How to use Nmap to scan for open ports
One of Nmap's primary functions is conducting port scans. In this walkthrough, learn how to launch a default scan, along with other options that affect Nmap port scan behavior.
The Nmap network reconnaissance and security auditing tool, released in 1997, is one of the most basic and most used cybersecurity tools today. From its beginnings as an advanced port scanner, it evolved into a multifunctional tool with a family of useful projects that can discover weak passwords, scan IPv6 addresses, perform IP address geolocation, detect vulnerabilities and more.
The open source tool helps security pros, networking teams, sys admins and other IT personnel scan hosts, networks, applications, mainframes, Unix and Windows environments, supervisory control and data acquisition systems, and industrial control systems.
Paulino Calderon, co-founder of Websec and part-time Nmap developer, wrote Nmap Network Exploration and Security Auditing Cookbook, Third Edition, published by Packt, to offer firsthand insights into using the multifaceted tool.
In this excerpt from Chapter 1, "Nmap Fundamentals," Calderon shares a recipe on how to use Nmap to find open ports. Follow along to learn how to perform the quintessential Nmap task, and review Calderon's tips on port scanning techniques, options that affect the scan behavior of Nmap and more. Download a PDF of Chapter 1 to read more.
Listing open ports on a target
This recipe describes how to use Nmap to determine the port states of a target, a process used to identify running services commonly referred to as port scanning. This is one of the tasks Nmap excels at, so it is important to learn about the essential Nmap options related to port scanning.
How to do it...
To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a hostname, or a network range:
$ nmap scanme.nmap.org
The scan results will show all the host information obtained, such as the IPv4 (and IPv6 if available) address, reverse DNS name, and interesting ports with service names. All listed ports have a state. Ports marked as open or filtered are of special interest as they represent services running on the target host:
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned):
2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports PORT STATE SERVICE
22/tcp open ssh 25/tcp filtered smtp 80/tcp open http
9929/tcp open nping-echo 31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds
How it works...
The default Nmap scan returns a list of ports. In addition, it returns a service name from a database distributed with Nmap and the port state for each of the listed ports.
Learn more about Calderon's
Nmap cookbook, published
by Packt.
Nmap categorizes ports into the following states:
- Open: Open indicates that a service is listening for connections on this port.
- Closed: Closed indicates that the probes were received, but it was concluded that there was no service running on this port.
- Filtered: Filtered indicates that there were no signs that the probes were received and the state could not be established. This could indicate that the probes are being dropped by some kind of filtering.
- Unfiltered: Unfiltered indicates that the probes were received but a state could not be established.
- Open/Filtered: This indicates that the port was filtered or open, but the state could not be established.
- Closed/Filtered: This indicates that the port was filtered or closed but the state could not be established.
Even for this simple port scan, Nmap does many things in the background that can be configured as well. Nmap begins by converting the hostname to an IPv4 address using DNS name resolution. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use -n if you wish to skip this step, as follows:
$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
Afterward, it performs the host discovery process to check whether the target is online (see the Finding online hosts recipe). To skip this step, use the no ping option, -Pn:
$ nmap -Pn scanme.nmap.org
Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step as well if you do not need that information:
$ nmap -n scanme.nmap.org
The previous command will launch either a SYN stealth scan or a TCP connect scan depending on the privileges of the user running Nmap.
There's more...
Port scanning is one of the most powerful features available, and it is important that we understand the different techniques and options that affect the scan behavior of Nmap.
Privileged versus unprivileged
Running the simplest port scan command, nmap <target>, as a privileged user by default launches a SYN stealth scan, whereas unprivileged users that cannot create raw packets use the TCP connect scan technique. The difference between these two techniques is that a TCP connect scan uses the high-level connect() system call to obtain the port state information, meaning that each TCP connection is fully completed and therefore slower. SYN stealth scans use raw packets to send specially crafted TCP packets to detect port states with a technique known as half-open.
Scanning specific port ranges
Setting port ranges correctly during your scans is a task you often need to do when running Nmap scans. You can also use this to filter machines that run a service on a specific port, for example, finding all the SMB servers open in port 445. Narrowing down the port list also optimizes performance, which is very important when scanning multiple targets.
There are several ways of using the Nmap -p option:
- Port list separated by commas: $ nmap -p80,443 localhost
- Port range denoted with hyphens: $ nmap -p1-100 localhost
- Alias for all ports from 1 to 65535: # nmap -p- localhost
- Specific ports by protocol: # nmap -pT:25,U:53 <target>
- Service name: # nmap -p smtp <target>
- Service name with wildcards: # nmap -p smtp* <target>
- Only ports registered in the Nmap services database: # nmap -p[1-65535] <target>
Selecting a network interface
Nmap attempts to automatically detect your active network interface; however, there are some situations where it will fail or perhaps you will need to select a different interface in order to test networking issues. To force Nmap to scan using a different network interface, use the -e argument:
#nmap -e <interface> <target>
#nmap -e eth2 scanme.nmap.org
This is only necessary if you have problems with broadcast scripts or see the WARNING: Unable to find appropriate interface for system route to message.
More port scanning techniques
In this recipe, we talked about the two default scanning methods used in Nmap: SYN stealth scan and TCP connect scan. However, Nmap supports several more advanced port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-portscanning-techniques.html to learn more about them as Fyodor has done a fantastic job describing how they work in depth.
Target specification
Nmap supports several target formats that allow users to work with IP address ranges. The most common type is when we specify the target's IP or host, but it also supports the reading of targets from files and ranges, and we can even generate a list of random targets as we will see later.
Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:
# nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24
There are several ways that we can handle IP ranges in Nmap:
- Multiple host specification
- Octet range addressing (they also support wildcards)
- CIDR notation
To scan the 192.168.1.1, 192.168.1.2, and 192.168.1.3 IP addresses, the following command can be used:
$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
We can also specify octet ranges using -. For example, to scan hosts 192.168.1.1, 192.168.1.2, and 192.168.1.3, we could use the expression 192.168.1.1-3, as shown in the following command:
$ nmap 192.168.1.1-3
Octet range notation also supports wildcards, so we could scan from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.*:
$ nmap 192.168.1.*
Excluding hosts from scans
In addition, you may exclude hosts from the ranges by specifying the --exclude option, as shown next:
$ nmap 192.168.1.1-255 --exclude 192.168.1.1
$ nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2
Otherwise, you can write your exclusion list in a file using the --exclude-file option:
$ cat dontscan.txt
192.168.1.1
192.168.1.254
$ nmap --exclude-file dontscan.txt 192.168.1.1-255
CIDR notation for targets
The CIDR notation (pronounced cider) is a compact method for specifying IP addresses and their routing suffixes. This notation gained popularity due to its granularity when compared with classful addressing because it allows subnet masks of variable length.
The CIDR notation is specified by an IP address and network suffix. The network or IP suffix represents the number of network bits. IPv4 addresses are 32-bit, so the network can be between 0 and 32. The most common suffixes are /8, /16, /24, and /32.
To visualize it, take a look at the following CIDR-to-netmask conversions:
- /8: 255.0.0.0
- /16: 255.255.0.0
- /24: 255.255.255.0
- /32: 255.255.255.255
For example, 192.168.1.0/24 represents the 256 IP addresses from 192.168.1.0 to 192.168.1.255. 50.116.1.121/8 represents all the IP addresses between 50.0-255.0-255.0-255. The /32 network suffix is also valid and represents a single IP address.
The CIDR notation can also be used when specifying targets. To scan the 256 hosts in 192.168.1.0-255 using the CIDR notation, you will need the /24 suffix:
$ nmap 192.168.1.0/24
Working with target lists
Many times, we will need to work with multiple targets, but having to type a list of targets in the command line is not very practical. Fortunately, Nmap supports the loading of targets from an external file. Enter the list of targets into a file, each separated by a new line, tab, or space(s):
$cat targets.txt
192.168.1.23
192.168.1.12
To load the targets from the targets.txt file, use the Nmap -iL <filename> option:
$ nmap -iL targets.txt
Important note
This feature can be combined with any scan option or method, except for exclusion rules set by --exclude or --exclude-file. The --exclude and --exclude-file options will be ignored when -iL is used.
You can also use different target formats in the same file. In the following file, we specify an IP address and an IP range inside the same file:
$ cat targets.txt
192.168.1.1
192.168.1.20-30
You can enter comments in your target list by starting the new line with the # character:
$ cat targets.txt
# FTP servers 192.168.10.3
192.168.10.7
192.168.10.11
Paulino Calderon
About the author
Paulino Calderon (@calderpwn on Twitter) is a published author and international speaker with more than 10 years of professional experience in network and application security. He co-founded Websec, a consulting firm securing applications, networks and digital assets operating in North America, in 2011. When he isn't traveling to security conferences or consulting for Fortune 500 companies with Websec, he spends peaceful days enjoying the beach in Cozumel, Mexico. His contributions have reached millions of users through Nmap, Metasploit, Open Web Application Security Project Mobile Security Testing Guide, OWASP Juice Shop and OWASP IoTGoat.
