Port Scan

A port scan using Nmap is the process of scanning a target system's network ports to determine which are open, closed, or filtered. This helps identify the services running on a device by checking for active ports that correspond to specific services (e.g., HTTP on port 80). Nmap sends probes to the target’s ports and analyzes the responses to assess the state of each port, providing valuable insights for network security, troubleshooting, and reconnaissance.

nmap [IP]

If no specific scan type flag is provided, Nmap performs a SYN scan by default. This scan is fast and stealthy, as it sends a SYN packet to initiate a connection but doesn’t complete the handshake, making it less likely to be logged by the target system.

Windows systems typically block ICMP echo (ping) requests for security reasons, so traditional ping-based host discovery may fail against them.

The -Pn option in Nmap disables ping checks and treats all hosts as "up" without trying to ping them first. This is useful when scanning hosts that block ICMP pings, like many Windows machines.

By default, Nmap scans the 1,000 most common ports for both TCP and UDP. These are the ports that are most frequently used by services, making it an efficient way to discover open ports without scanning all 65,535 possible ports on a system.

nmap -Pn [IP]

# scan all ports
nmap -Pn -p- [IP]

# specify ports
nmap -Pn -p80,443,3389 [IP]

Basic Port Scan Commands

A fast scan of the most commonly used ports, skipping host discovery (ping checks).

nmap -Pn -F [IP]

Performs a UDP port scan to discover open UDP ports on the target.

nmap -Pn -sU [IP]

TCP SYN scan (stealth scan) of the most common ports (-F). It skips the ping check (-Pn) and requires sudo because it sends raw packets. After receiving a SYN-ACK it replies with an RST (reset) instead of completing the handshake.

nmap -Pn -sS -F [IP]

TCP Connect scan performs a full TCP three-way handshake, which makes it slower, but it does not require root privileges. It sends an ACK at the end of the handshake.

nmap -Pn -sT [IP]

Port Scanning Techniques

The table below summarizes the scan types, the flags exchanged, and why each is used:

Port Scan Type          | Flag Sent First | Flag Replied from Port                                       | Final Flag Sent | Why Scan Like This
------------------------|-----------------|--------------------------------------------------------------|-----------------|-------------------------------------------------------------------------------------------
TCP SYN Scan (-sS)      | SYN             | SYN-ACK (if open) / RST (if closed)                          | RST             | Stealthy, doesn't complete 3-way handshake; faster and avoids detection. Requires sudo.
TCP Connect Scan (-sT)  | SYN             | SYN-ACK (if open) / RST (if closed)                          | ACK             | Completes the full TCP handshake; does not need root privileges. Slower but reliable.
UDP Scan (-sU)          | UDP packet      | No response (if open) / ICMP Port Unreachable (if closed)    | None            | Checks for open UDP ports; slower and less reliable due to lack of responses.
TCP ACK Scan (-sA)      | ACK             | RST (if unfiltered) / No response (if filtered)              | None            | Used to map firewall rules; determines if a port is filtered (by firewall) or unfiltered.
TCP Xmas Scan (-sX)     | FIN, PSH, URG   | No response (if open) / RST (if closed)                      | None            | Used to bypass firewalls; stealthy because many systems don't log Xmas packets.
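Read from the defender's side, the flag sequences in the table also tell a SYN scan apart from a connect scan in packet-level logs: after the target's SYN-ACK, a SYN scanner sends RST while a connect scanner sends ACK, and either one touches far more ports than a normal client. The Python below is an added example, not code from this page; the log format, the sample records, the MIN_PORTS threshold and the function names are all assumptions.

```python
from collections import defaultdict

# Constructed packet-level records as a firewall or capture on the target might
# log them: "<seq> <src_ip> <dst_port> <flags>", flags sent BY the remote host.
SAMPLE_LOG = """\
1 10.0.0.5 22 S
2 10.0.0.5 22 R
3 10.0.0.5 80 S
4 10.0.0.5 80 R
5 10.0.0.5 443 S
6 10.0.0.9 22 S
7 10.0.0.9 22 A
8 10.0.0.9 80 S
9 10.0.0.9 80 A
10 10.0.0.9 8080 S
11 10.0.0.9 8080 A
12 10.0.0.7 80 S
13 10.0.0.7 80 A
"""

MIN_PORTS = 3  # distinct ports probed by one source before we call it a scan

def parse_log(text):
    # Yield (src_ip, dst_port, flags) from the constructed log format above.
    for line in text.splitlines():
        if line.strip():
            _seq, src, port, flags = line.split()
            yield src, int(port), flags

def classify_sources(records, min_ports=MIN_PORTS):
    """Per source: what did it send after its SYN on each port?
    RST after SYN-ACK = half-open SYN scan (-sS); ACK = full handshake, the
    connect scan (-sT) pattern; nothing = target replied RST or stayed silent."""
    follow = defaultdict(dict)  # src -> {port: first flag sent after the SYN}
    for src, port, flags in records:
        if flags == "S":
            follow[src].setdefault(port, None)
        elif follow[src].get(port, "") is None:
            follow[src][port] = flags
    result = {}
    for src, ports in follow.items():
        if len(ports) < min_ports:
            continue  # a few ports from one host is ordinary client traffic
        half_open = sum(1 for f in ports.values() if f == "R")
        completed = sum(1 for f in ports.values() if f == "A")
        verdict = ("syn_scan" if half_open and not completed else
                   "connect_scan" if completed and not half_open else "mixed")
        result[src] = {"ports": len(ports), "half_open": half_open,
                       "completed": completed, "verdict": verdict}
    return result
```

A SYN with no follow-up from the scanner (port 443 above) is what the target sees when it replied RST or, as in the "filtered" case, did not reply at all.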

'filtered'

In Nmap results, "filtered" means that Nmap is unable to determine whether the port is open or closed because the probes sent to the port are being blocked by a firewall or filtering device. No response was received, indicating that the port is either protected by a security device or simply not responding.

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
22/tcp  closed   ssh
