Introduction

Nmap, or the Network Mapper, is a powerful command-line tool for diagnosing network problems, finding security vulnerabilities, and a host of other uses. Intricate knowledge of its use is crucial to systems administrators, but its many options and scanning methods can be daunting to even the most experienced of end users. nmapFE, or the nmap Front End, is a graphical interface for nmap that makes it easy to use even the most powerful aspects of the network mapper, and can be a life-saver when you run into networking problems.
Installation

NmapFE can most likely be installed using your package management software. For example, in Debian-based distributions, such as Ubuntu Linux, use the command:
sudo apt-get install nmapfe
For other distributions and platforms (including Windows!), I recommend checking out the nmap download site.
Interface and Usage

The interface for NmapFE is relatively straightforward; you enter the IP or URL of the “target” computer at the top, select your options, and the front end runs nmap in the background, showing you its output. At the bottom of the window is the command generated by the options selected in the front-end, which is great for those interested in learning how to control nmap from the command-line, when a graphical solution isn’t available.
Among the primary options available are scan type, which will be discussed later; scanned ports, in which you can select the “most important” ports for a fast scan (which will scan the ports used by the most commonly used services), all ports, or a specific range; and “Scan Extensions,” which will give you all sorts of extra information.
Operating System, Service, and Version Detection

If these options are selected in “Scan Extensions,” nmapFE will use the response “fingerprint” of the target computer to guess the operating system of the target, as well as its version, and the version of whatever services it detects. For example:
In this scan, you can see that nmap detected my ssh server, Apache server (running on a non-standard port), and correctly identified their versions. It was also able to determine the extensions running on Apache (PHP and Python).
Its attempt to determine my operating system was mostly successful. It correctly determined that I am running Linux, kernel version 2.6; however, it guessed 2.6.18 when I am in fact running 2.6.22; it got my architecture correct (x86), and my distribution correct — Ubuntu — but not the version of my distribution (it guessed Dapper, when I am running Gutsy). Note that it warns that OS detection is less reliable because I have no closed TCP ports (instead, they are in the filtered state, set by my router); even so, it did a very good job at figuring out my operating system and versions.
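The text output that nmapFE shows (the same format nmap prints on the command line) can be checked mechanically. As an added example, not code from the article or from nmap itself, the Python below parses a constructed sample of nmap's normal output modelled on the Linux scan above, flags services listening somewhere other than their usual port (like the Apache instance here), and reports whether the unlisted ports were "filtered", the condition behind the OS-detection warning; the version strings, addresses and the small expected-port map are made up for the example.

```python
import re

# Constructed sample of nmap "normal" output, modelled on the Linux host scan
# the article describes; version strings and addresses here are made up.
SAMPLE = """\
Interesting ports on 192.168.1.10:
Not shown: 1695 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3p2 (protocol 2.0)
8080/tcp open  http    Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3 mod_python/3.3.1)
MAC Address: 00:11:22:33:44:55 (Dell)
OS details: Linux 2.6.18 (Ubuntu Dapper)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
EXPECTED_PORT = {"ssh": 22, "http": 80, "https": 443, "smtp": 25}  # usual listening ports (constructed map)

def parse_nmap(text):
    """Summarise one host's normal-format nmap output as a dict."""
    result = {"ports": [], "not_shown": None, "os": None,
              "mac": None, "vendor": None, "os_unreliable": False}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # one "PORT STATE SERVICE VERSION" row
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version})
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # state of the ports nmap did not list ("filtered" = probes dropped in the path)
            result["not_shown"] = (int(m.group(1)), m.group(2))
        elif line.startswith("OS details: "):
            result["os"] = line[len("OS details: "):]
        elif line.startswith("MAC Address: "):
            mac, _, vendor = line[len("MAC Address: "):].partition(" ")
            result["mac"], result["vendor"] = mac, vendor.strip("()")
        elif line.startswith("Warning: OSScan results may be unreliable"):
            result["os_unreliable"] = True
    return result

def unexpected_ports(result):
    """Open ports where a known service listens somewhere other than its usual port."""
    return sorted(p["port"] for p in result["ports"] if p["state"] == "open"
                  and EXPECTED_PORT.get(p["service"], p["port"]) != p["port"])

def behind_filter(result):
    """True when the unlisted ports were 'filtered': a router or firewall sits in the path."""
    return result["not_shown"] is not None and result["not_shown"][1] == "filtered"
```

Run against a real scan by saving nmap's output to a file and passing its contents to parse_nmap; a host that answers "closed" for unlisted ports (like the Windows machine in the next section) makes behind_filter return False.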
A Sample Windows Scan

Next I ran a scan against a Windows machine on my local network. The results are as follows:
You can see here that, because my router is not in the way, the ports not listed are in the state of “closed” rather than “filtered.” It is able to precisely identify the operating system (Windows 2000), including the service pack (SP4); furthermore, nmap correctly determined that it is a Dell computer, based upon the Ethernet card’s MAC address.
Scan Types and Other Options

Both of the above scans were performed using the default “SYN Stealth Scan,” which should be sufficient for most users in most situations. It is relatively fast, especially when run inside a local network, and will uncover most relevant information. However, the list of available scan types is extensive:
Explaining them all here would be both outside the realm of this article, and far outside the realm of my understanding. I will note that the ACK Stealth Scan can be useful when you have a firewall issue, as it can return more information about the target’s ruleset than the default scan. However, I highly recommend that for more information on this topic, you defer to the more knowledgeable folks who’ve written the documentation on nmap’s port scanning techniques.
Other options that can be set using the nmapFE interface are DNS resolution, decoy sources (if, perhaps, you are doing something naughty), and selection of devices (if you have multiple connections, such as wired and wireless). You can also set time delays, so as not to raise suspicions or be considered rude by scanning too many ports, or too many hosts, too quickly.
A Word on Ethics

While it is true that tools such as nmap/nmapFE can be (and are) used maliciously, the overwhelming majority of users of these programs do so to solve problems, rather than create them. Software tools are just like any other tools – they can be used both for good and for evil. It’s important to understand how to use them properly, and to use them responsibly. There is a world of difference between using tools such as these to figure out why your Apache server isn’t accessible to the outside world, and using them to find security holes on other people’s computers.