In this tutorial, you will learn the basics of port scanning, what ports are, the most popular ports, and the different Nmap port scanning techniques.
I also walk through a real-world example of running a port scan on a large network to find an insecure FTP server.
What is a Port?
A computer networking port is simply a communication channel that allows networked devices to connect and send data to each other. When you use your phone, laptop, server, or anything that is connected to a network it makes connections to other networked devices on a port. The port will identify specific applications in use on the remote system.
In the above example, the server on the left is running two applications: a web server on port 443 and a mail server on port 25. When the computer on the right makes a request to espn.com, it does so on port 443; this is how the server knows to send that traffic to the web server application.
If the computer opens the Outlook app to check email, it sends a request to port 25, and the server then knows to send that traffic to the mail server application.
On a Windows computer, you can run the command “netstat -an” to view what ports are open on the local computer.
In the above picture, you can see all the open ports that are listening. This means at the system level the computer can accept connections to these ports. For example, PC1 can connect to this server on port 88 because it is open and listening. This means there is an application running and it is waiting for connections by listening on port 88.
A way to see these connections in real-time is by using a free tool called Wireshark. Wireshark is a packet capturing tool that can capture and analyze network packets. You can use it to see how two systems are connecting to each other such as what ports they are connecting on.
In the above picture, you can see the source IP 192.168.100.101 made a connection to destination IP 192.168.100.10 on port 88. This is the basics of how computers and networks work and is important to understand when doing port scanning.
What is Port Scanning?
Port scanning is a way to check the port state on devices connected to the network. For example, if you want to know whether any computer on your network can accept FTP connections (meaning port 21 is open), you would use Nmap to run a port scan on your network.
Why Scan for Open Ports?
Port scanning is primarily done for security reasons. It is used to find devices with open ports on your network and close or secure them before the bad guys find them. The more ports your systems have open the greater the security risk. If you have a server that has port 3389 or port 21 open to the internet then this is a big risk that can lead to a compromise in your network.
Running a port scan can help you determine what ports are open on your systems. You want to discover any security risks and resolve them before the bad guys do. Port scanning can also be used for inventory and network troubleshooting.
In the picture above, a port scan was run on 2 servers and the entire 192.168.100.0/24 network. The scan found that server 2 had port 21 open which has internet access. This could be a huge risk and the port needs to be secured.
How Firewalls Block/Filter Ports
Most networks have a network and/or a host-based firewall. This can block connections to a system even when the system has the port open. See the picture below.
In the above example, the server on the left has both DNS ports and FTP ports opened and listening. When a firewall is in use it can block connections to the server even though the server has the ports open. So in this example, the firewall blocks the FTP request but allows the DNS request from PC1.
Nmap has different scanning techniques that can evade firewalls to determine if a port is open, but they don’t always work. I’ll go over this in a separate tutorial.
The Six Port States Recognized by Nmap
With the many security systems in place, it can be challenging to determine if a port is simply open or closed. Like in the above example the system has the port open but the firewall blocks the request and doesn’t respond back to the port scan. Nmap provides more details on the port states by dividing the states into 6 categories.
Open – This means the remote system is actively accepting TCP or UDP connections on the port.
Closed – This means the remote port is accessible but there is no application listening on it. Nmap received a response back from the remote system, usually an RST/ACK packet.
Filtered – Nmap cannot determine whether the port is open most likely due to a firewall filtering the packets. It did not receive a packet back from the remote system so it cannot determine the status.
Unfiltered – The port is accessible but Nmap is unable to determine whether it is open or closed. Only the Nmap ACK scan classifies ports into this state.
Open | Filtered – Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response.
Closed | Filtered – Nmap is unable to determine whether a port is closed or filtered.
Below is a port scan example showing the state of the ports.
Port Scanning Techniques
Nmap offers several port scanning techniques, for several reasons:
- To speed up the scanning process
- To detect systems that use different protocols
- Because different systems respond differently to port scans
Before learning about the different scan techniques it helps to understand the TCP 3-way handshake as Nmap uses the process to determine the status of ports. The 3-way handshake is a process used when one networked device wants to communicate with another device using the TCP protocol. See the below picture.
Step 1 (SYN): In the first step the client (PC1) sends a SYN packet to Server 1 to signal that it would like to communicate with it.
Step 2 (SYN-ACK): Server 1 responds to the client with a SYN-ACK; this is an acknowledgment letting PC1 know it received the request.
Step 3 (ACK): PC1 responds to the server with an ACK. The connection is now established and the two systems can send data to each other.
Now let’s look at how Nmap uses the three-way handshake for different scanning techniques.
TCP SYN Stealth Scan (-sS)
The TCP SYN scan is Nmap’s default port scanning method. This scan method can quickly detect if a port is open, closed, or filtered. Nmap will send a SYN packet to target devices to determine the status of ports.
I’ll walk through an example and use Nmap’s --packet-trace option to display the packets sent and received. I mention the --packet-trace option many, many times in my Nmap articles because it’s such a great way to learn what Nmap is doing.
I’m going to run the command below, which sends a TCP SYN packet to port 22.
nmap -p22 scanme.nmap.org --packet-trace
In the above picture, you can see Nmap sends a SYN packet to the target host on port 22. The remote host responds back with a SYN-ACK packet. This tells Nmap that the port is open.
Next, I’ll test port 113 with this command.
nmap -p113 scanme.nmap.org --packet-trace
The last TCP SYN scan example will test if port 139 is open.
nmap -p139 scanme.nmap.org --packet-trace
In this example, Nmap sends a SYN packet to port 139 but the remote target never responds. Nmap tries again but still gets no response. This typically means a firewall is filtering the request and blocking it. When this happens Nmap cannot determine if the port is open or closed and reports it as filtered.
TCP Connect Scan (-sT)
A TCP Connect scan goes a little further than a SYN scan and actually completes the 3-way handshake by sending an ACK packet in response to the SYN-ACK. If there is a service or application running on the port it might even send data. As soon as Nmap hears back that the connection is successful, it sends a reset packet and kills the connection. The picture below shows what happens during a TCP connect scan.
Try it yourself with the following command:
nmap -sT scanme.nmap.org
Sometimes the --packet-trace option doesn’t display all the packets. When this happens you can use Wireshark if you want to see the packets. Again, this is for learning and troubleshooting; when doing a large scan you don’t need the option. Here is a Wireshark capture of a connect scan.
You can see computer 192.168.100.103 sends a SYN packet to target 192.168.100.10 on port 389, the remote computer responds with a SYN-ACK, then my computer responds with an ACK; remember, this completes the 3-way handshake. Then you see the computer send a Reset packet to kill the connection.
UDP Scan (-sU)
Most popular applications use the TCP protocol, but UDP is also widely used. DNS, DHCP, SNMP, and NTP are some popular services that run over UDP. UDP is a connectionless protocol, so it doesn’t use the 3-way handshake as TCP does. A UDP service either responds by sending data or sends nothing. Some systems respond with an ICMP port unreachable packet, which helps Nmap determine that the port is closed.
Let’s look at some UDP port scanning examples. I’m going to scan one of my local servers as I know it has some services running on UDP.
nmap -sU -p53 192.168.100.10
In this example, a UDP packet was sent to port 53, and the remote target responded. This tells Nmap the port is open. Port 53 is the DNS service and it is running on my local server.
nmap -sU -p500 192.168.100.10
In this example, I sent a UDP packet to port 500 but the remote target doesn’t respond. Nmap reports the state as open|filtered since it cannot determine if it is open or closed. This is one of the biggest challenges to scanning for UDP ports since they don’t res
nmap -sU -p5 192.168.100.10
In this example, I sent a UDP port scan to port 5. This time the remote host responds with ICMP unreachable, this tells Nmap the port is closed.
The TCP SYN scan, the Connect scan, and the UDP scan are the basic port scanning techniques. These three options will cover most port scanning scenarios. Nmap does offer several other options that I consider advanced port scanning techniques; I will cover these in a separate tutorial.
Port Scanning Examples
Which ports to scan depends on your goals. Below are some port scanning examples.
Example #1: Scan the Top 1000 ports for a single host
The default Nmap command will scan for the top 1000 ports. The command below scans the target for the top 1000 ports.
Example #2: Scan the entire network for open ports
To scan a network just enter the network address. The below command will scan the 192.168.100.0/24 network (254 addresses).
Example #3: Scan ports for a range of IP addresses
Instead of scanning an entire network, you can scan an IP range.
Example #4: Scan specific TCP ports
Use the -p<port number> option to scan for a specific port. The command below scans the entire network for TCP port 21.
nmap -p21 192.168.100.0/24
Example #5: Scan all TCP Ports
Remember the default command scans the top 1000 ports. To scan all 65535 TCP ports use this command.
nmap -p1-65535 192.168.100.0/24
Example #6: Scan the top 100 ports
To scan for the top 100 ports use --top-ports 100
nmap --top-ports 100 scanme.nmap.org
Example #7: Scan port range
This command will scan TCP ports 1-100.
nmap -p 1-100 192.168.100.0/24
Example #8: Scan UDP Port
Use -sU to scan for a UDP port. The below command will scan for UDP port 53.
nmap -sU -p53 192.168.100.0/24
Example #9: Scan all UDP ports
nmap -sU -p- 192.168.100.0/24
Nmap Port Scanning Tips
Here are some port scanning tips. These are optional but are some really great options you should know about.
Tip #1 Disable DNS lookups
Nmap will do a DNS lookup on every target, which can slow down port scans. You can disable it with the -n option.
nmap -n scanme.nmap.org
Tip #2 Disable Host Discovery
To force Nmap to treat all hosts as online, use the -Pn option. Remember that firewalls can make devices appear offline to Nmap. This option treats the host as online and forces the port scan.
nmap -Pn 192.168.100.0/24
Tip #3 Display progress during a large scan
Use --stats-every <time> to display scan progress during a large scan. The command below outputs the scan status every 30 seconds.
nmap -Pn --stats-every 30s 10.100.0.0/16
Tip #4 Use --packet-trace
Use this option to see all the packets sent and received by Nmap. This is great for troubleshooting and learning. You probably only want to use this on single hosts, as it produces a lot of extra output when scanning a network.
nmap --packet-trace scanme.nmap.org
Tip #5 Use --reason
This option displays the reason Nmap assigned each port its state.
nmap --reason scanme.nmap.org
Tip #6 Run a ping scan first
For large networks, it’s a good idea to run a ping scan first to get a list of online hosts. You can then pass this list to Nmap to run a port scan. This way you are not wasting time scanning an entire IP range.
See my guide on the Nmap Host Discovery Process.
Tip #7 Save scans to a file
There are multiple options for saving to a file.
nmap -oN scan.txt scanme.nmap.org
Example Video – Scanning a large network for open ports
In this video, I go over several port scanning examples and then scan a large network for open ports. Here is the command I use at the end of the video.
nmap 10.100.0.0/16 -Pn -n --stats-every 30s -oN scan.txt
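Once a scan like the one above has been saved with -oN, the next step in the insecure-FTP hunt is to pull out the hosts that actually show the risky ports open. The shell snippet below is an added example, not part of the original tutorial: it parses a constructed sample of Nmap normal output (not a real capture) with awk and lists the hosts with port 21 or 3389 open, or any other port/state pair you ask for, such as the open|filtered UDP result from the port 500 example.

```shell
# Constructed sample of Nmap normal output (-oN), in the format a command like
# "nmap -Pn -n -sS -sU -oN scan.txt 192.168.100.0/24" writes. Not a real capture.
SAMPLE_SCAN='# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -Pn -n -sS -sU -oN scan.txt 192.168.100.0/24
Nmap scan report for 192.168.100.10
Host is up (0.00042s latency).
PORT     STATE         SERVICE
53/tcp   open          domain
88/tcp   open          kerberos-sec
53/udp   open          domain
500/udp  open|filtered isakmp

Nmap scan report for 192.168.100.20
Host is up (0.0011s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.100.30
Host is up (0.0020s latency).
All 1000 scanned ports on 192.168.100.30 are in ignored states.

# Nmap done at Mon Jan  1 12:05:00 2024 -- 256 IP addresses (3 hosts up) scanned in 300.12 seconds'

# Print "host port/proto state" for each port whose number is in the
# space-separated list $1 and whose state equals $2 (open, open|filtered, ...).
# Reads -oN text from stdin; it only parses text and never touches the network.
find_ports() {
    awk -v wanted="$1" -v want_state="$2" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # A host block starts with this line; field 5 is the address or hostname.
        /^Nmap scan report for / { host = $5; next }
        # Port rows look like "21/tcp open ftp"; split "21/tcp" into number and proto.
        /^[0-9]+\/(tcp|udp) / {
            split($1, p, "/")
            if ((p[1] in want) && $2 == want_state) print host, $1, $2
        }
    '
}

# Hosts exposing the two ports the tutorial flags as high risk (FTP and RDP).
risky_hosts() {
    printf '%s\n' "$SAMPLE_SCAN" | find_ports "21 3389" open
}

risky_hosts
```

Replace the embedded sample with `find_ports "21 3389" open < scan.txt` to run it over the file the command above produces.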