Zenmap is an open source GUI for nmap, the free network scanner; nmap itself is cross-platform, and Zenmap runs on Windows as well as Linux and Mac.
I have been a Windows administrator for eight years and currently focus on Group Policy, backup, and IIS/Apache administration.
Nmap is a tool that needs no introduction. Quite arguably it should be in the hands, or at least the back pocket, of most systems administrators. Nmap can perform network host and service discovery, security scans, OS fingerprinting, and a whole lot more. Zenmap, a highly functional GUI for nmap, helps ease the learning curve by providing a user-friendly interface for both building scans and viewing scan results or reports. Plus, Zenmap is a multi-platform application that runs on Windows as well as Linux and Mac.
The Windows Zenmap GUI
How it works
You can think of Zenmap as a “syntax builder” for nmap. It does not reimplement any scanning logic: it assembles an nmap command line from the options you pick, runs the platform-specific nmap executable, and reads the output back into its own tabs. The assembled command is shown in the Command field, which is very useful for nmap beginners who want to harness the power of nmap while learning the deep syntax options it provides. Because the nmap binary does the actual work, its privilege requirements still apply: on Windows, run Zenmap as an administrator (with Npcap installed, which the nmap Windows installer offers to do) whenever a profile uses raw-packet features such as SYN scans (-sS) or OS detection (-O); otherwise nmap will either quit with a privileges warning or skip the privileged steps.
Zenmap shows the nmap command line it builds from the options you choose
The basic operation in nmap is network scanning, and Zenmap lets you run scans and save both the scan definition and its results. Zenmap uses Profiles, which are essentially nmap parameter presets, to specify how a scan is performed. It ships with several handy ones: Intense scan (nmap -T4 -A -v, where -A turns on OS detection, version detection, script scanning and traceroute), Quick scan (nmap -T4 -F, the 100 most common ports and none of the aggressive options), Ping scan (nmap -sn, host discovery with no port scan at all), and Slow comprehensive scan, which is exactly what it sounds like. Budding administrators can choose the profile that matches the question they are asking. If the goal is just host discovery, Ping scan is the right tool; Quick scan answers “which common ports are open” but still probes every host on 100 ports. If the goal is to map out every single TCP port, use the Intense scan, all TCP ports profile (nmap -p 1-65535 -T4 -A -v) at a minimum, and expect it to take far longer and be far noisier than Quick scan.
Defining a target
Every scan must be associated with a specific target, which can be a single host, a range of hosts, or a whole subnet. Nmap uses the following syntax for target definitions:
- Single host: Just a hostname or IP address will do, like localhost or 127.0.0.1
- Octet ranges: A dash inside any octet scans every value in that range, and each octet is expanded independently. For example, 192.168.1-10.0-255 covers 192.168.1.0/24 through 192.168.10.0/24: 2,560 addresses, including each subnet's network and broadcast address. An asterisk (192.168.1.*) stands for 0-255
- CIDR Notation: Nmap accepts CIDR target specification, like 192.168.5.0/24
- Lists: Separate targets with spaces, not commas; for instance, 10.1.1.0/24 192.168.1.0/24. A comma belongs inside a single octet (10.0.0.1,3,5 scans three hosts), so 10.1.1.0/24, 192.168.1.0/24 makes nmap try to resolve “10.1.1.0/24,” as a hostname and fail. Before a large scan, check what a specification expands to with a list scan, nmap -sL -n <targets>, which prints the addresses without sending a single probe
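To make the target syntax concrete, here is an added example (not code from Zenmap or nmap) that expands nmap-style IPv4 target specifications offline, roughly what nmap -sL -n would print: single addresses, per-octet ranges, comma lists and wildcards, CIDR blocks, and space-separated lists. It goes a little beyond the bullets above by combining the forms (a range in one octet and a list in another). Hostnames are returned as None because there is no DNS offline; the function and file names are my own.

```python
"""Expand nmap IPv4 target specifications offline, the way `nmap -sL -n` lists them.
Added example, not part of Zenmap or nmap. Covers single addresses, per-octet
ranges/lists/wildcards (192.168.1-10.0-255, 10.0.0.1,3,5, 10.0.*.1), CIDR, and
space-separated target lists. Hostnames are passed through unresolved (no DNS)."""
import ipaddress
import itertools
import re

# One octet: a number, a range a-b, a wildcard, or a comma-separated list of those.
_OCTET_RE = re.compile(r"^(\d{1,3}(-\d{1,3})?|\*)(,(\d{1,3}(-\d{1,3})?|\*))*$")


def _expand_octet(spec):
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '*' -> 0..255; '1,3-5' -> [1, 3, 4, 5]."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(token):
    """Expand one target token.

    Returns a list of dotted-quad strings for IPv4 specs (CIDR or octet syntax),
    or None for anything nmap would hand to DNS (a hostname)."""
    if "/" in token:
        # CIDR: like nmap, include the network and broadcast addresses.
        try:
            return [str(a) for a in ipaddress.ip_network(token, strict=False)]
        except ValueError:
            raise ValueError(f"{token!r} is not a valid CIDR target "
                             "(stray characters such as a trailing comma?)") from None
    octets = token.split(".")
    if len(octets) == 4 and all(_OCTET_RE.match(o) for o in octets):
        # Each octet expands independently; product() enumerates every combination.
        combos = itertools.product(*(_expand_octet(o) for o in octets))
        return [".".join(map(str, c)) for c in combos]
    return None


def expand_targets(spec):
    """Expand a whole target line. Tokens are separated by whitespace, never commas.
    Returns {token: [addresses] or None}."""
    return {tok: expand_target(tok) for tok in spec.split()}


def count_targets(spec):
    """Number of addresses a spec covers (an unresolved hostname counts as 1)."""
    return sum(len(v) if v is not None else 1 for v in expand_targets(spec).values())


if __name__ == "__main__":
    # Constructed inputs: the article's range example, a /24, and a mixed list.
    for spec in ("192.168.1-10.0-255", "192.168.5.0/24", "10.0.0.1,3,5 fileserver"):
        print(f"{spec!r}: {count_targets(spec)} targets")
```

Feeding the article's comma-separated list into expand_targets raises ValueError, which is the offline equivalent of nmap's “Failed to resolve” error; the space-separated form expands cleanly.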
Zenmap provides different tabs for reporting on scan results. These tabs either directly report the output of nmap or expand on the output with diagrams and user-friendly reports. The tabs include:
- Nmap output: The piped output of the nmap command sent by Zenmap
- Ports/Hosts: If a host is selected on the left, this lists the ports nmap found on it with their state (open, closed, filtered, and so on) and the detected service. If a service is selected on the left, it lists every host offering that service
- Topology: An interactive diagram of the network as nmap inferred it from traceroute hops, so it is only populated when the profile includes --traceroute or -A
- Host Details: Displays a condensed report of pertinent host information from the scan
A sample Nmap output window from an Intense scan
Zenmap also ships with some useful tools for tracking changes between scans and drilling down into long results. Compare Results diffs two scans, which is a practical way to monitor day-to-day changes in which hosts are up and which ports are open. Search Scan Results finds specific text in saved results, and Filter Hosts does exactly what you would imagine: it filters the host list, which comes in handy when scanning large subnets or lists of networks.
By going to File > Save Scan, you can save a scan in XML format (the same XML that nmap -oX writes) or as nmap's plain-text output for later review. This comes in handy after a large scan that you do not want to repeat while reading the results. The XML format is also the one to feed to third-party report generators and web service reporting, because every host, port, state and service is an element with attributes rather than something to be scraped out of text. Remember that a saved scan is an inventory of your network's exposed services, so store it where only administrators can read it.
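The two paragraphs above describe comparing scans and consuming the saved XML. Here is an added example, not Zenmap's own code, that does both: it parses nmap-format XML with the standard library and diffs two reports to list hosts that appeared or vanished and ports that became open or stopped being open. The two reports are constructed inline to look like nmap's -oX output (a subset of its elements), and the function names are my own.

```python
"""Parse nmap/Zenmap XML reports and diff two of them. Added example; the two
reports below are constructed inline to mimic nmap's -oX output structure."""
import xml.etree.ElementTree as ET

# Constructed sample: a Monday scan of a small subnet. Real reports carry more
# attributes plus <runstats>; only the elements used below matter here.
SCAN_MONDAY = """<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.0.0.0/28" version="7.94">
<host><status state="up" reason="syn-ack"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.9" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: the same subnet the next day.
SCAN_TUESDAY = """<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.0.0.0/28" version="7.94">
<host><status state="up" reason="syn-ack"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
<host><status state="up" reason="syn-ack"/><address addr="10.0.0.12" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: {(proto, port): (state, service_name)}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.iterfind("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            ports[key] = (state, svc.get("name", "") if svc is not None else "")
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(old, new):
    """What changed between two parsed scans: hosts that appeared or vanished,
    and ports that became open or stopped being open on hosts seen in both."""
    report = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "newly_open": [],
        "no_longer_open": [],
    }
    for addr in sorted(set(old) & set(new)):
        was_open = {k for k, (s, _) in old[addr].items() if s == "open"}
        is_open = {k for k, (s, _) in new[addr].items() if s == "open"}
        for proto, port in sorted(is_open - was_open):
            report["newly_open"].append((addr, proto, port, new[addr][(proto, port)][1]))
        for proto, port in sorted(was_open - is_open):
            report["no_longer_open"].append((addr, proto, port, old[addr][(proto, port)][1]))
    return report


def compare_sample_scans():
    """Diff the two constructed reports above."""
    return diff_scans(parse_nmap_xml(SCAN_MONDAY), parse_nmap_xml(SCAN_TUESDAY))


if __name__ == "__main__":
    for key, items in compare_sample_scans().items():
        print(f"{key}: {items}")
```

On the sample data the diff flags a new host, a host that went quiet, RDP newly listening on 10.0.0.5 and its web server gone, which is the kind of daily delta the Compare Results tool is meant to surface. Point parse_nmap_xml at a file saved from File > Save Scan (or from nmap -oX) to run it on real output.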
A sample XML report generated by Zenmap
Perhaps the best feature of Zenmap is its Profile Editor, which empowers users who are unfamiliar with nmap syntax to build powerful and custom scanning profiles. These profiles can be saved for later use and even exported to other interested admins. The Profile Editor window contains the following tabs:
- Profile: The name and description of your profile
- Scan: The most important tab, where you can set targets, the TCP scan type (SYN, connect, ACK and so on), non-TCP scans (UDP, IP protocol), the timing template, and much more
- Ping: Specifies ping behavior. You can suppress pings or build a specific ICMP packet
- Scripting: Include Nmap Scripting Engine (NSE) scripts in your scan and set their arguments. The scripts ship with nmap itself; Zenmap lets you pick them by name or category and shows each script's description
- Target: Allows for greater target specification flexibility, including excluded hosts, target list files, and fast scan support
- Source: Specify how the scanner presents itself on the wire: decoy addresses, a spoofed source IP address, source port, and network interface
- Other: Includes options for verbosity level, TTL, and other scanner behaviors
- Timing: Defines timing profile with respect to maximum scan time, scan delay, and timeouts, among other things
Use the Profile Editor to develop custom profiles that meet your enterprise needs
Saving profiles saves time because it lets the administrator quickly run familiar, repetitive scans without re-entering the options by hand. Using saved profiles also ensures that when you compare two scan results you are comparing like with like: a port that shows up as “new” only because the second scan used a wider port list is noise, not a finding.
Zenmap is an excellent Windows GUI for nmap and takes the edge off the learning curve. Administrators who are versed in basic networking will have little trouble jumping into the simple yet powerful interface that Zenmap offers. Since Zenmap is open source, it represents a great cost savings for the budget-strapped admin, with good community support and regular updates. If you haven't checked out Zenmap yet, give it a try. Achieving IT security is a moving target, and Zenmap makes it easier to see what is actually listening on your network.