How to Use Nmap to Scan Open Ports - Examples + Screenshots

The network is one of the most complex and sensitive components of an IT infrastructure. System administrators must understand various layers, interfaces, protocols, tools, and ports to effectively handle network communication. You must use the correct ports to enable secure communication.

Nmap is an open-source command-line tool to scan ports, audit network security, detect hosts and services, and get a list of open ports. It was started as a Linux tool and later included on Windows, macOS, and BSD.

In this tutorial, we will learn how to use Nmap to scan open ports.

Prerequisites

• A working Linux operating system.
• Terminal access and understanding.
• Sudo or the root user privileges.

What is a Network Port

A network port is a logical endpoint for network communication. It is a numbered address to manage network traffic. Different components or services use different ports, and the most commonly used network ports are TCP/IP and UDP ports. You can run several services on a single IP, but each of these services needs a separate port to listen to requests, and communicate.

Common Linux Ports

When you install your Linux operating system and configure different services, some ports are automatically assigned to these services. The port numbers range from 1 to 65536. Ports below 1024 are usually reserved for significant and critical network functions.

The following table lists some of the most common Linux ports:

Port NumberUsage20For FTP data.21For FTP control.22For SSH.25For SMTP to send emails.53For DNS.80For HTTP web server.110For POP3 to receive emails.123For NTP.143For IMAP email.443For HTTPS secure web server.465For SMTPS to send secure emails.631For CUPS print server.993For IMPAS secure email.

At a given time, your Linux computer has multiple open ports on which the services listen to connections.

You can use any of the following commands to list open ports in Linux:

sudo lsof -i -P -n | grep LISTEN
sudo netstat -tulpn | grep LISTEN
sudo ss -tulpn | grep LISTEN

Nmap Scan Ports

To save time Nmap by default scan only the most popular 1000 ports. To scan all ports we need to add a flag which we learn in the following section. If you don't have a target to practice Nmap scan you may use scanme.nmap.org.

Nmap or network mapper tool is not installed by default on most Linux Distributions. Installing Nmap using Distro specific package manager is very simple and straightforward.

Let's check how to use nmap to scan for open ports.

1. Scan for the Specified IP or Host

Enter nmap followed by the IP to scan a particular IP:

sudo nmap 192.168.0.1

The Nmap scan report displays the host status and latency.

Similarly, you can specify a hostname to scan for the host:

sudo nmap example.com

2. Scan Multiple IP Addresses

To scan multiple targets, specify nmap followed by a list of IPs separated by space:

sudo nmap 192.168.0.1 192.168.0.2 192.168.0.3

The same nmap scan report is displayed for multiple targets.

3. Scan for IP Range

You can specify a range of IPs after the nmap command, instead of a single IP or multiple targets to scan for an IP range:

sudo nmap 192.168.200.1-10

In this case, IP addresses from 192.168.200.1 to 190.168.200.10 are scanned and the report is generated.

4. Ping Scan for IP Addresses on Subnet

You can run nmap on a subnet to perform a ping scan to get a list of live hosts on the subnet:

sudo nmap 192.168.200.1/24

5. Scan for IPs from a Text File

You can create a list of IPs in a text file and specify the file to scan target IPs from the file:

sudo nmap -iL users.txt

6. Scan a Specific Port on Given IP

Use -p option followed by the port number to scan a specific port or multiple port (separated by a comma).

In the following example nmap scan for port 22 on the host 192.168.200.1

sudo nmap -p 22 192.168.200.1

To scan multiple ports, type:

sudo nmap -p 80,22 192.168.200.1

7. Scan for a Port Range on Given IP

Specify the range of ports followed by the IP to scan for the given port range on the specified host IP:

sudo nmap -p 1-100 192.168.200.1

8. Port Scanning for the Most Common Ports

Use the -F option with nmap to fastly list the common 100 ports on the specified host IP:

sudo nmap -F 192.168.200.1

9. Scan for all Ports on Given IP Address

Use the -p- option with nmap to list all ports on the given host IP address:

sudo nmap -p- 192.168.200.1

Alternatively, you can use -p "*" flag to scall all 65535 TCP and UDP ports.

sudo nmap -p "*" 192.168.0.100

10. TCP Ports Scanning

Use the -sT option to perform a TCP ports scan on the given host IP address:

sudo nmap -sT 192.168.200.1

11. Scan UDP Ports

Nmap works with both TCP and UDP ports. Use the -sU option to scan UDP ports on the given host IP address:

sudo nmap -sU 192.168.200.1

12. Check Operating System of Target Host

Use the -O option to identify the operating system of the specified host IP address.

The following command nmap command gives you information about the operating systems on the host computer with IP address 192.168.10.1.

sudo nmap -O 192.168.10.1

13. Scan for all information in the system

You can reveal all the information about a host system using the -A flag as shown below. This will reveal all the information pertaining to the host system such as the underlying OS, open ports, services running and their versions, etc.

sudo nmap -A 192.163.43.103

The command performs os and service detection, giving you detailed information such as the type of service and its version, and the port it is running on.  The command usually takes a while to run but it is thorough and gives you all you need about the particular host system.

14. Scan Most Popular Ports

Use the --top-ports option to scan the target for the most popular open ports. You can specify the number of ports you wish to scan.

The following example to scan the top 100 (out of 65,536 possible ) open ports for TCP protocol for the target:

sudo nmap --top-ports 100 target

To add UDP protocol, type:

sudo nmap -sTU --top-ports

15. Fast Scan with Nmap

You can use the time templates to instruct Nmap to perform a fast scan. Nmap supports five levels of time templates- T0 (paranoid), T1 (sneaky), T2 (polite), T3 (normal), T4 (aggressive), and T5 (insane).

The following example performs an insane fast Nmap port scan:

sudo nmap -T5 example.com

The following nmap output shows time differences in two command-line interfaces.

Nmap Scripting Engine

You can use the nmap scripting engine to perform a port scan using either pre-defined scripts or you can create custom scripts. This helps system administrators automate port scans using nmap.

The following example shows how to use the vuln script to perform a system vulnerability check:

sudo nmap -Pn --script vuln 127.0.0.1

Nmap flags

Some of the useful Nmap flags are:

FlagsDescription-p-Scan all ports (1 to 65535) including TCP and UDP-p [port]Scan specific ports-p [1-n]Scan a range of ports-p [port1,port2]Scan multiple ports-sTTo scan only TCP ports-sUTo scan only UDP ports--top-ports [n]Scan most popular ports and specify the number of ports to scan-OScan for host operating system-FA fast scan of 100 popular ports-iLScan from a file-sVFind the version of service running on a port-T[n]Template for fast scan--excludeExclude specific hosts from the scan Conclusion

In this tutorial, we learned how to use Nmap to scan for ports on your Linux computer. The examples in this tutorial cover the most common use cases of Nmap and will help you better understand the Nmap options. Nmap helps system administrators to evaluate and debug security errors.