Nmap: How to scan ports and services

This is the fourth in a series of tips on how to use Nmap in an enterprise network environment.

Nmap is the ideal tool for performing a simple network inventory or vulnerability assessment. By default, Nmap performs a SYN Scan, which works against any compliant TCP stack, rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states.

To perform a SYN scan on the host www.yourorg.com, use the command
nmap www.yourorg.com
Though not essential, it's best if you have root access on your Unix or Linux machine, or use an administrator account on Windows, as most of the scan types send and receive raw packets, and so are only available to privileged users. If you don't have the necessary privileges or you are scanning an IPv6 network, use the command
nmap –sT www.yourorg.com
to perform a TCP connect scan. Nmap scans all ports up to and including 1024, as well as higher numbered ports listed in the nmap-services file. You can also specify the ports you want to scan using –p, so:
nmap –p U:53,T:21-25 www.yourorg.com
will scan just UDP port 53 and TCP ports 21 to 25.

    Requires Free Membership to View

More about Nmap

Learn why Nmap is a valuable tool for network security

Get tips on installing and configuring Nmap on Windows

Or review these tips for installing and configuring Nmap on Linux 

A review of Nmap scan options and timing templates 

Once you discover a machine's visible ports, you need to know which services are running on them in order to inventory them or determine to which exploits the machine is vulnerable. The –sV option enables version detection interrogation, but a better option is –A which enables both OS detection and version detection. The following uses the nmap-service-probes database to try and determine the service protocol, the application name, the version number, hostname, device type, the OS family, and other miscellaneous details like the SSH protocol version or whether an X server is open to connections:
nmap –A www.yourorg.com
If Nmap is compiled with OpenSSL support, it can even connect to an SSL server to deduce the service listening behind that encryption layer. Another advantage of running version detection is that Nmap will try to get a response from TCP and UDP ports that a simple port scan can't determine are open or filtered, and Nmap will change the state to open if it succeeds.

Nmap offers various output formats for both human and machine consumption, including XML, which can be imported into a database or parsed by programs such as the Nmap graphical user interface NmapFE. For example, by adding the following options:
-oX and –oN
you can save the regular output for your own review while saving an XML version of the same scan for programmatic analysis, as in
nmap –A –oX scanreport.xml –oN scanreport.txt www.yourorg.com
There are also options for controlling the detail of the output as well as various debugging messages. If a prolonged scan doesn't complete for some reason it can be resumed at the target it was querying when execution stopped, but unfortunately, this feature does not support the XML output format.

In the next Nmap tip we'll be looking at more Nmap scanning techniques, including Idle scans.


  Nmap: A valuable open source tool for network security
  How to install and configure Nmap for Windows
  How to install and configure Nmap on Linux
 How to scan ports and services
  More port scanning techniques
  Firewall configuration testing
  Techniques for improving Nmap scan times
  Interpreting and acting on Nmap scan results
  Nmap parsers and interfaces
  Nmap and the open source debate

This was first published in June 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.