How To Scan TCP and UDP Ports With Nmap? – POFTUT



Nmap is a very popular tool among pentesters and system/network administrators. We have already provided different nmap tutorials and a cheat sheet, but TCP and UDP port scanning is an important part of any scan. We will cover it in detail in this tutorial.

Start Port Scan

The simplest usage is to provide only the target, without any other parameter. The target can be a single IP address or hostname, or multiple targets. In this example we will scan the IP address 192.168.1.1, which by default covers the 1000 most common ports.

$ nmap 192.168.1.1

TCP Syn Scan

As we know, a TCP connection is initiated with a 3-way handshake. The first step of the 3-way handshake is sending a TCP SYN packet. We can send only SYN packets to the target to get the status of the remote ports without establishing a full connection. We will use -sS for this. This option requires Administrator or root privileges.

$ nmap -sS 192.168.1.1

TCP Ack Scan

TCP ACK scan is similar to SYN scan but sends ACK packets to the target system. It reports ports as filtered or unfiltered rather than open or closed, which makes it useful for mapping firewall rules. We will use the -sA option for this.

$ nmap -sA 192.168.1.1

UDP Port Scan

Nmap scans TCP ports by default and does not scan any UDP ports. Scanning UDP ports may not produce reliable results, but it can be useful in some situations. We can scan UDP ports with the -sU option.

$ nmap -sU 192.168.1.1

Range Of Port Scan

We can specify a port range for a TCP port scan. We will use the -p option with a range of port numbers delimited by - . For example, 0-100 will scan TCP ports from 0 to 100.

$ nmap -p 0-100 192.168.1.1

Multiple Port Scan

In the previous step we specified the target ports as a range. We also have the option to specify multiple individual ports for a single scan. We will use the -p option again, but delimit the ports with a comma , . In this example we will scan the remote TCP ports 22, 80, 443 and 8080.

$ nmap -p 22,80,443,8080 192.168.1.1

Most Used Ports Scan

Nmap has a port usage frequency database. We can use this database to limit our scan to the most common ports. We will use the --top-ports option with the number of most common ports to scan. In this example we will scan the 333 most common ports.

$ nmap --top-ports 333 192.168.1.1

Fast Port Scan

We can control the port scan speed with the -T option. The timing levels range from 0 to 5 and the default level is 3. We can use 5 for the fastest scan. Be aware that this may disrupt the network or the remote targets.

$ nmap -T 5 192.168.1.1

Slower Port Scan

We can also use 1 for a slower port scan, which makes the scan less likely to be detected by security systems such as an IPS or IDS.

$ nmap -T 1 192.168.1.1
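To put the results of scans like the ones above to use, here is an added example (not from the POFTUT post or the nmap project) that parses nmap's grepable output (produced by adding -oG - to any of the commands above) and flags open ports that are missing from an administrator's expected baseline. The sample scan output and the baseline are constructed for the example.

```python
import re

# Constructed sample of nmap grepable output (-oG); not a real scan capture.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -p 22,53,80,443 -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 53/open|filtered/udp//domain///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (0)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 1.23 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blank lines carry no host data
        host = m.group(1)
        fields = line.split("\t")  # -oG separates fields with tabs
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # the "Status: Up" line has no port list
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            # each entry is port/state/protocol/owner/service/rpc info/version info/
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            results.setdefault(host, []).append((port, proto, state, service))
    return results


def unexpected_open(results, baseline):
    """Ports reported open (or open|filtered, as UDP often is) but absent from baseline."""
    findings = []
    for host, ports in results.items():
        allowed = baseline.get(host, set())
        for port, proto, state, service in ports:
            if state.startswith("open") and (port, proto) not in allowed:
                findings.append((host, port, proto, state, service))
    return findings


if __name__ == "__main__":
    # Constructed baseline: only SSH and HTTPS are expected on this host.
    baseline = {"192.168.1.1": {(22, "tcp"), (443, "tcp")}}
    for finding in unexpected_open(parse_gnmap(SAMPLE_GNMAP), baseline):
        print("unexpected open port:", finding)
```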

