Using Nmap to Scan Open Ports [with Examples]

Written by: Linuxopsys   |   Last updated: November 26, 2023

Nmap (Network Mapper) is a powerful open-source network scanning tool that allows you to discover open ports on remote systems.

By default, nmap scans only the 1000 most popular ports. To scan all ports you need to add a flag, which is covered in the options section below. If you don't have a target of your own to practice on, you may use scanme.nmap.org.

Prerequisites

Nmap (the network mapper tool) is not installed by default on most Linux distributions. You can typically install it using your system's package manager, such as apt, yum, or dnf. For example, on Ubuntu, you can install Nmap with the following command:

sudo apt install nmap

Basic Nmap Port Scanning

Syntax:

nmap [options] [target(s)]

Let's say you want to scan the open ports of a remote system with IP address 192.168.1.100. You would use the following command:

sudo nmap 192.168.0.1

The Nmap scan report displays the host status and latency.

Similarly, you can specify a hostname to scan for the host:

sudo nmap example.com

Nmap scan Options

Here are some commonly used options:

  • -p-: Scans all ports in the range from 1 to 65535, including both TCP and UDP ports.
  • -p [port]: Scan a specific port.
  • -p [1-n]: Scan a range of ports. Replace [1-n] with the range of ports you want to scan.
  • -p [port1,port2]: Scan multiple specific ports by separating them with commas.
  • -sT: Limit the scan to TCP ports only.
  • -sU: Limit the scan to UDP ports only.
  • --top-ports [n]: Scan the most popular ports and specify the number of ports to scan, where [n] is the desired number.
  • -O: Attempt to determine the host's operating system.
  • -F: Perform a fast scan by checking only the 100 most popular ports.
  • -iL: Perform the scan using a list of target IP addresses or hostnames from a file.
  • -sV: Probe open ports to identify the service and version running on them.
  • -T[n]: Set the timing template, with [n] being a number from 0 (paranoid) to 5 (insane) to adjust the scan speed and aggressiveness.
  • --exclude [host1,host2]: Exclude specific hosts from the scan by specifying their IP addresses or hostnames separated by commas.

Examples

1. Scan Multiple IP Addresses

To scan multiple targets, specify nmap followed by a list of IPs separated by space:

sudo nmap 192.168.0.1 192.168.0.2 192.168.0.3

The same nmap scan report is displayed for multiple targets.


2. Scan for IP Range

Instead of a single IP or a list of targets, you can specify a range of IPs after the nmap command to scan that whole range:

sudo nmap 192.168.200.1-10

In this case, IP addresses from 192.168.200.1 to 192.168.200.10 are scanned and the report is generated.

3. Ping Scan for IP Addresses on Subnet

You can run nmap on a subnet to perform a ping scan to get a list of live hosts on the subnet:

sudo nmap 192.168.200.1/24

4. Scan for IPs from a Text File

You can create a list of IPs in a text file and pass that file with -iL to scan the targets it contains:

sudo nmap -iL users.txt
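An added example that is not part of the original article: once a list-based scan has been saved in nmap's grepable format (the -oG option), a few lines of shell turn it into an inventory of open ports and flag any that a per-segment allowlist does not expect. The hosts, services and the sample output embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): turn nmap's grepable output
# (-oG) into an inventory of open ports and flag any that an allowlist does
# not expect. Real data would come from a run such as:
#   sudo nmap -p 1-1000 -iL targets.txt -oG scan.gnmap
# The sample below is constructed; hosts and services are hypothetical.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -p 1-1000 -oG - -iL targets.txt
Host: 192.168.200.1 () Status: Up
Host: 192.168.200.1 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https/// Ignored State: closed (997)
Host: 192.168.200.2 () Status: Up
Host: 192.168.200.2 () Ports: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 6379/open/tcp//redis/// Ignored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned'

# open_ports: read -oG text on stdin and print one "host port/proto service"
# line per open port. Each Ports entry is port/state/proto/owner/service/...
open_ports() {
  awk -F'Ports: ' '/Ports: / {
    host = $1
    sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep only the address
    n = split($2, entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")
      if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
    }
  }'
}

# unexpected_ports ALLOWLIST: print open ports that are not in the
# space-separated allowlist of port/proto pairs, e.g. "22/tcp 80/tcp".
unexpected_ports() {
  allow=" $1 "
  open_ports | while read -r host port svc; do
    case "$allow" in
      *" $port "*) ;;                                   # expected, skip
      *) printf '%s %s %s\n' "$host" "$port" "$svc" ;;
    esac
  done
}

# Demo: only SSH and HTTP are expected on this segment, so the database and
# cache ports on 192.168.200.2 are reported for follow-up.
printf '%s\n' "$SAMPLE_GNMAP" | unexpected_ports "22/tcp 80/tcp"
```

Run it against a real file with `unexpected_ports "22/tcp 80/tcp" < scan.gnmap`; rerunning after each change to the segment gives a cheap drift check on exposed services.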

5. Scan a Specific Port on Given IP

Use the -p option followed by the port number to scan a specific port, or several ports separated by commas.

In the following example, nmap scans port 22 on the host 192.168.200.1:

sudo nmap -p 22 192.168.200.1

To scan multiple ports, type:

sudo nmap -p 80,22 192.168.200.1

6. Scan for a Port Range on Given IP

Specify the range of ports followed by the IP to scan for the given port range on the specified host IP:

sudo nmap -p 1-100 192.168.200.1

7. Port Scanning for the Most Common Ports

Use the -F option with nmap to quickly scan the 100 most common ports on the specified host IP:

sudo nmap -F 192.168.200.1

8. Scan for all Ports on Given IP Address

Use the -p- option with nmap to list all ports on the given host IP address:

sudo nmap -p- 192.168.200.1

Alternatively, you can use the -p "*" flag to scan all 65535 TCP and UDP ports.

sudo nmap -p "*" 192.168.0.100

9. TCP Ports Scanning

Use the -sT option to perform a TCP port scan on the given host IP address:

sudo nmap -sT 192.168.200.1

10. Scan UDP Ports

Nmap works with both TCP and UDP ports. Use the -sU option to scan UDP ports on the given host IP address:

sudo nmap -sU 192.168.200.1

11. Check Operating System of Target Host

Use the -O option to identify the operating system of the specified host IP address.

The following nmap command gives you information about the operating system of the host with IP address 192.168.10.1.

sudo nmap -O 192.168.10.1

12. Scan for all information in the system

You can reveal all the information about a host system using the -A flag as shown below. This will reveal all the information pertaining to the host system such as the underlying OS, open ports, services running and their versions, etc.

sudo nmap -A 192.163.43.103

The command performs OS and service detection, giving you detailed information such as the type of service, its version, and the port it is running on. It usually takes a while to run, but it is thorough and gives you all you need about the particular host system.

13. Scan Most Popular Ports

Use the --top-ports option to scan the target for the most popular open ports. You can specify the number of ports you wish to scan.

The following example scans the top 100 TCP ports (out of 65,536 possible) on the target:

sudo nmap --top-ports 100 target

To include UDP as well, combine the TCP and UDP scan types:

sudo nmap -sTU --top-ports 100 target

14. Fast Scan with Nmap

You can use the timing templates to instruct Nmap to perform a fast scan. Nmap supports six timing templates: T0 (paranoid), T1 (sneaky), T2 (polite), T3 (normal), T4 (aggressive), and T5 (insane).

The following example performs an Nmap port scan at the fastest ("insane") timing level:

sudo nmap -T5 example.com

The following nmap output shows the time difference between the two runs in two command-line interfaces.

[Screenshot: nmap fast scan]

Nmap Scripting Engine

You can use the Nmap Scripting Engine to extend a port scan with either pre-defined scripts or custom scripts you write yourself. This helps system administrators automate port scans with nmap.

The following example shows how to use the vuln script to perform a system vulnerability check:

sudo nmap -Pn --script vuln 127.0.0.1