Run nmap without root privileges

Currently, I have to run a lot of Nmap (a network scanner) scans for a client. One part of these scans is to check for open ports in different ways. Creating full connections isn't enough. Instead, you use a SYN scan. SYN scans are fast and harder to detect because Nmap never completes the TCP handshake, so no full connection is ever established on the target.

Because SYN scans are only half-open scans, they require more privilege on the local network stack. Nmap sends 'raw' TCP packets, hence running nmap as root becomes necessary. However, running a scanner with root privileges is bad practice.

Setting caps

Instead of always executing nmap with sudo, we can grant the executable the rights it needs with capabilities. Capabilities are additional information about the privileges a process can have, and they can be stored in the extended attributes of a file. For modern ping commands this often becomes necessary too, because unprivileged users aren't allowed to create a raw socket for ICMP.

To set the capabilities of a file we use setcap; to read them we use getcap.

~ $ sudo getcap /usr/bin/nmap

The output above is not missing: getcap prints nothing when no capabilities are set. Thanks to the secwiki, we get the necessary flags for the capabilities quite comfortably and do not have to guess much.

~ $ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap

When we re-run the getcap command, we get the following:

~ $ sudo getcap /usr/bin/nmap
/usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip

To make use of this now, we merely tell nmap to assume that it has all the necessary privileges with the --privileged flag (without it, nmap checks whether it runs as root and otherwise falls back to a connect scan; setting the NMAP_PRIVILEGED environment variable has the same effect as the flag). The scan then looks like this:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-25 18:03 CET
Nmap scan report for akendo.eu (46.101.226.248)
Host is up (0.024s latency).
Other addresses for akendo.eu (not scanned): 2a03:b0c0:3:d0::41:c001
rDNS record for 46.101.226.248: mail.akendo.eu
Not shown: 989 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
444/tcp open  snpp
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 43.17 seconds
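As an added example (not part of the original post), the following POSIX shell script checks that the capabilities set above are actually present in the effective and permitted sets, handling both the older getcap output format shown on this page and the newer one without the "=" after the path, and it refuses a binary that group or other users can write to, since anyone who can replace a capability-bearing file gets its capabilities on the next run. The function names, REQUIRED_CAPS and the sample getcap lines are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that a binary carries
# the file capabilities nmap needs for raw-socket scans, and that the binary is
# not writable by unprivileged users.
#
# getcap output differs between libcap versions; both forms are handled:
#   older:  /usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip
#   newer:  /usr/bin/nmap cap_net_admin,cap_net_bind_service,cap_net_raw=eip

REQUIRED_CAPS="cap_net_raw cap_net_admin cap_net_bind_service"

# caps_present GETCAP_LINE
# Returns 0 when every capability in REQUIRED_CAPS is listed with both the
# effective (e) and permitted (p) flag, 1 otherwise. Empty input (what getcap
# prints when nothing is set) therefore returns 1.
caps_present() {
    # Drop the path and, for older libcap, the " = " separator after it.
    clauses=$(printf '%s\n' "$1" | sed 's/^[^ ]*[ =]*//')
    granted=""
    for clause in $clauses; do
        # A clause without a flag part grants nothing.
        case "$clause" in *[+=]*) ;; *) continue ;; esac
        names=$(printf '%s' "$clause" | sed 's/[+=].*//')
        flags=$(printf '%s' "$clause" | sed 's/^[^+=]*[+=]//')
        case "$flags" in
            *e*p* | *p*e*) granted="$granted,$names" ;;
        esac
    done
    for cap in $REQUIRED_CAPS; do
        case ",$granted," in
            *",$cap,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# not_writable_by_others PATH
# Returns 0 when neither group nor "other" has write permission on PATH.
# (ls -l layout: file type, then rwx for user, group and other.)
not_writable_by_others() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w* | ????????w*) return 1 ;;
    esac
    return 0
}

# check_binary PATH: both checks against the live system.
check_binary() {
    not_writable_by_others "$1" \
        || { echo "$1: writable by group/other, do not grant caps" >&2; return 1; }
    caps_present "$(getcap "$1" 2>/dev/null)" \
        || { echo "$1: required capabilities missing" >&2; return 1; }
    echo "$1: ok"
}

# Constructed sample lines so the script demonstrates itself without nmap.
caps_present "/usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip" \
    && echo "old-style getcap line: all required caps present"
caps_present "/usr/bin/nmap cap_net_raw=eip" \
    || echo "partial set: required caps missing"

# Check the real binary when both tools are available.
if command -v getcap >/dev/null 2>&1 && [ -x /usr/bin/nmap ]; then
    check_binary /usr/bin/nmap
fi
```

File capabilities live in the binary's extended attributes, so a package upgrade that replaces /usr/bin/nmap with a new file typically drops them again; re-run the check (or the setcap command) after upgrades.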

Sometimes you receive varying results, and occasionally ports are displayed that the scanned system does not offer. The reason can be the local firewall interfering with your TCP connections. It is vital to make sure that your local network firewall does not mess with your packets.

That’s a lot of open services. Maybe the owner of this domain should reduce it a bit? :-)

so far, akendo