The network is one of the most complex and sensitive components of an IT infrastructure. System administrators must understand various layers, interfaces, protocols, tools, and ports to effectively handle network communication. You must use the correct ports to enable secure communication.
Nmap is an open-source command-line tool to scan ports, audit network security, detect hosts and services, and get a list of open ports. It started as a Linux tool and was later ported to Windows, macOS, and BSD.
In this tutorial, we will learn how to use Nmap to scan open ports.
- A working Linux operating system.
- Terminal access and understanding.
- Sudo or the root user privileges.
What is a Network Port
A network port is a logical endpoint for network communication: a numbered address used to direct network traffic. Different components or services use different ports, and the most commonly used network ports are TCP and UDP ports. You can run several services on a single IP address, but each of these services needs its own port to listen for requests and communicate.
Common Linux Ports
When you install your Linux operating system and configure different services, some ports are automatically assigned to these services. The port numbers range from 1 to 65536. Ports below 1024 are usually reserved for significant and critical network functions.
The following table lists some of the most common Linux ports:
|Port|Description|
|20|For FTP data.|
|21|For FTP control.|
|25|For SMTP to send emails.|
|80|For HTTP web server.|
|110|For POP3 to receive emails.|
|143|For IMAP email.|
|443|For HTTPS secure web server.|
|465|For SMTPS to send secure emails.|
|631|For CUPS print server.|
|993|For IMAPS secure email.|
At a given time, your Linux computer has multiple open ports on which the services listen to connections.
You can use any of the following commands to list open ports in Linux:
sudo lsof -i -P -n | grep LISTEN
sudo netstat -tulpn | grep LISTEN
sudo ss -tulpn | grep LISTEN
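The commands above filter on the string LISTEN, which matches TCP listeners only; ss reports bound UDP sockets as UNCONN, so the filter drops them. The following added example (not part of the original tutorial) parses `ss -tulpn` output, keeps both kinds, and reports only sockets that are not bound to loopback. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: list sockets that accept traffic from other hosts.
# Reads `ss -tulpn` output on stdin, keeps TCP LISTEN and UDP UNCONN rows,
# drops loopback-only binds, and prints "proto/port address process".
exposed_listeners() {
  awk '$2 == "LISTEN" || $2 == "UNCONN" {
    n = split($5, parts, ":")            # port is the text after the last colon
    port = parts[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, skip
    proc = "unknown"                     # process column is empty without root
    if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
    print $1 "/" port, addr, proc
  }'
}

# Constructed sample of `ss -tulpn` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=745,fd=7))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=990,fd=6))
tcp   LISTEN 0      244    [::1]:5432         [::]:*            users:(("postgres",pid=1020,fd=5))
EOF
}

sample_ss_output | exposed_listeners
```

On a real host, run `sudo ss -tulpn | exposed_listeners`.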
Nmap Scan Ports
To save time, Nmap by default scans only the 1000 most popular ports. To scan all ports, we need to add a flag, which is covered in the following section. If you don't have a target to practice Nmap scans on, you may use scanme.nmap.org.
Nmap (Network Mapper) is not installed by default on most Linux distributions. Installing Nmap with the distribution's package manager is simple and straightforward.
Let's check how to use nmap to scan for open ports.
1. Scan for the Specified IP or Host
Enter nmap followed by the IP to scan a particular IP:
sudo nmap 192.168.0.1
The Nmap scan report displays the host status and latency.
Similarly, you can specify a hostname to scan for the host:
sudo nmap example.com
2. Scan Multiple IP Addresses
To scan multiple targets, specify nmap followed by a list of IPs separated by space:
sudo nmap 192.168.0.1 192.168.0.2 192.168.0.3
The same nmap scan report is displayed for multiple targets.
3. Scan for IP Range
You can specify a range of IPs after the nmap command, instead of a single IP or multiple targets to scan for an IP range:
sudo nmap 192.168.200.1-10
In this case, IP addresses from 192.168.200.1 to 192.168.200.10 are scanned and the report is generated.
4. Ping Scan for IP Addresses on Subnet
You can run nmap with the -sn option on a subnet to perform a ping scan (host discovery without a port scan) and get a list of live hosts on the subnet:
sudo nmap -sn 192.168.200.1/24
5. Scan for IPs from a Text File
You can create a list of IPs in a text file and specify the file to scan target IPs from the file:
sudo nmap -iL users.txt
6. Scan a Specific Port on Given IP
Use the -p option followed by the port number to scan a specific port, or multiple ports separated by commas.
In the following example, nmap scans port 22 on the host 192.168.200.1:
sudo nmap -p 22 192.168.200.1
To scan multiple ports, type:
sudo nmap -p 80,22 192.168.200.1
7. Scan for a Port Range on Given IP
Specify the range of ports followed by the IP to scan for the given port range on the specified host IP:
sudo nmap -p 1-100 192.168.200.1
8. Port Scanning for the Most Common Ports
Use the -F option with nmap to quickly scan the 100 most common ports on the specified host IP:
sudo nmap -F 192.168.200.1
9. Scan for all Ports on Given IP Address
Use the -p- option with nmap to scan all ports on the given host IP address:
sudo nmap -p- 192.168.200.1
Alternatively, you can use the -p "*" flag to scan all 65535 TCP and UDP ports.
sudo nmap -p "*" 192.168.0.100
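A full-port scan is most useful when its result is compared with the ports you expect to be open. The following added example (not part of the original tutorial) reads Nmap's grepable output, produced with the `-oG -` option, and prints every open port that is not on an allowlist. The function names, the allowlist, and the sample scan line are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag open ports that are not on an allowlist.
# Usage: sudo nmap -p- -oG - 192.168.200.1 | unexpected_ports "22/tcp,80/tcp"
# Reads grepable (-oG) output on stdin, prints "host port/proto service".
unexpected_ports() {
  awk -F'\t' -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Host: / {
      split($1, h, " "); host = h[2]          # "Host: <ip> (<name>)"
      for (f = 2; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue        # skip Status and Ignored State
        m = split(substr($f, 8), entries, ", ")
        for (j = 1; j <= m; j++) {
          # entry layout: port/state/proto/owner/service/rpc/version/
          split(entries[j], e, "/")
          key = e[1] "/" e[3]
          if (e[2] == "open" && !(key in ok)) print host, key, e[5]
        }
      }
    }'
}

# Constructed sample of `nmap -oG -` output (not from a real scan).
sample_scan() {
  printf 'Host: 192.168.200.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.200.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///, 443/closed/tcp//https///\tIgnored State: filtered (96)\n'
}

# Ports 22 and 80 are expected, so only 3306 is reported.
sample_scan | unexpected_ports "22/tcp,80/tcp"
```

An empty result means every open port is on the allowlist; any line printed is a service to investigate or close.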
10. TCP Ports Scanning
Use the -sT option to perform a TCP port scan on the given host IP address:
sudo nmap -sT 192.168.200.1
11. Scan UDP Ports
Nmap works with both TCP and UDP ports. Use the -sU option to scan UDP ports on the given host IP address:
sudo nmap -sU 192.168.200.1
12. Check Operating System of Target Host
Use the -O option to identify the operating system of the specified host IP address.
The following nmap command gives you information about the operating system on the host computer with IP address 192.168.10.1.
sudo nmap -O 192.168.10.1
13. Scan for all information in the system
You can reveal all the information about a host system using the -A flag as shown below. This will reveal all the information pertaining to the host system such as the underlying OS, open ports, services running and their versions, etc.
sudo nmap -A 22.214.171.124
The command performs OS and service detection, giving you detailed information such as the type of service, its version, and the port it is running on. The command usually takes a while to run, but it is thorough and gives you all you need about the particular host system.
14. Scan Most Popular Ports
Use the --top-ports option to scan the target for the most popular open ports. You can specify the number of ports you wish to scan.
The following example scans the top 100 (out of 65,536 possible) open ports for the TCP protocol on the target:
sudo nmap --top-ports 100 target
To add UDP protocol, type:
sudo nmap -sTU --top-ports 100 target
15. Fast Scan with Nmap
You can use the time templates to instruct Nmap to perform a fast scan. Nmap supports five levels of time templates: T0 (paranoid), T1 (sneaky), T2 (polite), T3 (normal), T4 (aggressive), and T5 (insane).
The following example performs an insane fast Nmap port scan:
sudo nmap -T5 example.com
The following nmap output shows time differences in two command-line interfaces.
Nmap Scripting Engine
You can use the nmap scripting engine to perform a port scan using either pre-defined scripts or you can create custom scripts. This helps system administrators automate port scans using nmap.
The following example shows how to use the vuln script to perform a system vulnerability check:
sudo nmap -Pn --script vuln 127.0.0.1
Some of the useful Nmap flags are:
|Scan all ports (1 to 65535) including TCP and UDP|
|Scan specific ports|
|Scan a range of ports|
|Scan multiple ports|
|To scan only TCP ports|
|To scan only UDP ports|
|Scan most popular ports and specify the number of ports to scan|
|Scan for host operating system|
|A fast scan of 100 popular ports|
|Scan from a file|
|Find the version of service running on a port|
|Template for fast scan|
|Exclude specific hosts from the scan|
In this tutorial, we learned how to use Nmap to scan for ports on your Linux computer. The examples in this tutorial cover the most common use cases of Nmap and will help you better understand the Nmap options. Nmap helps system administrators to evaluate and debug security errors.