While nmap is generally used to probe business networks and perform security reviews, the tool can also provide interesting details on your systems and devices at home. Credit: Netgear Nmap, the “network mapper,” has long been used on corporate networks to collect information on desktop systems and servers. The tool provides information on the systems and services that are running (i.e., open ports). It can also help identify rogue systems and vulnerabilities. Nmap makes it easy to detect changes, as well as new systems on the network. Typical uses include: Host discovery — probing by IP address and providing information on the systems that respond Port scanning — identifying services that are available for use Version detection — identifying applications and their versions OS detection — determining the operating system along with some hardware characteristics Sysadmins have been installing nmap on Linux for more than 20 years. Originally released in 1997, nmap has since become available for Windows and other Unix variants, as well. In fact, it’s considered a standard security tool and is a free and open-source security scanner. It’s typically used in corporate settings for collecting information on systems and doing security analysis. But here’s an interesting idea. What would you expect to find if you were to use the tool at home? The results might be far more interesting than you imagine. Even if you only have one to three home computers, what about your routers, cell phones, tablets, and other devices? What might you discover about them? What is discoverable? Let’s take a quick look and see. First, the quickest nmap scan uses a couple options to tell nmap that you only want a listing of IP addresses. Here’s an example: $ nmap -sn 192.168.0.0/24 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 09:57 EDT Nmap scan report for _gateway (192.168.0.1) Host is up (0.0063s latency). Nmap scan report for 192.168.0.4 Host is up (0.0079s latency). Nmap scan report for 192.168.0.6 Host is up (0.0079s latency). Nmap scan report for 192.168.0.11 Host is up (0.0023s latency). Nmap scan report for 192.168.0.13 Host is up (0.00048s latency). Nmap scan report for butterfly (192.168.0.16) Host is up (0.000063s latency). Nmap scan report for 192.168.0.21 Host is up (0.055s latency). Nmap scan report for 192.168.0.23 Host is up (0.075s latency). Nmap scan report for 192.168.0.28 Host is up (0.0023s latency). Nmap scan report for 192.168.0.29 Host is up (0.021s latency). Nmap done: 256 IP addresses (9 hosts up) scanned in 4.28 seconds And if you only want a list of IP addresses, you can modify that command to look like this: $ nmap -sn 192.168.0.0/24 | grep report | awk '{print $NF}' (192.168.0.1) 192.168.0.4 (192.168.0.6) 192.168.0.11 192.168.0.13 192.168.0.16 192.168.0.21 192.168.0.23 192.168.0.27 192.168.0.28 192.168.0.29 In this scan, we see that only two systems are displaying with host names — butterfly (the system on which the scan is being run) and _gateway (a name provided for the router). Most of the systems you end up probing will likely be using dynamically-assigned IP addresses (the local system might be as well), so you might see them changing, but you can get an idea what they are. Let’s try another probe. In this next probe, we’re going to skip the -sn qualifier and take a look at the services that are running on each of these systems to better understand what these systems are. $ nmap 192.168.0.0/24 Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 10:43 EDT Nmap scan report for _gateway (192.168.0.1) Host is up (0.012s latency). Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 5431/tcp open park-agent Nmap scan report for 192.168.0.4 Host is up (0.027s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 8200/tcp open trivnet1 20005/tcp open btx Nmap scan report for dragonfly (192.168.0.6) Host is up (0.0084s latency). Not shown: 996 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 5800/tcp open vnc-http 5900/tcp open vnc Nmap scan report for 192.168.0.11 Host is up (0.026s latency). Not shown: 998 closed ports PORT STATE SERVICE 8009/tcp open ajp13 9080/tcp open glrpc Nmap scan report for 192.168.0.13 Host is up (0.00060s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 3333/tcp open dec-notes 49152/tcp open unknown Nmap scan report for butterfly (192.168.0.16) Host is up (0.00034s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap scan report for 192.168.0.27 Host is up (0.027s latency). All 1000 scanned ports on 192.168.0.27 are closed Nmap scan report for 192.168.0.28 Host is up (0.028s latency). Not shown: 992 closed ports PORT STATE SERVICE 7/tcp open echo 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 515/tcp open printer 9100/tcp open jetdirect 9999/tcp open abyss 10002/tcp open documentum Nmap scan report for 192.168.0.29 Host is up (0.030s latency). All 1000 scanned ports on 192.168.0.29 are closed Nmap done: 256 IP addresses (8 hosts up) scanned in 14.94 seconds The primary router in this case provides a website that on inspection displays configuration information and offers a telnet connection that provides a series of commands. Of course, you need a login to connect and run the commands. $ telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. BCM963268 Broadband Router Login: root Password: ? help logout exit quit reboot adsl xdslctl xdslctl0 xdslctl1 xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan defpskkey arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname tr69cfg save_default acccntr sysuptime dsluptime ethwanuptime snmpsnat dhcp6sinfo ipneigh nat mcpctl And, yes, you can actually ask it to provide information by running the listed commands: > uptime 7D 22H 34M 48S > version WA31-412CTU-C05_R01.A2pvbF039q.d26b > modelname Model Name : NexusLink 3112u > quit Bye bye. Have a nice day!!! Connection closed by foreign host. The 192.168.0.4 system turns out to be a Netgear device offering a web connection. Again, a login name and password is required to connect, but like the router, we can see that our network devices are a lot more chatty than you might have understood them to be. How much you can get them to tell you depends on whether you were provided with the login details. The 192.168.0.27 and 192.168.0.29 addresses turned out to be my cell phones. And, yes, I have two of them. Living in one of the few weak spots for Verizon coverage, I also have a Sprint phone that works when the Verizon phone doesn’t. As you can see, both phones show up on my scan. They respond to ping requests, but they don’t offer any of the common network connection services. For 192.168.0.11, setting my browser to check out 192.168.0.11:9080 (the glrpc port) told me “status=ok”. This device might be one of my network extenders, but I will try to narrow this down. The 192.168.0.28 address belongs to my laser printer. Noticing from my nmap report that I could connect using a browser (port 80 available), I brought up a useful report showing me that the printer is “ready” and showing me how much capacity remains in each of its four toner cartridges. My new “network map” While I’ve used nmap for many years to look at networks that I helped to manage in my various technical positions, I’d not until recently considered probing my home network. Clearly the devices are a lot more interesting than I’d imagined — not just “black boxes” in the “plug and play” sense, but devices that can answer some basic questions and provide useful information. Between my browser and the command line on my Linux system, I’ve now got a clearer picture of all the devices that connect to my home network and how I can chat with them when I want to know more about how they’re working. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe