’t hack anything. What Nmap allows me to do is query a system, and then I can start doing stuff. If I know that port 22 is open, I might turn to some SSH attack tools to try to break into the system via SSH. If I’m just a network administrator and all of a sudden I see one of my servers is running SSH, I might be making some phone calls to shut that port off. So when we’re talking about a tool like Nmap keep in mind different scenarios require different actions.
This is pretty cool because not only does it show that it’s SSH, but here are my SSH keys that are involved with that particular one. And I got some other — like I know this is a Windows machine because I see it’s running 135, 139 and 445. Then it gives me a traceroute so I know the process I went through to get to that particular system.
So here’s just one example of how Nmap can be handy. I like Nmap quite a bit. It is on every one of my thumb drives. You come up and say hi to me, I’m going to have a thumb drive on me and on that thumb drive is going to be Nmap.
But one of the downsides to Nmap is that it’s a little hard to read as it is.
What is Zenmap?
(5:25- 6:25) There’s a wonderful tool that comes with Nmap called Zenmap. Zenmap is a graphical user interface, an overlay that runs on top of Nmap. Let’s fire him up.
Welcome to Zenmap. Now, one of the things you’re going to learn about Zenmap is that you’re still typing those strange commands at the command prompt. You’re doing the same thing, but Zenmap organizes it better. So let’s go ahead and have him do a ping scan, which is not super aggressive.
Now while this guy is scanning, there are a couple of things I need to warn you about. Any decent intrusion detection system, either host-based or network-based, will go bananas if you start running scans like this onto a network. So be warned if you go to the office and try Nmap. You may end up getting a phone call.
We’ve got some output here.
How to use Zenmap
(6:26- 8:01) We have a whole bunch of systems on this network. I want to keep that a little bit closed because I don’t want you guys to see exactly my DNS names on everything.
The bottom line is I’ve got tons and tons of systems. It’s easier to use than running Nmap from a command prompt because I can click around a little bit. It also has some handy tools like, for example, a topology tool. He’s a little challenging to work with, but we can make him work.
All this represents all the different systems on this individual LAN. So it’s kind of pretty in the way that it just shows all this stuff. I could actually click on individual systems and I can do whatever research I need to do on it, but I can go through and look at all these individual systems and figure out what’s going on.
So on that one particular system, which happens to be my router, I can get whatever information is going on on that particular system.
Zenmap is just a semi-graphical Nmap, and it is an incredibly powerful tool. Now Nmap is great, but it’s not the only one out there. There are a lot of really wonderful, absolutely free tools out there. And I’m going to show you one real quick. Let me close him out.
How to use Advanced Port Scanner
(8:02- 8:56) I have a wonderful free tool called Advanced Port Scanner. This is completely free and it works fantastic. And it’s doing the same job we saw with Nmap — or at least the Zenmap interface. You can see that I’ve told it to scan everything from 192.168.4.1 to 192.168.4.254.
And this guy right here gives me all kinds of information. For example, I can click on a particular system. I can see what ports are open on this. I can run tools. I can run an SSH against it. Let’s see if that works. So I can connect to something if I want to. But the bottom line is I know all the different systems that are on the network. And I also can tell what ports are open. So that’s really what these types of network scanners can do.
3 main uses of network scanners
(8:57- 10:19) So when you’re using network scanners, keep in mind that there will be three big areas where you will be using them.
Number one, you’re looking for open ports, maybe not necessarily on one machine, maybe you are, but these types of tools tell you all the open ports on all the different systems on your network. And then you can decide what to do. If you’re doing a vulnerability assessment, maybe you can use that as a way to attack a system. If you’re a network administrator trying to stop these guys, you can go over to that system and turn off whatever open ports are running.
The other big thing that makes these incredibly popular is network inventory. It shocks us how many times we don’t know what’s on our own networks. I’m not talking about individual desktops and things like that, but people bringing in smartphones and people plugging in their own little laptops or anything like that. With tools like this, we’ll find them. It’s got to have an IP address to be on the network, and they’ll help you with it.
The last thing you want to watch out for is rogue systems. A rogue system is generally any system that shouldn’t be on the network. And it doesn’t always mean evil. For example, it’s common for people to bring in an extra system and plug it in. It’s just their home system. That could cause problems if the system doesn’t have good anti-malware. So when you’re thinking about these tools, keep in mind those different types of scenarios.
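The walkthrough ends with the three jobs a scanner does for a defender: list open ports, build an inventory, and spot rogue systems. The script below, added here as an example and not code from the video, from Infosec or from the Nmap project, does all three from Nmap's grepable output format (the real `-oG` option), so the hard-to-read console output never has to be eyeballed. The embedded scan text is a constructed sample in the `-oG` layout, and the EXPECTED asset list is hypothetical; the parser goes a little beyond the video by accepting both the `Status: Up` lines a ping scan (`-sn`) emits and the `Ports:` lines a port scan emits.

```python
"""Turn Nmap grepable (-oG) output into an inventory and flag open ports and rogue hosts.

Added example; not part of the Cyber Work Applied video or of the Nmap project.
"""
import re
from dataclasses import dataclass, field

# Constructed sample mimicking `nmap -sS -oG - 192.168.4.0/24` output. Hosts, names and
# ports are made up for illustration; they are not real scan results.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG - 192.168.4.0/24
Host: 192.168.4.1 (router.lan)\tStatus: Up
Host: 192.168.4.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.4.20 (fileserver.lan)\tStatus: Up
Host: 192.168.4.20 (fileserver.lan)\tPorts: 22/open/tcp//ssh///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.168.4.77 ()\tStatus: Up
Host: 192.168.4.77 ()\tPorts: 22/open/tcp//ssh///, 9929/open/tcp//nping-echo///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:01:30 2024 -- 256 IP addresses (3 hosts up) scanned in 90.00 seconds
"""

# Hypothetical asset list: which hosts belong on the LAN and which TCP ports each may expose.
EXPECTED = {
    "192.168.4.1": {53, 80},     # router: DNS and its web admin page
    "192.168.4.20": {139, 445},  # file server: SMB only, no SSH or RPC expected
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    up: bool = False
    open_ports: dict = field(default_factory=dict)  # TCP port -> service name Nmap guessed


def parse_grepable(text):
    """Parse -oG lines into HostRecords keyed by IP.

    Handles both the 'Status: Up' lines a ping scan (-sn) emits and the 'Ports:' lines
    a port scan emits, so the same parser works for either kind of run.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' header/footer lines carry no host data
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, HostRecord(ip=ip, hostname=name))
        # After the Host field, the line is tab-separated "Key: value" fields.
        for chunk in line.split("\t")[1:]:
            key, _, value = chunk.partition(": ")
            if key == "Status":
                rec.up = (value == "Up")
            elif key == "Ports":
                for entry in value.split(", "):
                    # Field layout: port/state/protocol/owner/service/rpc info/version
                    parts = entry.split("/")
                    port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                    if state == "open" and proto == "tcp":
                        rec.open_ports[int(port)] = service
                        rec.up = True  # a host answering on a port is certainly up
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def inventory(hosts):
    """Network inventory: every live host with its open TCP ports, in address order."""
    return [(ip, rec.hostname, sorted(rec.open_ports))
            for ip, rec in sorted(hosts.items(), key=lambda kv: _ip_key(kv[0]))
            if rec.up]


def audit(hosts, expected):
    """Compare the scan to the asset list.

    Returns (kind, ip, ports) tuples: 'rogue-host' for a live address that is not in the
    asset list at all, 'unexpected-ports' for a known host exposing ports it should not.
    """
    findings = []
    for ip, _, ports in inventory(hosts):
        if ip not in expected:
            findings.append(("rogue-host", ip, ports))
        else:
            extra = sorted(set(ports) - expected[ip])
            if extra:
                findings.append(("unexpected-ports", ip, extra))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for ip, name, ports in inventory(scan):
        print(f"{ip:<15} {name or '(no name)':<20} open tcp: {ports}")
    for kind, ip, ports in audit(scan, EXPECTED):
        print(f"{kind}: {ip} {ports}")
```

On a real run you would save the scan with something like `nmap -sS -oG scan.gnmap 192.168.4.0/24`, read that file into `parse_grepable`, and keep the EXPECTED table in version control so that each scan is diffed against the last approved state of the network rather than against memory. With the sample data, the file server shows SSH and RPC it should not have, and 192.168.4.77 is reported as a rogue host because it appears in no asset list at all.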
More cybersecurity training resources
Want more free cybersecurity resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free training resources. Check out the latest free cybersecurity training resources to keep learning!