nmap is a port scanning utility created by fyodor (fyodor@dhs.org) using the Perl philosophy of There's More Than One Way To Do It (TWTOWTDI) .. it compiles/runs fairly easily on most all *nixes .. and has recently been ported to Windows NT by eEye (see: nmapNT).

features include:

vanilla TCP connect() scanning
TCP SYN (half open) scanning
TCP FIN, Xmas, or NULL (stealth) scanning
TCP ftp proxy (bounce attack) scanning
SYN/FIN scanning using IP fragments (bypasses some packet filters)
TCP ACK and Window scanning
UDP raw ICMP port unreachable scanning
ICMP scanning (ping-sweep)
TCP Ping scanning
direct (non portmapper) RPC scanning
remote OS identification by TCP/IP Fingerprinting
reverse-ident scanning


nmap is a tool that every system adminstrator should use unto themselves before someone else does the same unto them.

nmap's primary idea, like with all port scanners, is to find out what TCP/UDP ports are available on target host - in other words, what services target hosts are running. This can be used for good (seeing that you aren't running any unexpected stuff) or bad (seeing if someone else has l33t ports open).

(sKr1pT k1dd13z probably like this tool so much that there's even an output switch, -oS, to output results in l33tsp3ak...)

Why this tool is important?

It makes securing your machine much easier - it shows what your computer looks like from the host you run it on. Run it on localhost, see what services you have. Run it on another host outside your firewall, see what it looks like from there. It's an invaluable tool for making your firewall more secure.

nmap is my favorite because it can see stuff so clearly - it is the most feature-packed port scanner out there. It's also GPLed.

Here's an example that shows what my own home machine runs:

# nmap -sT xxx.xxx.xxx.xxx | less

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )

Interesting ports on xxxx.xxxx.xxxxxx.fi (xxx.xxx.xxx.xxx):
(The 1021 ports scanned but not shown below are in state: filtered)
(Also removed zillions of ports listed as "closed" =)
Port       State       Service
22/tcp     open        ssh                     
80/tcp     open        http
2001/tcp   open        dc
Nmap run completed -- 1 IP address (1 host up) scanned in 334 seconds

As indicated above, my own machine runs ssh server (so I can connect from elsewhere), a web server (for display of uncontrolled ugliness), and another server on port 2001 - which turns out to be Alicebot. (since then, I've limited SSH to certain addresses and closed alicebot...)

However, when I run nmap on my own machine, the results are quite different:

nighthowl:~$ nmap -sT localhost 

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on localhost (
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
80/tcp     open        http                    
119/tcp    open        nntp                    
631/tcp    open        cups                    
2001/tcp   open        dc                      
2002/tcp   open        globe                   
3128/tcp   open        squid-http              
6000/tcp   open        X11                     
8081/tcp   open        blackice-icecap         
8082/tcp   open        blackice-alerts         

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

So I have successfully closed

  • Postfix (It's only for local delivery and outgoing mail)
  • Noffle (I can only read my own cached copy of Usenet groups)
  • CUPS (Only I can print to my printer, no one else from the internet =)
  • Alicebot control port (Only I can shut her down)
  • Squid (so no one else can get to my web cache)
  • X11 (so only I can draw stuff to my screen...)
  • Freenet FProxy (Go set up your own node if you want to leech stuff from Freenet...)

using iptables - and believe me, without nmap, I would probably forget to do that.

I can heartily recommend this program to any Linux newbie. Point that to your own machine, get a nice long list of ports, and if the first thought that crosses your mind isn't "How the heck I close them all?", it should be.

It should be run periodically (preferrably always after installing something) from some other host, to see that you're not running any services you're unaware of.

(Surprisingly many Linux setups still have sun rpc stuff open by default...)

In closing, I'd like to say that some other security tools complement nmap nicely: Nessus is good for finding out if you have Really Common Vulnerabilities in your system...

Log in or register to write something here or to contact authors.