How to Use Nmap to Scan for Open Ports (2024)

Introduction

Nmap (network mapper) is the world's leading network security scanning tool for Linux systems. It helps identify open ports and prevents potential network security threats.

Nmap is an essential network scanning tool due to its accurate, simple-to-use, and flexible interface with many advanced features.

This guide shows how to scan for open ports on Linux systems using Nmap.

How to Use Nmap to Scan for Open Ports (1)

Prerequisites

Nmap installed (see our guide for installing Nmap on Linux).
A user with sudo privileges.
Access to the command line/terminal.

How to Use Nmap to Check Ports

Nmap is a versatile command-line tool that performs powerful port scans. To conduct a simple scan, use the nmap command without any options:

nmap [target]

The target is either a domain name or an IP address. For example, to scan the website scanme.nmap.org, use:

nmap scanme.nmap.org

How to Use Nmap to Scan for Open Ports (2)

The command without any options scans the most common 1000 ports. Nmap can scan a single port, a port range, or all ports on a target. Below are step-by-step instructions on how to use Nmap to scan for open ports in various ways.

Scan a Single Port

To use Nmap to scan a single port on a target, use the following syntax:

Scan All Ports

To scan all port numbers (1-65535), use the following syntax:

nmap -p- [target]

For example:

nmap -p- scanme.nmap.org

How to Use Nmap to Scan for Open Ports (4)

The scan takes time to complete. The command performs a comprehensive scan of all port numbers. It thoroughly assesses the target network and shows open ports for the provided location.

Alternatively, to scan all standard ports, use the fast scan with the -F tag:

nmap -F [target]

For example:

nmap -F scanme.nmap.org

How to Use Nmap to Scan for Open Ports (5)

The fast scan checks the 100 most common ports. This method reduces the scan time, which is helpful with large networks.

Scan a Series of Ports

The Nmap tool offers several different ways to scan multiple ports. The examples below demonstrate how to use the tool.

To scan a port range, use the -p option, the starting and ending port numbers:

nmap -p [start]-[end] [target]

For example, to scan the first 200 ports, use:

nmap -p 1-200 scanme.nmap.org

How to Use Nmap to Scan for Open Ports (6)

To scan multiple specific ports, use a comma-separated list:

nmap -p [port1, port2, etc] [target]

For example:

nmap -p 22,53,80 scanme.nmap.org

How to Use Nmap to Scan for Open Ports (7)

Combine the two methods to scan both specific port numbers and ranges. For example:

nmap -p 22,80,100-200 scanme.nmap.org

How to Use Nmap to Scan for Open Ports (8)

Scanning targeted ports or a port range shortens the scan time.

Common Ports

There are many standardized ports associated with specific services. Use the list below as a reference for these ports and their related service:

21 (FTP). File transfer protocol.
22 (SSH). Secure shell.
25 (SMTP). Simple mail transfer protocol.
53 (DNS). Domain name system.
67, 68 (DHCP). Dynamic host configuration protocol.
80 (HTTP). Hypertext transfer protocol.
110 (POP3). Post office protocol version 3.
123 (NTP). Network time protocol.
143 (IMAP). Internet access message protocol.
443 (HTTPS). Hypertext transfer protocol secure.
465 (SMTPS). SMTP secure.
631 (CUPS). Common Unix printing system.
993 (IMAPS). IMAP secure.
995 (POP3S). POP3 secure.
3306 (MySQL). MySQL database server.
3389 (RDP). Remote desktop protocol.
8080 (HTTP alternate). HTTP alternate, used for proxy servers.

Nmap helps discover port statuses and indicates how to configure aLinux firewallto block traffic on a particular port or allow some traffic.

For example, setting afirewallto block all traffic on port 80 means users won't be able to load any website. Alternatively, firewall rules can be set to allow some traffic to ports.

Use Nmap, a firewall, and othernetwork security tools to scan traffic on a particular port and watch for suspicious activity.

Port States Recognized by Nmap

Nmap divides port status into six different states. The possible port states Nmap recognizes are:

open. The service on the associated port is active and listens for incoming connections. The port is available for connections.
closed. No service is listening on the port. No services are bound on the port, and the port will refuse all incoming connections.
filtered. The port state is unknown. The port's status is concealed or restricted due to packet filtering, firewall rules, or a network security device configuration.
unfiltered. The port state is unknown. The port is accessible and unrestricted but has no active service linked to it.
open|filtered. The port state is open or filtered. Nmap cannot determine which due to network conditions.
closed|filtered. The port state is closed or filtered. The exact state is indeterminate due to network conditions.

Note: Learn how to open a port in Linux.

Conclusion

After reading this guide, you have an overview of Nmap scanning and how to scan for open ports.

Next, see our server security tips that will help protect your server from various cybersecurity threats.

How to Use Nmap to Scan for Open Ports (2024)

FAQs

How do I scan only open ports in Nmap? ›

First, fire up your command line or GUI. Typing scanme.nmap.org will perform a default scan for open ports on the domain name scanme.nmap.org. Nmap provides this server to test out different scans. If you want to scan something else, type in the device's DNS name or IP address.

Read On ›

How to use Nmap to scan a range of ports? ›

Scanning specific port ranges

Port list separated by commas: $ nmap -p80,443 localhost.
Port range denoted with hyphens: $ nmap -p1-100 localhost.
Alias for all ports from 1 to 65535: # nmap -p- localhost.
Specific ports by protocol: # nmap -pT:25,U:53 <target>
Service name: # nmap -p smtp <target>

More items...

Jan 27, 2022

Discover More Details ›

How do I scan all 65535 ports in Nmap? ›

To instruct Nmap to scan all 65,535 ports on a target, use the (-p-) option in your command. For example, nmap -p- <target> would initiate a scan of all ports on the specified target, providing a comprehensive overview of all potential entry points for services and applications.

How to check for open ports? ›

Via a third-party website

Go to yougetsignal.com.
Fill in the IP address or hostname into the Remote Address field and the port number into the Port Number field.
Click Check to test the port status.
If the port is open, a message will say Port XXX is open on XXX. XXX. XXX.

See Details ›

Why is Nmap not showing open ports? ›

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information.

Find Out More ›

Is it legal to port scan in Nmap? ›

Network probing or port scanning tools are only permitted when used in conjunction with a residential home network, or if explicitly authorized by the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited.

Tell Me More ›

How do I scan top 100 ports? ›

By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol or --top-ports to specify an arbitrary number of ports to scan.

Show Me More ›

Why does Nmap only scan 1000 ports? ›

According to our research, the top 10 TCP ports and top 1,075 UDP ports represent half of the open ports for their protocol. To catch 90% of the open ports, you need to scan 576 TCP ports and 11,307 UDP ports. By default, Nmap scans the top 1,000 ports for each scan protocol requested.

Explore More ›

How many port scan Nmap scan? ›

By default, Nmap scans the most common 1,000 ports for each protocol.

Which tools are used to check for open ports? ›

Nmap is the de-facto tool for finding open ports and services due to how effective it is.

Show Me More ›

How to check if port 443 is open? ›

Check if port 443 is open:

On Windows: open the Command Prompt on your Windows machine > type telnet <IP address or domain name> 443 and press Enter.

Read The Full Story ›

How do I make sure certain ports are open? ›

How to open a port on the firewall

Click on Start then on Control Panel.
Click on Windows Firewall and then click on Advanced Settings.
Right click on Inbound Rules then on New Rule:
Select Port and click on Next:
Enter a specific local port (e.g. 8080) and click on Next:
Click on Next:
Name the rule and click on Finish:

Jun 16, 2023

See Details ›

How to scan for open ports in Linux? ›

To scan ports in your Linux system, you will need nmap tool to perform the activity on your local host or remote server.

Install the nmap package using your package manager within your Linux server. ...
Use the command sudo nmap -n -PN -sT -sU -p- localhost to scan ports on your local system.

Get More Info Here ›

How do you specify all ports to be scanned? ›

Ports can also be specified by name according to what the port is referred to in the nmap-services . You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with “http”, use -p ftp,http* . Be careful about shell expansions and quote the argument to -p if unsure.

How do I scan open ports without Nmap? ›

If Nmap is not installed and you do not wish to use all of Nmap options/features, you can use the netcat/nc command for scanning ports. This may useful to know which ports are open and running services on a target machine.

How would you tell Nmap to only scan port 22? ›

Scan a single port (in this case port 22) by specifying just that number as the -p argument. Port names may be specified rather than numbers. Note that a name may match multiple ports. Multiple ports may be separated with commas.

View Details ›