HOW TO USE ZENMAP TO SCAN A NETWORK [2021]

In this tutorial, we will have a closer look at how to use ZENMAP, from getting familiar with the interface to understanding its role in the information gathering process.

I will show you how to use Zenmap to run a few scans, configure scanning profiles, use the advanced topology option, read and compare ZENMAP scanning results, and how to save scans for future use. 

In a nutshell, I will cover everything there is to know about ZENMAP to get you started.

I will be using KALI LINUX to showcase ZENMAP, but you can run ZENMAP basically on any operating system [Windows, macOS, Linux/UNIX].

If you don’t have ZENMAP/NMAP installed on your computer, I will cover this shortly.

NOTE: As of Kali Linux 2020, ZENMAP is no longer part of the INFORMATION GATHERING stack due to its lack of compatibility with Python 3. However, you can add ZENMAP back into Kali by simply following my tutorial on installing Zenmap on Kali Linux 2021

I highly recommend you stay away from picking random targets on the Internet to scan without permission. You can get in serious trouble unless you know what you’re doing. 

Instead, consider setting up your own Virtual Hacking Lab first, and you can use it in the future for any ethical hacking or penetration testing activities.

Without further ado, let’s get started. 

What Is ZENMAP?

ZENMAP is a free and open-source graphical front-end for NMAP. ZENMAP usually comes pre-packaged with NMAP but can also be downloaded separately from the official NMAP website

By all means, ZENMAP is not intended to replace NMAP but rather to complement an already powerful utility with additional features such as:

  • Profile manager: select from a drop-down menu which scanning profile you want to apply to a target IP(s) or save your own favorite NMAP command profile for further scans.
  • Command creator: a ZENMAP option allows you to create your own NMAP custom commands and save them for later use. 
  • Output classification: organized scan results on categories such as Ports/Hosts, Discovered Services, Host Details, etc. ZENMAP’s Topology view is a handy way of visualizing a map of the discovered network.  
  • Compare scan results: you can compare one or multiple scan results to check whether hosts or services are new or changed their status over time. 
  • Usability: You can save a scan as a new profile and run it as many times as you need without remembering the underlying NMAP command.
  • Ease-of-use: as a beginner ethical hacker or pentester, you can find NMAP’s comprehensive lists of commands and flags intimidating. ZENMAP is aimed to be a beginner-friendly alternative to NMAP without compromising on the more advanced options provided by NMAP via command-line.

ZENMAP Installation And Launching

ZENMAP is installed automatically when you install/compile NMAP. If you don’t know how to get NMAP on your system, follow this step-by-step guide to install NMAP on Windows, macOS, Linux, and FreeBSD.

Launching ZENMAP is as simple as launching any other application on your operating system. 

  • On Windows: Go to Start > Programs > Nmap > Zenmap
  • On macOS: Open Finder and navigate to Applications > Zenmap
  • On Linux/UNIX: Open a terminal and type: sudo zenmap

NOTE: You should run NMAP/ZENMAP as root/Administrator to avoid possible restrictions [some NMAP flags are only available for root/Administrator] and have access to additional features such as ARP for MAC address resolution, etc.

The ZENMAP Interface

It’s fair to say that using ZENMAP is as easy as 1,2,3… In fact, the interface is so intuitive that you can find your way around in seconds, even if you see ZENMAP for the very first time right now [Figure 1.1]. 

How to use ZENMAP - Interface. Source: nudesystems.com
Figure 1.1: ZENMAP tutorial – Interface

To run your first scan with ZENMAP and visualize the scan output follow these steps in order:

  1. Target: here is where you put your target IP or IP range, e.g., 192.168.130.129 as a single target or 192.168.130.120-140 as a multi-target [Figure 1.2].
How to use ZENMAP - example of the multi-target scan. Source: nudesystems.com
Figure 1.2: ZENMAP tutorial – example of the multi-target scan.
  1. Profile: this field presents us with a drop-down menu where we can select pre-customized NMAP commands for various scans such as Quick scan, Regular scan, Intense scan, etc. [Figure 1.3]. 
ZENMAP tutorial - example of the multi-target scan - Intense scan. Source: nudesystems.com
Figure 1.3: ZENMAP tutorial – example of multi-target Intense scan.
  1. Scan: triggers the scanning process for the target IP(s). Depending on the type of scan you use or how many targets, the scanning process might take a while though it is usually fast.
  1. Command: This field is showing you the NMAP command for the scan you performed above. You can further add NMAP command flags/options in this field to find additional details on a target machine- if needed. Figure 1.4 shows the NMAP command and flags used for the Intense scan.
How to use ZENMAP - command, and flags for Intense scan. Source: nudesystems.com
Figure 1.4: ZENMAP tutorial – command and flags for Intense scan.

As mentioned before, you can add/remove NMAP flags and create your own ZENMAP scanning profiles. Here are a few useful guides to get you started:

  1. Host/Services: This section will list the hosts and services discovered during a ZENMAP scanning session. 
  • Click on the Hosts button to list all the “alive” discovered hosts. In Figure 1.5, I ran a ZENMAP scan for a range of IPs [192.168.130.120-140] in my network and discovered three alive hosts. 
ZENMAP tutorial - list of alive discovered hosts in a network. Source: nudesystems.com
Figure 1.5: ZENMAP tutorial – list of alive discovered hosts in a network.
  • Click on Services button to list the services discovered as seen in Figure 1.6 below.
How to use ZENMAP - list of services discovered on the up [alive] hosts. Source: nudesystems.com
Figure 1.6: ZENMAP tutorial – list of services discovered on the up [alive] hosts.
  1. The Output Area: the output section consists of five tabs: Nmap Output, Ports / Hosts, Topology, Hosts Details, Scans. Once the scan is completed, navigate through the output tabs to find the scan results as follows:
  • The Nmap Output tab shows the output for all operations performed during a scan. This is basically the output you would receive when running an NMAP command in a Terminal [Figure 1.7].
The ZENMAP tutorial - Nmap Output tab. Source: nudesystems.com
Figure 1.7: ZENMAP tutorial – Nmap Output tab.
  • The Ports / Hosts show the list of open ports and services discovered during a ZENMAP scanning session. If you scan multiple targets, you can browse through the hosts’ section and check which ports and services were discovered on the selected target [Figure 1.8].
How to use ZENMAP - The Ports / Hosts tab in ZENMAP. Source: nudesystems.com
Figure 1.8: The Ports / Hosts tab in ZENMAP.
  • The Topology tab is a very cool ZENMAP feature that provides you a visual map of all the targets discovered during a scan and how they are interconnected. This is probably one of the features that make ZENMAP such a powerful tool. 

You can zoom in and out [mouse wheel], rearrange the nodes [click a node], get target details [right-click a node], choose layouts, save the graphic on your local machine – to say the least [Figure 1.9].  

How to use ZENMAP - The Topology tab in ZENMAP. Source: nudesystems.com
Figure 1.9: The Topology tab in ZENMAP.
  • The Hosts Details tab provides an “ergonomic” alternative to the Nmap Output tab. Here the information is structured in a visual way to help you understand better the scanning results [Figure 1.10].
How to use ZENMAP - The Hosts Details tab in ZENMAP. Source: nudesystems.com
 Figure 1.10: How to use ZENMAP – The Hosts Details.

To save your Topology as an image on your disk, simply click on the Save Graphics button, give it a name, choose a location and click Save [Figure 1.11].

How to use ZENMAP - Save a ZENMAP Topology. Source: nudesystems.com
 Figure 1.11: Save a ZENMAP Topology.
  • The Scans tab provides a list of all the ZENMAP scans [NMAP commands] you performed during a session [Figure 1.12]. Here you can Append, Remove or Cancel an ongoing scan – if needed. Please note that once you close ZENMAP, the Scans list will be cleared. 
How to use ZENMAP - The Scans tab in ZENMAP. Source: nudesystems.com
 Figure 1.12: The Scans tab in ZENMAP.

How To Use ZENMAP Profile Editor

As mentioned before, ZENMAP allows us to create our own scans if the built-in scan profiles don’t match our exact needs. To access ZENMAP’s Profile Editor, press the CTRL+P key combination on your keyboard or navigate to Profile > New Profile in the ZENMAP menu. 

Figure 1.13 below shows an example of creating a custom scan profile. You can give a name to your profile, and it will be available next time you open ZENMAP in your Profile drop-down menu. 

Also, you can choose which target(s) to scan, which targets to exclude, which protocols to use, choose from a vast built-in list of scripts to include, and much more. Here lies the true power of ZENMAP [NMAP]. 

At first glance, the Profile Editor, with its huge list of features, can be overwhelming. But don’t worry, take some time to play around with it, and you will master ZENMAP in no time. 

How to use ZENMAP - The Profile Editor in ZENMAP. Source: nudesystems.com
 Figure 1.13: The Profile Editor in ZENMAP.

Once you finish customizing your next super-scan, don’t forget to click the Save Changes button.

Compare Scan Results In ZENMAP

This ZENMAP feature is extremely handy in many situations, two common scenarios being listed below:

  • You perform a security audit for a client and provide a list of vulnerabilities and corrective actions. Your client is asking to perform a follow-up audit once the corrective actions were implemented. 
  • You are a system/network admin, and your task is to monitor the security health status of a network constantly. You can easily log system changes over time, identify potential vulnerabilities and provide solutions by comparing multiple scan results with ZENMAP. 

To access ZENMAP’s Compare Results feature, press the CTRL+D key combination on your keyboard or navigate to Tools > Compare Results in the ZENMAP menu.

To demo the Compare Results feature, I performed two Quick scans on a Windows 10 target machine with and without Windows firewall enabled. You can see the results between A scan [firewall on – red] and B scan [firewall off – green] in Figure 1.14 below.

ZENMAP tutorial - Compare Scan results example. Source: nudesystems.com
 Figure 1.14: ZENMAP tutorial – Compare Scan results example.

You can compare various scan results performed in a current ZENMAP session, or you can import saved .xml scans from previous sessions by clicking the Open button [Figure 1.14] and select a .xml file saved on your local disk. Check the next section to find out how to save your current ZENMAP scan results. 

Save ZENMAP Scans

If you performed various scans with ZENMAP and would like to have them available, e.g., scan result comparison in the future, you can press CTRL+S key combination on your keyboard or navigate to Scan > Save Scan in the ZENMAP menu [Figure 1.15].

How to use ZENMAP - Save Scan in ZENMAP. Source: nudesystems.com
 Figure 1.15: Save Scan in ZENMAP.

If you performed multiple ZENMAP scans, and would like to save them all in one go, press CTRL+ALT+S key combination on your keyboard or navigate to Scan > Save All Scans to Directory in the ZENMAP menu [Figure 1.16].  

How to use ZENMAP - Save All Scans to Directory in ZENMAP. Source: nudesystems.com
 Figure 1.16: Save All Scans to Directory in ZENMAP.

Before You Go

In this ZENMAP tutorial, we just scratched the tip of the iceberg on how to use ZENMAP, but enough to give you a taste for further exploration. 

If you’re looking for different commands to use in ZENMAP, I recommend you to check the NMAP tutorials in the INFORMATION GATHERING section on my website – especially if you are serious about getting your feet wet in cybersecurity.

If you found this ZENMAP tutorial useful, please help me share it with your friends and colleagues – it really makes a difference. 

Stay safe!