Tips Using Zenmap on Ubuntu
What is Zenmap?
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. The purpose of Zenmap is not to replace Nmap. You still can use the good old command-line, but you will be able to use some advanced features like the “Topology” tab. This is an interactive view of the connections between hosts in a network. The following article will explain how to install Zenmap 5.0 on an Ubuntu system and how to use the main features.
In the Ubuntu repositories you will still find the older Zenmap package (4.76-0ubuntu4: amd64 i386). Here we use version 5.00 instead.
You can install version 5.00 as follows:
sudo aptitude install build-essential
sudo apt-get install libssl-dev
mkdir src
cd src
wget -c http://nmap.org/dist/nmap-5.00.tar.bz2
bzip2 -cd nmap-5.00.tar.bz2 | tar xvf -
cd nmap-5.00/
./configure
make
sudo make install
To run Zenmap, go to Applications > Internet > Zenmap (as root).
Useful commands when using Zenmap
Nmap has a lot of options, which can be "painful" for beginners. Sometimes it is not so easy to understand the options and the presented output. With Zenmap, beginners can choose options from a menu, while more advanced users can build and store their own commands. This also helps to double-check exactly what will be run before pressing the "Scan" button.
A very nice overview of the Nmap commands and their usage can be found here:
http://linux.die.net/man/1/nmap
We will just take a short look at a few commands that show Nmap's power.
nmap -sV -T4 -O -F --version-light
Let's start with a quick scan to get an overview of your network. The (-F) option specifies that you only wish to scan the ports listed in the nmap-services file (see /usr/share/nmap/nmap-services). This is much faster than scanning all 65535 ports on a host. The (-sV) option enables version detection and (-O) enables operating system detection. The (--version-light) option is a convenience alias for --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services. The (-T4) option prohibits the dynamic scan delay from exceeding 10ms for TCP ports.
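The nmap-services file mentioned above is a plain text table (service name, port/protocol, open-frequency, optional comment), and the frequency column is what Nmap ranks ports by when it picks the most common ones for -F. The following Python script is an added example, not part of the original article or of the Nmap project: it parses a small constructed excerpt in that layout, ranks the TCP ports by frequency, and converts the result into the comma/range syntax that the -p option accepts, so you can see exactly which ports a reduced scan would cover before you run it.

```python
"""Rank nmap-services entries by open-frequency, the way a reduced port list is chosen."""
import re
from collections import namedtuple

ServiceEntry = namedtuple("ServiceEntry", "name port proto freq comment")

# Constructed sample in the real nmap-services layout; the frequency values
# are made up for this example and are not taken from a real file.
SAMPLE_NMAP_SERVICES = """\
# Fields in this file:
#
# Service name, portnum/protocol, open-frequency, optional comments
#
tcpmux\t1/tcp\t0.001995\t# TCP Port Service Multiplexer [rfc-1078]
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
telnet\t23/tcp\t0.221265
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
domain\t53/udp\t0.213496\t# Domain Name Server
http\t80/tcp\t0.484143\t# World Wide Web HTTP
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
https\t443/tcp\t0.208669\t# secure http (SSL)
ms-term-serv\t3389/tcp\t0.083904\t# Microsoft Remote Display Protocol
"""

# name, port/proto, frequency, optional "# comment"
_LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)(?:\s*#\s*(.*))?$")


def parse_nmap_services(text):
    """Return a list of ServiceEntry records, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # ignore anything that does not fit the documented layout
        name, port, proto, freq, comment = m.groups()
        entries.append(ServiceEntry(name, int(port), proto, float(freq), comment or ""))
    return entries


def top_ports(entries, n, proto="tcp"):
    """The n most frequently open ports for one protocol, highest frequency first."""
    ranked = sorted((e for e in entries if e.proto == proto),
                    key=lambda e: e.freq, reverse=True)
    return [e.port for e in ranked[:n]]


def port_spec(ports):
    """Collapse a port list into the comma/range syntax that nmap -p accepts."""
    ports = sorted(set(ports))
    ranges, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            ranges.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


if __name__ == "__main__":
    entries = parse_nmap_services(SAMPLE_NMAP_SERVICES)
    top = top_ports(entries, 5)
    print("top 5 tcp ports by frequency:", top)
    print("equivalent -p argument:", port_spec(top))
```

Point the parser at /usr/share/nmap/nmap-services instead of the embedded sample to reproduce the ranking for your installed version; the frequency values in the constructed excerpt are illustrative only.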
nmap -A -T4 -v scanme.nmap.org
This command enables additional advanced and aggressive options. In this case it enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. The timing option (-T4) and the verbosity option (-v) can be used to achieve some minor speed adjustments and to increase the verbosity level. Without root privileges only version detection and script scanning are run.
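A scan with -A produces a lot of output (OS matches, service versions, script results), and Nmap can write it as XML with the -oX option so it can be processed instead of read by eye. The Python script below is an added example and is not code from the article or from the Nmap project: it parses a constructed XML report in the layout Nmap emits, builds a per-host inventory of open ports, and flags open ports whose service name came only from the port table (service element method="table") rather than from a successful version probe, which are the ones worth a manual look. The addresses, versions and script output in the sample are made up.

```python
"""Summarise an Nmap XML report (nmap -oX) into a per-host inventory."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -A -T4 -v -oX report.xml <host>` writes;
# hosts, versions and script output are invented for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 -v -oX report.xml 192.0.2.10" version="5.00">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="example-host.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.1p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.9" method="probed" conf="10"/>
        <script id="html-title" output="Welcome"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.X" accuracy="94"/>
      <osmatch name="Linux 2.4.X" accuracy="87"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, up/down state, open ports and best OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        info = {
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "ports": [],
            "os": None,
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports go into the inventory
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            info["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "method": svc.get("method") if svc is not None else None,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        # Nmap lists several osmatch candidates; keep the most accurate one.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            info["os"] = (best.get("name"), int(best.get("accuracy")))
        hosts.append(info)
    return hosts


def unverified_services(hosts):
    """(address, port) pairs where the service name was not confirmed by a version probe."""
    return [(h["addr"], p["port"]) for h in hosts for p in h["ports"]
            if p["method"] != "probed"]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["state"], h["os"])
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product']} {p['scripts']}")
    print("needs manual review:", unverified_services(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Replace SAMPLE_NMAP_XML with the contents of a real report.xml to get the same inventory for your own scan; the same element names are used by Zenmap, which stores its scan results as Nmap XML as well.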
nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
These additional options add optimized host discovery features to your scan. The (-PS) option sends an empty TCP packet with the SYN flag set. The default destination port is 80, but an alternate port can be specified as a parameter. The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of the TCP three-way handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet, which would complete the three-way handshake and establish a full connection. The RST packet is sent by the kernel of the machine running Nmap in response to the unexpected SYN/ACK, not by Nmap itself.
The (-PA) option uses the same default port as the SYN probe (80) and can also take a list of destination ports in the same format, but sends a TCP ACK ping instead. The (-PE) option enables the ICMP echo request ping.
nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
The (-p) option specifies which ports you want to scan and overrides the default; here it scans ports 1 through 65535. If you would like to scan UDP ports as well, use the (-sU) option.
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all