Port Scanning Options - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 5: Port Scanning Options

Overview

There are a total of 65,535 ports used in TCP/IP. Nmap, by default, only scans 1,000 of the most commonly used ports. This is done to save time when scanning multiple targets, as the majority of ports outside the top 1,000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports to look for uncommon services or ports that have been forwarded to a different location. This section covers the options that allow this and other port specific features.

Tip: A complete list of TCP/IP ports can be found on the IANA website at iana.org/assignments/port-numbers.

Summary of features covered in this section:

-F                                Perform a Fast Scan
-p [port]                         Scan Specific Ports
-p [name]                         Scan Ports by Name
-p U:[UDP ports],T:[TCP ports]    Scan Ports by Protocol
-p "*"                            Scan All Ports
--top-ports [number]              Scan Top Ports
-r                                Perform a Sequential Port Scan
--open                            Only display open ports

Perform a Fast Scan

The -F option instructs Nmap to perform a scan of only the 100 most commonly used ports.

Usage syntax: nmap -F [target]

$ nmap -F 10.10.4.48

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 11:05 CST
Nmap scan report for 10.10.4.48
Host is up (0.0018s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
5000/tcp open  upnp
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Output of a “fast” scan

Nmap scans the top 1,000 commonly used TCP ports by default. The -F option reduces that number to 100. The top 100 ports include some of the most common network services like DNS, SMTP, and HTTP. This can dramatically speed up scanning while still representing the majority of commonly used ports.

Scan Specific Ports

The -p option is used to instruct Nmap to scan the specified port(s).

Usage syntax: nmap -p [port1,port2,etc|range of ports] [target]

$ nmap -p 80 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:55 CST
Nmap scan report for 10.10.4.26
Host is up (0.000071s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Specifying a single port to scan

The example above demonstrates using -p to scan port 80 on a target system. This is useful when you are hunting for a specific service and don't want to bother with scanning all of the default ports. In addition to scanning a single port, you can scan multiple individual ports (separated by a comma) or a range of ports as demonstrated in the next example.

$ nmap -p 20-25,80,443 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:55 CST
Nmap scan report for 10.10.4.26
Host is up (0.00090s latency).
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
23/tcp  closed telnet
24/tcp  closed priv-mail
25/tcp  open   smtp
80/tcp  open   http
443/tcp open   https
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Specifying multiple ports to scan

In this example the -p option is used to scan ports 20 through 25, 80, and 443.

Scan Ports by Name

The -p option can also be used to scan ports by name.

Usage syntax: nmap -p [port name(s)] [target]

$ nmap -p smtp,http 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:57 CST
Nmap scan report for 10.10.4.26
Host is up (0.000069s latency).
PORT     STATE  SERVICE
25/tcp   open   smtp
80/tcp   open   http
8008/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Scanning ports by name

The example above demonstrates searching for open SMTP and HTTP ports by name using the -p option. The name(s) specified must match a service in the nmap-services file. This is usually found in /usr/local/share/nmap/ on Unix/Linux systems or C:\Program Files\Nmap\ on Windows systems.

Wildcards can also be used when specifying services by name. For example, using -p "http*" would scan for all ports that start with http (including http, https, and several others) as demonstrated below.

$ nmap -p "http*" 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:58 CST
Nmap scan report for 10.10.4.26
Host is up (0.00015s latency).
PORT     STATE  SERVICE
80/tcp   open   http
280/tcp  closed http-mgmt
443/tcp  open   https
591/tcp  closed http-alt
593/tcp  closed http-rpc-epmap
8000/tcp closed http-alt
8008/tcp closed http
8080/tcp closed http-proxy
8443/tcp closed https-alt
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Scanning ports by name using wildcards

Note: Some systems may require you to enclose the wildcard statement in quotes so it is not interpreted as a shell wildcard.

Scan Ports by Protocol

Specifying a T: or U: prefix with the -p option allows you to search for a specific port and protocol combination.

Usage syntax: nmap -p U:[UDP ports],T:[TCP ports] [target]

# nmap -sU -sT -p U:161,T:80 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 15:50 CST
Nmap scan report for 10.10.3.1
Host is up (0.0012s latency).
PORT    STATE SERVICE
80/tcp  open  http
161/udp open  snmp
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds

Scanning specific ports by protocol

Using the syntax -p U:161,T:80 instructs Nmap to perform a UDP scan on port 161 and a TCP scan on port 80. This can reduce the amount of time spent scanning ports in situations where you know which ports are likely to respond to TCP and which will use UDP. In this case, the number of port/protocol combinations is cut in half compared to simply running the same scan with -p 80,161, which would probe both ports over both protocols.

Note: By default, Nmap will only scan TCP ports. In order to scan both TCP and UDP ports you will need to request both scan types, such as -sU and -sT, as shown in the example above.

Scan All Ports

The -p- option is a catch-all used to scan all 65,535 ports on the specified target.

Usage syntax: nmap -p- [target]

# nmap -p- 10.10.4.80

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 15:36 CST
Nmap scan report for 10.10.4.80
Host is up (0.00029s latency).
Not shown: 65495 closed ports
PORT      STATE    SERVICE
[...]
8190/tcp  open     unknown
8191/tcp  open     unknown
8443/tcp  open     https-alt
9009/tcp  filtered pichat
9090/tcp  filtered zeus-admin
9443/tcp  open     tungsten-https
9875/tcp  filtered sapv1
10080/tcp filtered unknown
10109/tcp filtered unknown
10443/tcp open     unknown
11711/tcp open     unknown
11712/tcp open     unknown
12443/tcp open     unknown
12721/tcp open     unknown
21000/tcp filtered unknown
21100/tcp open     unknown
22000/tcp open     unknown
22100/tcp open     unknown
48941/tcp open     unknown
55969/tcp open     unknown
59086/tcp open     unknown
MAC Address: 00:50:56:BA:F8:B2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds

Scanning all ports on a target system

Nmap only scans the top 1,000 ports by default. Scanning outside this range can open up the possibility of discovering services running on obscure ports. The above example shows some interesting ports listening outside of the well-known port numbers.

Tip: Don’t forget about UDP when scanning all ports. Including the -sU -sT options with -p- would scan all 65,535 ports using both TCP and UDP. This will take a considerable amount of time but will give you the most comprehensive port listing available for the target system.

Scan Top Ports

The --top-ports option is used to scan the specified number of top ranked ports.

Usage syntax: nmap --top-ports [number] [target]

# nmap --top-ports 10 10.10.4.80

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:07 CST
Nmap scan report for 10.10.4.80
Host is up (0.00035s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  open   https
445/tcp  closed microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Performing a top port scan on the ten highest ranked ports

By default, Nmap will scan the 1000 most commonly used ports. The previously discussed -F option reduces that number to 100. Using the --top-ports option, you can specify any number of top ranked ports to scan.

The example above demonstrates using the --top-ports option to scan the top 10 ports. Any other number can be used to achieve the desired result. For example: nmap --top-ports 50 would scan the top 50 most commonly used ports and nmap --top-ports 500 would scan the top 500 most commonly used ports.
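The port selection rules from the -p sections above (numbers, ranges, names, wildcards, the T:/U: prefixes and the -p- catch-all) and the frequency ranking behind -F and --top-ports can be made concrete with a small model. The following Python is an added example written for this page; it is not Nmap's code and not from the book. The nmap-services excerpt is constructed for illustration, and parse_services, expand_port_spec and top_ports are hypothetical helper names. It deliberately goes beyond the book's examples by also handling the open-ended ranges Nmap accepts ("-1024", "1000-").

```python
import re
from fnmatch import fnmatchcase

# Constructed excerpt in the nmap-services format: "name port/proto open-frequency".
# Values are illustrative only; real rankings come from the nmap-services file
# shipped with Nmap (e.g. /usr/local/share/nmap/nmap-services).
SERVICES_SAMPLE = """\
# service    port/proto  frequency
ftp          21/tcp      0.197667
ssh          22/tcp      0.182286
smtp         25/tcp      0.131314
domain       53/tcp      0.048463
domain       53/udp      0.213496
http         80/tcp      0.484143
http         80/udp      0.035767
snmp         161/udp     0.433467
https        443/tcp     0.208669
http-alt     591/tcp     0.000075
http-alt     8000/tcp    0.009710
http         8008/tcp    0.006843
http-proxy   8080/tcp    0.042052
"""


def parse_services(text):
    """Parse nmap-services style lines into (name, port, proto, frequency) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, port_proto, freq = line.split()[:3]
        port, proto = port_proto.split("/")
        entries.append((name, int(port), proto, float(freq)))
    return entries


def expand_port_spec(spec, services, protocols=("tcp",)):
    """Expand an Nmap -p argument into the set of (proto, port) pairs it selects.

    Supports single ports, N-M ranges, open-ended ranges ("-" alone is 1-65535,
    "-1024" is 1-1024, "1000-" is 1000-65535), service names with shell-style
    wildcards, and T:/U: prefixes, which switch the protocol for every item
    that follows them. `protocols` models the scan types given on the command
    line (-sT, -sU); items without a prefix are scanned on all of them.
    """
    selected = set()
    current = tuple(protocols)
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"([TU]):(.*)", item)
        if m:
            current = ("tcp",) if m.group(1) == "T" else ("udp",)
            item = m.group(2)
        if not item:
            continue
        rng = re.fullmatch(r"(\d*)-(\d*)", item)
        if rng:
            lo = int(rng.group(1) or 1)
            hi = int(rng.group(2) or 65535)
            if not 0 <= lo <= hi <= 65535:
                raise ValueError("bad port range: %s" % item)
            selected.update((p, n) for p in current for n in range(lo, hi + 1))
        elif item.isdigit():
            n = int(item)
            if n > 65535:
                raise ValueError("port out of range: %s" % item)
            selected.update((p, n) for p in current)
        else:
            # A name (possibly with * or ? wildcards) selects every port that
            # carries that name in nmap-services for the active protocols.
            matches = {(proto, port) for name, port, proto, _ in services
                       if proto in current and fnmatchcase(name, item)}
            if not matches:
                raise ValueError("no service matches %r for %s" % (item, current))
            selected.update(matches)
    return selected


def top_ports(services, n, proto="tcp"):
    """Model --top-ports N: the N ports of one protocol with the highest
    open-frequency. -F corresponds to n=100 and the default scan to n=1000."""
    ranked = sorted((e for e in services if e[2] == proto),
                    key=lambda e: e[3], reverse=True)
    return [port for _, port, _, _ in ranked[:n]]


if __name__ == "__main__":
    svc = parse_services(SERVICES_SAMPLE)
    for spec, protos in [("20-25,80,443", ("tcp",)), ("smtp,http", ("tcp",)),
                         ("http*", ("tcp",)), ("U:161,T:80", ("tcp", "udp")),
                         ("80,161", ("tcp", "udp"))]:
        pairs = sorted(expand_port_spec(spec, svc, protos))
        print("-p %-12s -> %d port/protocol probes: %s" % (spec, len(pairs), pairs))
    print("-p-          ->", len(expand_port_spec("-", svc)), "TCP ports")
    print("--top-ports 3 ->", top_ports(svc, 3))
```

Running it shows why -p U:161,T:80 halves the work of -p 80,161 under -sU -sT (two port/protocol pairs instead of four), why -p smtp,http reaches 8008/tcp as well as 25 and 80 (every port carrying the name is selected), and that the name lookup fails loudly for a name the services file does not contain, which is the same check Nmap applies before it sends a single packet.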

Perform a Sequential Port Scan

The -r option performs a sequential port scan on the specified target.

Usage syntax: nmap -r [target]

$ nmap -r 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:09 CST
Nmap scan report for 10.10.3.1
Host is up (0.043s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Performing a sequentially ordered port scan

Nmap’s default scanning algorithm randomizes the port scan order. This is useful for evading firewalls and intrusion prevention systems. The -r parameter overrides this functionality and instructs Nmap to sequentially scan each port in numerical order.

Note: The results of the -r scan aren’t entirely evident because Nmap always sorts the final output of each scan. Combining the -v option with -r will display the sequential port discovery in real time.

Only Display Open Ports

The --open parameter instructs Nmap to only display open ports.

Usage syntax: nmap --open [target]

$ nmap --open scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-18 22:49 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.087s latency).
Not shown: 990 closed ports, 4 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
554/tcp  open  rtsp
7070/tcp open  realserver
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 7.80 seconds

Limiting Nmap output to display open ports only

The --open parameter removes closed and filtered ports from the scan results. This option is useful when you want to unclutter the results of your scan so that only open ports are displayed. The same scan without the --open option is displayed below for comparison.

$ nmap scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-18 22:49 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.080s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver
9929/tcp open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds

Nmap scan displaying open and filtered ports
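When scan output is saved rather than read on the spot, the same --open filtering is often applied after the fact, and the two scanme.nmap.org listings above show exactly what it changes: the four filtered ports leave the table and reappear as a count in the "Not shown" line. The following Python is an added example written for this page, not code from the book or from Nmap. The REPORT text is the page's own second scanme.nmap.org listing (the run without --open); parse_report, open_only, not_shown_line and total_ports are hypothetical helper names.

```python
import re

# Sample input: the scanme.nmap.org scan from this section, run without --open.
# Copied from the page's example output, so the port states are the page's.
REPORT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-18 22:49 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.080s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver
9929/tcp open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (.*)")


def parse_report(text):
    """Parse Nmap normal output into the host, the port table, and the per-state
    counts that Nmap collapsed into its 'Not shown:' line."""
    report = {"host": None, "ports": [], "not_shown": {}}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line[len("Nmap scan report for "):].strip()
            continue
        m = NOT_SHOWN.match(line)
        if m:
            for part in m.group(1).split(","):   # e.g. "990 closed ports"
                count, state = part.split()[:2]
                report["not_shown"][state] = int(count)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            report["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service})
    return report


def open_only(report):
    """Model --open: keep only open ports in the table and fold every other
    state into the 'Not shown' counts, which is why the page's --open run
    reports '990 closed ports, 4 filtered ports'."""
    kept, hidden = [], dict(report["not_shown"])
    for rec in report["ports"]:
        if rec["state"] == "open":
            kept.append(rec)
        else:
            hidden[rec["state"]] = hidden.get(rec["state"], 0) + 1
    return {"host": report["host"], "ports": kept, "not_shown": hidden}


def not_shown_line(report):
    """Render the summary line in Nmap's own format for comparison."""
    parts = ["%d %s ports" % (n, state) for state, n in report["not_shown"].items()]
    return "Not shown: " + ", ".join(parts)


def total_ports(report):
    """Ports listed plus ports summarised: 1000 for a default scan, whichever
    display option was used."""
    return len(report["ports"]) + sum(report["not_shown"].values())


if __name__ == "__main__":
    full = parse_report(REPORT)
    trimmed = open_only(full)
    print(trimmed["host"])
    print(not_shown_line(trimmed))
    for rec in trimmed["ports"]:
        print("%d/%s %s %s" % (rec["port"], rec["proto"], rec["state"], rec["service"]))
    print("ports accounted for:", total_ports(full), "vs", total_ports(trimmed))
```

Because filtered ports are hidden by --open, a review that only looks at --open output loses the evidence of a filtering device in the path (the 25, 135, 139 and 445 entries here); keeping the unfiltered report and deriving the short view from it, as this example does, preserves that signal.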