Nmap For Mac

Use Nmap, the open source network mapper tool, to better understand what's happening in your network.

Nmap, which stands for 'Network Mapper,' is an open source tool that lets you perform scans on local and remote networks. Nmap is very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. The tool is used by network administrators to inventory network devices, monitor remote host status, save the scan results for later use, and so on.

The Nmap suite includes an advanced graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Why use Nmap?

Besides being free, Nmap is very flexible, portable, well-documented, and easy to use. In the following post, we'll walk you through how to install Nmap, use it, and, most important, get to know more about your network.

Installing Nmap

To install Nmap on Red Hat Enterprise Linux 8 or Fedora, you'd run:

Substitute dnf for yum if you are on Red Hat Enterprise Linux 7 or newer. After installing Nmap, you can run the nmap command without arguments to display all of its options. You should also consult the Nmap man page by running man nmap.

Using Nmap

Let's assume your local network is, and you want to run a scan on this network. Running a scan without any argument except the network address yields the following:

Multiple networks can be scanned at once. For example:

If we want to run a quick scan of machines in our network without trying to see if any port is open, we run:

The output of the above command produces something like:

Note that -sn was known as -sP in previous versions of Nmap. The -sP form is still accepted for backward compatibility and should work in recent versions of Nmap.

While the Nmap man pages are well-written and provide many examples, there are specific things you won't find in them. For example, what if we wanted to store the IP addresses from the above output in a file? This is too specific to belong in the Nmap man pages. We have to parse the output ourselves and extract only the IP addresses.

For example:
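One way to do that parsing, as an added example that is not code from the original article: the function names and the sample scan output are constructed for illustration. It reads nmap -sn output and prints only the addresses of hosts reported up, including hosts that Nmap lists as "name (address)", which a plain field cut would get wrong.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the article.

# Constructed sample of "nmap -v -sn" normal output (addresses are made up).
sample_scan() {
cat <<'EOF'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 02:23 IST
Nmap scan report for 192.168.0.1
Host is up (0.0018s latency).
Nmap scan report for printer.lan (192.168.0.23)
Host is up (0.0040s latency).
Nmap scan report for 192.168.0.42 [host down]
Nmap scan report for 192.168.0.77
Host is up (0.0011s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.41 seconds
EOF
}

# Read scan output on stdin, print one live IP address per line, sorted.
extract_live_ips() {
  awk '
    /^Nmap scan report for / {
      ip = ""
      if ($0 ~ /\[host down\]/) next     # listed with -v, but not alive
      ip = $NF                           # "192.168.0.1" or "(192.168.0.23)"
      gsub(/[()]/, "", ip)               # strip the parentheses around the IP
      next
    }
    /^Host is up/ && ip != "" { print ip; ip = "" }
  ' | sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# With a real scan, pipe the nmap -sn output into extract_live_ips
# and redirect the result to a file of your choice.
sample_scan | extract_live_ips
```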

Nmap offers many other options to save the scan output to different formats.

For example:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.


So running:

produces the following output:
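The grepable (-oG) format is the easiest of these to post-process. The following added example is not from the original article; its function names, sample scan lines and allowlist are constructed. It lists only the ports in the open state and goes one step further by flagging any open port that is missing from an approved inventory.

```shell
#!/bin/sh
# Added example: helper names, scan lines and allowlist are constructed.

# Constructed -oG sample. Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/
sample_gnmap() {
  printf '# Nmap 7.70 scan initiated (constructed sample)\n'
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
  printf 'Host: 192.168.0.23 (printer.lan)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\n'
}

# stdin: grepable output. Prints "ip port/proto service" for open ports only.
open_ports() {
  awk -F '\t' '
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")   # drop the "Ports: " label
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
      }
    }'
}

# Constructed allowlist of approved services, one "ip port/proto" per line.
approved_baseline() {
  printf '%s\n' '192.168.0.1 22/tcp' '192.168.0.1 80/tcp' '192.168.0.23 443/tcp'
}

# stdin: grepable output; $1: allowlist text. Prints open ports not approved.
unexpected_ports() {
  open_ports | ALLOW="$1" awk '
    BEGIN { n = split(ENVIRON["ALLOW"], a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !(($1 " " $2) in ok) { print "UNEXPECTED", $0 }'
}

sample_gnmap | unexpected_ports "$(approved_baseline)"
```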

Scanning specific ports

Nmap has the option to scan specific ports on specific targets. If we were interested in checking the state of ports 22 and 443 (which by default use the TCP protocol), we'd run the following:

If you are unsure what -sV does, just run:

The above command displays the ports regardless of their state: open, closed, filtered, etc. Most of the time, we're interested in open ports, and so we can add the --open flag to achieve this. We'll slightly modify the above command and run:

Instead of using a comma to specify a port, it is also possible to use a range of ports, which is much more flexible and easier to read. For example:

Advanced Nmap scanning

Now we know the basics of Nmap and its capabilities. Let's move to a more advanced approach to scanning targets, getting more information from a target, and using packet-tracing.

Tracing a packet on a single IP

At the moment of writing, I am connected to my server via SSH. To demonstrate how packet tracing is done using Nmap and what the output of such a trace looks like, we are going to use the following Nmap syntax to produce the following output:

The above flags have the following meanings:

  • -vv (Increase verbosity)
  • -n (No DNS resolution. This speeds up our scan!)
  • -sn (No port scan)
  • -PE (Use ICMP echo request queries. This is what is displayed in the output above)
  • -T4 (Prohibits the dynamic scan delay from exceeding 10 ms for TCP ports. See man nmap)
  • --packet-trace (Trace sent and received packets)

Using recursive DNS proxies for a stealth scan on a target

By default, Nmap runs an rDNS (reverse-DNS) resolution on any responsive host. Let's see if we can gather some information about a specific network and remain anonymous. The anonymous part is because we'll use public DNS servers, namely and, to perform the recursive query.

First, we resolve redhat.com using Google's public DNS server, which results in the following:

Second, let's run a stealth list scan -sL on the IP address

We're able to obtain a lot of information about specific networks by using just a few simple techniques.

NSE scripts

As mentioned earlier, Nmap is equipped with many advanced features, one of which is NSE (Nmap Scripting Engine) scripts. Using NSE scripts with Nmap allows you to scan different hosts and find vulnerabilities in services running on the host and possibly log in by brute-forcing these services.

The use of NSE script syntax is as follows:

Now, you are probably wondering where to find these NSE scripts and how to know what script uses what arguments. Start by running man nmap. You can also jump straight away to the right section, i.e.:

The available NSE scripts you can pass to Nmap are located at:


You can also locate the NSE scripts by running:

Now that we know where NSE scripts are located, let's see how we can use these scripts to get some information about a target that's running a web server.

See if a WAF protects a website

A Web Application Firewall (WAF) is specifically designed to protect websites from SQL injection, cross-site scripting, malformed HTTP packets, etc. Using Nmap, we can detect if a website is protected by such a WAF. The following displays the usage of an NSE script and its arguments:

As shown above, a Web Application Firewall protects the target website.

More NSE scripts

Once again, Nmap is often used by system administrators to inventory their environment, discover weaknesses in their network, and so protect their systems from intruders. Intruders, on the other hand, can do the same to explore a remote system and try to gather as much information as possible about such a system.

Assume that some unauthorized person has scanned your network and found a few open ports/services. This person could then pass some NSE scripts to Nmap and see if these services are vulnerable. Here is what is going to happen:

We can see that the remote system is running OpenSSH 7.4. Nmap queried public vulnerability databases and found the known CVEs.

Wrap up

Nmap is a very powerful system inventory and port scanning tool that can be used for good and bad purposes. It depends on which hat you are wearing. The best way to learn Nmap is to read man pages, use examples shown in the man pages, and experiment with the NSE scripts. Also, try Zenmap. If you are interested in knowing more about port scanning and the science behind it, see the Nmap documentation.
