Nmap: Network Exploration and Security Auditing Cookbook
Network discovery and security scanning at your fingertips

Product type: Paperback
Published: May 2017
ISBN-13: 9781786467454
Length: 416 pages
Edition: 2nd Edition
Author: Paulino Calderon

Table of Contents

Preface
1. Nmap Fundamentals
2. Network Exploration
3. Reconnaissance Tasks
4. Scanning Web Servers
5. Scanning Databases
6. Scanning Mail Servers
7. Scanning Windows Systems
8. Scanning ICS SCADA Systems
9. Optimizing Scans
10. Generating Scan Reports
11. Writing Your Own NSE Scripts
12. HTTP, HTTP Pipelining, and Web Crawling Configuration Options
13. Brute Force Password Auditing Options
14. NSE Debugging
15. Additional Output Options
16. Introduction to Lua
17. References and Additional Reading

Listing open ports on a target host

This recipe describes how to use Nmap to determine the port states of a remote host, a process commonly referred to as port scanning and used to identify the services running on that host. This is one of the tasks Nmap excels at, so it is important to learn the essential Nmap options related to port scanning.

How to do it...

To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a host name, or a network range:

$ nmap scanme.nmap.org

The scan results show all the host information obtained, such as the IPv4 address (and the IPv6 address, if available), the reverse DNS name, and the interesting ports with their service names. Every listed port has a state. Ports marked as open are of special interest because they represent services accepting connections on the target host:

Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds

How it works...

The default scan, nmap <target>, performs a port scan of the 1,000 most commonly used TCP ports and, for each port it lists, reports the port state and a service name. Note that the service name is looked up by port number in the nmap-services database distributed with Nmap; it is not obtained from the service itself, so a service running on a non-standard port will be mislabeled. Use -sV (service version detection) when you need to know what is really listening.

Nmap categorizes ports into the following states:

  • open: An application is actively accepting TCP connections, or UDP or SCTP packets, on this port.
  • closed: The port is reachable (Nmap's probes were received and answered, typically with a TCP RST), but no application is listening on it.
  • filtered: Nmap cannot determine whether the port is open because packet filtering (a firewall, router rule, or host-based filter) is dropping the probes or answering with ICMP errors, so there is no response that distinguishes open from closed.
  • unfiltered: The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rules, reports this state.
  • open|filtered: Nmap cannot tell whether the port is open or filtered. This happens with scan types in which an open port gives no response, such as UDP, IP protocol, FIN, NULL, and Xmas scans.
  • closed|filtered: Nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) reports this state.
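The following bash functions are an added example, not code from the book: they parse the normal output format shown in this recipe into a per-state port list, which is enough to triage a saved scan log without re-running Nmap. The text embedded in the script is the scanme.nmap.org report printed above, copied into the variable as constructed sample input rather than produced by a fresh scan.

```bash
#!/usr/bin/env bash
# Added example (not from the book): parse nmap's normal output into a
# per-state port summary. The sample below is the scanme.nmap.org report
# shown in the recipe, embedded here as constructed test input.
SAMPLE_NMAP_OUTPUT='Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds'

# Print "port/proto service" for every port line whose STATE column equals $1
# (open, closed, filtered, unfiltered, open|filtered, closed|filtered).
# Reads nmap normal output on stdin. Port lines are recognised by their first
# field, NUMBER/proto, so header and summary lines are skipped.
ports_in_state() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == want { print $1, $3 }
    '
}

# Number of listed ports in a given state.
count_state() {
    ports_in_state "$1" | wc -l | tr -d ' '
}

# Recover the "Not shown: N <state> ports" count, which is where most of the
# 1,000 default ports end up; prints 0 if the line is absent.
not_shown_count() {
    awk '/^Not shown:/ { print $3; found = 1 } END { if (!found) print 0 }'
}

# Usage:
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | ports_in_state open
# 22/tcp ssh
# 80/tcp http
# 9929/tcp nping-echo
# 31337/tcp Elite
```

Normal output is meant for people, and its layout is not guaranteed to stay stable between releases; for anything beyond a quick triage, have Nmap write grepable (-oG) or XML (-oX) output, covered in the scan reports chapter, and parse that instead.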

Even for this simplest port scan, Nmap does several things in the background, each of which can be configured. Nmap begins by resolving the target hostname to an IPv4 address (or an IPv6 address when -6 is given) through the system resolver. The --dns-servers <serv1[,serv2],...> option does not change that forward lookup; it selects the servers Nmap uses for the reverse DNS queries it performs itself later in the scan, as follows:

$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org  

Afterward, it performs host discovery to check whether the host is alive (see the Finding live hosts in your network recipe). To skip this step and treat every target as up, use -Pn, as follows. Bear in mind that against a host that is really down, or that drops everything, the port scan then has to wait for every probe to time out, so -Pn can make a scan of a large range much slower:

$ nmap -Pn scanme.nmap.org  

Nmap then resolves the IPv4 or IPv6 address of each host found to be up back to a hostname with a reverse DNS query. Use -n to skip this step, which also speeds up the scan and avoids sending the target addresses to your DNS server, as follows:

$ nmap -n scanme.nmap.org  

Finally, it launches either a SYN scan (-sS) or a TCP connect scan (-sT), depending on the user's privileges, against the 1,000 most common TCP ports.

There's more...

Port scanning is one of the most powerful features available, and it is important that we understand the different techniques and Nmap options that affect the scan behavior.

Privileged versus unprivileged

Running the simplest port scan command, nmap <target>, as a privileged user (root on Unix-like systems, or an account that can open raw sockets) launches a SYN scan (-sS) by default, whereas unprivileged users, who cannot create raw packets, fall back to the TCP connect scan (-sT). The connect scan uses the operating system's high-level connect() call to obtain the port state, so every TCP handshake is fully completed: it is slower, generates more traffic, and each accepted connection is likely to show up in the target service's logs. The SYN scan sends crafted SYN packets and classifies the port from the reply (SYN/ACK for open, RST for closed, no answer or an ICMP error for filtered) without ever completing the handshake, a technique known as half-open scanning.

Scanning specific port ranges

Setting port ranges correctly during your scans is very handy. You might be looking for infected machines that use a specific port to communicate, or for a specific service, and not care about the rest. Narrowing down the port list also improves performance, which matters when scanning many targets, because the number of probes is roughly the number of ports multiplied by the number of hosts.

There are several accepted formats for the argument -p:

  • Port list:
# nmap -p80,443 localhost
  • Port range:
# nmap -p1-100 localhost
  • All ports (1-65535; port 0 is only included when you ask for it explicitly, for example -p0-):
# nmap -p- localhost
  • Specific ports by protocol (T: for TCP, U: for UDP; a prefix applies to every port that follows it until the next prefix). The U: ports are only scanned if a UDP scan, -sU, is also requested, otherwise Nmap warns and ignores them:
# nmap -pT:25,U:53 <target>
  • Service name, matched against the nmap-services database:
# nmap -p smtp <target>
  • Service name wildcards (quote the argument so the shell does not expand the *):
# nmap -p 'smtp*' <target>
  • Only ports within a range that are registered in nmap-services (quoted for the same reason, since [] is a shell glob):
# nmap -p '[1-65535]' <target>
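As an added example, not code from the book or from the Nmap project, the following bash function implements the numeric part of the -p grammar listed above: port lists, ranges, the bare - for all ports, open-ended ranges such as 1000- and -100, and the T:/U:/S: protocol prefixes, expanded into the "proto port" pairs the spec selects. It goes slightly beyond the list by also rejecting ports above 65535 and malformed items, as Nmap does. Service names and the [range] form need the nmap-services database and are deliberately not handled; the assumption that an unprefixed item is a TCP port matches the TCP-only default scan.

```bash
#!/usr/bin/env bash
# Added example, not from the book: expand an nmap -p port specification into
# the "proto port" pairs it selects. A T:/U:/S: prefix applies to every item
# that follows it until the next prefix. Service names and "[range]" are not
# handled (they need the nmap-services file).
expand_port_spec() {
    printf '%s\n' "$1" | awk -v RS=',' '
        # Assumption: an unprefixed item is a TCP port, as in a default
        # (TCP-only) scan; nmap applies unprefixed items to every protocol scanned.
        BEGIN { proto = "tcp" }
        {
            sub(/\n$/, "")                 # RS="," leaves the final newline on the last item
            item = $0
            if (item ~ /^[TUS]:/) {        # protocol prefix: switch proto for the items that follow
                c = substr(item, 1, 1)
                proto = (c == "T") ? "tcp" : ((c == "U") ? "udp" : "sctp")
                item = substr(item, 3)
            }
            if (item == "") next           # a bare "T:" or a stray comma expands to nothing
            if (item == "-")                   { lo = 1; hi = 65535 }
            else if (item ~ /^[0-9]+$/)        { lo = hi = item + 0 }
            else if (item ~ /^[0-9]+-[0-9]+$/) { split(item, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
            else if (item ~ /^[0-9]+-$/)       { lo = substr(item, 1, length(item) - 1) + 0; hi = 65535 }
            else if (item ~ /^-[0-9]+$/)       { lo = 1; hi = substr(item, 2) + 0 }
            else { printf "invalid port item: %s\n", item > "/dev/stderr"; exit 2 }
            if (lo > hi || hi > 65535) { printf "port out of range: %s\n", item > "/dev/stderr"; exit 2 }
            for (p = lo; p <= hi; p++) print proto, p
        }
    '
}

# Number of (proto, port) pairs a spec selects: a useful sanity check before a
# large scan, since that count multiplies across every target.
count_ports() {
    expand_port_spec "$1" | wc -l | tr -d ' '
}

# Does the spec select a given protocol/port? Usage: has_port "T:25,U:53" udp 53
has_port() {
    expand_port_spec "$1" | grep -qx "$2 $3"
}

# Usage: the prefix U: carries over to the range that follows it.
expand_port_spec 'T:22,80,U:53,1-3'
# tcp 22
# tcp 80
# udp 53
# udp 1
# udp 2
# udp 3
```

The carry-over of a protocol prefix to later items is the detail that most often surprises people: in -pT:25,U:53,80 the port 80 is a UDP port, not a TCP one, and with -sS alone it is never scanned at all.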

Selecting a network interface

Nmap attempts to detect your active network interface automatically; however, there are situations where it fails, or where you need to select a different interface, for example on a multi-homed host or when testing networking issues. To force Nmap to scan using a specific network interface, use the argument -e:

#nmap -e <interface> <target>
#nmap -e eth2 scanme.nmap.org

You will need to set the network interface manually whenever you encounter the message WARNING: Unable to find appropriate interface for system route to <target>.

More port scanning techniques

In this recipe, we talked about the two default scanning methods used in Nmap: SYN Stealth Scan and TCP Connect Scan. However, Nmap supports several more port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-port-scanning-techniques.html to learn more about them.
