This is the second in a series of tips on how to use Nmap in an enterprise network environment.
Nmap was originally a command-line application for Unix, but a Windows version
Although you can download and install Nmap for Windows from a zip file, the latest version requires the free WinPcap packet capture library to be installed as well. I suggest you opt for using the Nmap Windows installer, which handles WinPcap installation for you. This installer, nmap-4.01-setup.exe, can be downloaded from the insecure.org website. The installer doesn't add a shortcut to the Programs menu for Nmap as you need to run nmap.exe from a DOS command prompt, and although WinPcap does appear in the Add/Remove applet, you will need to run the uninstall program in the Nmap folder if you choose to remove Nmap at any time. The total space required for the complete installation is only 2.6Mb.
The default install directory is C:\Program Files\Nmap\, but because the installer adds Nmap to the computer's PATH environment variable, you can execute Nmap from any directory. So to run and test Nmap, open a Command Prompt window and type the following, which will scan the host scanme.insecure.org: nmap -A -T4 scanme.insecure.org
The A and T4 options enable OS and version detection, and set the timing template to "aggressive."
There are more than a hundred command-line options, some of which we'll be looking at in the next few tips. Note that the command options are case sensitive. Nmap for Windows is not as efficient as on Unix. The connect scan (-sT) in particular is often much slower because of shortcomings in the Windows networking API. You can improve connect scan performance by double clicking the nmap_performance.reg file located in the Nmap directory, which will make three registry changes in order to increase the number of ephemeral ports reserved for applications such as Nmap, and decrease the amount of time before a closed connection can be reused. If you run in to problems running Nmap on Windows you should check for error messages in the Windows event log and then see if the problem is covered in the Nmap-dev list archives. There is also plenty of supporting documentation for Nmap, and it is worthwhile to subscribe to the Nmap hackers mailing list, too.
The main advantage of Nmap being a command-line application is it is easier to run from a script, and precise scans can be executed without having to set lots of different options. However, this can be intimidating for new and infrequent users. And although there are graphical user interfaces (GUI) available for Unix, as yet there are no stable GUIs for Windows. Fortunately, this is expected to change this year. There is no official release date, but the creator of Nmap, Fyodor, hopes to have a Windows-compatible version of NmapFE, the most popular GUI for Unix, out sometime this year. There are other cross-platform GUIs that are in development too, such as UMIT.
NMAP TECHNICAL MANUAL
Nmap: A valuable open source tool for network security
How to install and configure Nmap for Windows
How to install and configure Nmap on Linux
How to scan ports and services
More port scanning techniques
Firewall configuration testing
Techniques for improving Nmap scan times
Interpreting and acting on Nmap scan results
Nmap parsers and interfaces
Nmap and the open source debate
This was first published in May 2006