Nmap is typically used to scan corporate networks and conduct security audits, but it can also reveal useful information about your home systems and gadgets.

Nmap is my favorite tool when it comes to security testing. Gordon Lyon, aka Fyodor, released the first version of Nmap in 1997. The "network mapper" has long been used on corporate networks to gather data on servers and desktop computers. It reports which systems are up and which services they expose (that is, which ports are open), and with its scripting engine it can also help spot vulnerable or malicious software. Because a scan is cheap to repeat, Nmap makes it simple to notice new systems and changes on a network. Common uses include:

Host discovery — probing a range of IP addresses and reporting which systems respond
Port scanning — listing the ports, and therefore the services, that are reachable
Version detection — identifying the application and version behind each open port
OS detection — identifying the operating system and some hardware characteristics

Sysadmins have been installing nmap on Linux for more than 20 years, and since its initial 1997 release it has also been ported to Windows, macOS and the other Unix variants. It is a free and open-source security scanner that is widely regarded as a standard security tool, and it is routinely used in corporate settings to gather system information and assess exposure.

But here is a suggestion. What would you expect to find if you ran the tool at home? The results may be more interesting than you anticipate. Even if you have only one to three computers, what about your router, phones, tablets and other devices? What can be learned about them? Let's take a quick look and find out.

The fastest nmap scan is one that does host discovery only: the -sn option tells nmap to skip port scanning and simply report which addresses in the range respond. When run as root on a local Ethernet segment, nmap discovers hosts with ARP requests, so even devices that ignore ping show up (and nmap prints each one's MAC address and vendor); run unprivileged, it falls back to TCP connect() attempts to ports 80 and 443. Here's an example:

$ nmap -sn 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 09:57 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0063s latency).
Nmap scan report for 192.168.0.4
Host is up (0.0079s latency).
Nmap scan report for 192.168.0.6
Host is up (0.0079s latency).
Nmap scan report for 192.168.0.11
Host is up (0.0023s latency).
Nmap scan report for 192.168.0.13
Host is up (0.00048s latency).
Nmap scan report for butterfly (192.168.0.16)
Host is up (0.000063s latency).
Nmap scan report for 192.168.0.21
Host is up (0.055s latency).
Nmap scan report for 192.168.0.23
Host is up (0.075s latency).
Nmap scan report for 192.168.0.28
Host is up (0.0023s latency).
Nmap scan report for 192.168.0.29
Host is up (0.021s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 4.28 seconds

If you want only the list of addresses, filter the output like this (note that awk prints the address in parentheses for hosts whose name was resolved, since the name occupies the field before it):

$ nmap -sn 192.168.0.0/24 | grep report | awk '{print $NF}'

(192.168.0.1)
192.168.0.4
(192.168.0.6)
192.168.0.11
192.168.0.13
192.168.0.16
192.168.0.21
192.168.0.23
192.168.0.27
192.168.0.28
192.168.0.29

Only two systems show host names in this scan: butterfly, the system running the scan, and _gateway, the name given to the router. Most of the systems you probe (and possibly the scanning system itself) get their addresses from DHCP, so the addresses may change between scans, but you can still build a general picture of what is on the network. Let's run one more probe.
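
The awk one-liner above leaves the parentheses on addresses whose names resolved, which makes its output awkward to feed into a second scan. The shell script below is an added example, not code from the original article: it parses the normal output of an nmap -sn scan into bare addresses and, when the scan was run as root on the local segment (so nmap printed MAC Address lines), into a small ip/hostname/vendor inventory, which is usually the quickest way to tell a printer from a phone. The sample scan output embedded in it is constructed to mirror the scan above; the MAC addresses and vendor names in it are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article. Parses the "normal"
# output of an nmap -sn scan (read from stdin) into bare addresses and a
# small inventory. The sample data below is constructed; its MAC addresses
# and vendor names are made up.

# One IP per line, parentheses stripped whether or not a hostname was resolved.
nmap_ips() {
    awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Inventory lines of the form "ip<TAB>hostname<TAB>vendor". nmap prints a
# "MAC Address:" line after a host only when run as root on the local Ethernet
# segment (discovery is done with ARP there), so vendor is "-" otherwise.
nmap_inventory() {
    awk '
    /^Nmap scan report for/ {
        if (ip != "") print ip "\t" name "\t" vendor
        ip = $NF; gsub(/[()]/, "", ip)
        name = (NF == 6) ? $5 : "-"   # "Nmap scan report for NAME (IP)" has 6 fields
        vendor = "-"
    }
    /^MAC Address:/ {
        vendor = $0
        sub(/^MAC Address: [^ ]+ /, "", vendor)   # drop the address, keep "(Vendor)"
        gsub(/[()]/, "", vendor)
    }
    END { if (ip != "") print ip "\t" name "\t" vendor }'
}

# Live usage (needs nmap; not run here):
#   nmap -sn 192.168.0.0/24 | nmap_ips > hosts.txt
#   sudo nmap -sn 192.168.0.0/24 | nmap_inventory
#   nmap -sV -iL hosts.txt              # feed the bare list into a version scan

# Constructed sample modelled on the article's scan (MACs and vendors invented).
SAMPLE='Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 09:57 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0063s latency).
MAC Address: 00:11:22:33:44:55 (Broadcom)
Nmap scan report for 192.168.0.4
Host is up (0.0079s latency).
MAC Address: 00:11:22:33:44:66 (Netgear)
Nmap scan report for butterfly (192.168.0.16)
Host is up (0.000063s latency).
Nmap scan report for 192.168.0.27
Host is up (0.027s latency).
MAC Address: 00:11:22:33:44:77 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.28 seconds'

# Helpers that run the parsers over the sample (used by the checks below).
sample_ips()    { printf '%s\n' "$SAMPLE" | nmap_ips | tr '\n' ' '; }
sample_vendor() { printf '%s\n' "$SAMPLE" | nmap_inventory | awk -F'\t' -v h="$1" '$1 == h { print $3 }'; }
sample_name()   { printf '%s\n' "$SAMPLE" | nmap_inventory | awk -F'\t' -v h="$1" '$1 == h { print $2 }'; }

printf '%s\n' "$SAMPLE" | nmap_inventory
```

The scanning host never gets a MAC line (there is no ARP exchange with yourself), and a vendor of "Unknown" means the OUI prefix was not in nmap's table, which is common for phones using randomised MAC addresses.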

This probe drops the -sn option, so after discovery nmap runs its default port scan against each live host: the 1000 most commonly used TCP ports (a SYN scan when run as root, a TCP connect scan otherwise; UDP is not touched unless you add -sU). Keep in mind that the SERVICE column is a lookup of the port number in nmap's nmap-services table, not the result of talking to the service, so entries such as park-agent or trivnet1 are educated guesses; add -sV if you want nmap to identify the actual software and version behind a port.

$ nmap 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 10:43 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.012s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
5431/tcp open  park-agent

Nmap scan report for 192.168.0.4
Host is up (0.027s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
8200/tcp  open  trivnet1
20005/tcp open  btx

Nmap scan report for dragonfly (192.168.0.6)
Host is up (0.0084s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5800/tcp open  vnc-http
5900/tcp open  vnc

Nmap scan report for 192.168.0.11
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
8009/tcp open  ajp13
9080/tcp open  glrpc

Nmap scan report for 192.168.0.13
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
3333/tcp  open  dec-notes
49152/tcp open  unknown

Nmap scan report for butterfly (192.168.0.16)
Host is up (0.00034s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.0.27
Host is up (0.027s latency).
All 1000 scanned ports on 192.168.0.27 are closed

Nmap scan report for 192.168.0.28
Host is up (0.028s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
9100/tcp  open  jetdirect
9999/tcp  open  abyss
10002/tcp open  documentum

Nmap scan report for 192.168.0.29
Host is up (0.030s latency).
All 1000 scanned ports on 192.168.0.29 are closed

Nmap done: 256 IP addresses (8 hosts up) scanned in 14.94 seconds
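
Reading a scan like this, the question a security engineer asks is not just "what is open" but "which of these should not be reachable at all". The script below is an added example, not code from the original article, and its list of services to worry about is this editor's own judgement: it reads nmap's greppable output (nmap -oG - 192.168.0.0/24, the format meant for scripting rather than the human-readable output shown above) and flags open cleartext logins (ftp, telnet), remote desktops (vnc), unauthenticated print ports (lpd, jetdirect), SMB shares and the legacy echo service. The embedded sample is constructed from the ports reported above; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Reads nmap -oG output
# from stdin and prints "ip port/proto service reason" for each open service
# that a home router, NAS or printer should normally not expose. The risk
# list is this example's own; the sample below is constructed.

flag_risky() {
    awk '
    BEGIN {
        why["ftp"]          = "cleartext login"
        why["telnet"]       = "cleartext login, usually an admin shell"
        why["vnc"]          = "remote desktop, often weak or no password"
        why["vnc-http"]     = "remote desktop over plain http"
        why["printer"]      = "LPD print queue, no authentication"
        why["jetdirect"]    = "raw print port, no authentication"
        why["netbios-ssn"]  = "NetBIOS/SMB file sharing"
        why["microsoft-ds"] = "SMB file sharing"
        why["echo"]         = "legacy echo service, should be disabled"
    }
    /^Host:/ && /Ports:/ {
        ip = $2
        ports = substr($0, index($0, "Ports: ") + 7)
        sub(/\t.*$/, "", ports)                 # real -oG output separates fields with tabs
        sub(/ +Ignored State:.*$/, "", ports)   # the constructed sample uses spaces
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            # each entry is port/state/protocol/owner/service/rpcinfo/version
            split(entry[i], f, "/")
            if (f[2] == "open" && (f[5] in why))
                print ip, f[1] "/" f[3], f[5], why[f[5]]
        }
    }'
}

# Live usage (needs nmap; not run here):
#   nmap -oG - 192.168.0.0/24 | flag_risky
#   sudo nmap -sS -sV -oG - 192.168.0.0/24 | flag_risky   # with version detection

# Constructed sample built from the ports the scan above reported.
SAMPLE='# Nmap 7.60 scan initiated Tue Oct 23 10:43:00 2018 as: nmap -oG - 192.168.0.0/24
Host: 192.168.0.1 (_gateway)  Status: Up
Host: 192.168.0.1 (_gateway)  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 5431/open/tcp//park-agent///  Ignored State: closed (992)
Host: 192.168.0.6 (dragonfly)  Ports: 80/open/tcp//http///, 443/open/tcp//https///, 5800/open/tcp//vnc-http///, 5900/open/tcp//vnc///  Ignored State: filtered (996)
Host: 192.168.0.16 (butterfly)  Ports: 22/open/tcp//ssh///  Ignored State: closed (999)
Host: 192.168.0.28 ()  Ports: 7/open/tcp//echo///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///  Ignored State: closed (994)
# Nmap done at Tue Oct 23 10:43:15 2018 -- 256 IP addresses (5 hosts up) scanned in 14.94 seconds'

# Helpers that run the check over the sample (used by the checks below).
risky_count() { printf '%s\n' "$SAMPLE" | flag_risky | wc -l | tr -d ' '; }
risky_for()   { printf '%s\n' "$SAMPLE" | flag_risky | awk -v h="$1" '$1 == h { print $3 }' | tr '\n' ' '; }

printf '%s\n' "$SAMPLE" | flag_risky
```

ssh is deliberately not on the list: it is encrypted and authenticated, and on this network it is the one management service worth keeping. The router's ftp and telnet, by contrast, carry the root password across the LAN in the clear, and the printer's raw port 9100 will accept a print job from anyone who can reach it.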

In this case the main router offers a web interface that, on inspection, displays configuration details, and a telnet service that accepts a number of commands. Both require a login, and note that telnet sends that login, and everything after it, across the network in cleartext; on a device whose telnet account is root, that is a service worth disabling in favour of the web interface (over HTTPS) or SSH if the firmware offers them.

$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
BCM963268 Broadband Router
Login: root
Password:
?
help
logout
exit
quit
reboot
adsl
xdslctl
xdslctl0
xdslctl1
xtm
loglevel
logdest
virtualserver
ddns
dumpcfg
dumpmdm
meminfo
psp
dumpsysinfo
dnsproxy
syslog
ifconfig
ping
sntp
sysinfo
tftp
wlan
defpskkey
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
nslookup
traceroute
save
uptime
exitOnIdle
wan
build
version
serialnumber
modelname
tr69cfg
save_default
acccntr
sysuptime
dsluptime
ethwanuptime
snmpsnat
dhcp6sinfo
ipneigh
nat
mcpctl

And yes, once logged in you can run the listed commands to query the device:

> uptime
7D 22H 34M 48S
 > version
WA31-412CTU-C05_R01.A2pvbF039q.d26b
 > modelname
Model Name : NexusLink 3112u
 > quit

Bye bye. Have a nice day!!!
Connection closed by foreign host.

It turns out that the system at 192.168.0.4 is a Netgear device that offers a web interface. Once again you need a login name and password to get past the front page, but, as with the router, our network devices are much chattier than you might have thought. How much information you can obtain from them depends on whether you have the login credentials.

It turned out that the addresses 192.168.0.27 and 192.168.0.29 belonged to my mobile devices. Yes, I do have two of them. I also have an Ncell phone that works when the NTC phone doesn't, because I live in one of the few areas where NTC coverage is weak. You can see that both phones were detected by my scan. Although they don't offer any of the standard network services, they do respond to ping requests.

When I pointed my browser at 192.168.0.11:9080 (the glrpc port), it displayed "status=ok." It's possible that this thing is one of my network extenders, but I'll try to be more specific.

The address 192.168.0.28 belongs to my dad's printer. My nmap report showed that port 80 was open, so I connected to it with a browser. This brought up a helpful status page showing that the printer was "ready" and that each of its four toner cartridges still had some capacity.

Thanks to my browser and the command line on my Linux system, I now have a better understanding of all the devices on my home network and how to talk to them when I want to know more about what they're doing :)


Happy hacking!