Now that you have Nmap up and running on your system, you’re ready to run a basic Nmap scan. In this video, Mike Chapple helps you run a basic Nmap scan and interpret the results.
- [Instructor] Now that you have Nmap up and running on your system, you're ready to run a basic Nmap scan. Before we run that scan, you'll need to know a little bit about the way that Nmap presents its results. Nmap will provide you with a list of ports that it detected, and then provide state information for each one of those ports. There are four possible states. Open ports are those that are listening for incoming connection requests and they're responding to those connections. Closed ports are those that seem to be accessible to the scanner, but there is no service responding to connection requests.
Filtered ports are ports that Nmap attempted to scan, but a firewall interfered with the scan. And finally, Unfiltered ports are those that Nmap was able to access, but for some reason was not able to determine whether the port was open or closed. There are also some special cases that you should be aware of. Nmap might be unable to make a definitive statement about the state of a port. In those cases, it will provide you with two options that it is unable to choose between.
For example, a port marked open, pipe, filtered, is either open or filtered. And a port marked closed, pipe, filtered, is either closed or filtered. With that background information under our belts, let's try to perform an Nmap scan. I'm back at the Mac command line and I'm going to attempt to run a basic scan of the scanme.nmap.org server. To do that, I simply type nmap and then the DNS name of the server, scanme.nmap.org.
And then the scan runs. And after a few seconds, I have some results. Now before we look at those results, I want to run the same scan one other way. I specified the DNS name of the server the first time I ran the scan, but I can also use an IP address to run the scan instead of a DNS name. So I'm gonna go ahead and look up the current IP address for scanme.nmap.org. I'm just going to do the dig command to do a DNS lookup, and then the name, scanme.nmap.org.
And I see in these results that the current IP address for scanme.nmap.org is 45.33.32.156. One quick note, I used the dig command to look up that domain name. This command works natively on Mac and Linux systems, but it isn't available by default on Windows systems. If you're using a Windows system, you can use the Nslookup command instead. So now let's try running the Nmap scan by specifying the IP address instead of the DNS name.
I'm going to type nmap and then the IP address 45.33.32.156. When that scan completes, I get the same results as I did when I scanned the port by DNS name. Okay, now let's dig into these results. I see that right after I started the scan, Nmap gave me a confirmation that the scan had started. Says Starting Nmap 7.70, and then the date and time that the scan began. Next it tells me the server that it scanned.
It says Nmap scan report for scanme.nmap.org and the IP address. Now notice, Nmap in this case actually gave me the DNS name even though I only gave it the IP address. By default, Nmap does a reverse DNS lookup to tell us the name of the server that it scanned, even when only an IP address is provided. It tells me that the host is up and there's a very low latency to connect to that host, and then it gives me the information about the ports that it scanned. With this simple default scan, Nmap tracks 1000 ports.
And the first thing it tells me is that 996 ports were closed. Now it doesn't list all of those, because then it would be very difficult to parse through the results. What it shows me are the ports that don't have a state of closed, and I see that there are four of them here. For each of those ports I see the port number and protocol, the state, and then the service that Nmap believes is running on that port. So the first result, I see that it's for tcp port 22 and I happen to know that port's associated with a secure shell, the ssh service, and that's what Nmap has guessed.
And it's telling us that secure shell is open on this server, so this server is accepting ssh connections on port 22. The next port, port 80, is associated with web servers running the http protocol, and then I have two other ports that might not be as familiar. Port 9929 is associated with the nping protocol, which is a specialized version of ping that comes with Nmap, and then port 31337 gives a service name of Elite. This port is commonly associated with hackers, so if this were my system that we were scanning, I might think that it would be compromised and I would certainly want to investigate this open port in more detail.
Then at the end of the scan, Nmap gives me a little summary. It tells me that it scanned one address and one host was up out of the one that it scanned, and that the scan took about half a second to complete. You now know how to run a basic Nmap scan and interpret the results. If you'd like, now would be a great time to pause the course and try running a scan on one of your own systems. Remember, you should never scan a system unless you have explicit permission to do so.
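The report structure the video walks through (the "scan report for" header, the "Not shown" line that collapses the closed ports, one line per remaining port, and the two-way "a|b" states Nmap uses when it cannot decide) can be parsed mechanically. The following is an added example, not part of the course; the sample output is constructed to mirror the scan described above, and the field names in the returned dict are my own.

```python
import re

# Constructed sample of Nmap "normal" output, modelled on the scan the
# transcript walks through (not a real capture).
SAMPLE_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 10:00 EST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
"""

# One port-table row: "<number>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text):
    """Parse Nmap normal output into a dict; each port is (number, proto, state, service)."""
    report = {"target": None, "address": None, "host_up": False,
              "not_shown": 0, "not_shown_state": None, "ports": []}
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)(?: \(([\d.]+)\))?", line)
        if m:  # reverse-DNS name first, address in parentheses when both are known
            report["target"] = m.group(1)
            report["address"] = m.group(2) or m.group(1)
            continue
        if line.startswith("Host is up"):
            report["host_up"] = True
            continue
        m = re.match(r"Not shown: (\d+) (\S+) ports", line)
        if m:  # the bulk state Nmap collapses instead of listing every port
            report["not_shown"] = int(m.group(1))
            report["not_shown_state"] = m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            report["ports"].append((int(port), proto, state, service))
    return report

def summarize(report):
    """Open ports to investigate, undecided 'a|b' states, and a port-count sanity check."""
    return {
        "open": sorted(p[0] for p in report["ports"] if p[2] == "open"),
        "ambiguous": [p for p in report["ports"] if "|" in p[2]],
        "accounted": report["not_shown"] + len(report["ports"]),
    }
```

For the default scan "accounted" should come to 1000, the number of ports Nmap probes; a mismatch means a line was missed or the output came from a non-default port list.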