Port scanning is a technique used to determine the states of network ports on a host and to map out hosts on a network. In this article, I’ll go over the very basics of port scanning with the NMAP tool.
Port States

NMAP will categorize ports as being in one of the following states:
NMAP supports different methods of port scanning. These methods are called scan techniques. Each technique is tailored to solving a specific problem. Often you will have to run several scans using different techniques in order to get a more complete picture of the host(s) you are scanning.
TCP SYN scans are difficult to detect since a connection is never actually opened. This scan type uses raw sockets and requires root access under UNIX. This is the default scan type.
UDP port scanning may be done at the same time as TCP port scanning in order to speed up the process.
NMAP offers the following additional scans. I list them here for completeness, but will not discuss them further.
NMAP is an open source application and may be downloaded for free from insecure.org. Installation is straightforward. To install on Windows using the executable package:
Launching NMAP
NMAP does not have a GUI under Windows and must be run from the command line.
NMAP Example Scan 1
This is a scan of all ports on my laptop (running Windows XP SP2) from a Windows Server 2003 SP1 machine. Each of the interfaces on my laptop is firewalled. NMAP is using a SYN scan, so it reports that all ports scanned are filtered.
Options used:
  -v for increased verbosity
  -A for OS and software version detection
  -p1-65535 to set the range of ports to scan
Notice that this scan took almost an hour to scan all ports on one host. This scan would take considerably longer if a TCP connect scan were used.
Also notice that at least one open and one closed port are required in order for OS version detection to work reliably.
Finally, -vv may be used for even more detailed output reporting.
C:\Documents and Settings\Administrator>Nmap -v -A -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-23 22:04 Central America Standard Time
Initiating ARP Ping Scan at 22:04
Scanning 192.168.1.124 [1 port]
Completed ARP Ping Scan at 22:04, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:04
Completed Parallel DNS resolution of 1 host. at 22:04, 0.03s elapsed
Initiating SYN Stealth Scan at 22:04
Scanning 192.168.1.124 [65535 ports]
SYN Stealth Scan Timing: About 2.04% done; ETC: 22:29 (0:23:58 remaining)
SYN Stealth Scan Timing: About 58.48% done; ETC: 22:46 (0:17:26 remaining)
SYN Stealth Scan Timing: About 88.44% done; ETC: 22:52 (0:05:29 remaining)
SYN Stealth Scan Timing: About 96.95% done; ETC: 22:54 (0:01:30 remaining)
Completed SYN Stealth Scan at 22:54, 2951.77s elapsed (65535 total ports)
Initiating Service scan at 22:54
Warning: OS detection for 192.168.1.124 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.124
Host 192.168.1.124 appears to be up ... good.
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2976.652 seconds
           Raw packets sent: 131095 (5.770MB) | Rcvd: 1 (42B)
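The scan above never completes a TCP handshake, so nothing on the laptop's application side ever logs it; what does record each dropped SYN is the host firewall that made every port show up as filtered. The following script, which is an added example and not code from the original article or from the Nmap project, reads a firewall log in the W3C-style layout that the Windows XP SP2 firewall writes to pfirewall.log (that "#Fields:" layout is this example's assumption) and flags a source that sends SYN-only segments to many distinct ports in a short span. The log lines are constructed for the example, not captured from the author's hosts.

```python
"""Spot a SYN sweep in a host firewall log.

Added example for this article, not code from the original post or from the
Nmap project. The log lines are constructed, and the field layout (the
"#Fields:" header the Windows XP SP2 firewall writes to pfirewall.log) is an
assumption of this example; adapt the field names for another log source.
"""
from collections import defaultdict
from datetime import datetime

FIELDS_HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port "
                 "dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")


def build_sample_log():
    """Constructed log: one source sends SYN-only probes to 14 different ports
    on the firewalled laptop 192.168.1.124 within a few seconds, mixed with
    ordinary noise (a NetBIOS broadcast, a single web probe, an outbound open)."""
    lines = ["#Version: 1.5", "#Software: Microsoft Windows Firewall", FIELDS_HEADER]
    scan_ports = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389, 5900, 8080]
    for i, port in enumerate(scan_ports):
        lines.append(f"2007-04-23 22:04:{i:02d} DROP TCP 192.168.1.10 192.168.1.124 "
                     f"{40000 + i} {port} 48 S {1000 + i} 0 65535 - - - RECEIVE")
    lines.append("2007-04-23 22:04:30 DROP UDP 192.168.1.1 192.168.1.255 137 137 78 - - - - - - - RECEIVE")
    lines.append("2007-04-23 22:05:00 DROP TCP 192.168.1.20 192.168.1.124 50500 80 48 S 2000 0 65535 - - - RECEIVE")
    lines.append("2007-04-23 22:05:01 OPEN TCP 192.168.1.124 192.168.1.1 1050 80 - - - - - - - - SEND")
    return "\n".join(lines) + "\n"


def parse_pfirewall(text):
    """Turn W3C-style firewall log text into a list of dicts keyed by the
    names in the "#Fields:" header. Malformed rows are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def find_syn_sweeps(records, min_ports=10, max_span_seconds=300):
    """Return {(src, dst): [ports]} for sources whose dropped SYN-only segments
    reached at least min_ports distinct destination ports within max_span_seconds.

    A half-open scan never completes the handshake, so the listening service
    logs nothing; the packet filter is where it does leave a trace."""
    probes = defaultdict(list)
    for r in records:
        if r["action"] != "DROP" or r["protocol"] != "TCP":
            continue
        flags = r["tcpflags"]
        if "S" not in flags or "A" in flags:   # SYN set, ACK clear: a new connection attempt
            continue
        stamp = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        probes[(r["src-ip"], r["dst-ip"])].append((stamp, int(r["dst-port"])))

    sweeps = {}
    for key, events in probes.items():
        events.sort()
        ports = sorted({port for _, port in events})
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(ports) >= min_ports and span <= max_span_seconds:
            sweeps[key] = ports
    return sweeps


if __name__ == "__main__":
    for (src, dst), ports in find_syn_sweeps(parse_pfirewall(build_sample_log())).items():
        print(f"possible SYN sweep from {src} against {dst}: {len(ports)} ports, e.g. {ports[:5]}")
```

The thresholds are deliberately parameters: a full 65535-port sweep like the one above is obvious at any setting, while a slow scan spread over hours needs a wider window or a longer-lived per-source counter than a single log file gives you.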
NMAP Example Scan 2
This is a TCP connect scan of all ports on my laptop from a Windows 2003 Server SP1 machine. Again all ports are filtered. This scan took almost two hours to complete.
Options used:
  -v for increased verbosity
  -sT for a TCP connect scan
  -p1-65535 to specify the port range from 1 to 65535 (all TCP ports)
C:\WINDOWS\system32\drivers\etc>Nmap -sT -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 00:39 Central America Standard Time
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)

Nmap finished: 1 IP address (1 host up) scanned in 6925.996 seconds
NMAP Example Scan 3
This is a scan of select ports (all the ports defined in the nmap-services file) on a host on my home network (running Windows 2000 SP4) from my laptop. No firewall is installed on the scanned host. More than a dozen open ports are found, and the services associated with these ports are identified.
I must admit that I had forgotten I was running VNC and BitTorrent on this host. This illustrates one of the uses of Nmap: finding out what services are being offered on your own hosts!
Note that Nmap will print a message containing a fingerprint code when a service or operating system either:
This fingerprint may be uploaded to the insecure.org website with a detailed description of the service or operating system (if it is known). This helps ensure the Nmap database is current and contains a large selection of operating system and service entries.
Options used:
  -v for increased verbosity
  -A for OS and software version detection
C:\WINDOWS\system32\drivers\etc>Nmap -v -A 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:08 Central America Standard Time
Initiating ARP Ping Scan at 09:08
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:08, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:08
Completed Parallel DNS resolution of 1 host. at 09:08, 0.04s elapsed
Initiating SYN Stealth Scan at 09:08
Scanning 192.168.1.120 [1697 ports]
Discovered open port 80/tcp on 192.168.1.120
Discovered open port 443/tcp on 192.168.1.120
Discovered open port 21/tcp on 192.168.1.120
Discovered open port 25/tcp on 192.168.1.120
Discovered open port 139/tcp on 192.168.1.120
Discovered open port 5900/tcp on 192.168.1.120
Discovered open port 6881/tcp on 192.168.1.120
Discovered open port 445/tcp on 192.168.1.120
Discovered open port 135/tcp on 192.168.1.120
Discovered open port 5800/tcp on 192.168.1.120
Discovered open port 3689/tcp on 192.168.1.120
Discovered open port 1031/tcp on 192.168.1.120
Discovered open port 1026/tcp on 192.168.1.120
Completed SYN Stealth Scan at 09:08, 0.97s elapsed (1697 total ports)
Initiating Service scan at 09:08
Scanning 13 services on 192.168.1.120
Completed Service scan at 09:10, 125.70s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.120
Retrying OS detection (try #2) against 192.168.1.120
Retrying OS detection (try #3) against 192.168.1.120
Retrying OS detection (try #4) against 192.168.1.120
Retrying OS detection (try #5) against 192.168.1.120
Host 192.168.1.120 appears to be up ... good.
Interesting ports on 192.168.1.120:
Not shown: 1684 closed ports
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                Microsoft ftpd 5.0
25/tcp   open  smtp               Microsoft ESMTP 5.0.2195.6713
80/tcp   open  http               Microsoft IIS webserver 5.0
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds       Microsoft Windows XP microsoft-ds
1026/tcp open  msrpc              Microsoft Windows RPC
1031/tcp open  mstask             Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
3689/tcp open  rendezvous         Apple iTunes 7.1.1
5800/tcp open  vnc-http           RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
5900/tcp open  vnc                VNC (protocol 3.8)
6881/tcp open  bittorent-tracker?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port6881-TCP:V=4.20%I=7%D=4/24%Time=462E1DCA%P=i686-pc-windows-windows%
[snip]
SF:t\x1b\xbd\xa3X\xc9%\te");
MAC Address: 00:01:03:0A:E0:56 (3com)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/Nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=4/24%OT=21%CT=1%CU=36922%PV=Y%DS=1%G=Y%M=000103%TM=462E1E0
[snip]
OS:%DLI=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IPID Sequence Generation: Incremental
Service Info: Host: johnson2; OS: Windows

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 137.185 seconds
           Raw packets sent: 1778 (81.800KB) | Rcvd: 1797 (84.498KB)
NMAP Example Scan 4
This is a UDP scan of a Windows 2000 SP4 machine, run from the machine itself.
Options used:
  -v for increased verbosity
  -A for OS and software version detection
  -sU for UDP scanning
C:\WINDOWS\system32\drivers\etc>Nmap -v -A -sU -p1-65535 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:35 Central America Standard Time
Initiating ARP Ping Scan at 09:35
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:35, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:35
Completed Parallel DNS resolution of 1 host. at 09:35, 0.03s elapsed
Initiating UDP Scan at 09:35
Scanning 192.168.1.120 [65535 ports]
Completed UDP Scan at 09:35, 33.47s elapsed (65535 total ports)
Initiating Service scan at 09:35
Scanning 11 services on 192.168.1.120
Discovered open port 137/udp on 192.168.1.120
Discovered open|filtered port 137/udp on 192.168.1.120 is actually open
Discovered open port 1434/udp on 192.168.1.120
Discovered open|filtered port 1434/udp on 192.168.1.120 is actually open
Service scan Timing: About 27.27% done; ETC: 09:39 (0:02:13 remaining)
Completed Service scan at 09:36, 50.09s elapsed (11 services on 1 host)
Warning: OS detection for 192.168.1.120 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.120
Host 192.168.1.120 appears to be up ... good.
Interesting ports on 192.168.1.120:
Not shown: 65524 closed ports
PORT     STATE         SERVICE        VERSION
135/udp  open|filtered msrpc
137/udp  open          netbios-ns     Microsoft Windows XP netbios-ssn (workgroup: JFAMWG)
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1035/udp open|filtered unknown
1434/udp open          ms-sql-m       Microsoft SQL Server 9.00.2047.00 (ServerName: JOHNSON2; TCPPort: 1143)
3456/udp open|filtered IISrpc-or-vat
4500/udp open|filtered sae-urn
5353/udp open|filtered zeroconf
6881/udp open|filtered unknown
MAC Address: 00:01:03:0A:E0:56 (3com)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 Server SP4, Microsoft Windows 2000 AS SP4, Microsoft Windows 2000 Server SP4, Microsoft Windows 2000 SP3, Microsoft Windows 2000 SP4, Microsoft Windows 2000, SP0, SP1, or SP2
Network Distance: 1 hop
Service Info: Host: JOHNSON2; OSs: Windows XP, Windows

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 84.417 seconds
           Raw packets sent: 65553 (1.836MB) | Rcvd: 65597 (3.673MB)
NMAP Example Scan 5
This is a protocol scan of a Windows 2000 SP4 host. Nmap is running on the same host. Notice that this scan is very fast; it completes in just under two seconds.
Options used:
  -v for increased verbosity
  -sO for protocol scanning
C:\WINDOWS\system32\drivers\etc>Nmap -v -sO 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:53 Central America Standard Time
Initiating ARP Ping Scan at 09:53
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:53, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:53
Completed Parallel DNS resolution of 1 host. at 09:53, 0.03s elapsed
Initiating IPProto Scan at 09:53
Scanning 192.168.1.120 [256 ports]
Discovered open port 1/ip on 192.168.1.120
Discovered open port 6/ip on 192.168.1.120
Completed IPProto Scan at 09:53, 1.34s elapsed (256 total ports)
Host 192.168.1.120 appears to be up ... good.
Interesting protocols on 192.168.1.120:
Not shown: 251 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       filtered      udp
47       open|filtered gre
MAC Address: 00:01:03:0A:E0:56 (3com)

Nmap finished: 1 IP address (1 host up) scanned in 1.753 seconds
           Raw packets sent: 259 (5238B) | Rcvd: 258 (14.384KB)
I have not even scratched the surface on this topic. However, I hope that this introduction will pique the curiosity of anyone who has either never heard of port scanning or never used the technique.
Use the following resources to learn more about NMAP and port scanning in general.
http://insecure.org/Nmap/man – Nmap documentation
http://insecure.org/Nmap/install – Nmap install guide
http://seclists.org – mailing list for Nmap
http://www.nabble.com/Nmap—Hackers-f394.html – Nmap forum
Books

Secrets of Network Cartography by James Messer