Using nmap on your home network

Nmap, the “network mapper,” has long been used on corporate networks to collect information on desktop systems and servers. The tool provides information on the systems and services that are running (i.e., open ports). It can also help identify rogue systems and vulnerabilities. Nmap makes it easy to detect changes, as well as new systems on the network. Typical uses include:

• Host discovery — probing by IP address and providing information on the systems that respond
• Port scanning — identifying services that are available for use
• Version detection — identifying applications and their versions
• OS detection — determining the operating system along with some hardware characteristics

Sysadmins have been installing nmap on Linux for more than 20 years. Originally released in 1997, nmap has since become available for Windows and other Unix variants, as well. In fact, it’s considered a standard security tool and is a free and open-source security scanner. It’s typically used in corporate settings for collecting information on systems and doing security analysis.

But here’s an interesting idea. What would you expect to find if you were to use the tool at home? The results might be far more interesting than you imagine. Even if you only have one to three home computers, what about your routers, cell phones, tablets, and other devices? What might you discover about them? What is discoverable? Let’s take a quick look and see.

First, the quickest nmap scan uses a couple options to tell nmap that you only want a listing of IP addresses. Here’s an example:

$ nmap -sn 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 09:57 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0063s latency).
Nmap scan report for 192.168.0.4
Host is up (0.0079s latency).
Nmap scan report for 192.168.0.6
Host is up (0.0079s latency).
Nmap scan report for 192.168.0.11
Host is up (0.0023s latency).
Nmap scan report for 192.168.0.13
Host is up (0.00048s latency).
Nmap scan report for butterfly (192.168.0.16)
Host is up (0.000063s latency).
Nmap scan report for 192.168.0.21
Host is up (0.055s latency).
Nmap scan report for 192.168.0.23
Host is up (0.075s latency).
Nmap scan report for 192.168.0.28
Host is up (0.0023s latency).
Nmap scan report for 192.168.0.29
Host is up (0.021s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 4.28 seconds

And if you only want a list of IP addresses, you can modify that command to look like this:

$ nmap -sn 192.168.0.0/24 | grep report | awk '{print $NF}'
(192.168.0.1)
192.168.0.4
(192.168.0.6)
192.168.0.11
192.168.0.13
192.168.0.16
192.168.0.21
192.168.0.23
192.168.0.27
192.168.0.28
192.168.0.29

In this scan, we see that only two systems are displaying with host names — butterfly (the system on which the scan is being run) and _gateway (a name provided for the router). Most of the systems you end up probing will likely be using dynamically-assigned IP addresses (the local system might be as well), so you might see them changing, but you can get an idea what they are. Let’s try another probe.

In this next probe, we’re going to skip the -sn qualifier and take a look at the services that are running on each of these systems to better understand what these systems are.

$ nmap 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-23 10:43 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.012s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
5431/tcp open  park-agent

Nmap scan report for 192.168.0.4
Host is up (0.027s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
8200/tcp  open  trivnet1
20005/tcp open  btx

Nmap scan report for dragonfly (192.168.0.6)
Host is up (0.0084s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5800/tcp open  vnc-http
5900/tcp open  vnc

Nmap scan report for 192.168.0.11
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
8009/tcp open  ajp13
9080/tcp open  glrpc

Nmap scan report for 192.168.0.13
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
80/tcp    open  http
3333/tcp  open  dec-notes
49152/tcp open  unknown

Nmap scan report for butterfly (192.168.0.16)
Host is up (0.00034s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.0.27
Host is up (0.027s latency).
All 1000 scanned ports on 192.168.0.27 are closed

Nmap scan report for 192.168.0.28
Host is up (0.028s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
9100/tcp  open  jetdirect
9999/tcp  open  abyss
10002/tcp open  documentum

Nmap scan report for 192.168.0.29
Host is up (0.030s latency).
All 1000 scanned ports on 192.168.0.29 are closed

Nmap done: 256 IP addresses (8 hosts up) scanned in 14.94 seconds

The primary router in this case provides a website that on inspection displays configuration information and offers a telnet connection that provides a series of commands. Of course, you need a login to connect and run the commands.

$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
BCM963268 Broadband Router
Login: root
Password:
?
help
logout
exit
quit
reboot
adsl
xdslctl
xdslctl0
xdslctl1
xtm
loglevel
logdest
virtualserver
ddns
dumpcfg
dumpmdm
meminfo
psp
dumpsysinfo
dnsproxy
syslog
ifconfig
ping
sntp
sysinfo
tftp
wlan
defpskkey
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
nslookup
traceroute
save
uptime
exitOnIdle
wan
build
version
serialnumber
modelname
tr69cfg
save_default
acccntr
sysuptime
dsluptime
ethwanuptime
snmpsnat
dhcp6sinfo
ipneigh
nat
mcpctl

And, yes, you can actually ask it to provide information by running the listed commands:

 > uptime
7D 22H 34M 48S
 > version
WA31-412CTU-C05_R01.A2pvbF039q.d26b
 > modelname
Model Name : NexusLink 3112u
 > quit

Bye bye. Have a nice day!!!
Connection closed by foreign host.

The 192.168.0.4 system turns out to be a Netgear device offering a web connection. Again, a login name and password is required to connect, but like the router, we can see that our network devices are a lot more chatty than you might have understood them to be. How much you can get them to tell you depends on whether you were provided with the login details.

The 192.168.0.27 and 192.168.0.29 addresses turned out to be my cell phones. And, yes, I have two of them. Living in one of the few weak spots for Verizon coverage, I also have a Sprint phone that works when the Verizon phone doesn’t. As you can see, both phones show up on my scan. They respond to ping requests, but they don’t offer any of the common network connection services.

For 192.168.0.11, setting my browser to check out 192.168.0.11:9080 (the glrpc port) told me “status=ok”. This device might be one of my network extenders, but I will try to narrow this down.

The 192.168.0.28 address belongs to my laser printer. Noticing from my nmap report that I could connect using a browser (port 80 available), I brought up a useful report showing me that the printer is “ready” and showing me how much capacity remains in each of its four toner cartridges.

My new “network map”

While I’ve used nmap for many years to look at networks that I helped to manage in my various technical positions, I’d not until recently considered probing my home network. Clearly the devices are a lot more interesting than I’d imagined — not just “black boxes” in the “plug and play” sense, but devices that can answer some basic questions and provide useful information.

Between my browser and the command line on my Linux system, I’ve now got a clearer picture of all the devices that connect to my home network and how I can chat with them when I want to know more about how they’re working.