Nmap Use Cases, Tools, and Product Comparisons

Nmap is one of the best known tools in the infosec community. “Some call it the Swiss army knife of hacking,” said Paulino Calderon, author and co-founder of Websec Mexico.

At nearly 25 years old, the network discovery and security audit tool has come a long way since its inception. What was designed for network reconnaissance and port scanning has evolved to include a host of sub-projects, including Ndiff, Ncat, and Zenmap.

In his latest book, Nmap Network Exploration and Security Auditing Cookbook, Third Edition, Calderon offers an overview of the tool and its use cases – concrete advice he learned not just from using the tool in his job every day, but also as a developer with the project since 2011.

The book is not a manual, Calderon warned. “Don’t see it as competition for official documentation,” he said, explaining that topics like Nmap discovery, services and scanning are well documented in the official book. Instead, Calderon focused on sharing his personal experiences in the book, providing readers with advice he learned along the way. “If it helped me at any time, I know it will help other people,” he said.

Here Calderon shared his knowledge of the open source tool, its many sub-projects, why and how it compares to tools like Masscan and Wireshark, his involvement in the Nmap project and more. Read an excerpt from Chapter 1 of Calderon’s book for tips on finding open ports with Nmap.

Editor’s note: This transcript has been edited for length and clarity.

Besides port scanning, what is Nmap commonly used for?

Paulino Calderon: Many IT people will use it at some point because it’s one of the most robust tools for diagnosing connectivity issues. System administrators and developers can use it to verify that services are working properly. Blue teams and system administrators will use it to perform vulnerability checks or to detect if random services are running under servers or if programs are listening for connections on a given computer or server. Fingerprinting is another common task that Nmap is used for.

Nmap is not a vulnerability scanner, but when a critical vulnerability surfaces and the Nmap developers know it could target many infrastructures, they try to incorporate a module to at least detect that vulnerability.

How does the tool being open source contribute to its effectiveness?

Calderon: Being open source is one of the most important aspects of Nmap. The project receives contributions from hundreds of developers around the world. The most important thing about this is related to signatures. Nmap has a version detection engine that identifies services running on targets. This engine is powered by a database of signatures; signatures in the database determine applications and protocols. While Nmap’s development team offers its own research and analysis to generate some of this data, the majority of signatures come from users. Nmap has a similar engine for detecting operating systems on a target, which works over IPv4 or IPv6. So there is a version detection engine and an operating system detection engine.

You are part of this contributor effort. How did you get involved with Nmap as a developer?

Cover image of the Nmap cookbook, published by Packt.

Calderon: Nmap has benefited a lot from a program called Google Summer of Code. Sponsored by Google, the company pays students at all levels (undergraduate, master’s or doctoral) to work on open source projects. Nmap has been part of the program for some time.

I started contributing to the project through Summer of Code. Then I did it full time for a while. I now work as a security consultant and am still active and managing a few Nmap projects. For example, I ported the SMB2 [Server Message Block 2] library, an important library in Windows systems. I also recently participated in the integration of certain modules for scanning medical equipment. I helped develop the DICOM [Digital Imaging and Communications in Medicine] library, a protocol for scanning medical imaging systems. We hope Nmap can scan all these devices and list when they are vulnerable.

Can you explain some of the components of Nmap?

Calderon: Summer of Code has helped create many new sub-projects in the Nmap family. These include:

  • Ndiff is a utility used to compare Nmap scans. As Nmap generates timestamps, traditional tools cannot always be used. Nmap needed something that would identify the differences between the two files without ignoring the timestamps generated.
  • Ncat is an enhanced version of the traditional Netcat, which established and performed connection troubleshooting. A major improvement of Ncat over Netcat is that the scripting engine can be run using the dynamic Lua programming language, which is very fast for development. With Netcat, you had to use different languages; with Ncat you can use a simple Lua script.
  • Zenmap is Nmap’s GUI – it’s good for those who like to work with a user interface. It has features like generating network diagrams and the ability to generate images. Zenmap also makes it easier to use Nmap. Nmap contains dozens of features – it can be a bit daunting. Zenmap has profiles with predefined flags and options, so you don’t have to memorize every Nmap feature and option.
  • Ncrack is a network authentication hacking tool for applications and protocols. It basically performs password brute force over the network.
  • Nping is a packet generator tool that allows you to graph ICMP [Internet Control Message Protocol] packets for different types of packets. It also has scripting options. One of the most useful things about Nping is that it’s cross-platform – it works the same on Windows and Linux and on any BSD [Berkeley Software Distribution] distribution.
  • Npcap, which has been in development for years, has just released its first official stable release. It is a driver that improves the way packets are read and transmitted.

How does Nmap compare to similar tools?

Calderon: Nmap is often compared to the Masscan IP port scanner. Nmap can do the same functions as Masscan and more, but you have to set it up and configure it correctly. Also, it is not designed to run at the speed of Masscan. It’s not because it can’t run at that speed, but because it’s trying to achieve a different goal. Nmap is not intended to be a fast scanner; it tries to be portable enough to run on most systems, keeping the executable to a relatively small size.

Nmap is also compared to other projects, such as Wireshark. Wireshark actually benefits from Nmap. For example, it uses Npcap in the background. Nessus also used Nmap until a few years ago. In fact, a bunch of vulnerability scanners run Nmap in the background to perform the reconnaissance phase. Nmap also has a custom license, so many commercial tools use its features.
