This post will show you how to use NMAP to scan any port [TCP/UDP] on a target host in a network for ethical hacking and security audit purposes.
You can practice all NMAP commands in this guide by scanning the ports on your computer or use scanme.nmap.org as a target for your scans. But if you want to do this the right way, I recommend you set up your own virtual hacking lab in VirtualBox here.
This is a safe alternative if you don’t have another computer available to play with in your local network, or no VM test environment set up yet. If you don’t know how to find your IP address, HERE is a quick guide just for that.
Remember: unapproved vulnerability and port scanning on the Internet without permission can get you fired, banned by your ISP, or even jailed in some parts of the world [if you’re unlucky]. Don’t make the scan if you can’t do time.
Don’t have NMAP installed on your computer yet? Follow my installation guide for Windows, macOS, Linux, and FreeBSD here. It takes less than 5 minutes.
TIP: Run NMAP with root/Administrator privileges to get additional details of a target [e.g., MAC Address].
And with that out of the way, let’s get started.
There are 65,535 TCP ports and 65,535 UDP ports, a total of 131,070 ports, on a computer. A comprehensive list of all registered ports and the service assigned to each can be found on the official IANA website.
By default, NMAP scans only the 1000 most commonly used ports [ranked by the frequency data in its nmap-services file] to save time. The remaining ports are rarely used.
However, it can be helpful to scan outside the NMAP default range for uncommon services and vulnerabilities, for instance, if a port/service is forwarded to another machine.
We can use several NMAP command flags to scan specific TCP and UDP ports, as seen in Table 1.1 below.
| Description | NMAP Command Flag |
| --- | --- |
| Scan all ports | -p "*" |
| Scan top ports | --top-ports [number] |
| Scan specific ports | -p [port] |
| Scan ports by name | -p [name] |
| Scan ports by protocol | -p U:[UDP ports],T:[TCP ports] |
| Perform a fast scan | -F |
| Perform a sequential port scan | -r |
Let’s discuss each NMAP flag in the above table, their syntax, and use case.
Scan All Ports With NMAP
FLAG: -p "*"
Command syntax: nmap -p "*" [Target]
Description: Perform an NMAP scan of all 65,535 ports. This flag does not require elevated privileges, although without root the scan runs as a TCP connect scan [-sT] rather than a SYN scan [-sS].
The NMAP Scan All Ports flag scans all 65,535 ports on the target machine and outputs the open ports together with the service name NMAP associates with each port number [Figure 1.1]. Two caveats: NMAP probes only TCP unless you add -sU [see Scan Ports By Protocol below], so a plain -p "*" covers the TCP ports only, and the form NMAP’s own documentation uses for the full 1-65535 range is the bare dash, -p- [short for -p 1-65535].
Make sure the wildcard [*] is enclosed in straight double quotes ("*") or escaped as \*; otherwise your shell expands the * to the file names in the current directory before NMAP ever sees it, and NMAP rejects the resulting port specification with a syntax error, as seen in Figure 1.2 below.
Scan Top Ports With NMAP
Flag: --top-ports [Number]
Command Syntax: nmap --top-ports [Number] [Target]
Description: Perform an NMAP scan by specifying the number of top-ranked ports to scan.
The NMAP Scan Top Ports flag lets us choose how many of the top-ranked ports to scan; the ranking comes from the frequency column of NMAP’s nmap-services file, the same data the default 1000-port scan uses. For example, let’s assume we want to scan the 50 most commonly used ports.
The NMAP command for scanning the top 50 ports is shown below with the output in Figure 1.3.
nmap --top-ports 50 172.16.121.134
NOTE: Remember to replace the IP address in my example with your target IP address.
Let’s perform another scan, this time for the top 10000 commonly used ports on a target machine, using the NMAP command below; the output is shown in Figure 1.4.
nmap --top-ports 10000 172.16.121.134
NOTE: --top-ports 10000 means the 10000 highest-ranked ports, not the range 1 to 10000; --top-ports 10000 and -p 1-10000 scan different sets of ports.
Scan Specific Ports With NMAP
Command Syntax: nmap -p [Port] [Target]
Description: Perform an NMAP scan for a specified port or range of ports.
The Scan Specific Port(s) flag instructs NMAP to scan a single port, a comma-separated list of ports [no spaces], or a range of ports [e.g., 80-500] on a specified target. Check out the list of the most commonly hacked ports for your reference.
Let’s practice this method by instructing NMAP to scan a single port, e.g., port 80, using the following command with the output shown in Figure 1.5.
nmap -p 80 172.16.121.134
Next, let’s instruct NMAP to scan multiple or a range of ports, e.g., 25, 53, 80-500 using the command below with the output seen in Figure 1.6.
nmap -p 25,53,80-500 172.16.121.134
Scan Ports By Name With NMAP
Command Syntax: nmap -p [Port name(s)] [Target]
Description: Perform an NMAP scan for ports specified by service name rather than by number.
The NMAP Scan Ports By Name method uses the same -p flag as the previous method. Here we instruct NMAP to scan based on the service name [http,ftp,smtp] instead of the port number; NMAP resolves each name through its nmap-services file.
NOTE: When scanning multiple ports by name, separate the names with a comma and no spaces.
The name must match an entry in the nmap-services file exactly.
On Windows, nmap-services is in the Nmap installation folder [C:\Program Files\Nmap\ or C:\Program Files (x86)\Nmap\]. On Linux/UNIX, it is generally /usr/share/nmap/nmap-services [Kali Linux 2021].
Alternatively, you can access the list of NMAP port names included in the nmap-services file HERE.
Let’s instruct NMAP to scan the FTP and HTTP ports on a target using the following command, with the output shown in Figure 1.7.
nmap -p ftp,http 172.16.121.134
The -p flag also supports the wildcards * and ? in service names. Let’s select every service whose name starts with ftp [ftp, ftp-data, ftps, and so on] using the command below, with the output shown in Figure 1.8. Quote or escape the pattern, as with -p "*", so the shell does not expand it against file names in the current directory first.
nmap -p "ftp*" 172.16.121.134
Scan Ports By Protocol With NMAP
Additional Flags: U:[UDP Ports],T:[TCP Ports]
Command Syntax: nmap -p U:[UDP Ports],T:[TCP Ports] [Target]
Description: Search for a specific protocol and port combination.
As in previous examples, the Scan Ports By Protocol method uses the -p option followed by T: [for TCP ports] and U: [for UDP ports] flags. Simply said, we will instruct NMAP to scan for a specific TCP and UDP port on a target machine in a single command line.
Let’s execute a scan using this method for UDP port 53 [DNS] and TCP port 25 [SMTP], as shown in Figure 1.9 below. Pay attention to the NMAP WARNING message highlighted in yellow.
By default, NMAP runs only a TCP scan, so the U: part of the specification is ignored until we ask for a UDP scan as well. We do that by adding -sU for the UDP ports and a TCP scan type for the rest: -sT [connect scan], which needs no privileges, or -sS [SYN scan] when running as root. Note that -sU itself sends raw packets and therefore requires root/Administrator privileges, and that UDP scans are much slower than TCP scans because most UDP ports answer nothing and are reported as open|filtered.
So let’s run the command again, this time including the additional flags as shown below with the output in Figure: 1.10.
nmap -sU -sT -p U:53,T:25 172.16.121.134
Voilà! Both TCP port 25 and UDP port 53 were successfully scanned on the target machine.
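The three selection rules from the Scan Top Ports, Scan Ports By Name and Scan Ports By Protocol sections above can be seen working offline in the following shell script. It is an added example, not code from the original post or from the Nmap project: it resolves port specifications against a small hand-written excerpt in nmap-services format [the names, port numbers and frequency values are constructed for the demo, not Nmap’s survey data], ranks ports by frequency the way --top-ports does, matches service-name wildcards, assembles the U:/T: spec, and adds -sU only when the caller reports running as root. The target 192.0.2.10 is a documentation address; the script never runs nmap itself.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Nmap project: resolve
# -p style port specifications the way the sections above describe, against
# a constructed excerpt in nmap-services format (name port/proto frequency;
# the real file is tab-separated, awk treats tabs and spaces alike).
# The frequency values below are made up for the demo, not Nmap's survey data.
set -u

NMAP_SERVICES_SAMPLE='# constructed excerpt in nmap-services format
http      80/tcp    0.50     # World Wide Web HTTP
telnet    23/tcp    0.22
https     443/tcp   0.21
domain    53/udp    0.21
ftp       21/tcp    0.20     # File Transfer [Control]
ssh       22/tcp    0.18
smtp      25/tcp    0.13
domain    53/tcp    0.05
http-alt  8080/tcp  0.04
ftps      990/tcp   0.0014
ftp-data  20/tcp    0.0011
ftps-data 989/tcp   0.0001
ftp-proxy 8021/tcp  0.00004'

# entries_for PROTO: print "frequency port name" for every non-comment entry of PROTO.
entries_for() {
  printf '%s\n' "$NMAP_SERVICES_SAMPLE" |
    awk -v p="$1" '$1 !~ /^#/ { split($2, a, "/"); if (a[2] == p) print $3, a[1], $1 }'
}

# top_ports N PROTO: the N highest-frequency PROTO ports as a numerically sorted
# comma list. This is what --top-ports N selects; it is not the range 1-N.
top_ports() {
  entries_for "$2" | sort -k1,1nr | head -n "$1" | awk '{ print $2 }' |
    sort -n | paste -s -d ',' -
}

# glob_to_regex PATTERN: turn nmap's ? and * service-name wildcards into an
# anchored regular expression (a literal dot in a name is escaped).
glob_to_regex() {
  printf '^%s$' "$(printf '%s' "$1" | sed -e 's/[.]/\\./g' -e 's/\*/.*/g' -e 's/?/./g')"
}

# ports_by_name PATTERN PROTO: PROTO ports whose service name matches PATTERN,
# as a comma list (what -p "ftp*" selects; quote the pattern in a real shell
# so it is not expanded against file names first).
ports_by_name() {
  local re
  re=$(glob_to_regex "$1")
  entries_for "$2" | awk -v re="$re" '$3 ~ re { print $2 }' | sort -n | paste -s -d ',' -
}

# port_spec UDP_LIST TCP_LIST: assemble the U:...,T:... form; either list may be empty.
port_spec() {
  local out=""
  [ -n "$1" ] && out="U:$1"
  [ -n "$2" ] && out="${out:+$out,}T:$2"
  printf '%s' "$out"
}

# scan_command SPEC TARGET IS_ROOT: the nmap command line for SPEC. nmap probes
# U: ports only when -sU is present, and -sU (like -sS) needs raw sockets, so an
# unprivileged run gets -sT plus a warning instead of the UDP part.
scan_command() {
  local spec=$1 target=$2 is_root=$3 types
  if [ "$is_root" -eq 1 ]; then types="-sS"; else types="-sT"; fi
  case ",$spec" in
    *,U:*)
      if [ "$is_root" -eq 1 ]; then
        types="$types -sU"
      else
        printf 'warning: -sU needs root; the U: ports in %s will not be scanned\n' "$spec" >&2
      fi ;;
  esac
  printf 'nmap %s -p %s %s' "$types" "$spec" "$target"
}

# Demo against an RFC 5737 documentation address; nothing is actually scanned.
TARGET=192.0.2.10
printf 'top 3 tcp ports:  %s\n' "$(top_ports 3 tcp)"
printf 'ftp* tcp ports:   %s\n' "$(ports_by_name 'ftp*' tcp)"
SPEC=$(port_spec "$(ports_by_name domain udp)" "$(top_ports 2 tcp)")
printf 'as root:          %s\n' "$(scan_command "$SPEC" "$TARGET" 1)"
printf 'as a normal user: %s\n' "$(scan_command "$SPEC" "$TARGET" 0)"
```

Run it with bash or sh; it needs only awk, sed, sort, head and paste. Against the real /usr/share/nmap/nmap-services the same awk filters return far more ports for a pattern like ftp*, which is exactly why the wildcard forms deserve a quick dry run before they are handed to NMAP against a live target.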
Fast Scan Flag With NMAP
Command Syntax: nmap -F [Target]
Description: Perform a fast scan of only the 100 most commonly used ports. Does not require elevated privileges.
As explained in the previous sections, NMAP will scan by default only the commonly used 1000 ports.
The NMAP Fast Scan Flag reduces the number of ports scanned from 1000 to the 100 most commonly used ones and drastically cuts the time per scan, while still giving us valuable information on the open ports, listed in numerical order [Figure 1.11].
But wait! There’s a catch.
NMAP probes ports in random order and then sorts the final report numerically, so the report never shows the order in which the ports were actually scanned. To scan them in sequence instead, add -r [the Sequential Port Scan flag from Table 1.1]; combine it with -v [verbose mode] and NMAP prints each open port as it is discovered, so you can watch the sequential scan in real-time [Figure 1.12].
That’s it. By now, you should know how to use NMAP to scan any TCP and UDP port(s) on a target computer.
Before You Go
NMAP is one of the essential tools in any hacker’s arsenal, ethical or otherwise. And you know what they say: practice makes perfect. So go ahead and follow this guide a few more times to cement that knowledge.
I cover NMAP and other scanning tools and techniques quite deeply on this website. Check out my other posts to find more.
If you found this post useful, consider becoming my patron. Or, if it’s easier for you, buy me a coffee with crypto using one of the addresses below.
But most importantly, stay out of trouble.