HakTip 98 – NMap 101: Port Scanning Options
This week Shannon Morse discusses several port scanning options you can use in NMap.
NMap scans 1000 commonly used ports by default, which include ones like 80 for TCP, and port 25 for SMTP, etc. If you want to scan other ports, these options are for you. Let’s start with -F which does a fast scan. Sometimes a scan for the 1000 common ports can still take a while, so you may want to cut that down to only the top 100 ports. It looks like every other scan you do, just add -F after the word NMap.
Scanning specific ports is pretty fun. If you want to scan a target for port 80, it would look like this: nmap -p 80 10.73.31.145. Using this option, you can also scan a range of ports or specific ones all in one go, like this: nmap -p 80,23,140-200 10.73.31.145.
If you don’t remember the number for a port, but you remember the name, type it like this: nmap -p http 10.73.31.145. If you know a port starts with “SM” but you don’t remember the rest of the port name, you can type: nmap -p “sm*” 10.73.31.145. This wildcard * will tell terminal to look for any services that nmap knows about that start with SM, such as SMTP. Keep in mind that all these ports can be found on that IANA website we referred to a few weeks back.
To scan ports by protocol, you’ll need to add a new option, like this: sudo nmap -sU -sT -p U:53,T:25 10.73.31.145. So you are using the syntax -p for the ports, then you are using -sU and -sT to specify UDP and TCP. U:53,T:25 tells nmap to scan for UDP on port 53 and TCP on port 25.
If you want to get really hardcore, try this one: nmap -p “*” 10.73.31.145. This wildcard in quotes tells nmap to scan all of the +65000 ports that are known.
If there is a specific number of most popular ports you’d like to scan, type: nmap –top-ports 54 10 73.31.145. This tells nmap I want to scan the 54 most popular ports on that target.
Lastly is scanning in sequential order with -r. NMap usually randomizes when it will scan what ports, which is useful to evade firewalls and avoid detection in some circumstances. If you just want it to scan in order, type: nmap -r 10.73.31.145. Things to note: you won’t see a difference in the output, because NMap will still type out the order however it wants. If you add -v to your syntax, it will show you the scans in real time order.
And that’s it for port scanning! What would you like to see next about NMAP? Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.