Port Scanner

About this tool

Knowing which network services are exposed to the Internet is essential for securing the network perimeter of a company. With an Nmap port scan, you can easily obtain a quick view of the network attack surface that includes all open TCP and UDP ports and services.

How does the Nmap Scanner work?

Nmap is a very effective port scanner, known as the de-facto tool for finding open ports and services.

Nmap performs several phases to achieve its purpose:

1. Nmap host discovery

The first phase of a port scan is host discovery. Here the scanner attempts to check if the target host is live before actually probing for open ports. This phase is needed mainly when scanning a large range of IP addresses, to optimize the time for the whole scan. It does not make any sense to waste time probing for open ports on a 'dead' host (e.g. there is no server at a given IP).

However, this phase can sometimes cause open ports to be missed, because host 'liveness' cannot always be correctly detected (e.g. because of firewalls that permit access only to a certain port and drop everything else). In this case, you have to disable the option "Check if host is alive before scanning", which skips the host discovery phase and only does the port scanning.

2. Open ports detection

To determine if a TCP port is open, Nmap takes advantage of the Three-way handshake mechanism used by TCP to establish a connection between a client and a server.

There are two main methods for detecting open TCP ports:

Connect-Scan (Nmap -sT)

In this case, Nmap does a full three-way handshake with the target server, establishing a full TCP connection. The sequence of packets for this type of scan is SYN, SYN-ACK, ACK, RST.

The advantage of this method is that it does not require root/administrator access on the client machine, while the disadvantage is that it is rather noisy and the server can log the connections attempted from other hosts.

SYN-Scan (Nmap -sS)

This is the default scanning method, also enabled in our scanner. In this method, Nmap does a half-open TCP connection, knowing that the port is open immediately after the server responds with SYN-ACK. The sequence of packets, in this case, is SYN, SYN-ACK, RST.

The advantage of this method is that it is stealthier than a Connect-Scan but it does require Nmap to run with root/administrator privileges (because it needs to create low-level raw sockets to send the individual packets, instead of leaving the kernel stack to do the connection).
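From the monitoring side, the two packet sequences above are what tells the scan types apart in a capture. The following is an added example, not part of the original page or of Nmap: it labels flows in a constructed packet list by their flag sequence and reports sources that probe several ports. The tuple layout, the flag labels, the RST-ACK reply for a closed port and the `min_ports` threshold are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed capture, in order: (client_ip, server_port, sender, tcp_flags).
# sender is "c" (client) or "s" (server); IPs are documentation ranges.
PACKETS = [
    ("198.51.100.7", 22, "c", "SYN"), ("198.51.100.7", 22, "s", "SYN-ACK"),
    ("198.51.100.7", 22, "c", "RST"),
    ("198.51.100.7", 23, "c", "SYN"), ("198.51.100.7", 23, "s", "RST-ACK"),
    ("198.51.100.7", 80, "c", "SYN"), ("198.51.100.7", 80, "s", "SYN-ACK"),
    ("198.51.100.7", 80, "c", "RST"),
    ("203.0.113.9", 80, "c", "SYN"), ("203.0.113.9", 80, "s", "SYN-ACK"),
    ("203.0.113.9", 80, "c", "ACK"), ("203.0.113.9", 80, "c", "RST"),
    ("203.0.113.9", 443, "c", "SYN"), ("203.0.113.9", 443, "s", "SYN-ACK"),
    ("203.0.113.9", 443, "c", "ACK"), ("203.0.113.9", 443, "c", "RST"),
    ("192.0.2.50", 443, "c", "SYN"), ("192.0.2.50", 443, "s", "SYN-ACK"),
    ("192.0.2.50", 443, "c", "ACK"), ("192.0.2.50", 443, "c", "PSH-ACK"),
    ("192.0.2.50", 443, "s", "PSH-ACK"), ("192.0.2.50", 443, "c", "FIN-ACK"),
]

# Flag sequences from the text, plus the reply a closed port gives to a SYN.
SIGNATURES = {
    ("c:SYN", "s:SYN-ACK", "c:RST"): "half-open",
    ("c:SYN", "s:SYN-ACK", "c:ACK", "c:RST"): "connect-no-data",
    ("c:SYN", "s:RST-ACK"): "closed-probe",
}

def classify_flows(packets):
    """Group packets per (client, port) and label each flow by its flag sequence."""
    flows = defaultdict(list)
    for client, port, sender, flags in packets:
        flows[(client, port)].append(f"{sender}:{flags}")
    return {key: SIGNATURES.get(tuple(seq), "other") for key, seq in flows.items()}

def suspected_scanners(packets, min_ports=2):
    """Report clients whose probe-like flows touch at least min_ports ports."""
    by_client = defaultdict(lambda: defaultdict(set))
    for (client, port), label in classify_flows(packets).items():
        if label != "other":
            by_client[client][label].add(port)
    report = {}
    for client, labels in by_client.items():
        ports = sorted(set().union(*labels.values()))
        if len(ports) >= min_ports:
            kind = ("syn-scan" if "half-open" in labels else
                    "connect-scan" if "connect-no-data" in labels else "unknown")
            report[client] = (kind, ports)
    return report
```

The third source completes the handshake, exchanges data and closes with FIN, so it is labelled "other" and never reported; a probe to a closed port looks the same under both scan types, which is why it cannot decide the scan kind on its own.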

3. Nmap service detection

After Nmap has found a list of ports, it can do a more in-depth check to determine the exact type of service that is running on that port, including its version. This is needed because common services can run on non-standard ports (e.g. a web server running on port 32566). Service detection is enabled with the command Nmap -sV.

Nmap does service detection by sending several predefined probes for various protocols to the target port to see if it responds accordingly. For example, it sends:

  • SSL CLIENT HELLO - to check for SSL services

  • HTTP GET request - to check for HTTP service

  • SIP OPTIONS - to check for SIP/RTSP protocol

  • and many others
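The matching half of this process, shown as an added example for auditing your own hosts (it is not code from the original page and does not use Nmap's probe database): it identifies a service from the first bytes of its response and flags services answering on ports where they are not usually expected. The patterns, the `USUAL_PORTS` map, the SSH banner case and the sample responses are all constructed for this sketch.

```python
import re

# Response patterns written for this example (not Nmap's own match rules).
SIGNATURES = [
    # TLS handshake record (0x16) whose first message is a ServerHello (0x02)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]..\x02", re.S)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("sip", re.compile(rb"^SIP/2\.0 \d{3} ")),
    ("rtsp", re.compile(rb"^RTSP/1\.0 \d{3} ")),
    ("ssh", re.compile(rb"^SSH-\d\.\d+-(?P<product>[^\r\n]+)")),
]
SERVER_HEADER = re.compile(rb"^Server:[ \t]*(?P<product>[^\r\n]+)", re.M | re.I)
# Assumed conventional ports, used only to decide what counts as unexpected.
USUAL_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "ssh": {22},
               "sip": {5060}, "rtsp": {554}}

# Constructed responses, keyed by the port they were received from.
OBSERVED = {
    22: b"SSH-2.0-OpenSSH_8.9\r\n",
    443: b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03",
    5060: b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n\r\n",
    32566: b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
}

def identify(response: bytes):
    """Return (service, product) for a response; product may be None."""
    for name, pattern in SIGNATURES:
        match = pattern.search(response)
        if not match:
            continue
        product = match.groupdict().get("product")
        if product is None:  # text protocols often name the software in a header
            header = SERVER_HEADER.search(response)
            product = header.group("product") if header else None
        return name, product.decode("ascii", "replace").strip() if product else None
    return "unknown", None

def audit(observed):
    """List (port, service, product) for services found on unexpected ports."""
    findings = []
    for port, data in sorted(observed.items()):
        service, product = identify(data)
        if service != "unknown" and port not in USUAL_PORTS[service]:
            findings.append((port, service, product))
    return findings
```

Run over the constructed data, only the web server on port 32566 is reported, which is the case a port-number lookup alone would miss.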

You can find more details about Nmap and its internal functionality in our blog post Inside Nmap, the world’s most famous port scanner.

A brief history of Nmap Port Scanner

Nmap was first introduced in September 1997 in the article The Art of Scanning, in the well-known Phrack Magazine, by its author - Fyodor (Gordon Lyon).

Since gaining a lot of notoriety, Nmap has been referenced in multiple books and has also been used in several artistic movies as a hacking tool (e.g. The Matrix).

It has greatly evolved over time (the current version is 7.70) from a simple port scanner to a robust tool containing advanced fingerprinting capabilities and a complex scripting engine. Nmap currently has more than 500 scripts that can run after service detection has been disabled, covering aspects such as advanced service discovery, brute-forcing, and some vulnerability identification.

Parameters

  • Target

    This is the hostname or IP address(es) to scan

  • Scan type

    This option allows choosing between a fast Nmap scan (Light), a more thorough scan (Deep) and a custom scan:

    • Deep scan is the default option. It is a thorough scan that will take longer to complete because it scans top 5000 TCP or UDP ports and performs service detection, traceroute and operating system detection.

    • Light scan performs a quick reconnaissance on top 100 TCP or UDP ports.

    • Custom scan allows you to specify the ports to scan and whether to perform service detection, traceroute and operating system detection.

  • Ports to scan - Common (Available only in custom mode):

    This option tells Nmap to scan either the top 10, 100, 1000, or 5000 most common TCP and UDP ports (Nmap --top-ports) or all available ports. Top 100 is the default scan option.

  • Ports to scan - Range (Available only in custom mode):

    You can specify a range of ports to be scanned. Valid ports are between 1 and 65535

  • Ports to scan - List (Available only in custom mode):

    You can specify a comma-separated list of ports to be scanned

  • Detect service version:

    In this case, Nmap will try to detect the version of the service that is running on each open port. This is done using multiple techniques like banner grabbing, reading server headers, and sending specific requests

  • Detect operating system:

    If enabled, Nmap will try to determine the type and version of the operating system that runs on the target host. The result is not always 100% accurate, depending on the way the target responds to probe requests

  • Do traceroute:

    If enabled, Nmap will also do a traceroute to determine the path packets take from our server to the target server, including the IP addresses of all network nodes (routers).

  • Check alive:

    If disabled, Nmap will not try to see if the host is up before scanning it. This option is useful when the target host does not respond to ICMP requests but it is up and it has open ports

How it works

The scanner calls Nmap with the most effective parameters to obtain the best results in terms of timing and quality.