Scan Remote Host for Open Ports using nmap Port Scanner

May 12, 2016 Linux, Security

nmap (Network Mapper) is an open source tool for network exploration and security auditing and a powerful port scanner. It can be used locally on localhost as a netstat alternative, but its main use case is to scan remote hosts for open ports, system type, running services, etc.

Examples:

1. Scan remote host for open system ports (basic well-known ports)

[root@tuxfixer ~]# nmap 192.168.2.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-12 21:28 CEST
Nmap scan report for router (192.168.2.1)
Host is up (0.00045s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: FC:AA:14:2B:5A:B8 (Giga-byte Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

2. Scan remote host including OS detection and services detection

[root@tuxfixer ~]# nmap -A 192.168.2.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-12 21:30 CEST
Nmap scan report for router (192.168.2.1)
Host is up (0.00022s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.2
22/tcp  open  ssh         OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 78:34:be:d4:fd:87:e9:bd:fc:3a:e7:93:98:74:27:82 (RSA)
|_  256 cf:c8:d2:26:14:c3:38:f9:26:fe:ca:ff:57:37:67:a5 (ECDSA)
111/tcp open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|_  100000  2,3,4        111/udp  rpcbind
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: ROUTER)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: ROUTER)
MAC Address: FC:AA:14:2B:5A:B8 (Giga-byte Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Unix

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.2.3)
|   Computer name: router
|   NetBIOS computer name: ROUTER
|   Domain name: 
|   FQDN: router
|_  System time: 2016-05-12T21:31:10+02:00
| smb-security-mode: 
|   account_used: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms router (192.168.2.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.38 seconds

3. Scan remote host for specific port number

[root@tuxfixer ~]# nmap -p 22 192.168.2.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-12 21:33 CEST
Nmap scan report for router (192.168.2.1)
Host is up (0.000096s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: FC:AA:14:2B:5A:B8 (Giga-byte Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

4. Scan remote host and skip pinging (use when remote host blocks the ping)

[root@tuxfixer ~]$ nmap -Pn 192.168.2.9

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-12 21:53 CEST
Nmap scan report for 192.168.2.9
Host is up (0.0011s latency).
Not shown: 844 closed ports, 154 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3689/tcp open  rendezvous

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

5. Scan whole subnet for hosts with open ports and skip pinging the hosts

[root@tuxfixer ~]# nmap -Pn 192.168.2.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-12 22:07 CEST
Nmap scan report for 192.168.2.9
Host is up (0.000085s latency).
Not shown: 844 closed ports, 154 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3689/tcp open  rendezvous
MAC Address: 00:21:85:5E:9B:F5 (Micro-star Int'l Co.)

Nmap scan report for 192.168.2.1
Host is up (0.000040s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 3.76 seconds

6. Scan localhost for open ports

[root@tuxfixer ~]# nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-12 22:12 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 994 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

7. Scan remote host for specific port range

[root@tuxfixer ~]# nmap -p 1024-65535 192.168.2.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-12 22:15 CEST
Nmap scan report for router (192.168.2.1)
Host is up (0.00060s latency).
All 64512 scanned ports on router (192.168.2.1) are closed
MAC Address: FC:AA:14:2B:5A:B8 (Giga-byte Technology)

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
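The scans above are only useful to a defender once their output is compared against what is supposed to be open. The following script is an added example, not part of the original post: it parses nmap's normal output format (the "Nmap scan report for ..." and "PORT STATE SERVICE" rows seen in examples 1 and 5) and reports open ports that are missing from a per-host allowlist. The sample input is copied from example 5; the BASELINE allowlist is a hypothetical value for illustration.

```python
import re

# Sample input: nmap "normal" output copied from example 5 above (a -Pn subnet
# scan that found two hosts); embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.2.9
PORT     STATE SERVICE
22/tcp   open  ssh
3689/tcp open  rendezvous

Nmap scan report for router (192.168.2.1)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 3.76 seconds
"""

# Hypothetical per-host baseline: only SSH is approved on either host.
BASELINE = {"192.168.2.1": {22}, "192.168.2.9": {22}}

# Matches "Nmap scan report for 192.168.2.9" and "... for router (192.168.2.1)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?")
# Matches port rows such as "445/tcp open  microsoft-ds".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text):
    """Map each scanned IP to a list of (port, proto, state, service) tuples."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = []
        elif (m := PORT_RE.match(line)) and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Return {ip: sorted ports} for open ports missing from the host's allowlist."""
    findings = {}
    for ip, rows in hosts.items():
        extra = sorted(p for p, _, state, _ in rows
                       if state == "open" and p not in baseline.get(ip, set()))
        if extra:
            findings[ip] = extra
    return findings
```

A host absent from the baseline has every open port reported, so a newly appeared machine on the subnet shows up in full.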
