This recipe describes how to use Nmap to determine the port states on a remote host, a process used to identify running services that is commonly referred to as port scanning. This is one of the tasks Nmap excels at, so it is important to learn the essential Nmap options related to port scanning.
Listing open ports on a target host
How to do it...
To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a host name, or a network range:
$ nmap scanme.nmap.org
The scan results will show all the host information obtained, such as the IPv4 (and IPv6, if available) address, the reverse DNS name, and interesting ports with service names. Every listed port has a state. Ports marked as open are of special interest, as they represent services running on the target host:
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds
How it works...
The basic default Nmap scan nmap <target> executes a simple port scan that returns a list of ports. In addition, it returns a service name from a database distributed with Nmap and the port state for each of the listed ports.
Nmap categorizes ports into the following states:
- Open: Open indicates that a service is listening for connections on this port.
- Closed: Closed indicates that the probes were received, but it was concluded that there was no service running on this port.
- Filtered: Filtered indicates that no response to the probes was observed, so the state could not be established; this usually means the probes are being dropped by some kind of filtering.
- Unfiltered: Unfiltered indicates that the probes were received but a state could not be established.
- Open/Filtered: This indicates that the port was filtered or open but the state could not be established.
- Closed/Filtered: This indicates that the port was filtered or closed but the state could not be established.
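As an added example that is not part of the recipe, a small Python parser reads Nmap's normal-format output (the report shown above, embedded here as constructed sample input) and groups ports by state, so that open ports are separated from ports whose state Nmap could not settle.

```python
import re
from collections import defaultdict

# Constructed sample: the normal-format report from this recipe, verbatim.
SAMPLE_REPORT = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds
"""

# Nmap's six port states as printed ('|' joins the two-possibility states).
STATES = r"open\|filtered|closed\|filtered|open|closed|filtered|unfiltered"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(" + STATES + r")\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (" + STATES + r")")

def parse_report(text):
    """Return (ports_by_state, not_shown): ports_by_state maps a state to
    (port, proto, service) tuples; not_shown maps a state to the count
    Nmap folded into its 'Not shown:' line (most ports, usually closed)."""
    by_state, not_shown = defaultdict(list), {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            by_state[state].append((int(port), proto, service))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[m.group(2)] = int(m.group(1))
    return dict(by_state), not_shown

def open_services(text):
    """Only 'open' ports: the ones that represent listening services."""
    by_state, _ = parse_report(text)
    return [(p, s) for p, _, s in sorted(by_state.get("open", []))]

def unresolved_ports(text):
    """Ports whose state Nmap could not settle (filtered or an x|filtered
    pair); these need a different probe, not a conclusion."""
    by_state, _ = parse_report(text)
    unsettled = ("filtered", "open|filtered", "closed|filtered")
    return sorted(p for st in unsettled for p, _, _ in by_state.get(st, []))
```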
Even for this simplest port scan, Nmap does many things in the background that can be configured as well. Nmap begins by converting the hostname to an IPv4 address using DNS name resolution. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use -n if you wish to skip this step, as follows:
$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
Afterward, it performs a host discovery process to check whether the host is alive (see the Finding live hosts in your network recipe). To skip this step, use -Pn as follows:
$ nmap -Pn scanme.nmap.org
Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step, as follows:
$ nmap -n scanme.nmap.org
Finally, it launches either a SYN stealth scan or TCP connect scan depending on the user privileges.
There's more...
Port scanning is one of Nmap's most powerful features, and it is important that we understand the different techniques and Nmap options that affect the scan behavior.
Privileged versus unprivileged
Running the simplest port scan command, nmap <target>, as a privileged user launches a SYN Stealth Scan by default, whereas unprivileged users, who cannot create raw packets, use the TCP Connect Scan technique. The difference between these two techniques is that TCP Connect Scan uses the high-level connect() system call to obtain the port state information, meaning that each TCP connection is fully completed and therefore slower. SYN Stealth Scans send specially crafted raw TCP packets to detect port states with a technique known as half-open scanning.
Scanning specific port ranges
Setting port ranges correctly during your scans will be very handy. You might be looking for infected machines that use a specific port to communicate or a specific service and do not really care about the rest. Narrowing down the port list also optimizes performance, which is very important when scanning multiple targets.
There are several accepted formats for the argument -p:
- Port list:
# nmap -p80,443 localhost
- Port range:
# nmap -p1-100 localhost
- All ports:
# nmap -p- localhost
- Specific ports by protocols:
# nmap -pT:25,U:53 <target>
- Service name:
# nmap -p smtp <target>
- Service name wildcards:
# nmap -p smtp* <target>
- Only ports registered in Nmap services:
# nmap -p[1-65535] <target>
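As an added example (not part of the recipe or of Nmap itself), a Python helper expands the numeric forms of the -p argument listed above into per-protocol port sets. It assumes a TCP-only scan for unprefixed ports and leaves the service-name forms, which Nmap resolves against its own services database, out of scope.

```python
import re

# Assumed helper, not an Nmap API: expands the numeric forms of -p.
PREFIX = re.compile(r"^([TU]):(.*)$")

def expand_port_spec(spec):
    """Expand an Nmap -p argument into {'tcp': set, 'udp': set}.
    Covered: comma lists (80,443), ranges (1-100), '-' for all ports,
    open-ended ranges (-100 or 1000-), and T:/U: prefixes, where a prefix
    stays in force until another prefix appears. Service names, wildcards
    and the [ ] nmap-services selector are not handled and raise ValueError."""
    result = {"tcp": set(), "udp": set()}
    # Nmap adds unprefixed ports to every protocol being scanned; this
    # helper assumes the recipe's default TCP-only scan, so they go to tcp.
    proto = "tcp"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in -p specification")
        m = PREFIX.match(item)
        if m:
            proto, item = {"T": "tcp", "U": "udp"}[m.group(1)], m.group(2)
        if item == "-":
            lo, hi = 1, 65535
        elif "-" in item:
            a, b = item.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else 65535
        else:
            lo = hi = int(item)  # non-numeric items raise ValueError here
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        result[proto].update(range(lo, hi + 1))
    return result

def is_valid_spec(spec):
    """True when expand_port_spec accepts the specification."""
    try:
        expand_port_spec(spec)
        return True
    except ValueError:
        return False

def spec_size(spec):
    """How many ports a -p argument implies per protocol; useful before a
    large multi-target scan (U: ports are only probed when -sU is given)."""
    return {proto: len(ports) for proto, ports in expand_port_spec(spec).items()}
```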
Selecting a network interface
Nmap attempts to automatically detect your active network interface; however, there are some situations where it will fail or perhaps we will need to select a different interface in order to test networking issues. To force Nmap to scan using a different network interface, use the argument -e:
# nmap -e <interface> <target>
# nmap -e eth2 scanme.nmap.org
You will need to set your network interface manually if you ever encounter the message WARNING: Unable to find appropriate interface for system route to.
More port scanning techniques
In this recipe, we talked about the two default scanning methods used in Nmap: SYN Stealth Scan and TCP Connect Scan. However, Nmap supports several more port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-port-scanning-techniques.html to learn more about them.