In 2012 and 2013, I wrote a couple of articles called Scanning Open Ports in Windows: A Quick Guide and Scanning Open Ports in Windows: A Quick Guide (Part 2) that covered how to use a series of neat little utilities to view open ports and troubleshoot client or server side application network connectivity issues. The articles are still relevant today but I also wanted to follow up and discuss using NMAP to check for open ports.

Nmap (http://nmap.org)

Nmap is a free, open source and multi-platform network security scanner used for network discovery and security auditing. Amongst other things, it allows you to create a network inventory, manage service upgrade schedules, monitor host or service uptime and scan for open ports and services on a host.

This post will focus on how to use Nmap to scan for open ports. Nmap can be extremely useful for helping you get to the root of the problem you are investigating, verify firewall rules or validate your routing tables are configured correctly.

To get started, download and install Nmap from the nmap.org website and then launch a command prompt.

Typing nmap [hostname] or nmap [ip_address] will initiate a default scan. A default scan uses 1000 common TCP ports and has Host Discovery enabled.

Host Discovery performs a check to see if the host is online. In a large IP range, this is useful for identifying only active or interesting hosts, rather than scanning every single port on every single IP in the range (a lot of which may not even be there).

Note: nmap.scanme.org is a server the NMAP team spun up to allow you to test tool functionality.

When the scan is complete, you should see an Nmap scan report similar to the one shown in the image above. This confirms Nmap is installed and operating correctly.

You will notice the information returned is PORT | STATE | SERVICE. Before we take a deeper dive into the commands, it would be valuable to know what the different ‘STATES’ mean. The Nmap Reference Guide provides a pretty comprehensive explanation, but I’ll give you a brief summary here.

STATE Description
Open The target port actively responds to TCP/UDP/SCTP requests.
Closed The target port is active but not listening.
Filtered A firewall or packet filtering device is preventing the port state being returned.
Unfiltered The target port is reachable but Nmap cannot determine if it is open or closed.
Open/Filtered Nmap cannot determine if the target port is open or filtered.
Closed/Filtered Nmap cannot determine if the target port is closed or filtered.

Let us now look at some commands we can use for scanning open ports.

Nmap Port Scanning Commands

The “–open” parameter

In any of the commands below, you can specify the “–open” parameter in your Nmap command to have Nmap only show you ports with an “Open” state.

nmap –open [ip_address]

Scanning a single port

nmap -p 80 [ip_address]

This command will initiate a default scan against the target host and look for port 80.

Scanning a specific range of ports

nmap -p 1-200 [ip_address]

This command will initiate a default scan against the target host and look for ports between the range of 1-200.

Scanning the entire port range

nmap -p- [ip_address]

This command will initiate a scan against the target host looking for all ports (1-65535).

Scanning the top 100 ports (fast scan)

nmap -F [ip_address]

This command will initiate a fast scan against the target host looking only for the top 100 common TCP ports.

Scanning multiple TCP/UDP ports

nmap -p U:53,67-68,T:21-25,80,135 [ip_address]

This command will initiate a scan against the target host looking only for specified UDP and TCP ports.

Scanning for specific service names

nmap -p http,ssh,msrpc,microsoft-ds [ip_address]

This command will initiate a scan against the target host looking for ports associated with specified service names.

TCP SYN scan (default)

nmap -sS [ip_address]

This command will initiate a TCP SYN scan against the target host. A TCP SYN scan sends a SYN packet to the target host and waits for a response. If it receives an ACK packet back, this indicates the port is open. If an RST packet is received, this indicates the port is closed. If no response is received after multiple transmissions, the port is considered filtered (a device or application between the source and the target is filtering the packets).

TCP connect scan

nmap -sT [ip_address]

This command will initiate a TCP connect scan against the target host. A TCP connect scan is the default scan performed if a TCP SYN scan is not possible. This type of scan requests that the underlying operating system try to connect with the target host/port using the ‘connect’ system call.

UDP port scan

nmap -sU [ip_address]

This command will initiate a UDP port scan against the target host. A UDP scan sends a UDP packet to the target port(s). If a response is received, the port is classified as Open. If no response is received after multiple transmissions, the port is classified as open/filtered.

SCTP INIT scan

nmap -sY [ip_address]

This command will initiate an SCTP INIT scan against the target host. An SCTP INIT scan is similar to the TCP SYN scan but specific to the SCTP protocol. An INIT chunk is sent to the target port(s). If an INIT-ACK chunk is received back, the port is classified as open. If an ABORT chunk is received, the port is classified as closed. If no response is received after multiple transmissions, the port is classified as filtered.

Zenmap

The Nmap installation package comes with a front-end GUI for Nmap called Zenmap, used to control Nmap from a user interface rather than a command-line.

One of the key benefits of using the GUI front-end version is the ability to save scanning profiles. You can configure a profile to include customized scanning options, scan targets, ping options, scripts, and performance options.

You may wish to create a new profile before initiating a scan. To do this, go to Profile > New Profile or Command.

A default list of scan profiles is included and the description and options for each can be reviewed from Profile > Edit Selected Profile.

To kick off a scan, enter the target to be scanned and choose a scan profile before clicking ‘Scan’.

When the scan is complete, the results will be displayed in the ‘Nmap Output’ tab with a further breakdown available in the Ports/Hosts, Topology, Host Details, and Scans tabs.

Go to the Ports/Hosts tab for a detailed list of all the open ports found on the target host.

Zenmap saves a history of your scans and allows you to compare two scans side-by-side. To do this, go to Tools > Compare Results. This is useful for eyeballing whether two hosts have the same list of open ports.

Do you know of any other free or open source tools you use to check for open ports? If so, we’d love to hear from you.