Conduct Port Scanning with Nmap


Introduction

In this lab, you will learn to conduct port scanning using Nmap. The lab covers various types of scans, including TCP connect scan, SYN scan, scanning specific ports, port ranges, and top ports. You'll execute commands like nmap -sT, nmap -sS, and others on different IP addresses and ranges, and then check the results in the Xfce terminal.

Each scan type has its own characteristics and use cases. For example, the TCP connect scan completes the full TCP three-way handshake, which is reliable but less stealthy. By the end of the lab, you'll have a better understanding of how to use Nmap for port scanning.



Run TCP connect scan with nmap -sT 127.0.0.1

In this step, you will learn how to perform a TCP connect scan using Nmap. A TCP connect scan is a basic form of TCP scanning that completes the full TCP three-way handshake to establish a connection with the target. This method is less stealthy than other scan types but is reliable and doesn't require special privileges.

Before we begin, let's understand the TCP three-way handshake:

  1. SYN (Synchronize): The scanner sends a SYN packet to the target.
  2. SYN/ACK (Synchronize/Acknowledge): If the port is open, the target responds with a SYN/ACK packet.
  3. ACK (Acknowledge): The scanner completes the connection by sending an ACK packet back to the target.

Nmap's -sT option performs this full TCP connect scan. Because the connection is fully established and handed to the listening application, the scan is easily logged by the target: a service that records every accepted connection will record one that was opened and immediately closed.

Now, let's perform a TCP connect scan on 127.0.0.1 (localhost). This address always refers to your own machine.

  1. Open the Xfce terminal.

  2. Execute the following command:

sudo nmap -sT 127.0.0.1

This command tells Nmap to perform a TCP connect scan (-sT) on the IP address 127.0.0.1. A connect scan only uses the ordinary connect() system call, so it does not actually need root privileges; sudo is kept here for consistency with the later scans. Because the labex user has passwordless sudo, no password prompt should appear.

  3. Observe the output. You should see a list of open ports on your local machine. The output will look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000063s latency).
Other addresses for localhost: ::1

PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    closed smtp
80/tcp    closed http
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
445/tcp   closed microsoft-ds
631/tcp   closed ipp
3306/tcp  closed mysql
5432/tcp  closed postgresql
8080/tcp  closed http-proxy
8443/tcp  closed https-alt
9090/tcp  closed zeus-admin
10000/tcp closed snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

The output shows the ports that are open, closed, or filtered on the target system. In this case, it's scanning your own machine. The STATE column indicates the status of each port. open means Nmap completed the handshake and established a TCP connection to that port. closed means the connection attempt was refused: the target answered Nmap's SYN with a TCP reset (RST), so nothing is listening there. filtered means the connection attempt timed out or came back with an ICMP unreachable error, so Nmap could not tell whether a listener exists behind the filter.
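A connect scan is just repeated connect() calls, so its three outcomes can be reproduced without Nmap. The script below is an added example, not code from this lab or from the Nmap project: it opens a listener on a loopback port of its own choosing, picks an unused loopback port as the "closed" case, and classifies each the way -sT would. The port numbers it uses are whatever the kernel hands out at run time, not the ones in the output above.

```python
"""Minimal TCP connect scanner, the technique behind `nmap -sT`.

Added example (not code from the lab or from Nmap). It uses only the
Python standard library and needs no privileges: the kernel performs the
full SYN / SYN-ACK / ACK handshake inside connect(), so this program never
sees or crafts a packet. The listener and the "closed" port are created by
the demo itself so that it runs offline.
"""
import socket


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port the way -sT does.

    open     -> connect() returned: the three-way handshake completed.
    closed   -> the target answered the SYN with RST; the kernel reports
                this as ECONNREFUSED.
    filtered -> no answer before the timeout, or an ICMP unreachable error;
                Nmap cannot tell those two apart either, hence "filtered".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout and ICMP errors are OSError subclasses
            return "filtered"
        # Closing here mirrors Nmap: the accepted connection is torn down at
        # once, but the listener already saw it, which is why -sT is logged.
        return "open"


def scan_ports(host, ports, timeout=1.0):
    """Scan a list of ports sequentially; returns {port: state}."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


def start_loopback_listener():
    """Listen on an ephemeral 127.0.0.1 port. No accept() call is needed for
    the demo: the kernel completes handshakes into the backlog on its own."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_loopback_port():
    """Bind and immediately release an ephemeral port, so that nothing is
    listening on it and a SYN to it is answered with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open, closed, results)."""
    srv = start_loopback_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_loopback_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


def format_report(host, results):
    """Render results in the PORT / STATE layout the lab output uses."""
    lines = [f"Connect scan report for {host}", "PORT      STATE"]
    for port, state in sorted(results.items()):
        lines.append(f"{port}/tcp".ljust(10) + state)
    return "\n".join(lines)


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    print(format_report("127.0.0.1", results))
```

Against an address that silently drops SYNs (a firewalled host, or an unroutable address on your network) connect_scan_port returns "filtered" only after the full timeout elapses; that delay, multiplied by hundreds of ports, is why Nmap runs many probes in parallel.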

Execute SYN scan with nmap -sS 192.168.1.1

In this step, you will learn how to perform a SYN scan (also known as a "half-open" scan) using Nmap. A SYN scan is a more stealthy technique than a TCP connect scan because it doesn't complete the full TCP three-way handshake.

Here's how a SYN scan works:

  1. SYN (Synchronize): The scanner sends a SYN packet to the target.
  2. SYN/ACK (Synchronize/Acknowledge): If the port is open, the target responds with a SYN/ACK packet.
  3. RST (Reset): Instead of sending an ACK to complete the connection, the scanner sends a RST packet to abruptly terminate the connection.

Because the full TCP connection is never established, the listening application never sees the connection and does not log it, which is why SYN scans are called stealthy. Stealth is relative, though: every SYN still crosses the wire, so a host firewall, an IDS or a network sensor that records connection attempts sees a SYN scan just as clearly as a connect scan. SYN scans also require root privileges, because Nmap has to craft and read raw packets instead of using the kernel's connect() call.

Nmap's -sS option performs a SYN scan.

Now, let's perform a SYN scan on 192.168.1.1. Note: This IP address is likely a private IP address on a local network. Ensure you have permission to scan this address. In a real-world scenario, scanning a network without permission is illegal. For the purpose of this lab, we will assume this IP address represents a safe target within your testing environment. If no device answers at this address, Nmap's host discovery will report the host as down and skip the port scan entirely; forcing the port scan with -Pn would then show every port as filtered.

  1. Open the Xfce terminal.

  2. Execute the following command:

sudo nmap -sS 192.168.1.1

This command tells Nmap to perform a SYN scan (-sS) on the IP address 192.168.1.1. Because the labex user has passwordless sudo, no password prompt should appear; the scan itself does need root, since -sS sends raw packets.

  3. Observe the output. The output will vary depending on the target system. It might look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

The output shows the ports that are open, closed, or filtered on the target system. The STATE column indicates the status of each port. open means Nmap received a SYN/ACK packet in response to its SYN packet. closed means Nmap received a RST packet. filtered means Nmap couldn't determine whether the port is open or closed because network filtering is preventing Nmap from reaching the port.
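To make the logging caveat concrete, here is an added example (not from the lab or from the Nmap project) of what a SYN scan looks like to a network sensor and how a detection rule catches it. The log lines are constructed by hand in a cut-down version of Zeek's conn.log column layout (real files carry more columns and a #fields preamble); the conn_state and history values on the scanner's rows are illustrative assumptions, and the detector deliberately does not rely on them. The 10.0.0.x addresses are invented.

```python
"""Detecting a port scan in connection logs. Added example, not from the lab.

A half-open scan is invisible to the application, not to the network: a
sensor such as Zeek writes one conn.log line per attempt. The rows below
are constructed; their layout is a subset of Zeek's conn.log columns.
"""
import csv
import io
from collections import defaultdict

_FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
           "orig_bytes", "resp_bytes", "conn_state", "history"]
_ROWS = [
    # constructed: 10.0.0.5 probes the ten --top-ports of 10.0.0.1 within 0.2 s
    # (conn_state/history on these rows are assumed values, not a capture)
    ("1700000000.101", "10.0.0.5", "40101", "10.0.0.1", "21",   "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.105", "10.0.0.5", "40102", "10.0.0.1", "22",   "tcp", "0", "0", "RSTO", "ShR"),
    ("1700000000.120", "10.0.0.5", "40103", "10.0.0.1", "23",   "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.142", "10.0.0.5", "40104", "10.0.0.1", "25",   "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.160", "10.0.0.5", "40105", "10.0.0.1", "80",   "tcp", "0", "0", "RSTO", "ShR"),
    ("1700000000.201", "10.0.0.5", "40106", "10.0.0.1", "110",  "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.233", "10.0.0.5", "40107", "10.0.0.1", "139",  "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.250", "10.0.0.5", "40108", "10.0.0.1", "443",  "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.288", "10.0.0.5", "40109", "10.0.0.1", "445",  "tcp", "0", "0", "REJ",  "Sr"),
    ("1700000000.300", "10.0.0.5", "40110", "10.0.0.1", "3389", "tcp", "0", "0", "REJ",  "Sr"),
    # constructed: ordinary HTTPS sessions from 10.0.0.7, plus one that got no reply
    ("1700000001.000", "10.0.0.7", "51000", "10.0.0.1", "443",  "tcp", "517", "4120", "SF", "ShADadFf"),
    ("1700000002.500", "10.0.0.7", "51001", "10.0.0.1", "443",  "tcp", "612", "8801", "SF", "ShADadFf"),
    ("1700000003.100", "10.0.0.7", "51002", "10.0.0.1", "443",  "tcp", "0",   "0",    "S0", "S"),
    # constructed: 10.0.0.9 fails against two ports; two ports is not a scan
    ("1700000004.000", "10.0.0.9", "53000", "10.0.0.1", "2222", "tcp", "0", "0", "REJ", "Sr"),
    ("1700000004.200", "10.0.0.9", "53001", "10.0.0.1", "2222", "tcp", "0", "0", "REJ", "Sr"),
    ("1700000004.400", "10.0.0.9", "53002", "10.0.0.1", "8080", "tcp", "0", "0", "S0",  "S"),
    # constructed: a UDP flow, which is not a TCP connection attempt at all
    ("1700000005.000", "10.0.0.7", "44444", "10.0.0.1", "53",   "udp", "40", "120", "SF", "Dd"),
]
CONN_LOG = "\n".join("\t".join(r) for r in [_FIELDS] + _ROWS) + "\n"


def _num(value, cast):
    """Zeek writes '-' for unset fields; treat them as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text):
    """Parse the TSV into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rows.append({
            "ts": float(row["ts"]),
            "orig_h": row["id.orig_h"],
            "resp_h": row["id.resp_h"],
            "resp_p": int(row["id.resp_p"]),
            "proto": row["proto"],
            "orig_bytes": _num(row["orig_bytes"], int),
            "resp_bytes": _num(row["resp_bytes"], int),
            "conn_state": row["conn_state"],
            "history": row["history"],
        })
    return rows


def find_port_scans(rows, window=5.0, min_ports=10):
    """Flag (src, dst) pairs that touch >= min_ports distinct TCP ports within
    `window` seconds using connections that carried no payload in either
    direction. The rule keys on bytes, not on conn_state, so it catches -sS
    (never established) and -sT (established, then closed with no data)
    alike. Zero-byte health checks to one port stay below the distinct-port
    threshold."""
    attempts = defaultdict(list)
    for r in rows:
        if r["proto"] != "tcp" or r["orig_bytes"] or r["resp_bytes"]:
            continue
        attempts[(r["orig_h"], r["resp_h"])].append((r["ts"], r["resp_p"]))

    alerts = []
    for (src, dst), events in attempts.items():
        events.sort()
        left = 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:  # slide the window forward
                left += 1
            ports = {p for _, p in events[left:right + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "start": events[left][0], "end": ts})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in find_port_scans(parse_conn_log(CONN_LOG)):
        print(f"port scan: {a['src']} -> {a['dst']}, {len(a['ports'])} ports "
              f"in {a['end'] - a['start']:.2f}s: {a['ports']}")
```

Lowering min_ports makes the rule noisier: with min_ports=2 the two failed attempts from 10.0.0.9 would also fire, which is the usual trade-off between catching a slow, narrow scan and paging on a misconfigured client.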

Scan specific ports with nmap -p 22,80 192.168.1.1

In this step, you will learn how to scan specific ports on a target system using Nmap. This is useful when you want to focus your scan on particular services or applications that you suspect might be running on the target.

Nmap's -p option allows you to specify the ports you want to scan. You can specify individual ports, a range of ports, or a combination of both. In this case, we will scan ports 22 and 80 on the IP address 192.168.1.1.

  • Port 22 is commonly used for SSH (Secure Shell), a secure remote access protocol.
  • Port 80 is commonly used for HTTP (Hypertext Transfer Protocol), the protocol used for web browsing.

Note: As in the previous step, 192.168.1.1 is likely a private IP address on a local network. Ensure you have permission to scan this address. In a real-world scenario, scanning a network without permission is illegal. For the purpose of this lab, we will assume this IP address represents a safe target within your testing environment. If no device answers at this address, Nmap will report the host as down and skip the port scan; with -Pn it would scan anyway, and both ports would then show as filtered.

  1. Open the Xfce terminal.

  2. Execute the following command:

sudo nmap -p 22,80 192.168.1.1

This command tells Nmap to scan ports 22 and 80 (-p 22,80) on the IP address 192.168.1.1. No scan type is given, so Nmap uses its default, which is a SYN scan when it runs as root (as it does under sudo). Because the labex user has passwordless sudo, no password prompt should appear.

  3. Observe the output. The output will vary depending on the target system. It might look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

The output shows the status of ports 22 and 80 on the target system. open means Nmap received a SYN/ACK packet in response to its SYN packet, indicating that the port is listening for connections.

Scan port range with nmap -p 1-100 127.0.0.1

In this step, you will learn how to scan a range of ports on a target system using Nmap. This is useful when you want to identify all the open ports within a specific range, which can help you understand the services running on the target.

As you learned in the previous step, Nmap's -p option allows you to specify the ports you want to scan. To scan a range of ports, you can use the syntax start-end, where start is the starting port number and end is the ending port number. In this case, we will scan ports 1 through 100 on the IP address 127.0.0.1.

127.0.0.1 is the loopback address, also known as localhost. It always refers to the current machine. Scanning 127.0.0.1 is safe and doesn't require any special permissions.

  1. Open the Xfce terminal.

  2. Execute the following command:

nmap -p 1-100 127.0.0.1

This command tells Nmap to scan ports 1 through 100 (-p 1-100) on the IP address 127.0.0.1. Since we are scanning the local machine, sudo is not required. Nmap will use the default SYN scan unless otherwise specified, but since we are not using sudo, it will fall back to a TCP connect scan.

  3. Observe the output. The output will vary depending on the services running on your LabEx VM. Only ports 1 through 100 are scanned, so a service such as CUPS on 631 cannot appear here even if it is running. It might look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000081s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

The output shows the status of ports 1 through 100 on the local machine. open means Nmap was able to establish a TCP connection to the port, indicating that the port is listening for connections. closed means Nmap received a RST packet, indicating that the port is not listening. filtered means Nmap couldn't determine whether the port is open or closed.

Scan top ports with nmap --top-ports 10 192.168.1.0/24

In this step, you will learn how to scan the most common ports on a network using Nmap. This is useful when you want to quickly identify the most likely services running on a range of hosts. Nmap maintains a list of the most frequently used ports, and the --top-ports option allows you to scan a specified number of these ports.

The --top-ports option tells Nmap to scan the specified number of most common ports, based on Nmap's service frequency list. This list is compiled from statistical data gathered over many years of network scanning.

In this case, we will scan the top 10 most common ports on the network 192.168.1.0/24.

  • 192.168.1.0/24 is a CIDR (Classless Inter-Domain Routing) notation that represents a network range. The /24 indicates that the first 24 bits of the IP address are fixed, meaning that the network includes all IP addresses from 192.168.1.0 to 192.168.1.255.

Important: Scanning a network range can potentially impact network performance and might be considered intrusive. Ensure you have permission to scan the network before proceeding. For the purpose of this lab, we will assume this range represents a safe target within your testing environment. If there is no network at this address, Nmap will report 0 hosts up and print no port tables at all.

  1. Open the Xfce terminal.

  2. Execute the following command:

sudo nmap --top-ports 10 192.168.1.0/24

This command tells Nmap to scan the top 10 most common ports (--top-ports 10) on every address in 192.168.1.0/24. Because the labex user has passwordless sudo, no password prompt should appear, and since Nmap runs as root it uses its default SYN scan.

  3. Observe the output. The output will vary depending on the devices on your network. It might look similar to this:

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00098s latency).

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

Nmap scan report for 192.168.1.2
Host is up (0.00098s latency).
All 10 scanned ports on 192.168.1.2 are filtered

Nmap done: 256 IP addresses (2 hosts up) scanned in 2.52 seconds

The output shows the status of the top 10 most common ports on each host in the network range. open means Nmap received a SYN/ACK packet in response to its SYN packet, indicating that the port is listening for connections. filtered means Nmap couldn't determine whether the port is open or closed, usually because a firewall is blocking the connection.
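The port lists in the -p 22,80 and -p 1-100 steps and the 192.168.1.0/24 target in this step are instances of Nmap's port and target specifications. The script below is an added example, not code from the lab or from the Nmap project, that expands those specifications the way Nmap does and counts the probes a combination implies, which is the number that makes --top-ports attractive on a whole subnet. It handles only the forms used in the lab (comma lists, ranges, -p- for all ports, and an IPv4 address or CIDR block); Nmap's hostnames, octet ranges such as 192.168.1.1-10 and T:/U: protocol prefixes are not parsed.

```python
"""Expanding Nmap-style port and target specifications into a scan plan.

Added example, not code from the lab or from Nmap. Supports the spec forms
used in the lab only.
"""
import ipaddress


def parse_port_spec(spec):
    """Expand "22,80", "1-100", "22,80,8000-8010" or "-" (every port) into a
    sorted, de-duplicated list of ints. Invalid input raises ValueError."""
    if spec.strip() == "-":  # nmap -p- means ports 1-65535
        return list(range(1, 65536))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def expand_targets(spec):
    """Expand an IPv4 address or CIDR block to the addresses Nmap would probe.
    Nmap scans every address in 192.168.1.0/24, network and broadcast
    included (the lab output says "256 IP addresses"), so iterate the whole
    network rather than .hosts(), which would drop .0 and .255."""
    network = ipaddress.ip_network(spec, strict=False)
    return [str(addr) for addr in network]


def scan_plan(target_spec, port_spec):
    """Combine both expansions and count the TCP probes the scan would send."""
    hosts = expand_targets(target_spec)
    ports = parse_port_spec(port_spec)
    return {"hosts": hosts, "ports": ports, "probes": len(hosts) * len(ports)}


if __name__ == "__main__":
    for target, ports in [("127.0.0.1", "1-100"),
                          ("192.168.1.1", "22,80"),
                          ("192.168.1.0/24", "-")]:
        plan = scan_plan(target, ports)
        print(f"{target:16} -p {ports:6} -> {len(plan['hosts'])} hosts x "
              f"{len(plan['ports'])} ports = {plan['probes']} probes")
```

The last line of the demo output is the point: a full-range scan of one /24 means over sixteen million probes, while --top-ports 10 on the same range is 2560, which is why the lab's subnet scan finishes in a few seconds.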

Check results in Xfce terminal

In this step, you will review the results of the Nmap scans you performed in the previous steps. The Xfce terminal displays the output of each command, allowing you to analyze the scan results and identify open ports and services on the target systems.

  1. Review the output of the TCP connect scan:

    Scroll back in the Xfce terminal to find the output of the command sudo nmap -sT 127.0.0.1. This scan used the TCP connect scan method to determine the state of ports on your local machine. Look for the STATE column to see whether a port is open, closed, or filtered.

  2. Review the output of the SYN scan:

    Find the output of the command sudo nmap -sS 192.168.1.1. This scan used the SYN scan method, which is generally faster and stealthier than the TCP connect scan. Again, examine the STATE column to determine the status of the scanned ports.

  3. Review the output of the specific port scan:

    Locate the output of the command sudo nmap -p 22,80 192.168.1.1. This scan targeted ports 22 and 80 on the specified IP address. Check the output to see if these ports are open, closed, or filtered.

  4. Review the output of the port range scan:

    Find the output of the command nmap -p 1-100 127.0.0.1. This scan scanned ports 1 through 100 on your local machine. Analyze the output to identify any open ports within this range.

  5. Review the output of the top ports scan:

    Locate the output of the command sudo nmap --top-ports 10 192.168.1.0/24. This scan scanned the top 10 most common ports on the specified network. Examine the output to see which of these ports are open on the hosts in the network.

By reviewing the results of these scans, you can see which services each host exposes to the network, which is the starting point for deciding whether each open port is intended, patched, and properly access-controlled. Remember that the specific output will vary depending on the configuration of your LabEx VM and the network you are scanning.
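Scrolling back through the terminal does not scale beyond a handful of hosts. Nmap can write the same results as XML with -oX, and the script below is an added example (not from the lab or the Nmap project) that parses that format, summarises open ports per host, and compares them to a saved baseline so that newly exposed services stand out. SAMPLE_XML is constructed by hand to resemble what -oX could emit for the --top-ports scan above; it is not real scan output, and the baseline dictionary in the demo is a hypothetical earlier result.

```python
"""Summarising Nmap -oX output and diffing it against a baseline.

Added example, not code from the lab or from Nmap. SAMPLE_XML is constructed
to resemble the element layout Nmap writes (nmaprun / host / status /
address / ports / port / state / service / extraports / runstats).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS --top-ports 10 -oX scan.xml 192.168.1.0/24" version="7.80">
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    <extraports state="filtered" count="7"/>
  </ports>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.2" addrtype="ipv4"/>
  <ports><extraports state="filtered" count="10"/></ports>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.1.3" addrtype="ipv4"/>
</host>
<runstats><hosts up="2" down="254" total="256"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per <host>: address, status and a list of port tuples
    (port, proto, state, service). In -sV scans the service names derive
    from the target's banners, so treat them as untrusted text; for XML from
    a source you do not control, parse with defusedxml instead."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        status = host.find("status").get("state")
        ports = []
        for port in host.iter("port"):
            service = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"),
                          service.get("name") if service is not None else ""))
        hosts.append({"addr": addr, "status": status, "ports": ports})
    return hosts


def open_ports_by_host(hosts):
    """{addr: [open ports]} for hosts that have at least one open port."""
    result = {}
    for h in hosts:
        opened = sorted(p for p, _, state, _ in h["ports"] if state == "open")
        if opened:
            result[h["addr"]] = opened
    return result


def new_exposure(baseline, current):
    """Ports open now that were not open in the baseline, per host."""
    diff = {}
    for addr, ports in current.items():
        added = sorted(set(ports) - set(baseline.get(addr, [])))
        if added:
            diff[addr] = added
    return diff


def scan_stats(text):
    """(up, down, total) from <runstats>; a scan of a range that is not
    there shows up here as 0 hosts up rather than as an empty table."""
    stats = ET.fromstring(text).find("runstats/hosts")
    return tuple(int(stats.get(k)) for k in ("up", "down", "total"))


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    current = open_ports_by_host(hosts)
    baseline = {"192.168.1.1": [22]}  # hypothetical earlier result
    print("open ports:", current)
    print("newly exposed since baseline:", new_exposure(baseline, current))
    print("hosts up/down/total:", scan_stats(SAMPLE_XML))
```

Run the same scan on a schedule with -oX, keep the previous open_ports_by_host() result as the baseline, and new_exposure() turns port scanning from a one-off exercise into a change detector for your own network.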

Summary

In this lab, you learned to conduct various port scans using Nmap. You performed a TCP connect scan with the -sT option on 127.0.0.1, understanding the full TCP three-way handshake involved. You also executed a SYN scan with -sS on 192.168.1.1, scanned specific ports with -p 22,80 on 192.168.1.1, scanned a port range with -p 1-100 on 127.0.0.1, and scanned top ports with --top-ports 10 on 192.168.1.0/24. All results were checked in the Xfce terminal.