Command-line Basics: Port Scanning with Nmap

joshtronic

Port scanning systems isn’t just something that happens in Hollywood, it’s a legitimate function of network security. Many security audits require you to disclose the open ports on your network, and it’s always worth a periodic scan of your systems to ensure things are actually how you’ve configured them.

Getting started

Unlike many of our command-line basics posts, Nmap isn’t standard issue on Unix-like systems and will need to be installed.

Fortunately, it’s a pretty popular project, so it’s readily available for most operating systems, often times by way of the system’s package manager.

Also worth noting, Nmap does have an official GUI front-end, Zenmap, if that’s your thing :)

Port scanning your local system

The easiest way to give nmap a try is by scanning your own system, also known as localhost. 127.0.0.1 is the loopback address; 0.0.0.0 isn’t strictly an address of its own, but most systems route connections to it to the local host as well, which is why it works as a target below:

$ nmap 0.0.0.0
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:16 CDT
Nmap scan report for 0.0.0.0
Host is up (0.00011s latency).
All 1000 scanned ports on 0.0.0.0 are closed

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Nothing too exciting here, as I had recently upgraded my system and rebooted, so I don’t have any local development environments running. To make things more interesting, I started up a Docker project that runs a web server as well as a redis and a mongodb container and scanned again:

$ nmap 0.0.0.0
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:18 CDT
Nmap scan report for 0.0.0.0
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

There we go, port 3000 is where the web server is running! One caveat: the SERVICE column (ppp here) is only a lookup of the port number in nmap’s nmap-services table, not an identification of what is actually listening. Add -sV to have nmap probe the service and report what it really is.

Scanning more than 1000 ports

As mentioned, my system also has redis and mongodb running, which didn’t show up in the previous scan. That’s because by default, nmap only scans the most common 1,000 ports for each scanned protocol (TCP by default; UDP needs -sU).

This will get you pretty far in most scenarios, and the scan is limited because checking every single port on a system takes considerably longer.

In scenarios where you want to find the less common ports being listened on, we can explicitly tell nmap the range of ports we’d like to scan (-p- is shorthand for the full 1-65535 range):

$ nmap 0.0.0.0 -p1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:27 CDT
Nmap scan report for 0.0.0.0
Host is up (0.000092s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE
3000/tcp  open  ppp
6380/tcp  open  unknown
17500/tcp open  db-lsp
17600/tcp open  unknown
17603/tcp open  unknown
27017/tcp open  mongod
34394/tcp open  unknown
38811/tcp open  unknown
57621/tcp open  unknown
59126/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds

There we go! As you can see, the ports for redis and mongodb now show up, 6380 and 27017 respectively. There’s also a handful of other open ports that belong to other services I have running on my system.

Port scanning a remote system

Port scanning a remote machine is exactly the same as scanning your localhost. Just swap out the 0.0.0.0 in the previous example for the IP address or domain name of the server you’d like to scan. Two differences are worth knowing about: a remote scan only shows what is reachable from where you are scanning, so a port that is open on the box but blocked by a firewall in between shows up as filtered rather than open; and without root privileges nmap falls back from its default SYN scan (-sS) to a full TCP connect scan (-sT), which is slower and noisier.

Disclaimer: only scan systems you own or have explicit permission to test. Port scans are noisy, and a host with intrusion prevention in front of it (fail2ban, a firewall that bans scanners, a hosting provider’s abuse detection) may ban the scanning address, so you could lock yourself out of your own server.

Discovering hosts on your network

In addition to scanning a specific machine for open ports, you can also use nmap as a way to discover other machines on your network.

To scan your network, pass in the IP address range you’d like nmap to scan, in CIDR notation. To speed things along, we can also tell nmap to skip the port scan and only do host discovery (the -sP flag used below is an older spelling of -sn and still works). When run as root on the local Ethernet segment this discovery is done with ARP requests, which hosts can’t easily ignore; otherwise nmap uses ICMP and TCP probes, which a firewalled host may drop:

$ nmap -sP 192.168.1.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 16:40 CDT
Nmap scan report for router.asus.com (192.168.1.1)
Host is up (0.0022s latency).
Nmap scan report for galagopro (192.168.1.14)
Host is up (0.00015s latency).
Nmap scan report for Roomba-3165050862320680 (192.168.1.74)
Host is up (0.0011s latency).
Nmap scan report for Dumbo (192.168.1.81)
Host is up (0.038s latency).
Nmap scan report for josh-iMac (192.168.1.138)
Host is up (0.074s latency).
Nmap scan report for Philips-hue (192.168.1.222)
Host is up (0.0068s latency).
Nmap scan report for amazon-aac753ead (192.168.1.243)
Host is up (0.021s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.59 seconds

Fortunately, the hosts that were found are all known to me, so the list checks out, no bad actors on my network! Bear in mind what this does and doesn’t prove: a ping sweep only lists hosts that answered nmap’s discovery probes, so a device that drops them (or one on a segment the scanning host can’t reach) won’t appear, and a familiar hostname doesn’t mean the device is behaving. Running the sweep regularly and comparing against the previous result is more useful than a single look.
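As an added example, not part of the original post, here is a small POSIX shell script that turns the full port scan and the host discovery sweep above into a repeatable check: it parses nmap’s grepable output (-oG) and reports any open ports, or any live hosts, that are not on an expected list. The nmap output embedded in it is constructed to mirror the scans shown above; the file names and the expected lists are assumptions.

```shell
#!/bin/sh
# Compare an nmap grepable-output (-oG) file against what you expect to see.
# Assumed real-world invocations to produce such files (run these yourself):
#   nmap -p- -oG ports.gnmap 0.0.0.0          # full TCP port scan of the local box
#   nmap -sn -oG hosts.gnmap 192.168.1.0/24   # host discovery on the LAN

# Print "port/proto" for every port nmap reported as open.
# Grepable "Ports:" entries look like 3000/open/tcp//ppp/// and are separated by ", ".
open_ports() {
  awk 'BEGIN { FS = "\t" }
       /^Host:/ {
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^Ports: /) {
             sub(/^Ports: /, "", $i)
             n = split($i, entries, /, */)
             for (j = 1; j <= n; j++) {
               split(entries[j], f, "/")
               if (f[2] == "open") print f[1] "/" f[3]
             }
           }
         }
       }' "$1"
}

# Print the IP address of every host nmap reported as up.
up_hosts() {
  awk 'BEGIN { FS = "\t" }
       /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# Print each item of $1 (whitespace separated) that is missing from the
# space-separated expected list $2; return 1 if anything unexpected was found.
unexpected() {
  rc=0
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;
      *) echo "$item"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample output (tab-separated fields, as nmap writes them).
PORTS_SAMPLE="${TMPDIR:-/tmp}/ports-sample.gnmap"
{
  printf '# Nmap 7.70 scan initiated as: nmap -p- -oG ports.gnmap 0.0.0.0\n'
  printf 'Host: 0.0.0.0 ()\tStatus: Up\n'
  printf 'Host: 0.0.0.0 ()\tPorts: 22/filtered/tcp//ssh///, 3000/open/tcp//ppp///, 6380/open/tcp//unknown///, 27017/open/tcp//mongod///\tIgnored State: closed (65531)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 1.15 seconds\n'
} > "$PORTS_SAMPLE"

HOSTS_SAMPLE="${TMPDIR:-/tmp}/hosts-sample.gnmap"
{
  printf '# Nmap 7.70 scan initiated as: nmap -sn -oG hosts.gnmap 192.168.1.0/24\n'
  printf 'Host: 192.168.1.1 (router.asus.com)\tStatus: Up\n'
  printf 'Host: 192.168.1.14 (galagopro)\tStatus: Up\n'
  printf 'Host: 192.168.1.99 ()\tStatus: Up\n'
  printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 2.59 seconds\n'
} > "$HOSTS_SAMPLE"

# What we expect to see (assumed): the web server and mongodb, and two known hosts.
EXPECTED_PORTS="3000/tcp 27017/tcp"
EXPECTED_HOSTS="192.168.1.1 192.168.1.14"

echo "Unexpected open ports (expected: $EXPECTED_PORTS):"
if unexpected "$(open_ports "$PORTS_SAMPLE")" "$EXPECTED_PORTS"; then echo "  none"; fi
echo "Unexpected hosts (expected: $EXPECTED_HOSTS):"
if unexpected "$(up_hosts "$HOSTS_SAMPLE")" "$EXPECTED_HOSTS"; then echo "  none"; fi
```

On the sample above the script reports 6380/tcp (redis, which is not on the expected list) and 192.168.1.99 (a host with no name that isn’t in the inventory); the filtered port 22 is ignored because only the open state is counted. Grepable output is the easiest format to handle from a shell one-liner; if you want something sturdier to build on, nmap’s XML output (-oX) carries the same information with proper structure.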

Conclusion

Even if you’re not a security expert, it’s good to know the basics of how to use security tools, like nmap.

They can help you better understand if you actually configured things properly, if your security mechanisms are actually working, and can come in handy when attempting to pass a security assessment.
