There’s nothing quite like getting spotted anywhere near a public network using Nmap. At my local makerspace I was once spotted and had to immediately show everyone in the room the router I was connected to before they started throwing things. Nmap is one of the first things you will learn in Linux networking, so why not start with a quick tutorial on some of the basics?
This tutorial will scan a local network, and since most routers default to an IP range of 192.168.1.1 – 192.168.1.254, we’ll use that as our example. If your network’s IP range is different, use it in place of the example addresses used here.
Simplest scan:
nmap 192.168.1.1/24
This is the default scan, and it will take a bit of time. In my home scan, it took 50.86 seconds. The scan pings each potential host in the range to check whether a host is there. If one responds, it sweeps all the potential ports on that host. With this data, we can get a pretty good idea of what’s going on.
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0018s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts

Nmap scan report for 192.168.1.8
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
8008/tcp  open  http
8009/tcp  open  ajp13
8443/tcp  open  https-alt
9000/tcp  open  cslistener
10001/tcp open  scp-config

Nmap scan report for 192.168.1.10
Host is up (0.021s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect

Nmap scan report for 192.168.1.14
Host is up (0.021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 50.86 seconds
On this scan we found 4 hosts, 3 of which have some open ports that tell us a bit about the devices we found.
The first host at 192.168.1.1 has HTTP and HTTPS ports open along with UPnP. Many times the first IP address is the router, so we will assume that for now.
192.168.1.8 has 5 ports open, including one that is commonly used for HTTP. It’s hard to tell what it is from the other information we got here, though.
The next host, with an IP of 192.168.1.10, also has ports 80 and 443 open, along with ports typically used by printers.
192.168.1.14 responded and gave us a potentially open SSH port.
Let’s see if we can learn more about 192.168.1.8. We will run Nmap with the ‘-A’ flag to see what we can learn about the OS:
nmap -A 192.168.1.8
which returns:
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-01 13:56 CST
Stats: 0:03:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.50% done; ETC: 14:00 (0:00:03 remaining)
Nmap scan report for 192.168.0.8
Host is up (0.0058s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE         VERSION
8008/tcp  open  http?
|_http-title: Site doesn't have a title (text/html).
8009/tcp  open  ssl/castv2      Ninja Sphere Chromecast driver
|_ajp-methods: Failed to get a valid response for the OPTION request
| ssl-cert: Subject: commonName=39866c38-5c85-60d4-fb33-f19f7735d94e
| Not valid before: 2022-01-31T20:40:02
|_Not valid after:  2022-02-02T20:40:02
|_ssl-date: 2022-02-01T19:58:57+00:00; 0s from scanner time.
8443/tcp  open  ssl/https-alt?
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=ADV5YGB FA8FCA8A4A74/organizationName=Google Inc/stateOrProvinceName=California/countryName=US
| Not valid before: 2019-03-05T08:00:00
|_Not valid after:  2040-05-12T12:33:48
9000/tcp  open  ssl/cslistener?
10001/tcp open  ssl/scp-config?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 242.01 seconds
This scan takes some time. In this case it took 242.01 seconds, but we’ve potentially learned a lot about the device. Port 8008, which can be an HTTP port for serving websites, had a script run against it to see if it returns a website. It didn’t, so we can assume it’s not meant to be a (public) web server. Port 8009 returned the interesting data: a “Ninja Sphere Chromecast driver”. This seems to be a Chromecast device.
Scans like this can give you a much better idea of what devices are on your network, and can allow for some really interesting automations. We can alert ourselves when devices connect to the network that we don’t recognize, or automate home functions based on when certain devices connect to the network (like phones). Both of which we will be getting into with future tutorials.
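As a first step toward that kind of alerting, here is a small Python script that reads the normal Nmap report format shown in the scans above (the “Nmap scan report for …” blocks, the PORT/STATE/SERVICE/VERSION table, and the “|”-prefixed NSE script lines from the -A scan) into a per-host inventory, then lists hosts that are not on a known-device list and ports that are open now but were not in an earlier scan. This is an added example for this post, not Nmap’s own code; the two sample reports in it are constructed text that follows the layout above (their hosts, services and version strings are made up), and KNOWN_DEVICES is an assumed inventory you would keep yourself.

```python
"""Parse Nmap's normal report into a per-host inventory, then flag hosts that
are not on a known-device list and ports that opened since an earlier scan.

Added example for this tutorial, not Nmap's own code. The SAMPLE_* strings are
constructed text modelled on the report layout in the post (hosts, services and
version strings are made up); KNOWN_DEVICES is an assumed inventory of your own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Nmap scan report for _gateway (192.168.1.1)" or "Nmap scan report for 192.168.1.14"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?"
                     r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "8009/tcp open ssl/castv2 Ninja Sphere Chromecast driver"; the VERSION column is optional
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)"
                     r"\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")

SAMPLE_BASELINE = """\
Nmap scan report for _gateway (192.168.1.1)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 256 IP addresses (1 host up) scanned in 45.02 seconds
"""

SAMPLE_TODAY = """\
Nmap scan report for _gateway (192.168.1.1)
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap

Nmap scan report for 192.168.1.42
PORT     STATE SERVICE    VERSION
8009/tcp open  ssl/castv2 Ninja Sphere Chromecast driver
| ssl-cert: Subject: commonName=example-device
|_Not valid after: 2022-02-09T00:00:00
8443/tcp open  ssl/https-alt?
|_http-title: Site doesn't have a title (text/html).
Nmap done: 256 IP addresses (2 hosts up) scanned in 51.30 seconds
"""

# Assumed inventory: IP -> what you know lives there.
KNOWN_DEVICES: Dict[str, str] = {"192.168.1.1": "router", "192.168.1.14": "workbench laptop"}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_output: List[str] = field(default_factory=list)  # NSE lines ("| ..." / "|_...")


@dataclass
class Host:
    ip: str
    name: Optional[str]
    ports: List[Port] = field(default_factory=list)

    def open_ports(self) -> List[Port]:
        return [p for p in self.ports if p.state == "open"]


def parse_nmap_output(text: str) -> List[Host]:
    """A 'scan report' line starts a host, a port line adds a Port, and NSE
    script lines ('| ...' / '|_...') attach to the port above them."""
    hosts: List[Host] = []
    host: Optional[Host] = None
    port: Optional[Port] = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := HOST_RE.match(line):
            host, port = Host(ip=m["ip"], name=m["name"]), None
            hosts.append(host)
        elif host is None:
            continue  # banner text before the first host
        elif m := PORT_RE.match(line):
            port = Port(int(m["port"]), m["proto"], m["state"], m["service"],
                        (m["version"] or "").strip())
            host.ports.append(port)
        elif line.startswith("|") and port is not None:
            port.script_output.append(line.lstrip("|_ "))
    return hosts


def unknown_hosts(hosts: List[Host], known: Dict[str, str]) -> List[Host]:
    """Hosts that answered the scan but are not in your inventory."""
    return [h for h in hosts if h.ip not in known]


def newly_open_ports(before: List[Host], after: List[Host]) -> List[str]:
    """'ip:port/proto' entries open now that were not open in the earlier scan
    (every open port on a brand-new host counts). Sorted numerically by IP, then port."""
    def open_set(hosts: List[Host]) -> set:
        return {f"{h.ip}:{p.number}/{p.proto}" for h in hosts for p in h.open_ports()}
    return sorted(open_set(after) - open_set(before),
                  key=lambda s: tuple(int(n) for n in re.findall(r"\d+", s)))


if __name__ == "__main__":
    today = parse_nmap_output(SAMPLE_TODAY)
    for h in unknown_hosts(today, KNOWN_DEVICES):
        print(f"unknown device {h.ip}: {[p.service for p in h.open_ports()]}")
    print("newly open:", newly_open_ports(parse_nmap_output(SAMPLE_BASELINE), today))
```

In practice you would save each scan with nmap’s -oN option and feed yesterday’s and today’s files to parse_nmap_output in place of the sample strings; anything returned by unknown_hosts or newly_open_ports is what you would want to be told about. Note that the parser only understands the default report layout, so run your periodic scan with the same options each time.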
Till then, I hope this tutorial was helpful, and if you have any questions or comments at all, be sure to add them in the comment section below!