Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)
Section 5: Port Scanning Options
Overview
There are a total of 65,535 ports used in TCP/IP. Nmap, by default, only scans 1,000 of the most commonly used ports. This is done to save time when scanning multiple targets, as the majority of ports outside the top 1,000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports to look for uncommon services or ports that have been forwarded to a different location. This section covers the options that allow this and other port specific features.
Tip: A complete list of TCP/IP ports can be found on the IANA website at iana.org/assignments/port-numbers.
Summary of features covered in this section:
-F                              Perform a Fast Scan
-p [port]                       Scan Specific Ports
-p [name]                       Scan Ports by Name
-p U:[UDP ports],T:[TCP ports]  Scan Ports by Protocol
-p "*"                          Scan All Ports
--top-ports [number]            Scan Top Ports
-r                              Perform a Sequential Port Scan
--open                          Only Display Open Ports
Perform a Fast Scan
The -F option instructs Nmap to perform a scan of only the 100 most commonly used ports.
Usage syntax: nmap -F [target]
$ nmap -F 10.10.4.48
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 11:05 CST
Nmap scan report for 10.10.4.48
Host is up (0.0018s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
5000/tcp open  upnp
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Output of a “fast” scan
Nmap scans the top 1,000 commonly used TCP ports by default. The -F option reduces that number to 100. The top 100 ports include some of the most common network services like DNS, SMTP, and HTTP. This can dramatically speed up scanning while still representing the majority of commonly used ports.
Scan Specific Ports
The -p option is used to instruct Nmap to scan the specified port(s).
Usage syntax: nmap -p [port1,port2,etc|range of ports] [target]
$ nmap -p 80 10.10.4.26
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:55 CST
Nmap scan report for 10.10.4.26
Host is up (0.000071s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Specifying a single port to scan
The example above demonstrates using -p to scan port 80 on a target system. This is useful when you are hunting for a specific service and don't want to bother with scanning all of the default ports. In addition to scanning a single port, you can scan multiple individual ports (separated by a comma) or a range of ports as demonstrated in the next example.
$ nmap -p 20-25,80,443 10.10.4.26
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:55 CST
Nmap scan report for 10.10.4.26
Host is up (0.00090s latency).
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
23/tcp  closed telnet
24/tcp  closed priv-mail
25/tcp  open   smtp
80/tcp  open   http
443/tcp open   https
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Specifying multiple ports to scan
In this example the -p option is used to scan ports 20 through 25, 80, and 443.
Scan Ports by Name
The -p option can also be used to scan ports by name.
Usage syntax: nmap -p [port name(s)] [target]
$ nmap -p smtp,http 10.10.4.26
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:57 CST
Nmap scan report for 10.10.4.26
Host is up (0.000069s latency).
PORT     STATE  SERVICE
25/tcp   open   smtp
80/tcp   open   http
8008/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Scanning ports by name
The example above demonstrates searching for open SMTP and HTTP ports by name using the -p option. The name(s) specified must match a service in the nmap-services file. This is usually found in /usr/local/share/nmap/ on Unix/Linux systems or C:\Program Files\Nmap\ on Windows systems.
Wildcards can also be used when specifying services by name. For example, using -p "http*" would scan for all ports that start with http (including http, https, and several others) as demonstrated below.
$ nmap -p "http*" 10.10.4.26
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 12:58 CST
Nmap scan report for 10.10.4.26
Host is up (0.00015s latency).
PORT     STATE  SERVICE
80/tcp   open   http
280/tcp  closed http-mgmt
443/tcp  open   https
591/tcp  closed http-alt
593/tcp  closed http-rpc-epmap
8000/tcp closed http-alt
8008/tcp closed http
8080/tcp closed http-proxy
8443/tcp closed https-alt
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Scanning ports by name using wildcards
Note: Some systems may require you to enclose the wildcard statement in quotes so it is not interpreted as a shell wildcard.
Scan Ports by Protocol
Specifying a T: or U: prefix with the -p option allows you to search for a specific port and protocol combination.
Usage syntax: nmap -p U:[UDP ports],T:[TCP ports] [target]
# nmap -sU -sT -p U:161,T:80 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 15:50 CST
Nmap scan report for 10.10.3.1
Host is up (0.0012s latency).
PORT    STATE SERVICE
80/tcp  open  http
161/udp open  snmp
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
Scanning specific ports by protocol
Using the syntax -p U:161,T:80 instructs Nmap to perform a UDP scan on port 161 and a TCP scan on port 80. This can reduce the amount of time spent scanning ports in situations where you know which ports are likely to respond to TCP and which will use UDP. In this case, the number of port/protocol combinations is cut in half compared to simply running a scan with -p 80,161.
Note: By default, Nmap only scans TCP ports. To scan both TCP and UDP ports you need to specify the scan types, such as -sU and -sT, as shown in the example above.
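To make the port specification rules from the last three sections concrete (comma lists and ranges, service names with wildcards, and T:/U: prefixes), here is an added Python example that is not from the book or from Nmap itself. It expands a -p argument into (protocol, port) pairs; the nmap-services excerpt it resolves names against is constructed for the example, and the function names are my own.

```python
import re
# Constructed excerpt of the "<name> <port>/<proto>" columns of Nmap's nmap-services
# file, limited to entries that appear in the scans above; the real file is much larger.
NMAP_SERVICES = """
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
smtp 25/tcp
http 80/tcp
snmp 161/udp
http-mgmt 280/tcp
https 443/tcp
http 8008/tcp
http-proxy 8080/tcp
https-alt 8443/tcp
"""

def load_services(text=NMAP_SERVICES):
    """Return (name, proto, port) tuples from nmap-services style lines."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            rows.append((name, proto, int(port)))
    return rows

def parse_port_spec(spec, protos=("tcp", "udp"), services=None):
    """Expand an Nmap -p argument (comma lists, ranges, '-' = 1-65535, service names with
    * and ? wildcards, T:/U: prefixes lasting until the next prefix) into (proto, port) pairs."""
    rows = services or load_services()
    current = list(protos)  # unprefixed items apply to every protocol being scanned
    result = set()
    for item in spec.split(","):
        if ":" in item:
            prefix, item = item.split(":", 1)
            current = [{"T": "tcp", "U": "udp"}[prefix.upper()]]
        if item == "-":
            result.update((p, n) for p in current for n in range(1, 65536))
        elif re.fullmatch(r"\d+(-\d+)?", item):
            lo, _, hi = item.partition("-")
            result.update((p, n) for p in current for n in range(int(lo), int(hi or lo) + 1))
        else:  # a service name: translate shell-style wildcards into a regex
            pattern = re.compile(re.escape(item).replace(r"\*", ".*").replace(r"\?", "."))
            matched = {(r[1], r[2]) for r in rows if r[1] in current and pattern.fullmatch(r[0])}
            if not matched:
                raise ValueError(f"no service in nmap-services matches {item!r}")
            result.update(matched)
    return result
```

With the excerpt above, "smtp,http" expands to 25, 80 and 8008 for TCP, which is why the by-name scan earlier reports 8008/tcp alongside 25 and 80.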
Scan All Ports
The -p- option is a catch-all used to scan all 65,535 ports on the specified target.
Usage syntax: nmap -p- [target]
# nmap -p- 10.10.4.80
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 15:36 CST
Nmap scan report for 10.10.4.80
Host is up (0.00029s latency).
Not shown: 65495 closed ports
PORT      STATE    SERVICE
[...]
8190/tcp  open     unknown
8191/tcp  open     unknown
8443/tcp  open     https-alt
9009/tcp  filtered pichat
9090/tcp  filtered zeus-admin
9443/tcp  open     tungsten-https
9875/tcp  filtered sapv1
10080/tcp filtered unknown
10109/tcp filtered unknown
10443/tcp open     unknown
11711/tcp open     unknown
11712/tcp open     unknown
12443/tcp open     unknown
12721/tcp open     unknown
21000/tcp filtered unknown
21100/tcp open     unknown
22000/tcp open     unknown
22100/tcp open     unknown
48941/tcp open     unknown
55969/tcp open     unknown
59086/tcp open     unknown
MAC Address: 00:50:56:BA:F8:B2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds
Scanning all ports on a target system
Nmap only scans the top 1,000 ports by default. Scanning outside this range can open up the possibility of discovering services running on obscure ports. The above example shows some interesting ports listening outside of the well-known port numbers.
Tip: Don’t forget about UDP when scanning all ports. Including the -sU -sT options with -p- would scan all 65,535 ports using both TCP and UDP. This will take a considerable amount of time but will give you the most comprehensive port listing available for the target system.
Scan Top Ports
The --top-ports option is used to scan the specified number of top ranked ports.
Usage syntax: nmap --top-ports [number] [target]
# nmap --top-ports 10 10.10.4.80
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:07 CST
Nmap scan report for 10.10.4.80
Host is up (0.00035s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  open   https
445/tcp  closed microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Performing a top port scan on the ten highest ranked ports
By default, Nmap will scan the 1,000 most commonly used ports. The previously discussed -F option reduces that number to 100. Using the --top-ports option, you can specify any number of top ranked ports to scan.
The example above demonstrates using the --top-ports option to scan the top 10 ports. Any other number can be used to achieve the desired result. For example: nmap --top-ports 50 would scan the top 50 most commonly used ports and nmap --top-ports 500 would scan the top 500 most commonly used ports.
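As an added example that is not from the book or from Nmap's own source, the following Python shows where the "top ranked" ordering comes from: each nmap-services entry carries an open-frequency column, and --top-ports N keeps the N ports of a protocol with the highest values (-F is the same selection with N=100, the default scan with N=1,000). The frequency values below are constructed so the top ten TCP entries match the scan above; the function names are mine.

```python
# Constructed excerpt in nmap-services format: "<name> <port>/<proto> <open-frequency>".
# The frequency values are made up for this example; Nmap ships real measured ones.
NMAP_SERVICES = """
http 80/tcp 0.4841
telnet 23/tcp 0.2213
https 443/tcp 0.2081
ftp 21/tcp 0.1974
ssh 22/tcp 0.1829
smtp 25/tcp 0.1313
ms-wbt-server 3389/tcp 0.0831
pop3 110/tcp 0.0774
microsoft-ds 445/tcp 0.0562
netbios-ssn 139/tcp 0.0502
http-proxy 8080/tcp 0.0423
snmp 161/udp 0.4337
domain 53/udp 0.3284
"""

def load_frequencies(text=NMAP_SERVICES):
    """Return {(proto, port): open-frequency} from nmap-services style lines."""
    freqs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            _, portproto, freq = line.split()[:3]
            port, proto = portproto.split("/")
            freqs[(proto, int(port))] = float(freq)
    return freqs

def top_ports(n, proto="tcp", freqs=None):
    """Emulate --top-ports N for one protocol: the N ports with the highest
    open-frequency, returned in numeric order the way Nmap prints its report."""
    freqs = freqs or load_frequencies()
    ranked = sorted((p for p in freqs if p[0] == proto), key=lambda p: freqs[p], reverse=True)
    return sorted(port for _, port in ranked[:n])
```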
Perform a Sequential Port Scan
The -r option performs a sequential port scan on the specified target.
Usage syntax: nmap -r [target]
$ nmap -r 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:09 CST
Nmap scan report for 10.10.3.1
Host is up (0.043s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Performing a sequentially ordered port scan
Nmap’s default scanning algorithm randomizes the port scan order. This is useful for evading firewalls and intrusion prevention systems. The -r parameter overrides this functionality and instructs Nmap to sequentially scan each port in numerical order.
Note: The results of the -r scan aren’t entirely evident because Nmap always sorts the final output of each scan. Combining the -v option with -r will display the sequential port discovery in real time.
Only Display Open Ports
The --open parameter instructs Nmap to only display open ports.
Usage syntax: nmap --open [target]
$ nmap --open scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-18 22:49 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.087s latency).
Not shown: 990 closed ports, 4 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
554/tcp  open  rtsp
7070/tcp open  realserver
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 7.80 seconds
Limiting Nmap output to display open ports only
The --open parameter removes closed and filtered ports from the scan results. This option is useful when you want to unclutter the results of your scan so that only open ports are displayed. The same scan without the --open option is displayed below for comparison.
$ nmap scanme.nmap.org
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-18 22:49 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.080s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver
9929/tcp open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds
Nmap scan displaying open and filtered ports