In this tutorial, we will have a closer look at how to use ZENMAP in Kali Linux, from getting familiar with the interface to understanding its role in the information gathering process in ethical hacking.
Furthermore, you will learn how to use ZENMAP to scan a network, configure scanning profiles, use the Topology view, read and compare scan results, and save ZENMAP scan profiles for future use.
We will be using ZENMAP on Kali Linux.
Without further ado, let’s get started.
What Is NMAP ZENMAP GUI?
ZENMAP is a free and open-source graphical front-end for NMAP. ZENMAP usually comes pre-packaged with NMAP but can also be downloaded separately from the official NMAP website.
ZENMAP is not intended to replace NMAP but to complement an already powerful utility with additional features such as:
- Profile manager: select from a drop-down menu which scanning profile you want to apply to a target IP(s) or save your own favorite NMAP command profile for further scans.
- Command creator: a ZENMAP option allows you to create your own NMAP custom commands and save them for later use.
- Output classification: organizes scan results into categories such as Ports/Hosts, Discovered Services, Host Details, etc. ZENMAP’s Topology view is a handy way of visualizing a map of the discovered network.
- Compare scan results: you can compare one or multiple scan results to check whether hosts or services are new or changed their status over time.
- Usability: You can save a scan as a new profile and run it as many times as you need without remembering the underlying NMAP command.
- Ease-of-use: as a beginner ethical hacker or pentester, you may find NMAP’s comprehensive list of commands and flags intimidating. ZENMAP aims to be a beginner-friendly front-end without giving up any of the advanced options NMAP provides on the command line.
It is important to remember not to use ZENMAP to pick random targets to scan on the Internet without permission. You can get in serious trouble for doing so.
Instead, consider setting up your own Virtual Hacking Lab first, and you can practice ZENMAP without the worry of getting in any trouble.
Where is ZENMAP in Kali Linux?
ZENMAP used to be installed by default in Kali under the Information Gathering category but was dropped from the 2020 releases. So, where is ZENMAP in Kali now?
The answer is nowhere. ZENMAP was written against the Python 2 libraries, and Kali dropped the package once Python 2 reached end of life in January 2020.
So can we get ZENMAP NMAP GUI back in Kali Linux 2023 and above?
The answer is Yes! In fact, I have two easy methods to install ZENMAP in Kali Linux here. Once you have ZENMAP up and running, proceed to the next section.
Getting Started With ZENMAP in Kali Linux
It’s fair to say that using ZENMAP is as easy as 1,2,3… In fact, the interface is so intuitive that you can find your way around in seconds, even if you see ZENMAP for the very first time right now.
Once installed, you will find ZENMAP in the Kali Linux menu or simply by running the sudo zenmap command in the terminal.
NOTE: Run ZENMAP as root (sudo zenmap). Raw-socket scan types such as the SYN scan (-sS), OS detection (-O) and the --traceroute option require root; without it NMAP falls back to the TCP connect scan (-sT), which is noisier because it completes the TCP handshake and therefore shows up in application logs. On the local Ethernet segment, root also lets NMAP use ARP for host discovery and report the MAC address of each host.
To run your first scan with ZENMAP and visualize the scan output follow these steps in order:
- Target: here is where you put your target IP or IP range, e.g., 192.168.130.129 for a single target, 192.168.130.120-140 for an octet range, or 192.168.130.0/24 in CIDR notation.
- Profile: this drop-down menu lets you select one of the preset NMAP commands, such as Quick scan, Regular scan, Intense scan, etc.
- Scan: triggers the scan of the target IP(s). Depending on the scan type and the number of targets, a scan can take anywhere from a few seconds to many minutes.
- Command: this field shows the NMAP command for the profile you selected above. You can add NMAP flags/options directly in this field to find additional details on a target machine, if needed. The capture below shows the command and flags used for the Intense scan, nmap -T4 -A -v.
As mentioned before, you can add/remove NMAP parameters/flags and create your own ZENMAP scanning profiles. Here are more useful guides to help you get started with NMAP and ZENMAP.
- Host/Services: This section will list the hosts and services discovered during a ZENMAP scanning session.
- Click on the Hosts button to list all the “alive” discovered hosts. In the capture below I ran a ZENMAP scan for a range of IPs [192.168.130.120-140] in my network and discovered three hosts that are alive.
- Click on the Services button to list the services discovered, as seen below.
- The Output Area: the output section consists of five tabs: Nmap Output, Ports / Hosts, Topology, Host Details, Scans. Once the scan is completed, navigate through the output tabs to find the scan results as follows:
- The Nmap Output tab shows the output for all operations performed during a scan. This is basically the output you would receive when running an NMAP command in a Terminal.
- The Ports / Hosts show the list of open ports and services discovered during a ZENMAP scanning session. If you scan multiple targets, you can browse through the hosts’ section and check which ports and services were discovered on the selected target.
- The Topology tab is a very cool ZENMAP feature that provides a visual map of all the targets discovered during a scan and how they are interconnected. This is probably one of the features that make ZENMAP such a powerful tool.
You can zoom in and out [mouse wheel], rearrange the nodes [click a node], get target details [right-click a node], choose layouts, and save the graphic on your local machine, among other things.
- The Host Details tab provides an “ergonomic” alternative to the Nmap Output tab. Here the information is structured visually to help you understand the scan results better.
To save your Topology as an image on your disk, simply click on the Save Graphics button, give it a name, choose a location and click Save.
- The Scans tab provides a list of all the ZENMAP scans [NMAP commands] you performed during a session. Here you can Append, Remove or Cancel an ongoing scan, if needed. Please note that once you close ZENMAP, the Scans list is cleared, so save any results you want to keep first.
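To see what ZENMAP actually hands to NMAP when you press Scan, here is an added example in Python (a reimplementation for illustration, not ZENMAP's or NMAP's own code). It expands a target specification of the kinds shown above into individual addresses, checks them against an authorized scope before anything is scanned, and assembles the command line of a built-in profile with -oX so the result can be saved and compared later. The profile strings are ZENMAP's shipped defaults; the lab range and the allowed scope are constructed values.

```python
"""Expand an Nmap target specification, check it against an authorized scope,
and build the command Zenmap runs for a built-in profile.
Added example: a reimplementation for illustration, not Zenmap's own code."""
import ipaddress
import itertools
import shlex
from typing import List, Optional

# The nmap command behind some of Zenmap's built-in profiles.
PROFILES = {
    "Regular scan": "nmap",
    "Quick scan": "nmap -T4 -F",
    "Intense scan": "nmap -T4 -A -v",
    "Intense scan, all TCP ports": "nmap -p 1-65535 -T4 -A -v",
    "Ping scan": "nmap -sn",
}


def _expand_octet(spec: str) -> List[int]:
    """Nmap octet syntax: '129' -> [129], '120-140' -> [120..140],
    '1,5,9' -> [1, 5, 9], '*' or '-' -> [0..255]."""
    values: List[int] = []
    for part in spec.split(","):
        if part in ("*", "-"):
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range: {spec!r}")
    return values


def expand_targets(spec: str) -> List[str]:
    """Expand a space-separated target spec (single IPs, octet ranges, CIDR) into
    IPv4 strings. Like nmap, a CIDR block includes its network and broadcast addresses."""
    hosts: List[str] = []
    for token in spec.split():
        if "/" in token:
            hosts.extend(str(a) for a in ipaddress.ip_network(token, strict=False))
            continue
        octets = token.split(".")
        if len(octets) != 4:
            raise ValueError(f"not an IPv4 target: {token!r}")
        for combo in itertools.product(*(_expand_octet(o) for o in octets)):
            hosts.append(".".join(map(str, combo)))
    return hosts


def out_of_scope(spec: str, allowed: List[str]) -> List[str]:
    """Addresses in spec that fall outside the allowed CIDR blocks: the authorization
    check worth doing before pressing Scan."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed]
    return [h for h in expand_targets(spec)
            if not any(ipaddress.ip_address(h) in n for n in nets)]


def build_command(profile: str, spec: str, xml_out: Optional[str] = None) -> List[str]:
    """argv Zenmap would run for a profile; -oX keeps an XML copy for Compare Results."""
    argv = shlex.split(PROFILES[profile])
    if xml_out:
        argv += ["-oX", xml_out]
    return argv + spec.split()


if __name__ == "__main__":
    lab = "192.168.130.120-140"  # constructed lab range, as in the text
    print(len(expand_targets(lab)), "hosts")
    print("out of scope:", out_of_scope(lab + " 192.168.131.5", ["192.168.130.0/24"]))
    print(" ".join(build_command("Intense scan", lab, "lab-intense.xml")))
```

Run the scope check against the ranges in your engagement letter or lab definition; a single typo in an octet range is enough to scan a neighbouring network you are not authorized to touch.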
How To Use ZENMAP Profile Editor
As mentioned before, ZENMAP allows us to create our own scans if the built-in scan profiles don’t match our exact needs. To access ZENMAP’s Profile Editor, press the CTRL+P key combination on your keyboard or navigate to Profile > New Profile in the ZENMAP menu.
The capture below shows an example of creating a custom scan profile. You can give a name to your profile, and it will be available next time you open ZENMAP in your Profile drop-down menu.
Also, you can choose which target(s) to scan, which targets to exclude, which protocols to use, choose from a vast built-in list of scripts to include, and much more. Here lies the true power of ZENMAP [NMAP].
At first glance, the Profile Editor, with its huge list of features, can be overwhelming. But don’t worry, take some time to play around with it, and you will master ZENMAP in no time.
Once you finish customizing your next super-scan, don’t forget to click the Save Changes button.
Compare Scan Results In ZENMAP
This ZENMAP feature is extremely handy in many situations, two common scenarios being:
- You perform a security audit for a client and provide a list of vulnerabilities and corrective actions. Your client asks for a follow-up audit once the corrective actions have been implemented.
- You are a system/network admin, and your task is to monitor the security health status of a network constantly. You can easily log system changes over time, identify potential vulnerabilities and provide solutions by comparing multiple scan results with ZENMAP.
To access ZENMAP’s Compare Results feature, press the CTRL+D key combination on your keyboard or navigate to Tools > Compare Results in the ZENMAP menu.
To demo the Compare Results feature, I performed two Quick scans on a Windows 10 target machine with and without the Windows firewall enabled. You can see the differences between scan A [firewall on, red] and scan B [firewall off, green].
You can compare scan results from the current ZENMAP session, or import scans saved as NMAP XML in previous sessions by clicking the Open button and selecting the .xml file on your local disk. Check the next section to find out how to save your current ZENMAP scan results.
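Compare Results works on the NMAP XML that Save Scan writes, so the same comparison can be scripted for the admin scenario above, where you want to diff scans over time without opening the GUI. The following added example in Python (not ZENMAP's or Ndiff's code) parses two XML scans into the hosts/ports/services view shown in the Ports / Hosts tab and lists every port whose state changed. The two XML documents are constructed to mirror the firewall-on and firewall-off demo and are not real scan output.

```python
"""Parse Nmap XML (the -oX format Zenmap saves and Compare Results loads) and diff
two scans the way Tools > Compare Results does.
Added example, not Zenmap or Ndiff code. SCAN_A / SCAN_B are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed: Quick scan of a Windows host with the firewall ON.
SCAN_A = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -F 192.168.130.129" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.130.129" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="99"/>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

# Constructed: the same host with the firewall OFF.
SCAN_B = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -F 192.168.130.129" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.130.129" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="97"/>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
        <service name="msrpc" method="table" conf="3"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

PortKey = Tuple[str, int]  # (protocol, port number)


def parse_nmap_xml(xml_text: str) -> Dict[str, dict]:
    """{addr: {"state": host state, "default": state of ports collapsed into
    <extraports>, "ports": {(proto, port): (state, service name)}}}"""
    hosts: Dict[str, dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        ports_el = host.find("ports")
        extra = ports_el.find("extraports") if ports_el is not None else None
        ports: Dict[PortKey, Tuple[str, Optional[str]]] = {}
        for port in host.iter("port"):
            svc = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                port.find("state").get("state"),
                svc.get("name") if svc is not None else None,
            )
        hosts[addrs[0]] = {
            "state": host.find("status").get("state"),
            "default": extra.get("state") if extra is not None else None,
            "ports": ports,
        }
    return hosts


def open_ports(scan: Dict[str, dict], addr: str) -> List[Tuple[int, str, str]]:
    """The Ports / Hosts view for one host: (port, protocol, service) for each open port."""
    return sorted((p, proto, svc or "")
                  for (proto, p), (state, svc) in scan[addr]["ports"].items()
                  if state == "open")


def compare_scans(a: Dict[str, dict], b: Dict[str, dict]) -> List[Tuple]:
    """Changes from scan a to scan b as (addr, proto, port, state_a, state_b).
    proto == "host" marks a host that appeared, vanished, or changed up/down state.
    Ports not listed individually take the <extraports> state of their scan."""
    changes: List[Tuple] = []
    for addr in sorted(set(a) | set(b)):
        ha, hb = a.get(addr), b.get(addr)
        if ha is None or hb is None:
            changes.append((addr, "host", None, ha["state"] if ha else None,
                            hb["state"] if hb else None))
            continue
        if ha["state"] != hb["state"]:
            changes.append((addr, "host", None, ha["state"], hb["state"]))
        for key in sorted(set(ha["ports"]) | set(hb["ports"])):
            sa = ha["ports"].get(key, (ha["default"], None))[0]
            sb = hb["ports"].get(key, (hb["default"], None))[0]
            if sa != sb:
                changes.append((addr, key[0], key[1], sa, sb))
    return changes


if __name__ == "__main__":
    before, after = parse_nmap_xml(SCAN_A), parse_nmap_xml(SCAN_B)
    for addr, proto, port, old, new in compare_scans(before, after):
        print(f"{addr} {proto}/{port}: {old} -> {new}")
```

Note that a port only shows up in the diff if it was listed (or collapsed into extraports) in both scans, so compare scans run with the same profile and port list; a Quick scan and an all-TCP-ports scan of the same host will differ simply because they covered different ports.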
Save ZENMAP Scans
If you performed various scans with ZENMAP and would like to have them available later, e.g., for scan result comparison, press the CTRL+S key combination on your keyboard or navigate to Scan > Save Scan in the ZENMAP menu. Choose the Nmap XML format if you plan to reload or compare the scan; the plain-text Nmap output format cannot be loaded back into ZENMAP.
If you performed multiple ZENMAP scans, and would like to save them all in one go, press CTRL+ALT+S key combination on your keyboard or navigate to Scan > Save All Scans to Directory in the ZENMAP menu.
Wrapping Up
In this ZENMAP tutorial, we only scratched the surface of how to use ZENMAP, but enough to give you a taste for further exploration.
If you’re looking for different commands to use in ZENMAP, go check the Information Gathering section of the website. There’s a lot of cool stuff waiting for you there.
If you found this ZENMAP tutorial useful, please help me share it with your friends and colleagues – it really makes a difference.
Stay safe!
