Nmap (Network Mapper) is the most popular discovery tool used by Network Administrators for security auditing and mapping their network. This core tool is furthermore used for finding live hosts, OS detection, performing port scanning, and version detection.
In order to detect various available hosts on the network, the services they’re offering, the version of operating system they’re running, and the type of firewall they are using, nmap uses the raw IP address. Whenever we’re having connectivity issues of network or firewall configuration, the first thing we check is which ports are open.
There are several commands available to check open ports and scan them on your system, but nmap is the most used command for this purpose. In this article, we’ll discuss how to scan all open ports with nmap on your Linux system.
Applications listen to various network ports and these ports can be open or closed through a firewall. Here open ports are those that are accepting incoming packets from a location and they can pose a security risk as such ports can be used by various attackers.
Hence, we need to keep a check on ports that are open and close all the unnecessary ones not needed for any functionality. In order to scan various open ports on our system, we’ll use the command nmap.
Before scanning any open ports we need to have nmap installed on our Linux system. Use one of the following options to install nmap on your system first:
- On Ubuntu, Debian, & Linux Mint
sudo apt update && sudo apt install namp
- On CentOS, RHEL, & Fedora
Now that our packages are updated we’re all set to install nmap and for this execute the command given below:
sudo dnf install nmap
Scanning of ports using nmap command
We can scan any port, a range of IP addresses, or any host we can use the nmap command in the following way:
01. To scan a hostname we can execute the following commands:
sudo nmap localhost
OutputStarting Nmap 7.80 ( https://nmap.org ) at 2021-10-02 10:19 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.0000050s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
You can also run nmap without sudo but an unprivileged scan uses -sT (TCP Connect) while privileged (root) uses -sS (TCP SYN Stealth).
02. To tell nmap to scan all the TCP ports we use “sT” along with nmap and “-O” is used here for OS detection.
sudo nmap -sT -O 127.0.0.1
The output shows that 80, 443, and 3306 ports are open.
OutputStarting Nmap 7.80 ( https://nmap.org ) at 2021-10-02 10:23 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.000080s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 3306/tcp open mysql Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6.32 OS details: Linux 2.6.32 Network Distance: 0 hops OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
03. In case we want to perform a SYN scan that performs only half of the tcp handshakes we use “-sS” along with the nmap command in the following way:
sudo nmap -sS 127.0.0.1
04. In order to tell nmap to scan all the UDP ports instead of TCP we use “-sU” and we’ll specify the port 80, 130 and 255 using -p along with nmap command:
sudo nmap -sU -p 80,130,255 127.0.0.1
Here the output shows that all the UDP ports that we specified in order to scan are closed.
Scan using “-v” with nmap
05. In order to get more information about the system and open ports you’ve to use the “-v” option along with nmap as we did in the below example:
sudo nmap -v 127.0.0.1
06. This way we can get all the detailed information about the machine as well as all the ports that are open.
sudo nmap -v 10.0.2.15
Scan multiple hosts with nmap
07. More than one hostname or IP addresses can be scanned using nmap by simply mentioning them with space in between as below:
sudo nmap 127.0.0.1 127.0.0.2 127.0.0.3
Scan single or multiple ports
08. Nmap can be used to scan various ports as well as a specific port as demonstrated below by the example:
sudo nmap -p 80 127.0.0.1
09. Here we’re scanning the port 80 on the provided ip address with the output telling us that it is closed. Now to scan a range of ports from 1-200 we’ll use the below command:
sudo nmap -p 1-200 127.0.0.1
10. Now to perform a fast scan on the system we use “-F” along with the nmap command in the following way:
sudo nmap -F 127.0.0.1
Scan whole subnet with nmap
11. In case you want to scan the whole range of IP or subnet we use “*” in the following way:
sudo nmap 127.0.0.*
This command scanned the whole subnet and provided us the result of each host and ports available on them.
In this way, we can perform various scans on IP addresses, specific hosts and check all the ports. Furthermore, a specific port or range of ports can be specified as shown above in the examples.
Checking ports open on a network is extremely crucial as any open port can easily be attacked by hackers and cause security threats. That’s why it is important to perform a scan and check all the open ports and if they’re not in use, close them.
Nmap is the command commonly used for the purpose of scanning the ports. In this article, we discussed how to scan open ports on Linux systems using nmap along with examples to demonstrate the use of these and various options to further specify the use.