Nmap - Port Specification


Let's dig in deep with Port Specifications. Nmap offers options/commands for specifying which ports are scanned and whether the scan order should be sequential or randomized. By default, Nmap scans the most common 1,000 ports for each protocol.
Alert: Use Nmap as a root user. If you do not have root access, type sudo before every Nmap command.
First things first, you can use the help command for Nmap by typing nmap -h


Only Scan Specified ports (-p)

  • This option specifies which ports you want to scan and overrides the default.
  • You can define individual value separated by comma (,) or ranges can be used separated by a hyphen (-). Example (This will scan ports from 5 till 1010 and from 1024 till 1050. This will be an SYN scan which is the default).
nmap <IP> -p5-1010,1024-1050
  • The beginning and/or end values of a range may be omitted. Which will make Nmap scan 1 and 65535, respectively. Examples:
    • nmap <IP> -p- (This will scan all ports from 1 to 65535)
    • nmap <IP> -p-2000 (This will scan all ports from 1 as there is no initial value till 2000)
    • nmap <IP> -p0- (This will scan all ports from 0 as it is defined explicitly till 65535)
    • For the IP protocol (-sO) option, specify the protocol numbers you wish to scan for between 0–255
  • When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers by
    • T: for TCP
    • U: for UDP
    • S: for SCTP
    • P: for IP Protocol
    • Example (You can define any ports you want but note that to scan both UDP and TCP, you have to specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol lists.
nmap <IP> -p U:53,111,137,5353,T:21-25,80-139-8080 -sU -sS
  • Ports can also be specified by name according to what the port is referred to in the nmap-services. You can use * with the name. Example - To scan FTP and all ports whose names begin with http
nmap <IP> -p ftp,http*

Exclude the specified ports (--exclude-ports)

  • This can be used to define which ports you want to exclude from Nmap to scan. 
  • The <port_ranges> are specified similar to -p.
  • For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to exclude between 0–255.
  • When excluded, they will be excluded from all types of scans (i.e. they will not be scanned under any circumstances). This also includes the discovery phase.

Don't Randomize Ports (-r)

  • By default, Nmap randomizes the scanned port order.
  • This randomization is normally desirable, but you can specify this option for sequential (sorted from lowest to highest) port scanning instead.
If you want to know what is going on during the scan. Add the -v command, which is for verbosity. It has three levels: -v, -vv, -vvv. More v's means more verbose. If you chose one level of verbose you can press in the middle of the scan to increase the verbosity.

Similarly, -d command, which is for debugging. It has 9 levels and can be defined as -d1 till -d9. That is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.

To know the percentage of completion, you can press any key in the middle of the scan and it will display the percentage.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment