How to Install Nmap on Debian 11 Bullseye

Nmap, also known as Network Mapper, is a free, open-source tool used by network administrators for network discovery and for auditing their own networks for security weaknesses.

Nmap finds the devices on a network and discovers their open ports and services. If those services are not secured or hardened, they give attackers an avenue to exploit known vulnerabilities.

In the following tutorial, you will learn how to install Nmap on Debian 11 Bullseye and how to use it for basic scans.

Install Nmap

By default, Nmap is available in the Debian 11 repositories, so no extra package sources are needed. To begin the installation, execute the following command.

sudo apt install nmap


Type Y, then press the ENTER KEY to proceed with the installation.

Next, verify the installation by checking the version and build.

nmap --version


How to Use the Nmap Scanner

This introduction to the Nmap scanner covers some of the most commonly used actions. Every Nmap scan follows the same pattern: the nmap command, the target IP address or hostname, and optional flags that select the scan type and what to report.

Warning! Do not scan hosts you do not own or do not have explicit permission to test. Depending on your country's laws you may face legal consequences, and, to a lesser extent, your ISP may cancel your account for malicious activity or your IP address may end up on blocklists, which causes further problems.

This is designed for security testing your own properties and services, not for hacking.

Nmap Port States Definitions

First, before you begin, you should know what the port states that Nmap reports in the terminal mean.

  • closed – the target port is reachable (it answers Nmap's probes), but no application is listening on it.
  • open – an application is actively accepting TCP connections, UDP datagrams or SCTP associations on the port.
  • filtered – packet filtering (a firewall, router rule or host-based filter) stops Nmap's probes from reaching the port, so Nmap cannot determine whether it is open or closed.
  • unfiltered – the port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) produces this state.
  • closed|filtered – Nmap cannot determine whether the port is closed or filtered. Only the IP ID idle scan (-sI) produces this state.
  • open|filtered – Nmap cannot determine whether the port is open or filtered, which happens with scan types where open ports give no response (UDP, FIN, NULL and Xmas scans, for example).

Scan Host

Scanning a single host, whether internal or external, is the most basic use. Installing Nmap on your own server and sweeping it for open local ports is a good way to find services that need locking down to further harden the system.

The first example uses an IP address or hostname as the target.

Example:

sudo nmap [IP address] or [website address]

Or, to scan the local machine itself, use the following.

Example:

sudo nmap localhost


To perform a faster scan that checks fewer ports (the 100 most common instead of the default 1000), use the -F flag.

Example:

sudo nmap -F [IP address] or [website address]

To scan several specific hosts in one run, list the targets separated by spaces.

Example:

sudo nmap [IP address] [IP address] [IP address]

Alternatively, you can scan the entire subnet if known.

Example:

sudo nmap [IP address]/24
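The sweep described in this section only pays off if you act on the results, and the port states listed above are what you act on. The following shell script is an added example, not part of the original tutorial: it parses Nmap's grepable output (the -oG format, which Nmap supports) and reports every open port that is not on an allowlist you define. The function names, the allowlist and the sample scan output are constructed for this example; the sample is not real output from any host.

```sh
#!/bin/sh
# Added example (not from the original tutorial): parse Nmap grepable (-oG)
# output and flag open ports that are not on an allowlist. Runs offline on a
# constructed sample; the real invocation is shown at the end.

# Print "host port/proto" for every port that Nmap reports as open.
# $1: the complete grepable (-oG) output as a single string.
open_ports_from_grepable() {
    printf '%s\n' "$1" | awk '
        /^Host:/ {
            host = $2
            n = index($0, "Ports: ")
            if (n == 0) next                       # host line without a port list
            ports = substr($0, n + 7)              # text after "Ports: "
            sub(/[[:space:]]*Ignored State:.*$/, "", ports)
            m = split(ports, entry, ", *")
            for (i = 1; i <= m; i++) {
                # Each entry is port/state/protocol/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }'
}

# Print the open ports that are NOT in the allowlist.
# $1: grepable output string; $2: space-separated allowlist, e.g. "22/tcp 443/tcp".
unexpected_open_ports() {
    open_ports_from_grepable "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}

# Constructed sample in -oG format (not real scan output); fields are tab-separated.
SAMPLE_GREPABLE=$(printf '%s\n' \
  '# Nmap 7.91 scan initiated (constructed sample)' \
  "$(printf 'Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 631/filtered/tcp//ipp///\tIgnored State: closed (996)')" \
  "$(printf 'Host: 192.168.1.10 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)')" \
  '# Nmap done (constructed sample)')

# Only SSH and HTTP are expected; anything else open is flagged for review.
unexpected_open_ports "$SAMPLE_GREPABLE" "22/tcp 80/tcp"

# Against a real host (needs nmap installed; as root this is a SYN scan,
# unprivileged it falls back to a connect scan):
#   unexpected_open_ports "$(sudo nmap -p- -oG - localhost)" "22/tcp"
```

Ports in the closed and filtered states are deliberately ignored: closed ports have nothing listening, and filtered ports are already blocked from the scanner's vantage point. Only ports reported as open and missing from the allowlist are printed, so an empty result means the host matches what you expect.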

Operating System Scan

An operating system scan (-O) instructs Nmap to fingerprint the target's TCP/IP stack and guess which operating system it runs. Because it sends raw packets, it requires root privileges, hence the sudo. It works best when the target has at least one open and one closed TCP port; if the target is locked down and its ports are filtered or closed, the result will range from unreliable to downright useless, which from the target owner's point of view is a good result.

Example:

sudo nmap -O --osscan-guess [IP address] or [website address]

Port Specification and Scan Order

Initiate a custom port scan with the -p flag. This is useful for checking specific ports that are not among the 1000 most common ports per protocol that Nmap scans by default. Ranges are accepted as well, for example -p 1-65535 (or simply -p-) to scan every TCP port.

Example:

sudo nmap -p 80,443,8080,9090 [IP address] or [website address]

Services Scan

A service scan (-sV) instructs Nmap to probe each open port and work out which service, and which version of it, is running there. Some services reveal little beyond their name, but services that return a descriptive banner, or that run on an uncommon port where the port number alone tells you nothing, yield far more useful results when they are open.

Example:

sudo nmap -sV [IP address] or [website address]

TCP SYN Scan

Initiate a TCP SYN scan (-sS). This is often called a half-open scan: Nmap sends a SYN, reads the SYN/ACK or RST reply to determine the port state, and then sends a RST instead of completing the handshake, so the connection is never fully established and many applications never see it. It is fast and relatively quiet, and it is Nmap's default scan type when run as root, so the sudo examples above already use it; an unprivileged user gets the full-connect scan (-sT) instead. Despite the similar name, a SYN scan is not a SYN flood: it sends one probe per port and does not try to exhaust the target's connection table.

Example:

sudo nmap -sS [IP address] or [website address]

Nmap Help

Overall, Nmap has many more features and flag combinations than are covered here. To learn about them, use the following command to print the built-in summary of scan types and options (no root privileges are needed for this).

nmap --help

Example output:

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

How to Remove (Uninstall) Nmap

To remove Nmap from your Debian 11 system, use the following command to remove the application.

sudo apt autoremove nmap --purge

Type Y, then press the ENTER KEY to proceed with the removal of Nmap.

Note, this will remove the unused dependencies that were also installed during the initial installation of Nmap.


Comments and Conclusion

In this tutorial, you have learned how to install Nmap and check your Debian 11 server for open ports and services. Nmap is a tool worth running straight away on any new server to see exactly what is listening; scanning localhost gives immediate results.

Before closing any open port you discover, research the service behind it and what it does, so that you do not, for example, block the SSH port and lock yourself out of your own server.
