[Lesson 4] Network Vulnerability and Scanning: Port State Terms / Methods to Scan Ports in Nmap
Well, what do open, closed and filtered mean in an Nmap scan result?
Let's take a closer look at the states Nmap reports:
- When Nmap sends a probe to a port and receives a positive response, the port is assigned the state "open".
- For instance, a SYN scan receives a SYN/ACK from the destination machine when a port is open. We discussed this in the last lesson.
- If Nmap determines that a port is not available, it assigns the port the state "closed".
- This means Nmap received a response that clearly shows the port is closed: the port is reachable, but no application is listening on it.
- A SYN scan that receives a RST in response to its probe is the classic example of a closed port.
- Filtered ports are the result of a packet filter or firewall.
- When no response at all is received from the remote device, the port is considered "filtered".
- Since no response is received, Nmap retries the probe before deciding. This is done to make sure the packet wasn't simply dropped by an error or by network congestion.
- Note that a lack of response is categorized differently for other scan types, such as a UDP scan or a FIN scan (see open|filtered below).
- On the other hand, if the destination machine returns an unexpected response, the port is again considered filtered.
- For instance, if we get an ICMP unreachable error in response to a SYN scan probe, the port is flagged as filtered.
- In some cases a lack of response does not necessarily mean the port is filtered; the port might also be open.
- In such situations Nmap reports that the port is either open or filtered.
- For instance, in a UDP scan most services do not reply at all when they receive an empty UDP packet. So if the destination does not respond, Nmap categorizes the port as "open|filtered". This makes sense, right?
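The decision rules above, written out as a small model you can run (an added example, not Nmap's own code). The scan types are limited to SYN (-sS), UDP (-sU) and FIN (-sF); the "responses" are constructed tuples standing in for packets, one per probe Nmap sent for the port, so the retry behaviour (a lost first probe followed by an answered retransmission) can be shown too. The ICMP code set is the one Nmap's documentation lists for the filtered verdict.

```python
"""Model of how Nmap turns probe responses into a port state.

Added example, not Nmap's code. Responses are constructed tuples:
  ("none",)            no reply to this probe
  ("tcp", "SYN/ACK")   TCP reply with the given flags, e.g. "RST"
  ("udp",)             any UDP payload came back
  ("icmp", type, code) an ICMP message came back
"""
from typing import Sequence, Tuple

# ICMP type 3 (destination unreachable) codes Nmap treats as a filtering
# device answering for the target: net, host, protocol, port, and the
# net/host/communication "administratively prohibited" variants.
ICMP_UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


def classify_port(scan_type: str, responses: Sequence[Tuple]) -> str:
    """Return "open", "closed", "filtered" or "open|filtered".

    scan_type is "syn", "udp" or "fin"; responses holds one entry per probe,
    in the order the probes were sent (Nmap retransmits on silence).
    """
    scan_type = scan_type.lower()
    if scan_type not in ("syn", "udp", "fin"):
        raise ValueError(f"unsupported scan type: {scan_type!r}")

    for resp in responses:
        kind = resp[0]
        if kind == "none":
            continue  # may be congestion loss; look at the retransmission
        if kind == "icmp":
            icmp_type, code = resp[1], resp[2]
            if icmp_type == 3 and code in ICMP_UNREACHABLE_CODES:
                # UDP is the exception: ICMP port unreachable is the host
                # itself saying nothing listens there, so the port is closed.
                if scan_type == "udp" and code == ICMP_PORT_UNREACHABLE:
                    return "closed"
                return "filtered"
            continue  # other ICMP messages are ignored
        if kind == "tcp":
            flags = resp[1].upper()
            if scan_type in ("syn", "fin") and "RST" in flags:
                return "closed"  # both SYN and FIN probes get RST when closed
            if scan_type == "syn" and "SYN" in flags and "ACK" in flags:
                return "open"    # the half-open handshake succeeded
            continue
        if kind == "udp" and scan_type == "udp":
            return "open"        # the service answered our UDP probe

    # Every probe, including the retries, went unanswered.
    if scan_type == "syn":
        return "filtered"        # an open port would have sent SYN/ACK
    return "open|filtered"       # UDP and FIN scans cannot tell silence apart


if __name__ == "__main__":
    cases = [
        ("syn", [("tcp", "SYN/ACK")]),
        ("syn", [("none",), ("tcp", "SYN/ACK")]),  # first probe lost, retry answered
        ("syn", [("tcp", "RST")]),
        ("syn", [("none",), ("none",)]),
        ("syn", [("icmp", 3, 13)]),                # communication admin-prohibited
        ("udp", [("icmp", 3, 3)]),
        ("udp", [("none",), ("none",)]),
        ("fin", [("none",)]),
    ]
    for scan, resps in cases:
        print(f"{scan:<3} {str(resps):<45} -> {classify_port(scan, resps)}")
```

The UDP branch is the one to remember: the same ICMP port unreachable that means "filtered" in a SYN scan means "closed" in a UDP scan, because there it is the target host, not a filter, telling you nothing is listening.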
Some important default ports:
Now, here is the question: if port 22 is open, is the service running there definitely SSH? Could it be another service?
- Well, these are just the default port numbers of the services we know. You can run any service on any port.
- For instance, you can run HTTP on port 22. However, for ease of use, the default ports are generally used without change.
- If you are performing a pentest, you should probably look at the well-known ports first. However, you should never scan only the default ports, and you should confirm what is actually listening (for example with Nmap's version detection, -sV) rather than trusting the port number.
There are different methods/techniques to scan ports in Nmap. Let's dive into how we can scan ports:
Now, let's prepare a SYN scan of the Metasploitable machine.
Most used 1000 ports:
If you do not use any port selection parameter, the top 1000 ports are scanned. "Top ports" are the ports most commonly found open according to Nmap's own frequency data (nmap-services); they are not the same thing as the well-known range 1-1023.
Choose ports to scan:
- The first way to select ports is the -p parameter. After the scan type and target IP, enter the port numbers with -p. List the ports separated by commas, or give a range by putting a dash (-) between two port numbers.
- For instance, in the figure above ports 22 and 80 and the ports between 100 and 200 are scanned, i.e. -p 22,80,100-200.
Perform both a TCP scan and a UDP scan together:
- If you run a TCP scan and a UDP scan in a single Nmap command, you can choose both the TCP ports and the UDP ports with the -p parameter.
- In the figure above, the SYN scan and the UDP scan run at the same time. We haven't covered it yet, but the UDP scan is requested with the -sU parameter. As you know, the SYN scan is a type of TCP scan.
- After the target IP, add the -p parameter. TCP ports are selected by prefixing them with an uppercase T and a colon (:), followed by the ports to scan.
- To specify the UDP ports, add an uppercase U and a colon (:), followed by the ports in the same format.
- In the results, the TCP ports are listed first, then the UDP ports.
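To make the -p syntax from the two sections above concrete, here is an added example (not part of the original lesson and not Nmap's code) that expands a -p specification into the TCP and UDP port lists it selects. It handles comma lists, dash ranges, the T:/U: qualifiers, the "-" shorthand for all ports and open-ended ranges such as 1000-; ports given before any qualifier are applied to both protocols, which is what Nmap does. Service names and wildcards (for example http*) are not modelled. The sample specifications in the demo are constructed.

```python
"""Expand an Nmap -p port specification into explicit port lists.

Added example, not Nmap's code. Supported syntax:
  22,80,100-200         comma list and dash ranges
  T:22,80,U:53,161      protocol qualifiers, each lasting until the next one
  -                     all ports 1-65535 (the -p- shorthand)
  -100 / 1000-          open-ended ranges (1-100 / 1000-65535)
"""
import re

MAX_PORT = 65535
_ITEM = re.compile(r"(?:([TU]):)?(.*)")  # optional qualifier, then the ports


def expand_range(token: str) -> tuple:
    """Return (low, high) for one token such as "80", "100-200", "-", "1000-"."""
    if token == "-":
        return 1, MAX_PORT
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # "-100" means 1-100
        hi = int(hi_s) if hi_s else MAX_PORT   # "1000-" means 1000-65535
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"bad port range {token!r}")
    return lo, hi


def parse_port_spec(spec: str) -> dict:
    """Return {"tcp": [...], "udp": [...]} with sorted, de-duplicated ports.

    Whether the UDP list is actually scanned depends on -sU being present on
    the command line; this function only models what -p selects.
    """
    spec = spec.replace(" ", "")
    if not spec:
        raise ValueError("empty port specification")
    protos = ("tcp", "udp")  # before any qualifier, ports apply to every protocol
    result = {"tcp": set(), "udp": set()}
    for item in spec.split(","):
        qualifier, ports = _ITEM.fullmatch(item).groups()
        if qualifier:
            protos = ("tcp",) if qualifier == "T" else ("udp",)
        if not ports:
            raise ValueError(f"missing port in {item!r}")
        lo, hi = expand_range(ports)
        for proto in protos:
            result[proto].update(range(lo, hi + 1))
    return {proto: sorted(ports) for proto, ports in result.items()}


if __name__ == "__main__":
    # Constructed sample specifications, not taken from a real scan.
    for spec in ("22,80,100-200", "T:22,80,U:53,161", "-", "-100", "1000-"):
        sel = parse_port_spec(spec)
        print(f"-p {spec:<18} tcp={len(sel['tcp']):>5} ports  udp={len(sel['udp']):>5} ports")
```

A quick sanity check this makes easy: "-p 1-65535" and "-p-" produce the same 65535 TCP ports, and port 0 only appears if you ask for it explicitly with a range that starts at 0.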
Top ports parameter:
- With --top-ports followed by a number, you scan that many of the most common ports.
- The top 20 most common ports are shown in the figure above.
- -F (fast scan) is equivalent to --top-ports 100:
In the figure above, both nmap command lines produce the same result because they are the same query.
Scan all ports: -p 1-65535 (or the shorthand -p-):
- In a penetration test you should scan all the ports of the system. Give -p the range 1-65535, since that is the full range of possible port numbers (port 0 is scanned only if you ask for it explicitly, e.g. -p 0-65535).
- All the open ports of the Metasploitable machine are displayed in the figure above.
Detecting hosts using a port scan:
- By default, Nmap performs host discovery first and then port scans only the hosts it has determined to be online.
- If you use -Pn in the Nmap command, you skip host discovery and port scan every target host.
- Disabling host discovery with -Pn makes Nmap attempt the requested scan functions against every target IP address specified.
- If a class C address space, i.e. a /24, is given on the command line, all 256 addresses in it are scanned.
Why would we want to do this?
As you know, when you run as a privileged user, Nmap sends four types of packets to discover hosts:
- ICMP echo request
- SYN packet to TCP port 443
- ACK packet to TCP port 80
- ICMP timestamp request
Why?
- If a system is configured not to answer ICMP requests, and ports 80 and 443 are filtered, then Nmap thinks the host is down even though it is up.
- So, if a system is not found by the ping scan, always use -Pn for further port scans. Otherwise Nmap does not perform the port scan because it assumes the host is down.
- If your network is not huge, or you have enough time to scan, skip host discovery and port scan every possible IP address instead.
- Prefer a port scan over a ping scan when scanning a server block, because those systems are usually configured more securely than ordinary hosts. This will let you find more machines than the ping scan does.
In the figure above, the scan specifies the top 10 ports (--top-ports 10), shows only open ports (--open), targets an address block, uses -Pn to port scan without host discovery, and -n (no DNS resolution).
In addition, -n tells Nmap never to do reverse DNS resolution on the active IP addresses it finds. This option can cut scan times considerably.
Thanks for reading!