We can use several NMAP command flags to scan specific TCP and UDP ports, as seen in Table 1.1 below.
| Description | NMAP Command Flag |
| Scan all ports | -p “*” |
| Scan top ports | –top-ports [number] |
| Scan specific ports | -p [port] |
| Scan ports by name | -p [name] |
| Scan ports by protocol | -p U:[UDP ports],T:[TCP ports] |
| Perform a fast scan | -F |
| Perform a sequential port scan | -r |
Let’s discuss each NMAP flag in the above table, their syntax, and use case.
Scan All Ports With NMAP
FLAG: -p “*”
Command syntax: nmap -p “*” [Target]
Description: Perform NMAP scan for all 65,535 TCP/UDP ports. This command do does not mandate elevated privileges.
The NMAP Scan All Ports flag will produce a scan for all 65,535 TCP and UDP ports on a target machine and output a list of open ports as well as the services running on a specific port [Figure 1.1].
![[NMAP Scan Any Port]: Scan All Ports example. Source: nudesystems.com](https://lh4.googleusercontent.com/Y3e0WVaK5crit2V8-fGEnFAZKR3lM7niuYiHj7UBisQ3Cf2xTu1pMR7Uo_2_qFAKQSildq26dlmMmjuxnp0fjfC_7xKqhz4AaX2dQxmZufR1Pin-WQA2CYxyaWAMbLEFvolC_A0)
Make sure your wildcard [*] statement is enclosed in quotes (“”); otherwise, NMAP will throw a syntax error, as seen in Figure 1.2 below.
![[NMAP Scan Any Port]: Use of wrong wildcard quotes. Source: nudesystems.com](https://lh4.googleusercontent.com/TQ3A7FyS7BmUNwdaLDyFD6SUQKKJwtkijfVDP4MT7Xli2Ey-TaUa9hm_cDwix1OrKu8w1g8LgDzknMmcZ2pdmm5_1qG3XhXoPO4Otk4eglcf8hu_PPpdU-exsfAJyu62fw1DIis)
Scan Top Ports With NMAP
Flag: –top-ports [Number]
Command Syntax: nmap –top-ports [Number] [Target]
Description: Perform an NMAP scan by specifying the number of top-ranked ports to scan.
The NMAP Scan Top Ports flag allows us to define the number of top-ranked ports to scan. For example, let’s assume we want to scan the top commonly used 50 ports.
The NMAP command for scanning the top commonly used ports is shown below with the output in Figure 1.3.
nmap – top-ports 10000 172.16.121.134NOTE: Remember to replace the IP address in my example with your target IP address.
![[NMAP Scan Any Port]: Scan top 50 most commonly used ports. Source: nudesystems.com](https://nudesystems.com/wp-content/uploads/2021/05/Scan-any-port-Figure-6.png)
Let’s perform another scan, this time for the top 10000 commonly used ports on a target machine using the NMAP command below and the output shown in Figure 1.4
nmap – top-ports 10000 172.16.121.134![[NMAP Scan Any Port]: Scan the top 10000 top ports. Source: nudesystems.com](https://lh5.googleusercontent.com/qjXruRepZ1FuxKhkSnNJHu64pumn7SUtSm2X8EBtCOCGuAKOpfYnJDX_L2OizIakjM8yzdYIQeP3CfUDrbSCu0JXmLHTw-Wb3iujlROS4hyIStMmX-R55MhYnddFmeI-Vq27Bj8)
NOTE: Top commonly used ports e.g., 10000, do not refer to the range of ports starting with, e.g., 1 to 10000.
Scan Specific Ports With NMAP
Flag: -p
Command Syntax: nmap -p [Port] [Target]
Description: Perform an NMAP scan for a specified port or range of ports.
The Scan Specific Port(s) flag instructs NMAP to perform a scan on a single port or multiple ports [separated by a comma and no spaces] on a specified target. Check out the list of the most commonly hacked ports for your reference.
Let’s practice this method by instructing NMAP to scan a single port, e.g., port 80, using the following command with the output shown in Figure 1.5.
nmap -p 80 172.16.121.134![[NMAP Scan Any Port]: Scan port 80. Source: nudesystems.com](https://lh3.googleusercontent.com/pw74O9XZNx5UWPSEZYcO2cxqd_Bxd3ID--aadgtmHexqoOlqkdKwxbjxm-2VUHASUp7v3Dzo-pTyNT9UxS4qMx0YbKZ6u80RpsA7YP9HHw0PxvnaVHBqSISzUIUkZHsneegWnus)
Next, let’s instruct NMAP to scan multiple or a range of ports, e.g., 25, 53, 80-500 using the command below with the output seen in Figure 1.6.
nmap -p 25,53,80-500 172.16.121.134![[NMAP Scan Any Port]: Scan port 80. Source: nudesystems.com](https://lh5.googleusercontent.com/XGh0sZ0AvrDh4HhnA713MkHxppYauzrP4bBU611Kccq8s89GtnyuOpVyfdstni-Ku-HO1DIdbfWgXnjvwi3Y5MQnJJ22nCm_DpcK8tEukKYsQ2LPEbC7a9HR1EBfN1dShQg_zfM)
Scan Ports By Name With NMAP
Flag: -p
Command Syntax: nmap -p [Port name(s)] [Target]
Description: Perform an NMAP scan for a specified port or ports.
The NMAP Scan Ports By Name uses the same -p flag as used in the previous method. Here we will instruct NMAP to scan based on the port name [http,ftp,smtp] and not a number.
NOTE: When scanning multiple ports by name, make sure you separate the name with a comma and no spaces.
The port name must match the exact name as specified in the nmap-service file.
On Windows, you can find the nmap-service file in the c:\Program Files\Nmap\ folder. On Linux/UNIX, the nmap-service file is generally located in /usr/share/nmap folder [Kali Linux 2021].
Alternatively, you can access the list of NMAP port names included in the nmap-service file HERE.
Let’s instruct NMAP to scan the FTP [21] and HTTP [80] ports on a target using the following command and the output shown in Figure 1.7.
nmap -p ftp,http 172.16.121.134![[NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name. Source: nudesystems.com](https://lh6.googleusercontent.com/XMe7XpWJcEm3a7wfGntPboDdJur79UkdOFMim3JZ1WSYBzZON6E83iuChRMCv36223UXrryzl44NaYXWoFfe1bq2SVBU28B94YMunll6XNmpztMImAWR10UuJcqNB7xyjw_RWqM)
This NMAP command flag also supports wildcard. Let’s filter all the FTP ports using the command below with the output shown in Figure 1.8.
nmap -p ftp* 172.16.121.134![[NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name wildcard. Source: nudesystems.com](https://lh5.googleusercontent.com/y8Xic-KA2vngNbNaXqsomwcuU1CLCRboYQRMIc2NxJFkwnA-O4WDcdzL0IAa3XfBW5wTS5nUGDR_9ydbSfotld5BY5sqNprmCyGNQ_-_kmRwr743pOx8vQl1En9eHs4mX5_nZ6k)
Scan Ports By Protocol With NMAP
Flag: -p
Additional Flags: U:[UDP Ports],T:[TCP Ports]
Command Syntax: nmap -p U:[UDP Ports],T:[TCP Ports] [Target]
Description: Search for a specific protocol and port combination.
As in previous examples, the Scan Ports By Protocol method uses the -p option followed by T: [for TCP ports] and U: [for UDP ports] flags. Simply said, we will instruct NMAP to scan for a specific TCP and UDP port on a target machine in a single command line.
Let’s execute a scan using this method for UDP port 53 [DNS] and TCP port 25 [SMTP], as shown in Figure 1.9 below. Pay attention to the NMAP WARNING message highlight in yellow.
![[NMAP Scan Any Port]: Scan ports by protocol. Source: nudesystems.com](https://lh4.googleusercontent.com/hDZ44Zr1ZhEiwID4Y-yi1F3KvLJ6LDUxiqpVSzASSx6Ru3fM310lA4eGRCypzz28TxUa1mNzDs8sgym7Nk1WQ1GYjVzZKvVWhglkG7MzOzPBHHqE2ziRaJyd4w4pdT1t97Zq4do)
By default, NMAP scans only the TCP ports. We need to instruct NMAP to check the UDP ports as well. To do that, we need to enforce our command with the additional -sU and -sT flags.
So let’s run the command again, this time including the additional flags as shown below with the output in Figure: 1.10.
nmap -sU -sT -p U:53,T:25 172.16.121.134![[NMAP Scan Any Port]: Scan ports by protocol. Source: nudesystems.com](https://lh4.googleusercontent.com/uWw33cVlxNIOkGCSwJtjZhhhekHDZAt3PShdlH3Mi7F2xtpSAvb93paCScPyf8GHwbs6YX1LzDsQnX7vzN6urjmy-uVlPOE8ksSvIbBxglSXc9nXMu76Nluvhk9hBUDuLRMSBPs)
Voilà! Both TCP port 25 and UDP port 53 were successfully scanned on the target machine.
Fast Scan Flag With NMAP
FLAG: -F
Command Syntax: nmap -F [Target]
Description: Perform a fast scan of only 100 most commonly used ports. Do not mandate elevated privileges.
As explained in the previous sections, NMAP will scan by default only the commonly used 1000 ports.
The NMAP Fast Scan Flag will reduce the number of ports scanned from 1000 to 100 [commonly used ports] and drastically improve the time per scan while still providing us valuable information on the open ports in numerical order [Figure 1.11].
![[NMAP Scan Any Port]: Fast Scan Flag. Source: nudesystems.com](https://nudesystems.com/wp-content/uploads/2021/05/scan-FTP-and-HTTP.png)
But wait! There’s a catch.
Each time NMAP shows an output will automatically sort the final result. We can use the additional flag -v [verbose mode] and see the sequential port scan in real-time [Figure 1.12].
![[NMAP Scan Any Port]: Example of a sequential port scan in verbose mode. Source: nudesystems.com](https://lh4.googleusercontent.com/n-B6sG7_IhsE7DP5sozBQRL43hUJn-8Pr8R-fYQquXrLNWzkoglHszYI66IhUEzhYp3vhTZzwhSvX3cE44Zah0bHsJsLla_8NdLjkoh4JLMC7BkStlvkGBIctfHrKv6rDB6aYq0)
That’s it. By now, you should know how to use NMAP to scan any TCP and UDP port(s) on a target computer.
Source: https://nudesystems.com/how-to-use-nmap-to-scan-any-port-udp-tcp-2021/
No comments:
Post a Comment