Port Scanning

Port Scanning

Once live hosts are identified, perform port scanning to discover exposed services.

Nmap Scan Types

TCP SYN Scan (Stealth Scan)

Default and most common scan type. Fast and relatively stealthy:

nmap -sS $RHOST

• -sS SYN scan (half-open scan)
• Doesn’t complete TCP handshake
• Requires root privileges on Unix systems
• Stealthier than full connect scan

TCP ACK Scan

Determine if ports are filtered (firewall detection):

nmap -sA $RHOST

• -sA ACK scan
• Doesn’t determine if port is open/closed
• Useful for firewall rule mapping

Port Specification

Common Port Lists

nmap -p 1-1000 $RHOST              # Port range
nmap -p 22,80,443,8080 $RHOST      # Specific ports
nmap -p- $RHOST                     # All 65,535 ports
nmap --top-ports 1000 $RHOST       # Top 1000 most common ports
nmap -sU -p 53,161,162 $RHOST  # Common UDP ports
nmap -p U:53,161,T:22,80,443 $RHOST # Mix UDP and TCP

Comprehensive Scans

Full Scan with Aggressive Options

nmap -p- -A -iL output.scan

• -p- scans all 65,535 TCP ports
• -A enables OS detection, version detection, scripts and traceroute
• -iL reads target hosts from a file

Firewall Evasion

Fragment Packets

nmap -f $RHOST                      # Fragment packets
nmap -f -f $RHOST                   # Double fragment (16 bytes)

Decoy Scans

nmap -D RND:10 $RHOST               # 10 random decoys
nmap -D 192.168.1.1,192.168.1.2,ME $RHOST  # Specific decoys

Spoof Source IP

nmap -S 192.168.1.100 -e eth0 $RHOST

• -S spoof source IP
• -e specify interface
• Note: Replies go to spoofed IP

Idle Scan (Zombie Scan)

nmap -sI zombie.host.com $RHOST

• Uses a “zombie” host for scanning
• Very stealthy (target sees zombie, not you)
• Requires a suitable zombie host

Source Port Spoofing

nmap --source-port 53 $RHOST        # Spoof as DNS traffic
nmap -g 53 $RHOST                   # Same as above

Additional Evasion

nmap --data-length 200 $RHOST       # Append random data
nmap --badsum $RHOST                # Invalid checksum (firewall testing)
nmap -sS -f -T2 -D RND:5 $RHOST     # Combine multiple techniques

Alternative Tools

Masscan

Ultra-fast port scanner:

masscan $RHOST/24 -p1-65535 --rate=1000
masscan $RHOST -p80,443,8080 --rate=10000

• Much faster than nmap
• --rate packets per second
• Less accurate, may miss ports

Netcat

Lightweight port scanning using Netcat. Typically installed on most hosts and useful when other tools like Nmap are not available.

Scan Common Ports:

nc -zv $RHOST 1-1024

Quiet Output (Open Ports Only):

nc -z $RHOST 1-65535 2>/dev/null

Scan Specific Ports:

for port in 22 80 443 8080; do nc -zv $RHOST $port; done

IPv6 Scanning

nmap -6 -sS $RHOSTv6                # IPv6 SYN scan
nmap -6 -sU $RHOSTv6                # IPv6 UDP scan

Best Practices

1. Start with top ports: Use --top-ports 1000 before full scans
2. Use appropriate timing: Balance speed vs stealth (-T2 or -T3 default)
3. Respect rate limits: Adjust --rate or timing to avoid overwhelming targets