
Port Scanning with NMAP - Installation & Usage of NMAP

Port scanning is a technique used to determine the states of network ports on a host and to map out hosts on a network. In this article, I’ll go over the very basics of port scanning with the NMAP tool.

NMAP Overview

Port States

NMAP will categorize ports as being in one of the following states:

  • Open – The port is accepting TCP connections and UDP packets. This means that an application is running that is using this port.
  • Closed – The port responds to NMAP probe requests, but no application is using this port.
  • Filtered – The port state cannot be determined because packet filters prevent NMAP probes from reaching the port.
  • Unfiltered – The port is accessible, but NMAP cannot determine if it is open or closed.
  • Open|Filtered – NMAP cannot determine if the port is open or filtered.
  • Closed|Filtered – NMAP cannot determine if the port is closed or filtered.

Port Scanning Techniques

NMAP supports different methods of port scanning, called scan techniques. Each technique is tailored to solving a specific problem. Often you will have to run several scans using different techniques in order to get a more complete picture of the host(s) you are scanning.

  • TCP SYN scan (-sS) – Can be performed on many thousands of hosts very quickly on a fast network with no firewalls. It starts to open a connection by sending a SYN packet, but it never finishes the connection. The response to this packet is used to determine the port status:
    1. A SYN/ACK response indicates that the port is open and listening
    2. A RST response indicates that the port is closed
    3. No response, or an ICMP unreachable error, results in the port being marked as filtered

    TCP SYN scans are difficult to detect since a connection is never actually opened. This scan type uses raw sockets and requires root access under UNIX. This is the default scan.  

  • TCP connect scan (-sT) – Uses the OS to establish a TCP connection to the host. This scan type is slower and has more overhead than a SYN scan. A TCP connect scan is the default when a SYN scan (RAW sockets) is not possible.  
  • UDP scan (-sU) – Sends a dataless UDP header to every specified port. The response to this header is used to determine the UDP port status:
    1. An ICMP port unreachable error response indicates that the port is closed
    2. Other ICMP errors indicate that the port is filtered
    3. UDP-based services (DHCP, DNS and SNMP) may respond. This indicates that the port is open.
    4. If after several attempts no response is received, the port will be marked as open|filtered. This could mean that packet filtering is blocking communication with an otherwise open port. The version detection option (-sV) may be used in order to determine if ports marked as open|filtered are actually open.

    UDP port scanning may be done at the same time as TCP port scanning in order to speed up the process.  

  • Custom TCP scan (--scanflags) – Custom scans allow advanced users to create a scan type tailored to specific needs. This is useful for creating scans that are less likely to be detected by intrusion detection systems.  
  • IP protocol scan (-sO) – Scans a host for the IP protocols it supports by cycling through the values of the 8-bit protocol field in the IP header.
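
The SYN scan described above never completes a handshake, which is exactly what a defender can look for: one source sending SYNs to many ports of a host with no established connection ever following. The Python below is an added example, not code from the original article, that runs that check over a constructed firewall log; the log line format and the 60-second, 5-port thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the article): 192.168.1.50 sends SYNs
# to many ports of one host and never completes a handshake, while 192.168.1.77
# is a normal client whose SYNs are followed by ESTABLISHED records.
SAMPLE_LOG = """\
2007-04-23 22:04:01 SYN src=192.168.1.50 dst=192.168.1.124 dport=21
2007-04-23 22:04:01 SYN src=192.168.1.50 dst=192.168.1.124 dport=22
2007-04-23 22:04:01 SYN src=192.168.1.50 dst=192.168.1.124 dport=25
2007-04-23 22:04:02 SYN src=192.168.1.50 dst=192.168.1.124 dport=80
2007-04-23 22:04:02 SYN src=192.168.1.50 dst=192.168.1.124 dport=443
2007-04-23 22:04:03 SYN src=192.168.1.50 dst=192.168.1.124 dport=445
2007-04-23 22:04:05 SYN src=192.168.1.77 dst=192.168.1.124 dport=445
2007-04-23 22:04:05 ESTABLISHED src=192.168.1.77 dst=192.168.1.124 dport=445
2007-04-23 22:09:30 SYN src=192.168.1.77 dst=192.168.1.124 dport=80
2007-04-23 22:09:30 ESTABLISHED src=192.168.1.77 dst=192.168.1.124 dport=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ev>SYN|ESTABLISHED) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def detect_syn_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {(src, dst): sorted ports} for every source that sent SYNs to at
    least min_ports distinct ports on one host within `window` and never
    completed a handshake to that host anywhere in the log."""
    syns = defaultdict(list)   # (src, dst) -> [(timestamp, port), ...]
    completed = set()          # (src, dst) pairs that reached ESTABLISHED
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that are not in the expected shape
        key = (m["src"], m["dst"])
        if m["ev"] == "ESTABLISHED":
            completed.add(key)
        else:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            syns[key].append((ts, int(m["dport"])))

    findings = {}
    for key, events in syns.items():
        if key in completed:
            continue           # real clients finish the handshake
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports probed within `window` of this SYN
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                findings[key] = sorted(ports)
                break
    return findings
```

A real deployment would feed the function the SYN and established-connection records of whatever firewall or NetFlow source you have, and tune the thresholds to the network's normal client behaviour.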

NMAP offers the following additional scans. I list them here for completeness, but will not discuss them further.

  • TCP Null, FIN and Xmas scans – Use a loophole in the TCP RFC to determine if a port is open or closed.
  • TCP ACK scan – Used to map firewall rulesets. It cannot distinguish open ports from closed ones.
  • TCP Window scan – Used to map firewall rulesets. It can distinguish open ports from closed ones, depending on the host being scanned.
  • TCP Maimon scan – Similar to the TCP Null, FIN and Xmas scans, but exploits a slightly different TCP stack implementation detail specific to many BSD systems.
  • Idle scan – Scans hosts using packets with a “falsified” IP address, so that the scan appears to originate from another host.
  • FTP bounce scan – Scans for FTP servers configured as FTP proxies.

Installing NMAP

NMAP is an open source application and may be downloaded for free from insecure.org. Installation is straightforward. To install on Windows using the executable package:

  1. Double click the installer file
  2. Click the ‘I Agree’ button to accept the licensing terms  
  3. Accept the defaults on the Choose Components dialog box. Click the ‘Next’ button.  
  4. Choose an installation directory (or accept the default). Click the ‘Install’ button.  
  5. Installation of NMAP will proceed.  
  6. WinPcap is a required component of NMAP; its installation starts during the NMAP install. Read the license agreement and click the ‘I Agree’ button.  
  7. Select an installation directory (or accept the default). Click the ‘Install’ button.  
  8. The installation of WinPcap will now proceed. Click the ‘Close’ button on the WinPcap completed dialog box.  
  9. Click the ‘Close’ button on the NMAP completed dialog box.  

Running NMAP on Windows

Launching NMAP

NMAP does not have a GUI under Windows and must be run from the command line.

NMAP Example Scan 1

This is a scan of all ports on my laptop (running Windows XP SP2) from a Windows Server 2003 SP1 machine. Each of the interfaces on my laptop is firewalled. NMAP is using a SYN scan, so it reports that all scanned ports are filtered.

Options used:

  • -v for increased verbosity
  • -A for OS and software version detection
  • -p1-65535 to set the range of ports to scan

Notice that this scan took almost an hour to scan all ports on one host. This scan would take considerably longer if a TCP connect scan were used.

Also notice that at least one open and one closed port are required in order for OS version detection to work reliably.

Finally, -vv may be used for even more detailed output reporting.

C:\Documents and Settings\Administrator>Nmap -v -A -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-23 22:04 Central America Standard Time
Initiating ARP Ping Scan at 22:04
Scanning 192.168.1.124 [1 port]
Completed ARP Ping Scan at 22:04, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:04
Completed Parallel DNS resolution of 1 host. at 22:04, 0.03s elapsed
Initiating SYN Stealth Scan at 22:04
Scanning 192.168.1.124 [65535 ports]
SYN Stealth Scan Timing: About 2.04% done; ETC: 22:29 (0:23:58 remaining)
SYN Stealth Scan Timing: About 58.48% done; ETC: 22:46 (0:17:26 remaining)
SYN Stealth Scan Timing: About 88.44% done; ETC: 22:52 (0:05:29 remaining)
SYN Stealth Scan Timing: About 96.95% done; ETC: 22:54 (0:01:30 remaining)
Completed SYN Stealth Scan at 22:54, 2951.77s elapsed (65535 total ports)
Initiating Service scan at 22:54
Warning: OS detection for 192.168.1.124 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.124
Host 192.168.1.124 appears to be up ... good.
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2976.652 seconds
 Raw packets sent: 131095 (5.770MB) | Rcvd: 1 (42B)

NMAP Example Scan 2

This is a TCP connect scan of all ports on my laptop from a Windows 2003 Server SP1 machine. Again all ports are filtered. This scan took almost two hours to complete.

Options used:

  • -v for increased verbosity
  • -sT for a TCP connect scan
  • -p1-65535 to specify the port range from 1 to 65535 (all TCP ports)

C:\WINDOWS\system32\drivers\etc>Nmap -sT -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 00:39 Central America Standard Time
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)

Nmap finished: 1 IP address (1 host up) scanned in 6925.996 seconds

NMAP Example Scan 3

This is a scan of select ports (all the ports defined in the Nmap-services file) on a host on my home network (running Windows 2000 sp4) from my laptop. No firewall is installed on the scanned host. More than a dozen open ports are found and the services associated with these ports are identified.

I must admit that I had forgotten I was running VNC and BitTorrent on this host. This illustrates one of the uses of Nmap: finding out what services are being offered on your own hosts!

Note that Nmap will print a message containing a fingerprint code when a service or operating system either:

  1. Does not match a code in the Nmap internal database, or
  2. Multiple matches are found.

This fingerprint may be uploaded to the insecure.org website with a detailed description of the service or operating system (if it is known). This helps ensure the Nmap database is current and contains a large selection of operating system and service entries.

Options used:

  • -v for increased verbosity
  • -A for OS and software version detection

C:\WINDOWS\system32\drivers\etc>Nmap -v -A 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:08 Central America Standard Time
Initiating ARP Ping Scan at 09:08
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:08, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:08
Completed Parallel DNS resolution of 1 host. at 09:08, 0.04s elapsed
Initiating SYN Stealth Scan at 09:08
Scanning 192.168.1.120 [1697 ports]
Discovered open port 80/tcp on 192.168.1.120
Discovered open port 443/tcp on 192.168.1.120
Discovered open port 21/tcp on 192.168.1.120
Discovered open port 25/tcp on 192.168.1.120
Discovered open port 139/tcp on 192.168.1.120
Discovered open port 5900/tcp on 192.168.1.120
Discovered open port 6881/tcp on 192.168.1.120
Discovered open port 445/tcp on 192.168.1.120
Discovered open port 135/tcp on 192.168.1.120
Discovered open port 5800/tcp on 192.168.1.120
Discovered open port 3689/tcp on 192.168.1.120
Discovered open port 1031/tcp on 192.168.1.120
Discovered open port 1026/tcp on 192.168.1.120
Completed SYN Stealth Scan at 09:08, 0.97s elapsed (1697 total ports)
Initiating Service scan at 09:08
Scanning 13 services on 192.168.1.120
Completed Service scan at 09:10, 125.70s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.120
Retrying OS detection (try #2) against 192.168.1.120
Retrying OS detection (try #3) against 192.168.1.120
Retrying OS detection (try #4) against 192.168.1.120
Retrying OS detection (try #5) against 192.168.1.120
Host 192.168.1.120 appears to be up ... good.
Interesting ports on 192.168.1.120:
Not shown: 1684 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd 5.0
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
80/tcp open http Microsoft IIS webserver 5.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1026/tcp open msrpc Microsoft Windows RPC
1031/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
3689/tcp open rendezvous Apple iTunes 7.1.1
5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
5900/tcp open vnc VNC (protocol 3.8)
6881/tcp open bittorent-tracker?
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port6881-TCP:V=4.20%I=7%D=4/24%Time=462E1DCA%P=i686-pc-windows-windows%
[snip]
SF:t\x1b\xbd\xa3X\xc9%\te");
MAC Address: 00:01:03:0A:E0:56 (3com)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/Nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=4/24%OT=21%CT=1%CU=36922%PV=Y%DS=1%G=Y%M=000103%TM=462E1E0
[snip]
OS:%DLI=S)


Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IPID Sequence Generation: Incremental
Service Info: Host: johnson2; OS: Windows

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 137.185 seconds
 Raw packets sent: 1778 (81.800KB) | Rcvd: 1797 (84.498KB)
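
A practical use of output like this, as noted above, is finding out which services your own hosts offer. The Python below is an added example, not the article's or Nmap's own code: it parses the port table of Nmap's normal output, re-joins rows the console wrapped onto a second line, and compares open ports with an allowlist of services the host is meant to run. The sample output is constructed from rows of scans 3 and 4, and the allowlist is an assumption.

```python
import re

# Constructed sample of Nmap normal output, assembled from rows of scans 3 and 4
# above (not a verbatim capture). Long rows are wrapped as the Windows console did.
SAMPLE_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd 5.0
80/tcp open http Microsoft IIS webserver 5.0
1031/tcp open mstask Microsoft mstask (task server - c:\\winnt\\syste
m32\\Mstask.exe)
5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC TCP port:
 5900)
5900/tcp open vnc VNC (protocol 3.8)
6881/tcp open bittorent-tracker?
137/udp open netbios-ns Microsoft Windows XP netbios-ssn (workgroup
: JFAMWG)
135/udp open|filtered msrpc
MAC Address: 00:01:03:0A:E0:56 (3com)
"""

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)(?:\s+(?P<version>.*))?$")
TRAILERS = ("MAC Address", "Device type", "Running", "OS details",
            "Network Distance", "Service Info", "No exact OS", "TCP/IP fingerprint")


def parse_ports(text):
    """Return [{port, proto, state, service, version}] from the port table,
    re-joining rows the console wrapped onto a following line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("PORT "):
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_RE.match(line)
        if m:
            rows.append({"port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                         "service": m["service"], "version": m["version"] or ""})
        elif not line.strip() or line.startswith(TRAILERS) or line[0].isdigit():
            break              # blank line, trailer or "N services unrecognized": table over
        elif rows:
            rows[-1]["version"] += line.rstrip()   # wrapped continuation of previous row
    return rows


def review(rows, expected):
    """Return (open ports not on the (port, proto) allowlist, open|filtered ports)."""
    unexpected = [r for r in rows if r["state"] == "open"
                  and (r["port"], r["proto"]) not in expected]
    recheck = [r for r in rows if r["state"] == "open|filtered"]
    return unexpected, recheck
```

Ports reported open|filtered by a UDP scan are returned separately so they can be rechecked with -sV, as described in the UDP scan section.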

NMAP Example Scan 4

This is a UDP scan of a Windows 2000 sp4 machine from the machine itself.

Options used:

  • -v for increased verbosity
  • -A for OS and software version detection
  • -sU for UDP scanning

C:\WINDOWS\system32\drivers\etc>Nmap -v -A -sU -p1-65535 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:35 Central America Standard Time
Initiating ARP Ping Scan at 09:35
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:35, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:35
Completed Parallel DNS resolution of 1 host. at 09:35, 0.03s elapsed
Initiating UDP Scan at 09:35
Scanning 192.168.1.120 [65535 ports]
Completed UDP Scan at 09:35, 33.47s elapsed (65535 total ports)
Initiating Service scan at 09:35
Scanning 11 services on 192.168.1.120
Discovered open port 137/udp on 192.168.1.120
Discovered open|filtered port 137/udp on 192.168.1.120 is actually open
Discovered open port 1434/udp on 192.168.1.120
Discovered open|filtered port 1434/udp on 192.168.1.120 is actually open
Service scan Timing: About 27.27% done; ETC: 09:39 (0:02:13 remaining)
Completed Service scan at 09:36, 50.09s elapsed (11 services on 1 host)
Warning: OS detection for 192.168.1.120 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.120
Host 192.168.1.120 appears to be up ... good.
Interesting ports on 192.168.1.120:
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
135/udp open|filtered msrpc
137/udp open netbios-ns Microsoft Windows XP netbios-ssn (workgroup: JFAMWG)
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1035/udp open|filtered unknown
1434/udp open ms-sql-m Microsoft SQL Server 9.00.2047.00 (ServerName: JOHNSON2; TCPPort: 1143)
3456/udp open|filtered IISrpc-or-vat
4500/udp open|filtered sae-urn
5353/udp open|filtered zeroconf
6881/udp open|filtered unknown
MAC Address: 00:01:03:0A:E0:56 (3com)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 Server SP4, Microsoft Windows 2000 AS SP4, Microsoft Windows 2000 Server SP4, Microsoft Windows 2000 SP3, Microsoft Windows 2000 SP4, Microsoft Windows 2000, SP0, SP1, or SP2
Network Distance: 1 hop
Service Info: Host: JOHNSON2; OSs: Windows XP, Windows

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 84.417 seconds
 Raw packets sent: 65553 (1.836MB) | Rcvd: 65597 (3.673MB)

NMAP Example Scan 5

This is a protocol scan of a Windows 2000 sp4 host. Nmap is running on the same host. Notice that this scan is very fast. It completes in just under two seconds.

Options used:

  • -v for increased verbosity
  • -sO for protocol scanning

C:\WINDOWS\system32\drivers\etc>Nmap -v -sO 192.168.1.120

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 09:53 Central America Standard Time
Initiating ARP Ping Scan at 09:53
Scanning 192.168.1.120 [1 port]
Completed ARP Ping Scan at 09:53, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:53
Completed Parallel DNS resolution of 1 host. at 09:53, 0.03s elapsed
Initiating IPProto Scan at 09:53
Scanning 192.168.1.120 [256 ports]
Discovered open port 1/ip on 192.168.1.120
Discovered open port 6/ip on 192.168.1.120
Completed IPProto Scan at 09:53, 1.34s elapsed (256 total ports)
Host 192.168.1.120 appears to be up ... good.
Interesting protocols on 192.168.1.120:
Not shown: 251 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 filtered udp
47 open|filtered gre
MAC Address: 00:01:03:0A:E0:56 (3com)

Nmap finished: 1 IP address (1 host up) scanned in 1.753 seconds
 Raw packets sent: 259 (5238B) | Rcvd: 258 (14.384KB)

Where to Get More Information

I have not even scratched the surface of this topic. However, I hope that this introduction will pique the curiosity of anyone who has either never heard of port scanning or has never used the technique.

Use the following resources to learn more about NMAP and port scanning in general.

  • http://insecure.org/Nmap/man – Nmap documentation
  • http://insecure.org/Nmap/install – Nmap install guide
  • http://seclists.org – mailing list for Nmap
  • http://www.nabble.com/Nmap—Hackers-f394.html – Nmap forum

Books: Secrets of Network Cartography by James Messer
