# Port Scanner

> Discover open TCP and UDP ports and running services on target hosts

## Overview

The Port Scanner identifies open TCP and UDP ports on target hosts using [Nmap](https://nmap.org/), the industry-standard port scanning tool. Knowing which network services are exposed to the Internet is a key step in network security assessments.

The Port Scanner is a **discovery tool**: it maps your network's exposed services but does not test them for vulnerabilities. Discovered ports, services, and OS information are added to your [Attack Surface](/capabilities/attack-surface). It does not generate [findings](/core/findings/findings).

## Parameters

| Parameter   | Description                                                                                                                                                                                                        |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Target      | The hostname or IP address to scan.                                                                                                                                                                                |
| Protocol    | Choose between **TCP** (default) or **UDP** scanning.                                                                                                                                                              |
| Scan type   | **Light**, **Deep** (default), or **Custom** mode. See [Scan types](#scan-types) below.                                                                                                                            |
| Check alive | When enabled (default), the scanner checks if the host is up before scanning. Disable this if the host doesn't respond to ICMP but you know it's online. Learn more about [Check alive](/core/assets#check-alive). |

### Custom scan options

These parameters are only available when using **Custom** scan type:

| Parameter               | Description                                                                                                              |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Ports to scan           | Choose from common presets, specify a range, or provide a comma-separated list. See [Port presets](#port-presets) below. |
| Detect service version  | Enables Nmap service detection to identify what's running on each port.                                                  |
| Detect operating system | Enables OS fingerprinting based on TCP/IP stack analysis.                                                                |
| Do traceroute           | Shows the network path to the target (TCP only).                                                                         |
| Scan technique          | The TCP scan method to use. See [Scan techniques](#scan-techniques) below.                                               |

#### Port presets

| Preset              | TCP ports | UDP ports |
| ------------------- | --------- | --------- |
| **Top 10 ports**    | \~10      | \~10      |
| **Top 100 ports**   | \~112     | \~101     |
| **Top 1000 ports**  | \~1,009   | \~1,000   |
| **Top 5000 ports**  | \~5,003   | \~5,000   |
| **Full port range** | 65,535    | 65,535    |

You can also specify a **port range** (e.g., `1-1024` for privileged ports) or a **port list** (comma-separated, e.g., `22,80,443,3306,8080`).

<Note>
  The "Top X ports" presets use **different, curated port lists for TCP and UDP** based on which ports are most commonly open for each protocol. TCP lists emphasize web (80, 443, 8080), SSH (22), and database ports, while UDP lists focus on DNS (53), DHCP (67-68), SNMP (161-162), and NTP (123) ports.
</Note>

See [Port lists](/core/scans/portlists) for the exact ports covered by each preset.

#### Scan techniques

For TCP scanning, you can choose the scan technique. For detailed explanations, see the [Nmap port scanning techniques documentation](https://nmap.org/book/man-port-scanning-techniques.html).

| Technique       | Flag | Description                       | Use case                      |
| --------------- | ---- | --------------------------------- | ----------------------------- |
| **TCP SYN**     | -sS  | Half-open scan, fast and stealthy | Default, recommended          |
| **Connect**     | -sT  | Full TCP connection               | When SYN scan isn't possible  |
| **ACK**         | -sA  | Examines firewall rules           | Firewall mapping              |
| **Window**      | -sW  | Analyzes TCP Window field         | Specific systems              |
| **Maimon**      | -sM  | FIN/ACK probe                     | BSD-derived systems           |
| **TCP NULL**    | -sN  | No flags set                      | Bypass non-stateful firewalls |
| **FIN**         | -sF  | FIN flag only                     | Bypass non-stateful firewalls |
| **Xmas**        | -sX  | FIN, PSH, URG flags               | Bypass non-stateful firewalls |
| **SCTP INIT**   | -sY  | SCTP protocol scan                | SCTP services                 |
| **COOKIE-ECHO** | -sZ  | Advanced SCTP scan                | SCTP services                 |
| **IP**          | -sO  | IP protocol scan                  | Protocol identification       |

<Note>
  Most scans should use **TCP SYN** (the default). Alternative techniques are useful for firewall evasion or specialized assessments.
</Note>

## Scan types

| Scan type  | TCP ports scanned | UDP ports scanned | Features                        |
| ---------- | ----------------- | ----------------- | ------------------------------- |
| **Light**  | \~187 top ports   | \~101 top ports   | Service detection               |
| **Deep**   | \~3,845 top ports | \~1,000 top ports | Service detection, OS detection |
| **Custom** | User-defined      | User-defined      | All options configurable        |

<Tip>
  **Light** is a quick reconnaissance scan. **Deep** (the default) covers a wide range of ports and is recommended for security assessments.
</Tip>

## How it works

<Steps>
  <Step title="Check if host is alive (optional)">
    If enabled, the scanner sends ICMP echo requests and TCP/UDP probes to verify the host is reachable before scanning.
  </Step>

  <Step title="Port scanning">
    Nmap probes the specified ports using the selected technique (SYN scan for TCP by default, UDP scan for UDP).
  </Step>

  <Step title="Service detection">
    For Light and Deep scans, Nmap identifies services using banner grabbing, service-specific probes, and response analysis.
  </Step>

  <Step title="OS detection (Deep only)">
    Analyzes TCP/IP stack responses to fingerprint the operating system based on TCP options, sequence numbers, and timing characteristics.
  </Step>

  <Step title="Traceroute (Custom, TCP only)">
    If enabled, determines the network path to the target, showing IP addresses of intermediate routers.
  </Step>
</Steps>

### UDP scanning considerations

UDP scanning is slower than TCP because UDP is connectionless: there is no handshake to confirm that a port is open, so the scanner must wait for a timeout before it can classify a port that does not answer. For UDP:

* No response typically means `open|filtered`
* An ICMP "port unreachable" error indicates `closed`
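
The classification rules above can be reproduced on loopback with a plain connected UDP socket. This is an added example, not Pentest-Tools.com or Nmap code; `classify_udp_port` and `demo` are hypothetical names, and the three listeners on 127.0.0.1 are constructed for the demonstration.

```python
import socket
import threading

def classify_udp_port(host, port, payload=b"\x00", timeout=1.0, retries=2):
    """Classify one UDP port as 'open', 'closed' or 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket lets the kernel hand ICMP errors back to us.
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(2048)
                return "open"        # a datagram came back: something is listening
            except ConnectionRefusedError:
                return "closed"      # ICMP "port unreachable" was received
            except socket.timeout:
                continue             # silence: retry until the budget is spent
    return "open|filtered"           # no reply and no ICMP error: ambiguous

def demo(timeout=0.3):
    """Run the classifier against three constructed listeners on 127.0.0.1."""
    def bound_socket():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))     # port 0: the OS picks a free port
        return s

    echo, silent, unused = bound_socket(), bound_socket(), bound_socket()
    closed_port = unused.getsockname()[1]
    unused.close()                   # nothing listens on this port any more

    def echo_once():
        data, peer = echo.recvfrom(2048)
        echo.sendto(data, peer)
    worker = threading.Thread(target=echo_once, daemon=True)
    worker.start()

    try:
        return {
            "replies": classify_udp_port("127.0.0.1", echo.getsockname()[1], timeout=timeout),
            "silent": classify_udp_port("127.0.0.1", silent.getsockname()[1], timeout=timeout),
            "unbound": classify_udp_port("127.0.0.1", closed_port, timeout=timeout),
        }
    finally:
        worker.join(timeout=1)
        echo.close()
        silent.close()

if __name__ == "__main__":
    print(demo())
```

The `silent` listener is a genuinely open port that never answers, yet it is classified `open|filtered`, the same result a packet-dropping firewall would produce.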

<Tip>
  If the scanner reports "host seems down" or finds no open ports on a host you know is up, re-run the scan with **Check alive** disabled. The host may be blocking ICMP probes.
</Tip>

## Follow-up actions

From the results, you can launch additional scans directly:

| Discovered service | Suggested action                                                                                                         |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
| HTTP/HTTPS         | Run [Website Scanner](/tools/website-scanner), [URL Fuzzer](/tools/url-fuzzer), or [Website Recon](/tools/website-recon) |
| SSH, FTP, RDP, SMB | Test credentials with [Password Auditor](/tools/password-auditor)                                                        |
| HTTPS, SMTP, IMAP  | Analyze encryption with [SSL/TLS Scanner](/tools/ssl-tls-scanner)                                                        |
| Any service        | Run [Network Scanner](/tools/network-scanner) to test for vulnerabilities                                                |

<Tip>
  Use [VPN profiles](/capabilities/vpn/overview) to scan internal networks behind firewalls.
</Tip>
