Introduction

Nmap (Network Mapper) is the most widely used port scanner. By showing you which services a host actually exposes to the network, it tells you how well your firewall and security configuration are working in practice, not just how they are written.

This guide shows how to use Nmap on Linux to find open ports on a target system, from a single port up to all 65,535 TCP ports.

Prerequisites

  • Linux operating system
  • Access to a user account with sudo or root privileges
  • Access to a command line / terminal window
  • The apt package manager, included by default (Debian / Ubuntu)
  • The yum or dnf package manager, included by default (Red Hat, CentOS, Fedora)

What Are Ports?

A port is a 16-bit number (0 to 65535) that TCP and UDP use to direct traffic arriving at a host to a particular service. Different services listen on different ports by default.

For example, plain web traffic uses TCP port 80, while POP3 email uses TCP port 110. One of the ways a firewall works is by allowing or blocking traffic to a particular port.

Every open port is a service that can be reached from the network, and therefore potential attack surface. That is why it is critical to know which ports on a system are open and which are closed or blocked.

Install Nmap on Linux

To install Nmap on Ubuntu or Debian, access a terminal window and enter the following:

sudo apt-get update

sudo apt-get install nmap

To install Nmap on Red Hat/CentOS systems, access a terminal and enter the following:

sudo yum install nmap

On newer Red Hat-based systems (Fedora, RHEL 8 and later) dnf replaces yum:

sudo dnf install nmap

Check the installed version afterwards with nmap --version.

How To Scan Ports with Nmap

To scan a remote system, enter the following:

sudo nmap 192.168.0.1

Replace the IP address with the IP address of the system you are testing. This is the basic form of an Nmap command. By default it scans the 1,000 most common TCP ports and reports each one as open, closed, or filtered (no answer, typically because a firewall dropped the probe). Run as root, Nmap uses a SYN scan; as an unprivileged user it silently falls back to a slower TCP connect scan, which is why sudo is used here.

In addition to scanning by IP address, you can also use the following commands to specify a target:

nmap www.hostname.com – To scan a host by name

nmap 192.168.0.1-10 – To scan a range of IP addresses (.1 – .10)

nmap 192.168.0.0/24 – To scan a subnet in CIDR notation (here the 256 addresses 192.168.0.0 – 192.168.0.255; a shorter prefix such as /16 covers far more hosts and takes correspondingly longer)

nmap -iL textlist.txt – To scan targets listed in a text file, one per line

Note: The developers at nmap.org provide a test server, scanme.nmap.org, that you are permitted to scan. Use it to check that your Nmap installation works, but keep it to a few scans rather than repeated heavy scanning.

Scan a Single Port, All, or Series

Nmap can be used to scan a single port, a range of ports, or a list of ports:

Scan port 80 on the target system: nmap -p 80 192.168.0.1

Scan ports 1 through 200 on the target system: nmap -p 1-200 192.168.0.1

Scan a list of specific ports: nmap -p 22,80,443 192.168.0.1

Scan (Fast) only the 100 most common ports: nmap -F 192.168.0.1

Scan all ports (1 – 65535): nmap -p- 192.168.0.1 (port 0 is skipped unless you ask for it with -p0-)

Other Types of Nmap Port Scans

Different types of scans can be performed:

nmap -sT 192.168.0.1 – TCP connect scan. It completes the full three-way handshake with every port, so it needs no root privileges, but it is slower and each connection is visible in the target's application logs.

nmap -sS 192.168.0.1 – SYN (half-open) scan, the default when Nmap runs as root. It sends a SYN and judges the port from the reply (SYN/ACK means open, RST means closed) without completing the handshake, so it is faster and less likely to be logged by the service itself.

nmap -sU -p 80,130,255 192.168.0.1 – Scan UDP ports instead of TCP ports (the -p switch specifies ports 80, 130, and 255 in this example). UDP scans are slow: a closed port is inferred from an ICMP port-unreachable reply, and an open port often sends nothing at all, so Nmap reports it as open|filtered. Adding -sV helps by sending protocol-specific payloads that open services answer.

nmap -Pn -F 192.168.0.1 – Run a Fast scan on the target system, but skip host discovery. By default Nmap first checks that the host is up (as root it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request) and skips hosts that do not answer. Many firewalled servers answer none of these, so -Pn forces the port scan anyway.

The nmap utility can also identify the operating system of a target. The -A (aggressive) option turns on OS detection, service version detection, the default script scan, and traceroute all at once:

nmap -A 192.168.0.1

For OS detection alone use -O (requires root). To probe only for the services and versions listening on the open ports:

nmap -sV 192.168.0.1

Note: The -sV option can be tuned to be more or less aggressive. Use --version-intensity 2 to set the level of testing, replacing the number with a value from 0 (only the lightest probes) to 9 (run all probes); the default is 7. The more intense the testing, the longer the scan takes, and the more traffic the target sees.

Common Ports

Here is a brief list of standard ports and their designations (TCP unless noted):

  • 21 – FTP
  • 22 – SSH
  • 25 – SMTP (sending email)
  • 53 – DNS (Domain Name System; TCP and UDP)
  • 80 – HTTP (web server)
  • 110 – POP3 (email inbox)
  • 123 – NTP (Network Time Protocol; UDP)
  • 143 – IMAP (email inbox)
  • 443 – HTTPS (secure web server)
  • 465 – SMTPS (sending email over TLS)
  • 631 – IPP/CUPS (print server)
  • 993 – IMAPS (secure email inbox)
  • 995 – POP3S (secure email inbox)

A firewall can be configured to block all traffic to a particular port. If it blocks port 80 on a web server, for example, nobody can reach the site over plain HTTP. In practice firewall rules allow a short list of ports that are meant to be reachable and deny everything else, and an Nmap scan from outside is the simplest way to confirm that the rules do what you intended. Use the firewall in conjunction with other security tools, such as logging and intrusion detection, to inspect the traffic that does reach an allowed port and watch for suspicious activity.

Nmap Scanning Best Practices

You should only use Nmap port scanning on servers that you own, or that you have written permission to scan. Port scanning is often seen as hostile, or as the prelude to an attack, and will trigger intrusion detection alerts. It is also bad practice to tie up a server's resources by running repeated scans against the same target.

During a scan you may find unusual activity: for example, a service listening on a port where you did not expect one, or a well-known service such as SSH running on a port other than its default. Either should be investigated.

The OS and service detection options (-O, -sV, -A) are the tools for that follow-up: they tell you what is actually listening on the unexpected port. A service on a non-default port may be by design (SSH moved to 2222 to cut down log noise, a second web server on 8080), or it may be a backdoor or an unauthorised service left behind by a compromise. Compare what Nmap reports with what the system is supposed to run.
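The firewall check described at the start of this guide and the "service on an unusual port" investigation above are both easier to do with machine-readable output. What follows is an added example, not code from the Nmap project or from the original article: a POSIX shell script that parses Nmap's grepable output (-oG), lists open ports, flags any open TCP port that is missing from an allowlist of the ports the firewall is supposed to leave open, and flags well-known services answering on a port other than their default. The script name audit_ports.sh, the allowlist values and the embedded scan report are assumptions; the report is constructed for the demonstration and is not real scan output.

```shell
#!/bin/sh
# Added example (not part of Nmap or the original article): audit Nmap -oG output.
# To use on a real scan, pipe Nmap into the functions below, e.g. (assumed command line)
#   sudo nmap -sS -sV -oG - 192.168.0.1 | open_ports
# In grepable output each "Ports:" entry has the form
#   port/state/protocol/owner/service/rpc-info/version/
# entries are separated by ", " and the line's fields are tab-separated.

# Constructed sample of a -oG report (assumed host, services and versions; not a real scan).
sample_scan() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.168.0.1'
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 25/filtered/tcp//smtp///, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, 2222/open/tcp//ssh//OpenSSH 8.9p1/, 8080/open/tcp//http-proxy//Squid 5.2/\tIgnored State: closed (994)\n'
  printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 5.00 seconds'
}

# Print "host port proto service" for every port reported as open in -oG input on stdin.
# Filtered and closed ports are dropped; a missing service name becomes "unknown".
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/.*Ports: /, "", line)           # keep only the port list
      sub(/\tIgnored State:.*/, "", line)  # drop the trailing summary, if present
      n = split(line, entry, /, /)
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")            # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open")
          printf "%s %s %s %s\n", host, f[1], f[3], (f[5] == "" ? "unknown" : f[5])
      }
    }'
}

# Report open TCP ports that are not in the comma-separated allowlist $1
# (the ports the firewall is supposed to leave open, e.g. "22,80,443").
unexpected_ports() {
  open_ports | awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 == "tcp" && !($2 in ok) { print }'
}

# Report well-known services answering on a port other than their default,
# e.g. ssh on 2222. Unknown service names (like http-proxy) are left alone.
nonstandard_services() {
  open_ports | awk '
    BEGIN {
      std["ftp"] = 21; std["ssh"] = 22; std["smtp"] = 25; std["domain"] = 53
      std["http"] = 80; std["pop3"] = 110; std["imap"] = 143; std["https"] = 443
    }
    ($4 in std) && $2 != std[$4] {
      printf "%s %s/%s runs %s (default %s)\n", $1, $2, $3, $4, std[$4]
    }'
}

# Stand-alone demo on the constructed sample: sh audit_ports.sh --demo
if [ "${1:-}" = "--demo" ]; then
  echo "== open ports";             sample_scan | open_ports
  echo "== not on allowlist";       sample_scan | unexpected_ports "22,80,443"
  echo "== services off default";   sample_scan | nonstandard_services
fi
```

Run sh audit_ports.sh --demo to see the three reports on the constructed sample (2222 and 8080 are not on the allowlist, and SSH on 2222 is flagged as off its default port). For a real host, source the script with . ./audit_ports.sh and pipe sudo nmap -sS -sV -oG - target into open_ports or unexpected_ports. Nmap documents -oG as deprecated in favour of XML (-oX), but it is still produced by current versions and is the easiest format to handle in a shell one-liner.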

Ports have a conventional usage. Ports below 1024 are the "well-known" ports, registered with IANA for specific services, and on Linux only root (or a process with the CAP_NET_BIND_SERVICE capability) can listen on them. Ports from 1024 up are registered or dynamic, which is where most custom and non-default services appear.

Conclusion

You should now have a good overview of Nmap scanning and how to use it to test ports on Linux. You should also understand what ports are, and why it is important to know which ones are open on a system and what is listening behind them.

Nmap is a versatile addition to any system administrator's toolkit for troubleshooting connectivity and finding services exposed by mistake.