Port scanning systems isn’t just something that happens in Hollywood, it’s a legitimate function of network security. Many security audits require you to disclose the open ports on your network, and it’s always worth a periodic scan of your systems to ensure things are actually how you’ve configured them.
Unlike many of our command-line basics posts, Nmap isn’t standard issue on Unix-like systems and will need to be installed.
Fortunately, it’s a pretty popular project, so it’s readily available for most operating systems, often times by way of the system’s package manager.
Also worth noting, Nmap does have a GUI front-end, if that’s your thing :)
🐊 Alligator.io recommends ⤵Learn Node, a video course by Wes Bos
Port scanning your local system
The easiest way to give
nmap a try, is by scanning your own system, also known as
localhost or by the IP addresses
$ nmap 0.0.0.0 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:16 CDT Nmap scan report for 0.0.0.0 Host is up (0.00011s latency). All 1000 scanned ports on 0.0.0.0 are closed Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Nothing too exciting here, as I had recently upgraded my system and rebooted, so I don’t have any local development environments running. To make things more interested, I started
docker up on a project that runs a web server as well as a
mongodb container and scanned again:
$ nmap 0.0.0.0 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:18 CDT Nmap scan report for 0.0.0.0 Host is up (0.00018s latency). Not shown: 999 closed ports PORT STATE SERVICE 3000/tcp open ppp Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
There we go, port
3000 is where the web server is running!
Scanning more than 1000 ports
As mentioned, my system also has
mongodb running, which didn’t show up in the previous scan. That’s because by default,
nmap only scans the most common 1,000 ports for each protocol.
This will get you pretty far in most scenarios, and the reasoning behind limiting the scan is because it can take quite a while to scan a system for every single port.
In scenarios where you want to find the less common ports being listened on we can explicitly tell
nmap the range of ports we’d like to scan:
$ nmap 0.0.0.0 -p1-65535 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:27 CDT Nmap scan report for 0.0.0.0 Host is up (0.000092s latency). Not shown: 65525 closed ports PORT STATE SERVICE 3000/tcp open ppp 6380/tcp open unknown 17500/tcp open db-lsp 17600/tcp open unknown 17603/tcp open unknown 27017/tcp open mongod 34394/tcp open unknown 38811/tcp open unknown 57621/tcp open unknown 59126/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
There we go! As you can see, the ports for
mongodb are now showing up, 6380 and 27017 respectively. There’s also a handful of other open ports showing up that belong to other services I can running on my system.
Port scanning a remote system
Port scanning a remote machine is exactly the same as scanning your
localhost. Just swap out the
0.0.0.0 in the previous example for the IP address or domain name of the server you’d like to scan.
Disclaimer, be sure you are scanning a system that you own and don’t have advanced security implemented, lest you may end up locking yourself out.
Discovering hosts on your network
In addition to scanning a specific machine for open ports, you can also use
nmap as a way to discover other machines on your network.
To scan your network, simply pass in the IP address range you’d like
nmap to scan. To speed things along, we can also tell
nmap to simply
ping the machines, instead of running a length port scan on them:
$ nmap -sP 192.168.1.1/24 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:40 CDT Nmap scan report for router.asus.com (192.168.1.1) Host is up (0.0022s latency). Nmap scan report for galagopro (192.168.1.14) Host is up (0.00015s latency). Nmap scan report for Roomba-3165050862320680 (192.168.1.74) Host is up (0.0011s latency). Nmap scan report for Dumbo (192.168.1.81) Host is up (0.038s latency). Nmap scan report for josh-iMac (192.168.1.138) Host is up (0.074s latency). Nmap scan report for Philips-hue (192.168.1.222) Host is up (0.0068s latency). Nmap scan report for amazon-aac753ead (192.168.1.243) Host is up (0.021s latency). Nmap done: 256 IP addresses (7 hosts up) scanned in 2.59 seconds
Fortunately, the list of hosts that were found are all known to me, so the list checks out, no bad actors on my network!
Even if you’re not a security expert, it’s good to know the basics of how to use security tools, like
They can help you better understand if you actually configured things properly, if your security mechanisms are actually working, and can come in handy when attempting to pass a security assessment.