Don’t know how to use Nmap to scan Open Ports? We can help you.
A single IP address can have several services running, such as a web server, an application server, etc. In order for each of them to communicate, they listen and communicate on a specific port.
Hence, when we make a connection to a server, we connect to both the IP address and a port.
For example, when we connect to https://bobcares.com, we connect to the bobcares.com server on port 443, the default port for secure web traffic.
As part of our Server Management Services, we assist our customers with several Nmap queries.
Today, let us see how to use Nmap to scan Open Ports.
How To Use Nmap to Scan Open Ports?
In this article, let us discuss ports in detail.
World’s leading port security network scanner, Nmap hosted security tool can help us determine how well the firewall and security configuration is working.
“nmap” scans IPv4 addresses by default. However, if we specify the proper option, it can also scan IPv6 addresses.
Identifying Common Ports
Ports are specified by a number ranging from 1 to 65535.
We cannot register ports between 49152 and 65535 and are suggested for private use.
Since there is a vast number of ports available, we don’t have to bother the majority of the services that tend to bind to specific ports.
However, there are some ports that are worth knowing due to their ubiquity. The following are a few:
- 20: FTP data
- 21: FTP control port
- 22: SSH
- 23: Telnet
- 25: SMTP
- 43: WHOIS protocol
- 53: DNS services
- 67: DHCP server port
- 68: DHCP client port
- 80: HTTP – Unencrypted Web traffic
- 110: POP3 mail port
- 113: Ident authentication services on IRC networks
- 143: IMAP mail port
- 161: SNMP
- 194: IRC
- 389: LDAP port
- 443: HTTPS – Secure web traffic
- 587: SMTP – message submission port
- 631: CUPS printing daemon port
- 666: DOOM – This legacy game actually has its own special port
To configure a specific application we need to find the appropriate ports.
We should make sure, both the client and server are configured to use a non-standard port.
To get a list of a few common ports, look at the /etc/services file:
$ less /etc/services
The output will have a list of common ports and their associated services:
Output . . . tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users daytime 13/tcp daytime 13/udp netstat 15/tcp qotd 17/tcp quote msp 18/tcp # message send protocol . . .
Checking Open Ports
Generally, we have a number of tools to scan for open ports. netstat is the default for most Linux distributions.
To easily discover the services running, we can issue:
$ sudo netstat -plunt
We will receive a result like the following:
Output Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 785/sshd tcp6 0 0 :::22 :::* LISTEN 785/sshd
Our output shows the port and listening socket associates with the service and lists both UDP and TCP protocols.
Part of securing a network involves infiltrating the network and discovering weaknesses in the same way an attacker might.
Out of all of the available tools for this, the most powerful is the Nmap tool.
To install Nmap on an Ubuntu or Debian machine, we run:
$ sudo apt-get update $ sudo apt-get install nmap
The installation gives us an improved port mapping file. A more extensive association between ports and services can be seen at:
$ less /usr/share/nmap/nmap-services
Output . . . tcpmux 1/tcp 0.001995 # TCP Port Service Multiplexer [rfc-1078] tcpmux 1/udp 0.001236 # TCP Port Service Multiplexer compressnet 2/tcp 0.000013 # Management Utility compressnet 2/udp 0.001845 # Management Utility compressnet 3/tcp 0.001242 # Compression Process compressnet 3/udp 0.001532 # Compression Process unknown 4/tcp 0.000477 rje 5/udp 0.000593 # Remote Job Entry unknown 6/tcp 0.000502 echo 7/tcp 0.004855 echo 7/udp 0.024679 echo 7/sctp 0.000000 . . .
Scanning Ports with Nmap
Nmap can reveal a lot of information about a host. For this reason, our Support Techs recommend testing it on your own servers or after notifying the owners.
The Nmap creators provide a test server located at scanme.nmap.org. This or your own servers are good targets for practicing Nmap.
Moving ahead let us see a few common operations we can perform with Nmap.
Scan for the host operating system:
$ sudo nmap -O scanme.nmap.org
We assume the host is online and skip the network discovery portion. This helps if we get the reply, “Note: Host seems down” in other tests.
Add this to the other options:
$ sudo nmap -PN scanme.nmap.org
Scan without performing a reverse DNS lookup on the IP address specified. This will speed up the results in most cases:
$ sudo nmap -n scanme.nmap.org
Scan a specific port instead of all common ports:
$ sudo nmap -p 80 scanme.nmap.org
To scan for TCP connections, Nmap can perform a 3-way handshake, with the targeted port. Execute it like this:
$ sudo nmap -sT scanme.nmap.org
Similarly, to scan for UDP connections, we type:
$ sudo nmap -sU scanme.nmap.org
We can scan for every TCP and UDP open port using:
$ sudo nmap -n -PN -sT -sU -p- scanme.nmap.org
A TCP “SYN” scan exploits the way that TCP establishes a connection.
To perform an SYN scan, we execute:
$ sudo nmap -sS scanme.nmap.org
A more stealthy approach is to send invalid TCP headers. This will work on non-Windows-based servers.
We can use the “-sF”, “-sX”, or “-sN” flags. All of which will produce the response we look for:
$ sudo nmap -PN -p 80 -sN scanme.nmap.org
To check the version of a service is running on the host, we try this command. It tries to determine the service and version by testing different responses from the server:
$ sudo nmap -PN -p 80 -sV scanme.nmap.org
Finally, we can use Nmap to scan multiple machines.
In addition, to specify a range of IP addresses with “-” or “/24” to scan a number of hosts at once, we run:
$ sudo nmap -PN xxx.xxx.xxx.xxx-yyy
Or scan a network range for available services with a command like this:
$ sudo nmap -sP xxx.xxx.xxx.xxx-yyy
This should help us explore the networking vulnerabilities.
[Need help with Nmap? We are here for you]
To conclude, the world’s leading port security network scanner, Nmap can determine how well the security configuration is working. Today we learned from our Support Techs how to use Nmap to Scan Open Ports.