Scan with Custom Ports in Nmap


Introduction

In this lab, you will learn how to scan custom ports using Nmap, a powerful network scanning tool. The lab focuses on specifying target ports for scanning, combining custom port scanning with SYN scans for efficiency, and saving scan results for later analysis.

You'll start by scanning specific ports like 1000 and 2000 on localhost (127.0.0.1) using the -p option. Then, you'll combine this with a SYN scan (-sS) to scan a range of ports, such as 1000-2000. The lab also covers adding verbosity with the -v option and saving the scan results to a file using the -oN option. Finally, you'll review the saved results and compare them with a scan of top ports.



Scan custom ports with nmap -p 1000,2000 192.168.1.1

In this step, we will learn how to scan specific ports on a target machine using Nmap. Nmap is a powerful network scanning tool used to discover hosts and services on a computer network by sending packets and analyzing the responses. By default, Nmap scans a set of well-known ports. However, you can customize the scan to target specific ports of interest.

To scan custom ports, you can use the -p option followed by a comma-separated list of port numbers or a range of ports.

The step title shows 192.168.1.1 as an example target address. Since this is a lab environment, we will use 127.0.0.1 (localhost) as the target for demonstration purposes, which means we will scan the machine we are currently working on.

Open your Xfce terminal and execute the following command:

nmap -p 1000,2000 127.0.0.1

This command tells Nmap to scan ports 1000 and 2000 on the localhost (127.0.0.1).

You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000082s latency).

PORT     STATE  SERVICE
1000/tcp closed unknown
2000/tcp closed cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

The output shows the state of each scanned port. In this example, both ports are closed, meaning the host answered each probe with a RST: the port is reachable but nothing is listening on it. If a service were listening on either port, the state would show as open; a state of filtered would mean the probe was dropped (typically by a firewall) and no reply came back.

Now, let's try scanning a range of ports.

Combine with SYN scan using nmap -sS -p 1000-2000 127.0.0.1

In this step, we will combine custom port scanning with a SYN scan. A SYN scan, also known as a half-open scan, sends a SYN packet to each target port and classifies the port from the reply (SYN/ACK for open, RST for closed) without completing the TCP handshake. Because no connection is ever established, the scan is faster than a full TCP connect scan, and the probed application never sees a connection, so it typically does not log one; the half-open probes are still visible to packet-level monitoring such as an IDS.

The -sS option in Nmap specifies a SYN scan. We will use this option along with the -p option to scan a specific range of ports.

Open your Xfce terminal and execute the following command:

sudo nmap -sS -p 1000-2000 127.0.0.1

This command tells Nmap to perform a SYN scan on ports 1000 through 2000 on the localhost (127.0.0.1). You will need sudo privileges to perform a SYN scan, as it requires sending raw packets.

You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
1000/tcp open  iss-realsecure

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

The output shows the state of each scanned port within the specified range. In this example, port 1000 is open. The SERVICE column shows iss-realsecure, which is the name Nmap associates with port 1000 in its nmap-services file, not a detected service (use -sV if you want Nmap to probe the listener and identify it). The other 999 ports are closed; the "Not shown: 999 closed ports" message indicates that Nmap suppresses the display of closed ports to reduce clutter.

Add verbosity with nmap -v -p 1000,2000 192.168.1.1

In this step, we will add verbosity to our Nmap scan. Verbosity increases the amount of information Nmap provides during the scan. This can be helpful for understanding what Nmap is doing and for troubleshooting any issues.

The -v option in Nmap enables verbose mode. Using -v once increases the verbosity level. You can use -vv or even -vvv for even more detailed output.

Open your Xfce terminal and execute the following command:

nmap -v -p 1000,2000 127.0.0.1

This command tells Nmap to scan ports 1000 and 2000 on the localhost (127.0.0.1) and to provide verbose output.

You should see output similar to this (the exact output may vary; without sudo, Nmap runs a Connect Scan instead of the SYN Stealth Scan shown here):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Initiating Ping Scan at 10:10
Scanning localhost (127.0.0.1) [4 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:10
Completed Parallel DNS resolution of 1 host. at 10:10, 0.00s elapsed
Initiating SYN Stealth Scan at 10:10
Scanning localhost (127.0.0.1) [2 ports]
Discovered open port 1000/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:10, 0.06s elapsed (2 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).

PORT     STATE SERVICE
1000/tcp open  iss-realsecure
2000/tcp closed cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Notice the additional information provided by Nmap, such as the scan initiation time, the type of scan being performed, and the elapsed time. This verbose output can be very useful for understanding the scan process and identifying potential problems.

Save custom port scan with nmap -p 1000-2000 -oN custom_ports.txt 127.0.0.1

In this step, we will save the results of our custom port scan to a file. This is useful for later analysis or for sharing the results with others.

The -oN option in Nmap writes the output in normal format (the same text you see on the terminal) to the specified file. Nmap also offers -oX (XML), -oG (grepable) and -oA (all three at once) when the results are meant to be processed by other tools.

Open your Xfce terminal and execute the following command:

nmap -p 1000-2000 -oN custom_ports.txt 127.0.0.1

This command tells Nmap to scan ports 1000 through 2000 on the localhost (127.0.0.1) and to save the results in normal format to a file named custom_ports.txt in your current directory (~/project).

After the scan completes, you can view the contents of the file using the cat command:

cat custom_ports.txt

You should see the Nmap scan results in the terminal, similar to what you would see if you ran the scan without the -oN option. The difference is that the results are now also saved in the custom_ports.txt file.

The output will look something like this:

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
1000/tcp open  iss-realsecure

## Nmap done at Fri Oct 27 10:15:00 2023 -- 1 IP address (1 host up) scanned in 0.25 seconds

Review custom port results in Xfce terminal

In this step, we will review the results of the custom port scan that we saved to the custom_ports.txt file in the previous step. We will use the cat command to display the contents of the file in the Xfce terminal.

Open your Xfce terminal and execute the following command:

cat custom_ports.txt

This command will display the contents of the custom_ports.txt file in the terminal. You should see the Nmap scan results, including the open and closed ports that were found during the scan.

The output will look something like this:

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
1000/tcp open  iss-realsecure

## Nmap done at Fri Oct 27 10:15:00 2023 -- 1 IP address (1 host up) scanned in 0.25 seconds

Examine the output to identify the open ports. In this example, port 1000 is open. The "SERVICE" column provides a hint about the service that might be running on that port. In this case, it suggests "iss-realsecure".

You can also use other command-line tools like grep to filter the results and find specific information. For example, to find all lines containing the word "open", you can use the following command:

grep open custom_ports.txt

This will output only the lines from custom_ports.txt that contain the word "open".

1000/tcp open  iss-realsecure

This allows you to quickly identify the open ports from the scan results.

Compare with top ports scan in Xfce terminal

In this step, we will perform a fast scan of the most common ports and compare the results with our previous custom port scan. This will show whether the services found on the custom ports would also have turned up in a scan of commonly used ports.

First, run a fast scan of the most common ports on the localhost (127.0.0.1) using the following command:

nmap -F 127.0.0.1

The -F option tells Nmap to scan fewer ports than the default: the 100 most common ports, ranked by the frequency data in the nmap-services file. Without -F, Nmap scans the top 1000 ports; you can also set the number explicitly with the --top-ports 1000 option. However, for this lab, we will stick to the -F option for a faster scan.

The output will look something like this:

Starting Nmap 7.80 ( https://nmap.org ) at Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

Now, let's compare these results with the results from our custom port scan in custom_ports.txt. We know from the previous step that port 1000 was open. Let's check if the top ports scan also found port 1000 to be open.

You can use the grep command to search for port 1000 in the output of the top ports scan. Since the output is directly printed to the terminal, we can pipe the output to grep:

nmap -F 127.0.0.1 | grep 1000

If the command prints a line such as 1000/tcp ..., port 1000 was scanned in the top ports scan and reported open. If it prints nothing, port 1000 either was not among the scanned top ports or was scanned and found closed, in which case Nmap suppresses its line.

In this case, you will likely not see any output, because port 1000 is not a common port. This demonstrates the difference between scanning common ports and scanning custom ports. Scanning common ports is useful for quickly identifying well-known services, while scanning custom ports is useful for finding less common or intentionally hidden services.
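The review and comparison steps above read the saved -oN files by eye or with a bare grep. The following shell script is an added example, not part of the original lab: it works on constructed copies of the two scan files (modelled on the sample output above), extracts open ports by matching the PORT column rather than the word "open", reports one port's state, and lists ports that are open only in the custom scan; the function names are our own.

```shell
#!/bin/sh
# Added example (not part of the original lab): parse Nmap -oN (normal) output files,
# list the ports reported open, report one port's state and compare two scans.
# The two scan files are constructed from the lab's sample output; function names are ours.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/custom_ports.txt" <<'EOF'
# Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023 as: nmap -p 1000-2000 -oN custom_ports.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
1000/tcp open  iss-realsecure
# Nmap done at Fri Oct 27 10:15:00 2023 -- 1 IP address (1 host up) scanned in 0.25 seconds
EOF
cat > "$WORK/top_ports.txt" <<'EOF'
# Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023 as: nmap -F -oN top_ports.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
# Nmap done at Fri Oct 27 10:20:00 2023 -- 1 IP address (1 host up) scanned in 0.25 seconds
EOF

# Port numbers reported open, one per line. Matching the PORT column with a pattern
# (rather than a bare `grep open`) keeps header, "Not shown" and SERVICE-name lines out.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { sub(/\/.*/, "", $1); print $1 }' "$1"
}

# State of one TCP port ("open", "closed", "filtered"), or "not-listed" when the port
# was not scanned or its closed/filtered line was suppressed by Nmap.
port_state() {
    state=$(awk -v p="$2/tcp" '$1 == p { print $2 }' "$1")
    printf '%s\n' "${state:-not-listed}"
}

# Open ports in the first scan file that the second scan file does not report open.
open_only_in_first() {
    open_ports "$1" | sort > "$WORK/first.lst"
    open_ports "$2" | sort > "$WORK/second.lst"
    comm -23 "$WORK/first.lst" "$WORK/second.lst"
}

port_state "$WORK/top_ports.txt" 1000                                # prints: not-listed
open_only_in_first "$WORK/custom_ports.txt" "$WORK/top_ports.txt"    # prints: 1000
```

Replace the two heredocs with real -oN files from your own scans to compare them the same way.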

Summary

In this lab, we learned how to scan specific ports on a target machine using Nmap's -p option, specifying individual ports or a range. We practiced scanning ports 1000 and 2000, and then a range from 1000 to 2000, using localhost (127.0.0.1) as the target.

Furthermore, we combined custom port scanning with a SYN scan using the -sS option, allowing for a faster and less detectable scan of the specified port range. The lab demonstrated how to target specific ports of interest and analyze the scan results to determine the state of each port.