Nmap is very popular tool among pentester and system/network administrators. We have all ready provided different nmap tutorials and cheat sheet but TCP and UDP port scan is important part of the scan. We will dive in detail in this tutorial.
Start Port Scan
The most simple usage without any parameter for a port scan is just providing the target. The target can be a single IP or hostname or multiple targets. In this example we will scan IP address
192.168.1.1 with most common 1000 ports by default.
$ nmap 192.168.1.1
TCP Syn Scan
As we know TCP connection is initiated with 3-way handshake. The first step in 3-way handshake is sending
Syn TCP packets. We can only send
Syn packets to the target to scan and get status of the remote port without establishing connection. We will use
-sS for this. This option requires Administrator or root privileges
$ nmap -sS 192.168.1.1
TCP Ack Scan
TCP Ack scan will similar to Syn scan but also send the ACK packets to the target system. We will use
-sA option for this.
$ nmap -sA 192.168.1.1
UDP Port Scan
Nmap scans TCP ports by default and do not scan any UDP ports. Actually scanning UDP ports may not generate any reliable result but it may be beneficial in some situations. We can scan UDP ports with
$ nmap -sU 192.168.1.1
Range Of Port Scan
We can specify a port range for TCP port scan. We will use
-p option and the range of port numbers by delimiting with
- . For example
0-100 will scan TCP ports from 0 to 100.
$ nmap -p 0-100 192.168.1.1
Multiple Port Scan
In previous step we have specified the target port range as bulk. We have option to specify multiple ports one by one for single scan. We will use
-p option again but we will delimit ports with
, comma . In this example we will scan remote TCP ports 22,80,443 and 8080 .
$ nmap -p 22,80,443,8080 192.168.1.1
Most Used Ports Scan
Nmap have a port usage frequency database. We can use this database to limit our scan for most common ports. We will use
--top-ports option with most common port count. In this example we will scan most common
$ nmap --top-ports 333 192.168.1.1
Fast Port Scan
We can specify the TCP port scan speed with
-T options. There are 5 levels and the default level or speed is
3 . We can use
5 for fastest scan. Be aware that this may interrupt network or remote targets.
$ nmap -T 5 192.168.1.1
Slower Port Scan
We can also use
1 for slower port scan which will make our scan invisible for security systems like IPS or IDS.
$ nmap -T 1 192.168.1.1