Details

This week Shannon Morse discusses several port scanning options you can use in Nmap.


Nmap scans 1000 commonly used ports by default, which include ones like TCP port 80 and port 25 for SMTP. If you want to scan other ports, these options are for you. Let's start with -F, which does a fast scan. A scan of the 1000 common ports can still take a while, so you may want to cut that down to only the top 100 ports. It looks like any other scan you do; just add -F after the word nmap.

Scanning specific ports is pretty fun. If you want to scan a target for port 80, it looks like this: nmap -p 80 10.73.31.145. With the same option you can also scan a range of ports, or several specific ones, all in one go, like this: nmap -p 80,23,140-200 10.73.31.145.

If you don't remember the number for a port but you remember the name, type it like this: nmap -p http 10.73.31.145. If you know a service name starts with "sm" but you don't remember the rest of it, you can type: nmap -p "sm*" 10.73.31.145. The quotes keep the shell from expanding the *, and the wildcard tells nmap to look for any service it knows about whose name starts with sm, such as SMTP. Keep in mind that all these port names and numbers can be found on the IANA website we referred to a few weeks back.

To scan ports by protocol, you'll need to add the scan-type options, like this: sudo nmap -sU -sT -p U:53,T:25 10.73.31.145. You are still using -p for the ports, -sU and -sT turn on the UDP and TCP scans, and U:53,T:25 tells nmap to scan UDP port 53 and TCP port 25.

If you want to get really hardcore, try this one: nmap -p "*" 10.73.31.145. The wildcard in quotes tells nmap to scan all of the 65,000-plus ports that are known.
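As an added example (not part of the episode, and not Nmap's own code), here is a small Python parser for the -p port-specification forms shown above: single ports, comma lists and ranges, service names, the quoted sm* wildcard, the "*" all-ports form, and the U:/T: protocol prefixes. The service table is a constructed stand-in for the nmap-services / IANA list, and expanding "*" to 1-65535 is an assumption.

```python
import fnmatch

# Constructed stand-in for the nmap-services / IANA table: (name, proto) -> port.
SERVICES = {
    ("http", "tcp"): 80, ("telnet", "tcp"): 23, ("smtp", "tcp"): 25,
    ("ssh", "tcp"): 22, ("smux", "tcp"): 199, ("domain", "tcp"): 53,
    ("domain", "udp"): 53, ("snmp", "udp"): 161,
}
MAX_PORT = 65535


def _expand_item(item, proto):
    """Expand one comma-separated element of a -p spec for one protocol."""
    if item in ("*", "-"):                      # -p "*" or -p- : every port (assumed 1-65535)
        return set(range(1, MAX_PORT + 1))
    if item.isdigit():                          # a single port number
        port = int(item)
        if port > MAX_PORT:
            raise ValueError(f"port out of range: {item}")
        return {port}
    if "-" in item and item.replace("-", "", 1).isdigit():   # a range; open ends allowed
        lo, hi = item.split("-", 1)
        lo, hi = int(lo or 1), int(hi or MAX_PORT)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {item}")
        return set(range(lo, hi + 1))
    # Otherwise a service name, possibly with a shell-style wildcard such as sm*
    ports = {p for (name, pr), p in SERVICES.items()
             if pr == proto and fnmatch.fnmatchcase(name, item.lower())}
    if not ports:
        raise ValueError(f"unknown service for {proto}: {item}")
    return ports


def parse_port_spec(spec, protos=("tcp",)):
    """Return {"tcp": set, "udp": set} for a -p argument. protos is what the
    scan-type flags selected (TCP by default, -sU adds UDP); a U: or T: prefix
    switches protocol for the items after it, as in -p U:53,T:25."""
    result = {"tcp": set(), "udp": set()}
    current = list(protos)
    for item in spec.replace(" ", "").split(","):
        if item[:2].upper() in ("U:", "T:"):
            current = ["udp" if item[0].upper() == "U" else "tcp"]
            item = item[2:]
        for proto in current:
            result[proto] |= _expand_item(item, proto)
    return result
```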

If there is a specific number of the most popular ports you'd like to scan, type: nmap --top-ports 54 10.73.31.145. This tells nmap to scan the 54 most popular ports on that target.

Lastly, scanning in sequential order with -r. Nmap normally randomizes the order in which it scans ports, which is useful for evading firewalls and avoiding detection in some circumstances. If you just want it to scan in order, type: nmap -r 10.73.31.145. Things to note: you won't see a difference in the final output, because Nmap still lists the results in its own order regardless of how the scan ran. If you add -v to your command, it will show you the scans in real-time order.

And that's it for port scanning! What would you like to see next about Nmap? Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.


1 Comment

  • Pete Lyons 7 months ago

    I'm a big fan of HakTip as it's typically more task focused and easier to digest than the main show (which I am also a big fan of). I hear you like content suggestions.

    I recently learned how to break Windows passwords very easily without a program that does it for you. It's the first true hack I've ever done. It works in XP, Vista, and 7. Maybe 8? Not sure.

    First, either use a Linux thumbdrive of choice or use the command line on a Windows disc (which would have to be the same version you're using). Use this to overwrite sethc.exe in system32 on the host machine with cmd.exe from the same folder.

    Reboot, then smash Shift at the login screen. When Windows tries to run Sticky Keys, it opens the command line instead, from which you can reset the admin password with the command "net user user_name new_password". This does break access to encrypted folders though.

    The net user command isn't supposed to work if you aren't logged on as admin, but somehow it seems to work from the login screen. I have no idea why. I also can't figure out why this was never fixed. On the same note, I once used Windows System Restore to reverse "Windows is not genuine". That totally shouldn't work either.

    Great show!