How To Find Open Ports in Nmap
As one of the best-known network port scanners, Nmap can help you see whether your network’s security settings and firewalls work as intended. It lets you scan for open ports from a Linux-based system as long as you have the appropriate prerequisites.
Assuming you do, you can use Nmap to find open ports that may expose services to attack. Here, we look at several ways you can use Nmap to locate open ports in your network.
What You Need for Nmap
You need the following before running any of these scans:
- A computer with a Linux-based operating system.
- Access to a terminal window or command line.
- An account that has either root or sudo privileges.
- The yum package manager.
- The apt package manager.
What Are Ports?
A port is a number that identifies a particular endpoint for network traffic on a host. Every modern operating system uses ports, and most network services listen on a well-known port by default. Examples include normal web traffic, which uses port 80, and POP3 email, which uses port 110.
Ports are important because they provide access to your network. An open port means a service is listening and will accept connections from anyone who can reach it, which makes it a target for attackers. Many organizations address this with firewalls, which restrict the flow of traffic to a port so that only authorized sources can reach it.
How to Install Nmap
Installing Nmap is fairly simple on machines running Debian or Ubuntu. Enter the following into your terminal window:
$ sudo apt-get update
$ sudo apt-get install nmap
With the software installed, you get far more detailed port information than Linux’s built-in netstat tool can show you. Nmap also provides a test server, which you can find at scanme.nmap.org. Use this, or your own servers, when practicing with Nmap.
How to Use Nmap to Check Open Ports
Nmap ships with a file that lists well-known ports and the services associated with them. The following command lets you browse it:
$ less /usr/share/nmap/nmap-services
The file has over 20,000 lines, one per port and protocol, arranged in columns. The third column is the port’s open frequency, derived from research scans conducted across the internet.
Of course, sifting through thousands of lines of output is time-consuming and inefficient. Thankfully, Nmap allows you to run more specific scans to check ports for individual machines, hosts, and IP addresses.
How to Scan Nmap Ports on Remote Systems
You’ll need the system’s IP address to scan for open ports on the remote system. Once you have it, enter the following into your terminal:
$ sudo nmap 000.000.0.0
Replace the zeroes in this command with the system’s IP address. Nmap will return information about the ports on that system, including the state of each one (reported as open, closed or filtered).
How to Scan a Host
Scanning a host is a simple process that just requires the host’s name:
$ nmap www.hostname.com
Replace www.hostname.com with the hostname of the host you’re scanning, and you should get a full list of ports. This list shows you which ports are open and which are blocked.
How to Scan Several IP Addresses
You can scan a range of IP addresses, such as the 10 addresses ending in 1 through 10, using the following command:
$ nmap 000.000.0.1-10
Replace all of the zeroes with the first three octets of the IP addresses you want to scan, keeping the 1-10 range in place to scan the full range.
How to Scan Targets From a Text File
You may prefer to keep your targets in a text file, with one hostname or IP address per line. This is convenient when you scan the same set of machines repeatedly. Use the following command to scan every target listed in that file:
$ nmap -iL textlist.txt
Replace “textlist.txt” with the full name of the file containing your targets.
Scanning Specific Ports
You can use Nmap commands to scan individual ports or a series of ports by using port numbers in your commands.
To scan an individual port, type:
$ nmap -p 80 000.000.0.0
Replace “80” with the port number you want to scan and replace the zeroes with the IP address for the relevant machine.
To scan a range of ports, such as all ports between 1 and 500, enter the following command:
$ nmap -p 1-500 000.000.0.0
Again, replace the zeroes with your IP address. As for the range, you can run a scan for open ports up to port number 65535, so set the range as required.
Finally, you may want to run a full scan of every port associated with an IP address. Nmap allows you to do this with a simple command:
$ nmap -p- 000.000.0.0
The -p- option denotes the full range of ports available. The zeroes get replaced with the IP address for the device you’re scanning. Expect this command to take a long time to execute, as Nmap has to scan a huge number of ports.
Common Ports to Run Scans On
It’s unlikely that you’ll want to include irrelevant ports in your Nmap scans. Doing so increases the time the scan takes and produces more results that are difficult to sift through. Instead, use this list to run scans on commonly used ports that your network likely requires:
- 21 – File Transfer Protocol (FTP)
- 22 – Secure Shell (SSH)
- 25 – Simple Mail Transfer Protocol (SMTP)
- 53 – Domain Name System (DNS)
- 80 – Hypertext Transfer Protocol (HTTP)
- 110 – Post Office Protocol 3 (POP3)
- 123 – Network Time Protocol (NTP)
- 143 – Internet Message Access Protocol (IMAP)
- 443 – Hypertext Transfer Protocol Secure (HTTPS)
- 465 – Simple Mail Transfer Protocol Secure (SMTPS)
- 631 – Common UNIX Printing System (CUPS)
- 993 – Internet Message Access Protocol Secure (IMAPS)
- 995 – POP3 over an encrypted connection (POP3S)
This collection of ports lets you check a network’s main functions, including internet access, email, and printer access. It also covers the ports used for transferring files. Use these numbers in place of 80 in the “$ nmap -p 80 000.000.0.0” command to run individual checks.
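As an added example that is not part of the original article, the following POSIX shell script checks all of the common ports above in one Nmap run (the -p option accepts a comma-separated list) and filters Nmap’s grepable output (-oG -) down to the ports reported as open. It assumes nmap is on the PATH for a real scan; the sample output and the 192.0.2.10 address are constructed so the parser can be tried without scanning anything.

```shell
#!/bin/sh
# Added example (not from the original article): scan the article's list of
# common ports in one Nmap run and keep only the ports reported as open.

# The thirteen ports listed in the article, as one comma-separated -p value.
COMMON_PORTS="21,22,25,53,80,110,123,143,443,465,631,993,995"

# Read Nmap grepable output (-oG -) on stdin and print "host port/proto service"
# for every port whose state is "open". Fields in grepable output are separated
# by tabs; each port entry looks like 22/open/tcp//ssh///.
parse_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    plist = $i; sub(/^Ports: /, "", plist)
                    n = split(plist, ports, /, /)
                    for (j = 1; j <= n; j++) {
                        split(ports[j], f, "/")   # port/state/proto/owner/service/...
                        if (f[2] == "open")
                            print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
                    }
                }
            }
        }'
}

# Scan one target for the common ports; requires nmap on the PATH.
scan_common_ports() {
    if ! command -v nmap >/dev/null 2>&1; then
        echo "nmap is not installed" >&2
        return 1
    fi
    nmap -p "$COMMON_PORTS" -oG - "$1" | parse_open_ports
}

# Constructed sample of grepable output (192.0.2.10 is a documentation address),
# so the parser can be exercised without running a scan.
sample_gnmap() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (9)\n'
}

# With a target argument, run a real scan; otherwise demonstrate on the sample.
if [ $# -gt 0 ]; then
    scan_common_ports "$1"
else
    sample_gnmap | parse_open_ports
fi
```

Run it as `sh script.sh 192.0.2.10` (or a hostname) to scan a machine you are authorized to test; filtered and closed ports are dropped, so only listening services appear.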
The Best Practices for Nmap Open Port Scans
There are several poor practices to avoid when using Nmap to scan for open ports.
First, avoid running the command for any server that you don’t own or have permission to access. Not only do these commands tie up a server’s resources, but some people may take an unauthorized Nmap scan as a sign that an attack is imminent. Hackers sometimes use Nmap scans to find open ports in a network that they can exploit.
Second, avoid running multiple scans on the same target in a short period. Doing this ties up the server’s resources and may affect network performance.
In addition to highlighting open ports, your scans may reveal unusual activity, such as a service listening on more ports than expected. While this is a red flag, it doesn’t mean you have to jump immediately to finding a fix. There may be a reason for the unusual activity. Consider running an operating system or service scan to get more information as part of your investigation. While unusual activity is often a sign that something untoward is happening, it may also occur by design. It’s considered best practice to gather as much information as possible before you take action.
Understand More About Port Configuration
Using Nmap to scan for open ports lets you find vulnerabilities that hackers might use to access your network and its servers. While a scan won’t fix the problems, it’ll show you where to look so you can work on creating a fix yourself.
Scanning for open ports also helps you see what information somebody can glean from the services that accept connections on these ports. Again, this helps you see what you need to do to lock down your servers, as well as showing you what information should and should not leave your machine. If your machine leaks more information than it’s supposed to, attackers can use that information to find or create vulnerabilities.
So, what do you think about Nmap as an open port scanning tool? Do you think you could use it to identify issues with your network security setup? Let us know in the comments below.