Python and nmap: Scanning For Hosts (Python)

nmap is a powerful software tool that can be used to scan a network for hosts, see what ports they have open and even try to identify what operating system the hosts have running. I previously created a basic port scanner in Python, but in this blog post I am going to look at using Python with nmap to see some of what it can do.

Before proceeding I need to make this very clear:

DO NOT USE THE BELOW INFORMATION TO ATTACK, MONITOR OR BREAK INTO ANY COMPUTER / NETWORK / DEVICE THAT DOES NOT BELONG TO YOU. I TAKE NO RESPONSIBILITY FOR YOUR ACTIONS.

For this project I am using my home test network and running Python 3 on a Raspberry Pi (Raspbian Linux). The same details should work on the majority of Linux systems with Python, although you may need to replace apt with yum etc… in commands.

This project requires nmap and the Python nmap library. If you don’t have these installed then:

Installing nmap

sudo apt-get install nmap

nmap is a program that can be used without having to write any Python and at some point in the future I may do a blog post on it. If you want to use nmap on its own, then open a terminal / command line and type nmap.

Installing Python Nmap

pip3 install python-nmap

Be careful at this stage; Python has a package called nmap which is not the package we are looking for. Make sure pip3 installs python-nmap. If you want to see what the difference between the packages is:

• nmap maps numbers from one range to another – https://pypi.org/project/nmap/
• python-nmap used to access nmap and scans from Python3 – https://pypi.org/project/python-nmap/

If you install the wrong library via pip3, then use pip3 uninstall library_name, e.g. pip3 uninstall nmap to uninstall the library.

Using Python To Scan A Single Host

For my first Python script I am going to scan a Raspberry Pi that is on IP address 192.168.0.28.

#!/usr/bin/python3

# geektechstuff nmap

import nmap

nm = nmap.PortScanner()

scan_range = nm.scan(hosts="192.168.0.28")

print (scan_range['scan'])

Note: nmap can take a few minutes to scan an individual host depending on the options given to it.

The results from the scan will be outputted in JSON format.

{'192.168.0.28': {'hostnames': [{'name': '', 'type': ''}], 'addresses': {'ipv4': '192.168.0.28'}, 'vendor': {}, 'status': {'state': 'up', 'reason': 'conn-refused'}, 'tcp': {22: {'state': 'open', 'reason': 'syn-ack', 'name': 'ssh', 'product': 'OpenSSH', 'version': '7.9p1 Raspbian 10+deb10u2', 'extrainfo': 'protocol 2.0', 'conf': '10', 'cpe': 'cpe:/o:linux:linux_kernel'}}}}

As can be seen from the returned JSON, nmap managed to see 192.168.0.28, could tell the device was up, that port 22 (SSH) was open, the type of SSH in use (OpenSSH) and the operating system (Raspbian) in use.

Using Python To Scan Multiple Hosts

Multiple Individual Hosts

The above Python code can be changed to scan multiple hosts instead of one single host, just with an alteration to the line that begins scan_range and adding a space in between each host.

scan_range = nm.scan(hosts="192.168.0.28 192.168.0.1 192.168.0.2")

In the above example nmap will scan 192.168.0.28, 192.168.0.1 and 192.168.0.2

A Range Of Hosts

If the hosts you want to scan are in a range (i.e. 192.168.0.1 to 192.168.0.10) then nmap can be given the range to scan rather than typing in each individual host.

scan_range = nm.scan(hosts="192.168.0.1-10")

The above example will scan all the hosts on IP addresses between (and including) 192.168.0.1 and 192.168.0.10

A CIDR Range

If Classless Inter Domain Routing (CIDR) is more your style and you know the CIDR notation of the network you want to scan then that can be used instead.

scan_range = nm.scan(hosts="192.168.0.1/24")

In the above example nmap will scan 192.168.0.1/24 , i.e. 192.168.0.1 to 192.168.0.255