Saturday, March 12, 2016

A Guide To Port Scanning Using Nmap

In TCP, ports are the ends of logical connections which are used for carrying long term conversations. And, Port Scanning is the process of acquiring information on the open and closed ports in systems, mainly with the purpose of getting information on what services and software are running behind them.

Nmap is a commonly used software for Port Scanning. In this article, I would explain how to use nmap for Port Scanning.

Numbering of Ports

Ports are specified by numbers ranging from 1 to 65535.

Out of these port numbers, port numbers

  • 0 – 1023 are used by various services of the Operating Systems.

  • 1024 – 49151 are registered to be used by certain services.

  • 49152 – 65535 are not registered and can be used for private use.

Installing nmap

In a Linux system, nmap can be easily installed following a few steps.

For example, in Ubuntu, it can be installed using :

#sudo apt-get insall nmap

Nmap Test Server

Nmap reveals lots of information about a host. Many a times attackers use nmap for malicious purposes. So, Port Scanning using nmap should not be tested on other machines without properly getting approval from the owner of the machine. is a test machine maintained by nmap developers for learning purpose. If someone wants to test Port Scanning using nmap for learning purpose, she can use this machine.

Port Scanning using nmap

In this article, I would explain some most commonly used nmap commands and their outputs.

1. To check list of common ports

One can see the list of common ports used in a system using the following command :

# less /etc/services

tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote


2. Nmap with no arguments

To list ports used by various services in a host :
# sudo nmap

22/tcp open ssh
25/tcp open smtp
80/tcp open http
31337/tcp open Elite

3. Print software version in a host

To print version of software that are using the ports in the host :

# sudo nmap -sV

22/tcp open ssh (protocol 2.0)
25/tcp open smtp?
80/tcp open http Apache httpd 2.4.7
31337/tcp open tcpwrapped

4. Scan for host Operating System

Nmap can also detect OS running in remote host.

# sudo nmap -O
22/tcp open ssh
25/tcp open smtp
80/tcp open http
31337/tcp open Elite
Device type: general purpose|WAP|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (86%)
Aggressive OS guesses: Linux 2.6.18 (86%), DD-WRT v23 (Linux 2.4.34) (85%), OpenWrt Kamikaze 8.09 (Linux (85%), Linux 2.6.15 (Ubuntu) (85%), Linux 2.6.15 - 2.6.26 (85%), Linux 2.6.23 (85%), Linux (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 21 hops

5. Scan a number of hosts at once

Nmap can scan more than one hosts at a time.

For example, the following command will scan hosts ranging from IP addreses to :

# sudo nmap

You can also use -PN option to skip host discovery.

The following command can scan hosts ranging from to :

# sudo nmap -PN 10.0.0-255.1-254

Alternatively, the following format also can be used :

# sudo nmap -PN

This would scan hosts of 65535 IP addresses in the range from to

6. Do reverse DNS resolution

You can use the following command to tell nmap to do reverse DNS resolution on the active IP addresses it finds in the range of to :

# sudo nmap -PN -R

7. Do not do reverse DNS resolution

Alternatively, you can use the following command to tell nmap not to do reverse DNS resolution on the active IP addresses it finds in the range of to :

# sudo nmap -PNn

8. Exclude hosts from scanning

The following command would exclude the host with IP address while scanning ports of hosts ranging from to :

# sudo nmap -PN -n --exclude

To exclude more than one host, you can separate the IP addresses of those hosts using comma (,) :

# sudo nmap -PN -n --exclude,

9. Fast scan

You can use -F option with nmap to do fast scanning. This would scan fewer ports than the default scan.

# sudo nmap -F <host>

10. Select random targets
You can use -iR option to scan hosts randomly in the specified IP address range.

For example, the following command would scan hosts randomly in the range from to :

# sudo nmap -PN -iR 0

Here, the option '0' specifies to scan unlimited number of hosts within the range. You can specify other positive numbers to specify the maximum number of hosts to be scanned.

11. Scan a specific port

You can scan a specific port in a host using the -p option with nmap.

For example, the following command will scan for port 8000 of the host :

# sudo nmap -p 8000

8000/tcp filtered http-alt

12. Scan for port ranges

You can also scan more than one ports at a time with a specific range of port numbers.

For example, the following command will scan ports with port numbers ranging from 1 to 10 in the target host :

# sudo nmap -p1-10 <host>

13. TCP connect scan

This is the default TCP scan type. It scans the target machine by establishing TCP connection
with the host using connect() system call.

# sudo nmap -sT <host>

14. UDP scan

The following command can be used to scan UDP ports of a target host :

# sudo nmap -sU <host>

15. TCP SYN scan

SYN scan is a popular scanning option. It can scan thousands of ports quickly without getting hampered by the restrictive firewalls.

This technique is a half-open scanning technique. It does not open a full TCP connection. Instead, it sends a TCP SYN packet and waits for a response. The port is considered open if a SYN packet is received in response.

# sudo nmap -sS <host>

16. TCP ACK scan

This scan is normally used to get information on firewalls rulesets in the target host and to know whether the rules are stateful and which ports are filtered.

# sudo nmap -sA <host>

17. TCP Windows scan

This scan is quite similar to TCP ACK scan, the only difference is it relies on implementation details of certain systems to differentiate open ports from closed ones.

# sudo nmap -sW <host>

18. TCP Null, FIN and Xmas scan

These three scan types are exactly same in behavior, only difference is they set different TCP flags in probe packets to scan ports in the target host.

Null Scan – It does not set any bits, i.e. TCP flag header is null.

# sudo nmap -sN <host>
FIN Scan – It sets just the TCP FIN bit.

# sudo nmap -sF <host>

TCP Xmas Scan - It sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.# sudo nmap -sX <host>
19. Print host interfaces and routes

This scanning option is mainly used for debugging routing problems. It prints the interface list and system routes as detected by nmap.
# sudo nmap -iflist <host>
20. Save output to a file

You can save scanning output of nmap using -o option.

For example, -oA option is used to store scan results in normal, XML, and grepable formats at once.
# sudo nmap -PN -n -oA scan-output
# vi scan-output


  1. The reverse DNS vs no reverse DNS is the same command. Think you are missing the -n option.