Overview
The Port Scanner identifies open TCP and UDP ports on target hosts using Nmap, the industry-standard port scanning tool. Knowing which network services are exposed to the Internet is a key step in network security assessments. The Port Scanner is a discovery tool: it maps your network’s exposed services but does not test them for vulnerabilities. Discovered ports, services, and OS information are added to your Attack Surface. It does not generate findings.
Parameters
| Parameter | Description |
|---|---|
| Target | The hostname or IP address to scan. |
| Protocol | Choose between TCP (default) or UDP scanning. |
| Scan type | Light, Deep (default), or Custom mode. See Scan types below. |
| Check alive | When enabled (default), the scanner checks if the host is up before scanning. Disable this if the host doesn’t respond to ICMP but you know it’s online. Learn more about Check alive. |
Custom scan options
These parameters are only available when using Custom scan type:
| Parameter | Description |
|---|---|
| Ports to scan | Choose from common presets, specify a range, or provide a comma-separated list. See Port presets below. |
| Detect service version | Enables Nmap service detection to identify what’s running on each port. |
| Detect operating system | Enables OS fingerprinting based on TCP/IP stack analysis. |
| Do traceroute | Shows the network path to the target (TCP only). |
| Scan technique | The TCP scan method to use. See Scan techniques below. |
Port presets
| Preset | TCP ports | UDP ports |
|---|---|---|
| Top 10 ports | ~10 | ~10 |
| Top 100 ports | ~112 | ~101 |
| Top 1000 ports | ~1,009 | ~1,000 |
| Top 5000 ports | ~5,003 | ~5,000 |
| Full port range | 65,535 | 65,535 |
1-1024 for privileged ports) or a port list (comma-separated, e.g., 22,80,443,3306,8080).
The “Top X ports” presets use different, curated port lists for TCP and UDP based on which ports are most commonly open for each protocol. TCP lists emphasize web (80, 443, 8080), SSH (22), and database ports, while UDP lists focus on DNS (53), DHCP (67-68), SNMP (161-162), and NTP (123) ports.
Scan techniques
For TCP scanning, you can choose the scan technique. For detailed explanations, see the Nmap port scanning techniques documentation.
| Technique | Flag | Description | Use case |
|---|---|---|---|
| TCP SYN | -sS | Half-open scan, fast and stealthy | Default, recommended |
| Connect | -sT | Full TCP connection | When SYN scan isn’t possible |
| ACK | -sA | Examines firewall rules | Firewall mapping |
| Window | -sW | Analyzes TCP Window field | Specific systems |
| Maimon | -sM | FIN/ACK probe | BSD-derived systems |
| TCP NULL | -sN | No flags set | Bypass non-stateful firewalls |
| FIN | -sF | FIN flag only | Bypass non-stateful firewalls |
| Xmas | -sX | FIN, PSH, URG flags | Bypass non-stateful firewalls |
| SCTP INIT | -sY | SCTP protocol scan | SCTP services |
| COOKIE-ECHO | -sZ | Advanced SCTP scan | SCTP services |
| IP | -sO | IP protocol scan | Protocol identification |
Most scans should use TCP SYN (the default). Alternative techniques are useful for firewall evasion or specialized assessments.
Scan types
| Scan type | TCP ports scanned | UDP ports scanned | Features |
|---|---|---|---|
| Light | ~187 top ports | ~101 top ports | Service detection |
| Deep | ~3,845 top ports | ~1,000 top ports | Service detection, OS detection |
| Custom | User-defined | User-defined | All options configurable |
How it works
Check if host is alive (optional)
If enabled, the scanner sends ICMP echo requests and TCP/UDP probes to verify the host is reachable before scanning.
Port scanning
Nmap probes the specified ports using the selected technique (SYN scan for TCP by default, UDP scan for UDP).
Service detection
For Light and Deep scans, Nmap identifies services using banner grabbing, service-specific probes, and response analysis.
OS detection (Deep only)
Analyzes TCP/IP stack responses to fingerprint the operating system based on TCP options, sequence numbers, and timing characteristics.
UDP scanning considerations
UDP scanning is slower than TCP because UDP is connectionless. The scanner must wait for timeouts to determine if ports are closed or filtered. For UDP:
- No response typically means open|filtered
- An ICMP “port unreachable” error indicates closed
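To make the UDP states above concrete when reviewing exported results, here is an added example (not code from this tool or its vendor) that reads Nmap's XML output format and separates ports that answered a probe from UDP ports that returned nothing and remain ambiguous. The sample XML, the address 192.0.2.10, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (nmap -oX); not real scan data.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered" reason="no-response"/><service name="ntp"/></port>
      <port protocol="udp" portid="161"><state state="closed" reason="port-unreach"/><service name="snmp"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>"""


def summarize(xml_text):
    """Group ports by Nmap state: {state: [(host, 'port/proto', service, reason)]}."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            entry = (addr, f"{port.get('portid')}/{port.get('protocol')}",
                     name, state.get("reason"))
            result.setdefault(state.get("state"), []).append(entry)
    return result


def confirmed_exposure(summary):
    """Ports that answered a probe: these belong in the exposure inventory."""
    return summary.get("open", [])


def needs_followup(summary):
    """No reply at all: the port is open or a filter dropped the probe."""
    return summary.get("open|filtered", [])


if __name__ == "__main__":
    s = summarize(SAMPLE_XML)
    print("exposed:  ", confirmed_exposure(s))
    print("ambiguous:", needs_followup(s))
    print("closed:   ", s.get("closed", []))
```

Entries returned by `needs_followup` should not be recorded as exposed or as safe until a service-specific check or a firewall rule review settles which it is.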
Follow-up actions
From the results, you can launch additional scans directly:
| Discovered service | Suggested action |
|---|---|
| HTTP/HTTPS | Run Website Scanner, URL Fuzzer, or Website Recon |
| SSH, FTP, RDP, SMB | Test credentials with Password Auditor |
| HTTPS, SMTP, IMAP | Analyze encryption with SSL/TLS Scanner |
| Any service | Run Network Scanner to test for vulnerabilities |