HOW TO USE NMAP TO SCAN ANY PORT [UDP/TCP] [2021]

This post will show you how to use NMAP to scan any port [TCP/UDP] on a target host in a network for ethical hacking and security audit purposes. 

You can practice all NMAP commands in this guide by scanning the ports on your computer or use scanme.nmap.org as a target for your scans. But if you want to do this the right way, I recommend you set up your own virtual hacking lab in VirtualBox here.

This is a safe alternative if you don’t have another computer available to play within your local network or no VM test environment set up yet. If you don’t know how to find your IP address, HERE is a quick guide just for that.

Remember: unapproved vulnerability and port scanning on the Internet without permission can get you fired, banned by your ISP, or even jailed in some parts of the world [if you’re unlucky]. Don’t make the scan if you can’t do time.

Don’t have NMAP installed on your computer yet? Follow my installation guide for Windows, macOS, Linux, and FreeBSD here. It takes less than 5 minutes. 

TIP: Run NMAP with root/Administrator privileges to get additional details of a target [e.g., MAC Address].

And with that out of the way, let’s get started.

Quick Overview

There are 65,535 TCP and 65,535 UDP – a total of 131,070 ports available in a computer. A comprehensive list of all posts and descriptions for each can be found on the official IANA website.

By default, NMAP will scan only the most commonly used 1000 ports to save time. The rest of the ports are rarely used. 

However, it can be helpful to scan outside the NMAP default range for uncommon services and vulnerabilities, for instance, if a port/service is forwarded to another machine.  

We can use several NMAP command flags to scan specific TCP and UDP ports, as seen in Table 1.1 below.

DescriptionNMAP Command Flag
Scan all ports-p “*”
Scan top ports–top-ports [number]
Scan specific ports-p [port]
Scan ports by name-p [name]
Scan ports by protocol -p U:[UDP ports],T:[TCP ports]
Perform a fast scan-F
Perform a sequential port scan-r
Table 1.1: [NMAP Scan Any Port]: Flags summary

Let’s discuss each NMAP flag in the above table, their syntax, and use case. 

Scan All Ports With NMAP

FLAG: -p “*”

Command syntax: nmap -p “*” [Target] 

Description: Perform NMAP scan for all 65,535 TCP/UDP ports. This command do does not mandate elevated privileges.

The NMAP Scan All Ports flag will produce a scan for all 65,535 TCP and UDP ports on a target machine and output a list of open ports as well as the services running on a specific port [Figure 1.1].

[NMAP Scan Any Port]: Scan All Ports example. Source: nudesystems.com
Figure 1.1: [NMAP Scan Any Port]: Scan All Ports example. 

Make sure your wildcard [*] statement is enclosed in quotes (“”); otherwise, NMAP will throw a syntax error, as seen in Figure 1.2 below.

[NMAP Scan Any Port]: Use of wrong wildcard quotes. Source: nudesystems.com
Figure 1.2: [NMAP Scan Any Port]: Use of wrong wildcard quotes.

Scan Top Ports With NMAP

Flag: –top-ports [Number]

Command Syntax: nmap –top-ports [Number] [Target] 

Description: Perform an NMAP scan by specifying the number of top-ranked ports to scan. 

The NMAP Scan Top Ports flag allows us to define the number of top-ranked ports to scan. For example, let’s assume we want to scan the top commonly used 50 ports. 

The NMAP command for scanning the top commonly used ports is shown below with the output in Figure 1.3.

nmap – top-ports 10000 172.16.121.134

NOTE: Remember to replace the IP address in my example with your target IP address. 

[NMAP Scan Any Port]: Scan top 50 most commonly used ports. Source: nudesystems.com
Figure 1.3: [NMAP Scan Any Port]: Scan top 50 most commonly used ports.

Let’s perform another scan, this time for the top 10000 commonly used ports on a target machine using the NMAP command below and the output shown in Figure 1.4

nmap – top-ports 10000 172.16.121.134
[NMAP Scan Any Port]: Scan the top 10000 top ports. Source: nudesystems.com
Figure 1.4: [NMAP Scan Any Port]: Scan the top 10000 top ports.

NOTE: Top commonly used ports e.g., 10000, do not refer to the range of ports starting with, e.g., 1 to 10000. 

Scan Specific Ports With NMAP

Flag: -p

Command Syntax: nmap -p [Port] [Target]

Description: Perform an NMAP scan for a specified port or range of ports.

The Scan Specific Port(s) flag instructs NMAP to perform a scan on a single port or multiple ports [separated by a comma and no spaces] on a specified target. Check out the list of the most commonly hacked ports for your reference.

Let’s practice this method by instructing NMAP to scan a single port, e.g., port 80, using the following command with the output shown in Figure 1.5. 

nmap -p 80 172.16.121.134
[NMAP Scan Any Port]: Scan port 80. Source: nudesystems.com
Figure 1.5: [NMAP Scan Any Port]: Scan port 80.

Next, let’s instruct NMAP to scan multiple or a range of ports, e.g., 25, 53, 80-500 using the command below with the output seen in Figure 1.6.

nmap -p 25,53,80-500 172.16.121.134
[NMAP Scan Any Port]: Scan port 80. Source: nudesystems.com
Figure 1.6: [NMAP Scan Any Port]: Scan port 80.

Scan Ports By Name With NMAP

Flag: -p

Command Syntax: nmap -p [Port name(s)] [Target]

Description: Perform an NMAP scan for a specified port or ports.

The NMAP Scan Ports By Name uses the same -p flag as used in the previous method. Here we will instruct NMAP to scan based on the port name [http,ftp,smtp] and not a number. 

NOTE: When scanning multiple ports by name, make sure you separate the name with a comma and no spaces.

The port name must match the exact name as specified in the nmap-service file.

On Windows, you can find the nmap-service file in the c:\Program Files\Nmap\ folder. On Linux/UNIX, the nmap-service file is generally located in /usr/share/nmap folder [Kali Linux 2021].

Alternatively, you can access the list of NMAP port names included in the nmap-service file HERE.

Let’s instruct NMAP to scan the FTP [21] and HTTP [80] ports on a target using the following command and the output shown in Figure 1.7.

nmap -p ftp,http 172.16.121.134
[NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name. Source: nudesystems.com
Figure 1.7: [NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name.

This NMAP command flag also supports wildcard. Let’s filter all the FTP ports using the command below with the output shown in Figure 1.8.

nmap -p ftp* 172.16.121.134
[NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name wildcard. Source: nudesystems.com
Figure 1.8: [NMAP Scan Any Port]: Scan FTP and HTTP ports using the port name wildcard.

Scan Ports By Protocol With NMAP

Flag: -p 

Additional Flags: U:[UDP Ports],T:[TCP Ports]

Command Syntax: nmap -p U:[UDP Ports],T:[TCP Ports] [Target]

Description: Search for a specific protocol and port combination. 

As in previous examples, the Scan Ports By Protocol method uses the -p option followed by T: [for TCP ports] and U: [for UDP ports] flags. Simply said, we will instruct NMAP to scan for a specific TCP and UDP port on a target machine in a single command line. 

Let’s execute a scan using this method for UDP port 53 [DNS] and TCP port 25 [SMTP], as shown in Figure 1.9 below. Pay attention to the NMAP WARNING message highlight in yellow.

 [NMAP Scan Any Port]: Scan ports by protocol. Source: nudesystems.com
Figure 1.9: [NMAP Scan Any Port]: Scan ports by protocol.

By default, NMAP scans only the TCP ports. We need to instruct NMAP to check the UDP ports as well. To do that, we need to enforce our command with the additional -sU and -sT flags.

So let’s run the command again, this time including the additional flags as shown below with the output in Figure: 1.10.

nmap -sU -sT -p U:53,T:25 172.16.121.134
[NMAP Scan Any Port]: Scan ports by protocol. Source: nudesystems.com
Figure 1.10: [NMAP Scan Any Port]: Scan ports by protocol.

Voilà! Both TCP port 25 and UDP port 53 were successfully scanned on the target machine. 

Fast Scan Flag With NMAP

FLAG: -F

Command Syntax: nmap -F [Target] 

Description: Perform a fast scan of only 100 most commonly used ports. Do not mandate elevated privileges.

As explained in the previous sections, NMAP will scan by default only the commonly used 1000 ports. 

The NMAP Fast Scan Flag will reduce the number of ports scanned from 1000 to 100 [commonly used ports] and drastically improve the time per scan while still providing us valuable information on the open ports in numerical order [Figure 1.11].

[NMAP Scan Any Port]: Fast Scan Flag. Source: nudesystems.com
Figure 1.11: [NMAP Scan Any Port]: Fast Scan Flag.

But wait! There’s a catch.

Each time NMAP shows an output will automatically sort the final result. We can use the additional flag -v [verbose mode] and see the sequential port scan in real-time [Figure 1.12].

[NMAP Scan Any Port]: Example of a sequential port scan in verbose mode. Source: nudesystems.com
Figure 1.12: [NMAP Scan Any Port]: Example of a sequential port scan in verbose mode.

That’s it. By now, you should know how to use NMAP to scan any TCP and UDP port(s) on a target computer.

Before You Go

NMAP is one of the essential tools in any hacker’s arsenal, ethical or otherwise. And you know what they say: practice makes us perfect. So go ahead and follow this guide a few times more to cement that knowledge.

I cover NMAP and other scanning tools and techniques quite deeply on this website. Check out my other posts to find more. 

If you found this post useful, consider becoming my patron. Or, if it’s easier for you, buy me a coffee with crypto using one of the addresses below. 

But most importantly, stay out of trouble.

Become a Patron!

  • Bitcoin
  • Ethereum
  • Monero
Scan to Donate Bitcoin to bc1qytp4akadp5lash9pd6rvnrjlnm8920fza5zchc

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0xB8109313e704a2B0aB1a70d67baB66a2Fd3b590d

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Monero to 47tC9drbgyaerFMu8s9XqsaAuY4K6rgC9UDM3yHhbyWP9pUNwdAH7kEMuDbFMEgiY3JgYgQipwZoWSLSZAsUvkkjQmHLj6r

Donate Monero to this address

Scan the QR code or copy the address below into your wallet to send some Monero