In part 4, we looked at the various scanning techniques that are available in Nmap. In this post, we'll look at the various port-scan specific options that Nmap provides.
Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.
Scan specific ports
So far, every scan in this series has used Nmap's default of the 1000 most common TCP ports. When you need a port outside that set, name it explicitly with -p. Several ports are separated by commas and a range is written with a hyphen, for example -p 80,443,8000-8100.
nikhilh@ubuntu:~$ nmap -d -p80,443 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 12:25 PDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
...
...
...
PORT STATE SERVICE REASON
80/tcp open http syn-ack
443/tcp filtered https no-response
Final times for host: srtt: 81264 rttvar: 61024 to: 325360
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
Scan ports by name
If you have forgotten the port number for a service, pass the service name instead. Nmap resolves the name through its nmap-services file (you can see it being read in the debug output below), which maps service names to port/protocol pairs. Names may contain the wildcards * and ?, so -p 'http*' selects every service whose name starts with http; quote the argument so the shell does not expand the wildcard.
nikhilh@ubuntu:~$ nmap -d -pimap,smtp scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:23 PDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
...
...
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Scanned at 2018-08-22 13:23:47 PDT for 2s
PORT STATE SERVICE REASON
25/tcp filtered smtp no-response
143/tcp filtered imap no-response
Final times for host: srtt: 81738 rttvar: 81738 to: 408690
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
Scan ports by protocol
If you want to scan port x over TCP and port y over UDP in a single run, prefix the ports with T: for TCP and U: for UDP. A prefix stays in effect for the items that follow it until another prefix appears. The prefixes only select ports; you still have to request both scan types, so combine -sS (or any other TCP scanning technique) with -sU. If -sU is missing, the U: ports are simply ignored. Both scans need raw sockets, hence the sudo. Note the open|filtered state on the UDP port below: a UDP service that does not answer a probe is indistinguishable from a port silently dropped by a firewall, so Nmap reports both possibilities.
nikhilh@ubuntu:~$ sudo nmap -d -sU -sS -p T:80,U:67 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 15:21 PDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
...
...
Scanned at 2018-08-22 15:21:07 PDT for 0s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 128
67/udp open|filtered dhcps no-response
Final times for host: srtt: 10394 rttvar: 24115 to: 106854
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 7 (252B) | Rcvd: 3 (112B)
Scanning all ports
If you have the need to scan ALL 65535 ports, use -p-, which is shorthand for -p 1-65535 (port 0 is only included if you ask for it with -p0-). Keep in mind that it will take a while to execute, roughly 65 times longer than the default 1000 ports on a responsive host and far longer for UDP. I have never had the need to use this option so far. The command is as below:
nikhilh@ubuntu:~$ nmap -d -p- scanme.nmap.org
Scan top ports
Previously, we have seen the top 1000 ports being scanned. With the -F option, Nmap scans the top 100 ports. But what if you need to scan the top 10 ports? Or top 200 ports? Then --top-ports N is the option to use. The ranking comes from the open-frequency column of the nmap-services file, so --top-ports 100 is the same as -F and --top-ports 1000 is the same as the default; the debug line "PORTS: Using top 10 ports found open" below confirms which list was chosen.
nikhilh@ubuntu:~$ nmap -d --top-ports 10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:34 PDT
PORTS: Using top 10 ports found open (TCP:10, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
...
...
...
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp open ssh syn-ack
23/tcp filtered telnet no-response
25/tcp filtered smtp no-response
80/tcp open http syn-ack
110/tcp filtered pop3 no-response
139/tcp filtered netbios-ssn no-response
443/tcp filtered https no-response
445/tcp filtered microsoft-ds no-response
3389/tcp filtered ms-wbt-server no-response
Final times for host: srtt: 82117 rttvar: 35374 to: 223613
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
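The following is an added example, not code from this post or from Nmap's own source. It models in Python how the three selections above are resolved: service names through nmap-services (scan ports by name), T:/U: prefixes (scan ports by protocol), and the open-frequency ranking behind --top-ports. The nmap-services excerpt embedded in it is constructed, its frequencies are made up, and the function names are my own; the file's real layout is "name port/proto open-frequency".

```python
"""Model of how Nmap resolves a -p port specification and --top-ports.

Added example, not Nmap's own code. It reimplements three behaviours from this
post against a constructed excerpt of the nmap-services file, whose real
format is "name port/proto open-frequency [# comment]".
"""
from typing import Dict, List, Set, Tuple

# Constructed excerpt for the example; the real file has thousands of entries
# and the frequencies here are invented.
NMAP_SERVICES = """\
# Fields: name port/proto open-frequency
http    80/tcp   0.484143
telnet  23/tcp   0.221265
https   443/tcp  0.208669
ftp     21/tcp   0.197667
ssh     22/tcp   0.182286
smtp    25/tcp   0.131314
pop3    110/tcp  0.077142
imap    143/tcp  0.050420
dhcps   67/udp   0.228010
domain  53/udp   0.213496
snmp    161/udp  0.433467
"""


def parse_services(text: str) -> List[Tuple[str, int, str, float]]:
    """Return (name, port, proto, freq) rows, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        rows.append((name, int(port), proto, float(freq)))
    return rows


SERVICES = parse_services(NMAP_SERVICES)


def ports_by_name(name: str, proto: str) -> Set[int]:
    """Ports whose service name matches for the given protocol (-p imap)."""
    return {p for n, p, pr, _ in SERVICES if pr == proto and n == name}


def expand_portspec(spec: str, protos=("tcp",)) -> Dict[str, Set[int]]:
    """Expand an Nmap-style -p string into {proto: set(ports)}.

    Handles numbers, ranges (80-90, and a bare "-" for 1-65535), service
    names, and the T:/U: prefixes. A prefix stays in effect until the next
    one, as in Nmap. `protos` stands for the scan types requested (-sS, -sU);
    ports for a protocol that is not being scanned are dropped, which mirrors
    "-p U:67" being ignored when -sU is missing.
    """
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    current = list(protos)  # unprefixed items apply to every scanned protocol
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            current = ["tcp" if item[0].upper() == "T" else "udp"]
            item = item[2:]
        for proto in current:
            if item == "-":
                result[proto].update(range(1, 65536))
            elif item.isdigit():
                result[proto].add(int(item))
            elif "-" in item and all(x.isdigit() for x in item.split("-")):
                lo, hi = map(int, item.split("-"))
                result[proto].update(range(lo, hi + 1))
            else:
                result[proto].update(ports_by_name(item, proto))
    return {p: s for p, s in result.items() if p in protos}


def top_ports(n: int, proto: str = "tcp") -> List[int]:
    """Ports with the highest open-frequency for a protocol, like --top-ports n."""
    rows = sorted((r for r in SERVICES if r[2] == proto), key=lambda r: -r[3])
    return sorted(p for _, p, _, _ in rows[:n])


if __name__ == "__main__":
    print(expand_portspec("imap,smtp"))                             # by name
    print(expand_portspec("T:80,U:67", protos=("tcp", "udp")))     # -sS -sU
    print(expand_portspec("T:80,U:67"))                            # no -sU: udp dropped
    print(top_ports(5))                                            # --top-ports 5
```

The third print shows the trap from the protocol section: with only a TCP scan type in effect the U:67 entry vanishes silently, which is exactly why both -sS and -sU are needed on the real command line.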
Scanning ports sequentially
By default Nmap randomizes the order in which it probes ports (apart from moving a few very common ones near the front). The -r option disables that and scans the ports in ascending numeric order. Sequential probing is usually not recommended because it is an obvious pattern for an intrusion detection system to spot, but when you need a deterministic, reproducible order, for instance while watching the target's responses in real time, this is the option to use.
nikhilh@ubuntu:~$ nmap -d -r scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
...
...
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
9929/tcp open nping-echo syn-ack
Final times for host: srtt: 82645 rttvar: 15487 to: 144593
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds
Scan and show only open ports
When --open is used, Nmap only displays ports in the open state. All others, which include closed, filtered, unfiltered, open|filtered and closed|filtered, are left out of the report. One caveat: --open also turns on --defeat-rst-ratelimit, which is why the warning about closed ports being reported as filtered appears in the output below. Nmap then stops slowing down for hosts that rate-limit their RST replies, so the scan finishes faster but the closed/filtered distinction for the hidden ports is no longer reliable. That is fine when you only care about open ports; do not reuse the same scan to reason about which ports are closed versus firewalled.
nikhilh@ubuntu:~$ nmap -d --open scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 14:55 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
...
...
Reason: 997 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
9929/tcp open nping-echo syn-ack
Final times for host: srtt: 83157 rttvar: 12869 to: 134633
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
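Because --open changes how closed ports are recorded, an alternative is to scan without it, save the greppable output with -oG, and filter for open ports afterwards. The script below is an added example (not from this post or from Nmap) that does that filtering. The report lines it embeds are constructed to match the real -oG field layout "port/state/proto/owner/service/rpc_info/version/"; the second host, 192.0.2.10, is a documentation address, not a real scan result, and the function names are my own.

```python
"""Post-filter open ports from an Nmap -oG (greppable) report.

Added example, not part of the post or of Nmap. Lets you keep the full
closed/filtered information from a scan run without --open while still
listing only open ports. The sample below is constructed to follow the
-oG layout: tab-separated "Key: value" fields, with each port written as
port/state/proto/owner/service/rpc_info/version/.
"""
from typing import Dict, List, Tuple

# Constructed sample; the scanme line mirrors the results shown in this post,
# the 192.0.2.10 line adds a UDP host so the open|filtered case is covered.
GREPPABLE = """\
# Nmap 7.70 scan initiated as: nmap -sS -sU -oG scan.gnmap scanme.nmap.org 192.0.2.10
Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 9929/open/tcp//nping-echo///\tIgnored State: filtered (996)
Host: 192.0.2.10 ()\tPorts: 67/open|filtered/udp//dhcps///, 53/closed/udp//domain///\tIgnored State: closed (998)
# Nmap done at some point
"""


def parse_greppable(text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Map host address -> [(port, state, proto, service)] from -oG text."""
    hosts: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines, "# Nmap done", etc.
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        if "Ports" not in fields:
            continue  # the "Status: Up" line carries no port data
        host = fields["Host"].split()[0]  # address; the (name) part is dropped
        entries = []
        for port_entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, *_ = port_entry.split("/")
            entries.append((int(port), state, proto, service))
        hosts.setdefault(host, []).extend(entries)
    return hosts


def open_ports(text: str, strict: bool = True) -> Dict[str, List[Tuple[int, str]]]:
    """Ports in state "open" only (strict), or also "open|filtered" for UDP."""
    wanted = {"open"} if strict else {"open", "open|filtered"}
    return {
        host: [(port, proto) for port, state, proto, _ in entries if state in wanted]
        for host, entries in parse_greppable(text).items()
    }


if __name__ == "__main__":
    for host, ports in open_ports(GREPPABLE, strict=False).items():
        print(host, ports)
```

With strict=True the UDP host shows nothing, because open|filtered is not proof that anything is listening; pass strict=False when you want those ambiguous UDP ports included for follow-up with version detection.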
That's it for part 5! Like part 4, I believe this post's content was straight forward as well. I hope everything was simple to understand. If there are any questions, please leave them in the comments below and I'll get back to you as soon as I can!
In the next part, we'll be looking at OS and service version detection along with timing options that Nmap offers.