Nmap use cases, tools and product comparisons

Nmap is one of the most well-known tools among the infosec community. "Some call it the Swiss Army knife for hacking," said Paulino Calderon, author and co-founder of Websec Mexico.

At almost 25 years old, the network discovery and security auditing tool has come a long way since its inception. What was designed for network reconnaissance and port scanning has evolved to include a slew of subprojects, including Ndiff, Ncat and Zenmap.

In his latest book, Nmap Network Exploration and Security Auditing Cookbook, Third Edition, Calderon offers insights into the tool and its use cases -- real-world tips he learned by not only using the tool in his everyday work, but also as a developer with the project since 2011.

The book is not a manual, Calderon warned. "Don't see it as competition for the official documentation," he said, explaining that topics such as Nmap discovery, services and scanning are well documented in the official book. Instead, Calderon focused on sharing his personal experiences in the book, providing readers with advice he learned along the way. "If it helped me at some point, I know it will help other people," he said.

Here, Calderon shared knowledge on the open source tool, its many subprojects, why and how it compares to tools such as Masscan and Wireshark, his involvement in the Nmap project and more. Read an excerpt of Chapter 1 of Calderon's book to get tips for scanning for open ports with Nmap.

Editor's note: This transcript has been edited for length and clarity.

In addition to port scanning, what is Nmap commonly used for?

Paulino Calderon

Paulino Calderon: A lot of people in IT will use it at some point because it's one of the most robust tools out there to diagnose connectivity problems. Systems administrators and developers may use it to check that services are running properly. Blue teams and sys admins will use it to run vulnerability checks or to detect whether random services are running under servers or if programs are listening to connections on a given computer or server. Fingerprinting is another common task Nmap is used for.

Nmap is not a vulnerability scanner, but when a critical vulnerability surfaces and Nmap developers know it could target a lot of infrastructure, they try to incorporate a module to at least detect that vulnerability.

How does the tool being open source help its efficacy?

Calderon: Being open source is one of the most important aspects of Nmap. The project receives contributions from hundreds of developers around the world. The most important thing about this is related to signatures. Nmap has a version detection engine that identifies services running on targets. That engine is powered by a database of signatures; the signatures in the database determine applications and protocols. While Nmap's development team comes up with its own research and scans to generate some of this data, the majority of signatures come from users. Nmap has a similar engine for detecting OSes on a target, which works over IPv4 or IPv6. So, there's a version detection engine and an OS detection engine.

You're part of that contributor effort. How have you been involved in Nmap as a developer?

Learn more about Calderon's
Nmap cookbook, published
by Packt.

Calderon: Nmap has benefited a lot from a program called Google Summer of Code. Sponsored by Google, the company pays students of any level -- undergrad, master's or Ph.D. -- to work on open source projects. Nmap has been part of the program for quite some time.

I started contributing to the project through Summer of Code. Then, I did it full time for a while. I work as a security consultant now and am still active and managing a few Nmap projects. For example, I ported the SMB2 [Server Message Block 2] library, an important library in Windows systems. I also recently helped incorporate some modules to scan medical equipment. I helped grow the DICOM [Digital Imaging and Communications in Medicine] library -- a protocol for scanning medical imaging systems. We're hoping to get Nmap to be able to scan all those devices and list when they're vulnerable.

Can you explain some of the components of Nmap?

Calderon: Summer of Code helped create a lot of new subprojects in the Nmap family. These include:

• Ndiff is a utility used to compare Nmap scans. Because Nmap generates timestamps, traditional tools can't always be used. Nmap needed something that would identify the differences between the two files without ignoring the timestamps that are generated.
• Ncat is an improved version of the traditional Netcat, which established and conducted connection troubleshooting. One major improvement of Ncat over Netcat is the scripting engine can be run using the dynamic programming language Lua, which is very rapid for development. With Netcat, you had to pipe with different languages; with Ncat, you can use a simple Lua script.
• Zenmap is the GUI for Nmap -- it's good for those who like to work with a UI. It has features such as generating network diagrams and the ability to generate images. Zenmap also makes Nmap easier to use. Nmap contains dozens of features -- it can be a bit intimidating. Zenmap has profiles with predefined flags and options, so you don't have to memorize each and every Nmap feature and option.
• Ncrack is a network authentication cracker tool for applications and protocols. It basically performs password brute forcing over the network.
• Nping is a packet generator tool that allows you to graph ICMP [Internet Control Message Protocol] packets for different types of packets. It also has scripting options. One of the most useful things about Nping is that it is cross-platform -- it works the same on Windows and Linux and any BSD [Berkeley Software Distribution] distribution.
• Npcap, which has been in development for years, just had its first official stable version released. It is a driver that improves how packets get read and transmitted.

How does Nmap stack up against similar tools?

Calderon: Nmap is often compared to the Masscan IP port scanner. Nmap can do the same functions as Masscan and more, but you need to tune and configure it properly. Plus, it's not designed to work at Masscan's speed. It's not because it cannot work at that speed, but it is trying to achieve a different objective. Nmap is not about being a fast scanner; it's trying to be portable to run most systems, keeping the executable in a relatively small size.

Nmap is also compared to other projects, such as Wireshark. Wireshark actually benefits from Nmap. For example, it uses Npcap in the background. Nessus also used Nmap until a few years ago. In fact, a bunch of vulnerability scanners run Nmap in the background to do the reconnaissance phase. Nmap also has a custom license, so a lot of commercial tools use its functionality.