Running nmap as an unprivileged user

From SecWiki

It is possible to run Nmap as an unprivileged user on Linux systems by using capabilities.

Nmap can perform much of its functionality as a normal user, so it checks whether it has permission to perform certain actions and falls back to safer behaviour when it does not. For instance, a TCP SYN scan (-sS) requires opening raw sockets. If that fails and the user did not explicitly specify -sS, Nmap falls back to a normal TCP connect scan (-sT).

Nmap requires the following capabilities: CAP_NET_RAW, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE. Some NSE scripts may require additional capabilities.

Security Concerns

WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall rules and interface configuration, or exploit vulnerabilities, including on localhost. It's possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.

Before setting capabilities, restrict Nmap access to certain groups. "adm" is a good choice for most distributions, as console users are generally members. Alternatively, consider the group "sudo" (Ubuntu 12.04 or later), "admin" (Ubuntu before 12.04), or "wheel" (Red Hat systems).

chgrp adm /usr/bin/nmap
chmod 750 /usr/bin/nmap

Installing libcap

To set these capabilities, you must use the "setcap" command, which may not be installed. On Red Hat systems:

sudo yum install libcap

And on Debian/Ubuntu systems:

sudo apt-get install libcap2-bin

Set capabilities

Then add the capabilities to Nmap. Be sure to specify the full path to wherever you installed Nmap:

sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap

Setting NMAP_PRIVILEGED

You must explicitly tell Nmap that it has these capabilities:

nmap --privileged -sS 192.168.0.1

You can save the extra typing by setting the NMAP_PRIVILEGED environment variable.

export NMAP_PRIVILEGED=""
nmap -sS 192.168.0.1

You can set this permanently. Add the export line to one of the following:

  1. ~/.xsessionrc, for most graphical environments and inherited by all terminals and shells
  2. ~/.profile, for login shells
  3. ~/.bashrc, for bash
  4. ~/.gnomerc, for GNOME only
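The steps above (restrict the binary to a group, setcap exactly cap_net_raw, cap_net_admin and cap_net_bind_service, then tell Nmap it is privileged) are easy to get slightly wrong, and an over-broad setcap is exactly what the warning section is about. The following audit script is an added example, not part of the SecWiki page or of Nmap itself. It checks one line of getcap output against the page's required set, rejecting missing capabilities, extra capabilities and incomplete flags, and it checks that the binary is not world-accessible. It assumes the two getcap output formats shown in the comments (older libcap prints "path = caps+flags", libcap 2.41 and later prints "path caps=flags") and assumes /usr/bin/nmap as the default path; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the SecWiki page): verify that an nmap binary
# carries exactly the three capabilities the page lists, with the e, i and p
# flags, and that it is group-restricted as the page advises (chmod 750).

REQUIRED_CAPS="cap_net_raw cap_net_admin cap_net_bind_service"

# Split one getcap line into "caps flags". Assumed input formats (constructed):
#   /usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip   (libcap < 2.41)
#   /usr/bin/nmap cap_net_bind_service,cap_net_admin,cap_net_raw=eip     (libcap >= 2.41)
parse_getcap_line() {
    line=$1
    spec=${line##* }              # text after the last space: the cap spec
    case $spec in
        *+*) caps=${spec%%+*}; flags=${spec#*+} ;;
        *=*) caps=${spec%%=*}; flags=${spec#*=} ;;
        *)   caps=$spec;        flags= ;;
    esac
    printf '%s %s\n' "$caps" "$flags"
}

# Print "ok" and return 0 if the line grants exactly REQUIRED_CAPS with +eip;
# otherwise print the first problem found and return 1.
check_nmap_caps() {
    set -- $(parse_getcap_line "$1")
    caps=$1; flags=$2
    # 1. every required capability must be present
    for c in $REQUIRED_CAPS; do
        case ",$caps," in
            *",$c,"*) ;;
            *) echo "missing $c"; return 1 ;;
        esac
    done
    # 2. nothing beyond the required set (an extra cap_sys_admin, for example,
    #    would be far more than Nmap needs)
    rest=$caps
    while [ -n "$rest" ]; do
        c=${rest%%,*}
        case " $REQUIRED_CAPS " in
            *" $c "*) ;;
            *) echo "unexpected capability $c"; return 1 ;;
        esac
        [ "$rest" = "$c" ] && break
        rest=${rest#*,}
    done
    # 3. effective, inheritable and permitted must all be set (the page's +eip)
    for f in e i p; do
        case $flags in
            *$f*) ;;
            *) echo "flag $f not set (need +eip)"; return 1 ;;
        esac
    done
    echo "ok"
}

# Live audit of a real binary; needs getcap from libcap (see the page's
# libcap install section). Only runs when a path is passed on the command line.
audit_nmap() {
    path=${1:-/usr/bin/nmap}
    line=$(getcap "$path" 2>/dev/null)
    check_nmap_caps "$line" || return 1
    # Group restriction: the "others" triplet of the mode must be "---".
    perms=$(ls -ld "$path" | cut -c1-10)       # e.g. -rwxr-x---
    case $perms in
        ???????---) echo "$path: capabilities ok, not world-accessible ($perms)" ;;
        *) echo "$path: world-accessible ($perms); the page advises chmod 750"; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    audit_nmap "$1"
fi
```

Run it as `sh audit_nmap.sh /usr/bin/nmap` after the setcap step; a non-zero exit with a one-line reason means the binary is either under- or over-privileged or still readable and executable by everyone. The "unexpected capability" check is deliberately strict: the page's warning is that capabilities beyond what a scan needs are what turn an NSE script into a root-escalation path.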

Zenmap

As long as it inherits NMAP_PRIVILEGED, Zenmap will run Nmap with these capabilities. However, Zenmap 6.25 and earlier will print a warning at startup:

"You are trying to run Zenmap with a non-root user! Some Nmap options need root privileges to work."

This can be ignored.