Install Nmap Network Scanner on Rocky Linux 8

Nmap, also known as Network Mapper, is a free, open-source tool that network administrators use for network discovery and to scan for vulnerabilities within their network.

Nmap finds devices running on a network and discovers open ports and services that, if not secured or hardened, can let attackers exploit known vulnerabilities.

In the following tutorial, you will learn how to install Nmap and cover its basic use on Rocky Linux 8 Workstation or Server.

Update Rocky Linux System

Update your Rocky Linux operating system to ensure all existing packages are up to date.

sudo dnf upgrade --refresh -y

Install Nmap

By default, Nmap is available in Rocky Linux's repository. To begin the installation, execute the following command.

sudo dnf install nmap

Type Y, then press the ENTER KEY to proceed with the installation.

Next, verify the installation by checking the version and build.

nmap --version

How to Use the Nmap Scanner

This introduction covers some of the most commonly used Nmap actions: running Nmap against a target IP address or domain name with various additional flags.

Warning! Do not initiate scans without the permission of the host. If you do not care, that is fine. Still, you may face consequences depending on your country's laws and, possibly to a lesser extent, your ISP could cancel your account for malicious activity or your IP address could be blacklisted, which can cause further issues.

This is designed for security testing your properties and services, not for hacking.

Nmap Port States Definitions

Before you begin, you should know what the port states mean when using the Nmap port scanner.

  • closed – the target port is reachable, but no application is listening or accepting.
  • open – the target port is accepting either TCP, UDP or SCTP.
  • filtered – Nmap cannot determine whether the target port is open or closed due to packet filtering.
  • unfiltered – the port is reachable, but Nmap cannot determine if it is open or closed.
  • closed|filtered – Nmap reached the target but cannot determine if the port is open or closed.
  • open|filtered – Nmap cannot determine if a port is open or filtered.

Scan Host

A host scan can be internal or external. Installing Nmap on your server is an excellent way to sweep for any open local ports that need locking down to further increase your system's security.

The first example uses an IP address.

Example:

nmap [IP address] or [website address]

Or, to scan internally, use the following.

Example:

nmap localhost

To perform a scan quickly, you can use the -F flag.

Example:

nmap -F [IP address] or [website address]

To scan several specific hosts in one run, list them separated by spaces.

Example:

nmap [IP address] [IP address] [IP address]

Alternatively, you can scan the entire subnet if known.

Example:

nmap [IP address]/24
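
As an added example (not part of the original tutorial), the script below turns the localhost sweep from this section into a repeatable check: it parses Nmap's grepable output (the -oG option) and reports ports in the open or open|filtered state that are not on an allow-list. The function names, the allow-list and the sample scan are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag open ports that are not on an allow-list, using Nmap's
# grepable output. On a real host, feed it with:  nmap -oG - localhost

# Constructed sample of `nmap -oG -` output (not captured from a real scan).
sample_scan() {
  printf '# Nmap 7.80 scan initiated as: nmap -oG - localhost\n'
  printf 'Host: 127.0.0.1 (localhost)\tStatus: Up\n'
  printf 'Host: 127.0.0.1 (localhost)\tPorts: %s\tIgnored State: closed (995)\n' \
    '22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 631/filtered/tcp//ipp///, 3306/open/tcp//mysql///, 5353/open|filtered/udp//zeroconf///'
}

# list_ports: read grepable output on stdin, print "host port/proto state service".
# Each Ports entry has the form port/state/protocol/owner/service/rpcinfo/version/.
list_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          print host, f[1] "/" f[3], f[2], f[5]
        }
      }
    }'
}

# unexpected_open ALLOWED...: print ports that are open (or possibly open) and
# missing from the allow-list given as arguments, e.g. 22/tcp 443/tcp.
unexpected_open() {
  _allowed=" $* "
  list_ports | while read -r host port state service; do
    case "$state" in
      open|'open|filtered') ;;   # closed and filtered ports are skipped
      *) continue ;;
    esac
    case "$_allowed" in
      *" $port "*) ;;            # expected service, e.g. SSH
      *) echo "$host $port $state ${service:-unknown}" ;;
    esac
  done
}

# Only SSH is expected on this constructed host.
sample_scan | unexpected_open 22/tcp
```

To audit a real machine, replace the last line with `nmap -oG - localhost | unexpected_open 22/tcp` and extend the allow-list with the services you intend to expose.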

Operating System Scan

Initiate an operating system scan, which instructs Nmap to try to work out what operating system is running on the target system. If the target is locked down and its ports are filtered or closed, the results will range from unreliable to downright useless, which is a good result for the system being scanned. OS detection requires root privileges, so run it with sudo.

Example:

sudo nmap -O --osscan-guess [IP address] or [website address]

Port Specification and Scan Order

A custom port scan is useful for checking specific ports that are not covered by the top 1000 common ports for each protocol. This is done by adding the -p flag.

Example:

nmap -p 80,443,8080,9090 [IP address] or [website address]

Services Scan

Initiate a services scan, which instructs Nmap to check what services are being run on the target by investigating the open ports. Some commonly used ports will not return much information, but services known to use specific, uncommonly shared ports will show far better results if they are open.

Example:

nmap -sV [IP address] or [website address]

TCP SYN Scan

Initiate a TCP SYN scan (SYN/Connect()/ACK/Window/Maimon). This type of scan is often referred to as a half-open scan because the connection is never fully completed. This method is also used for DDoS, but on a large scale with botnets. A SYN scan requires root privileges, so run it with sudo.

Example:

sudo nmap -sS [IP address] or [website address]

Nmap Help

Overall, Nmap has many features and combinations. To learn more about them, use the following command to list the commands and optional flags that can be used with your scans.

nmap --help

Example output:

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Remove (Uninstall) Nmap

To remove Nmap from your system, use the following command.

sudo dnf remove nmap

Comments and Conclusion

In the tutorial, you have learned how to install Nmap and check your Rocky Linux 8 Workstation or Server for various open ports and services. Nmap is a tool to use straight away on any server to check precisely what is open and running, and it shows results immediately when scanning localhost.

Before locking off ports, if you discover any open, be sure to research the service and port that is open and what it does. For example, do not block the SSH port and lock yourself out of the ability to SSH into your server.


