How To Detect Open Ports and Services Using Nmap Network Scanner

Nmap is a free, open source and powerful network scanner used by cybersecurity professionals and system administrators to discover hosts, services, operating systems, and vulnerabilities on computer networks. This article provides a step-by-step guide on using Nmap to detect open ports and services running on hosts on a network.

Introduction to Nmap

Nmap, short for “Network Mapper”, was created in 1997 by Gordon Lyon (aka Fyodor) and has become one of the most popular network scanners used today. Nmap uses raw IP packets to determine what hosts and services are available on a network.

Some key features and capabilities of Nmap include:

  • Host discovery – Identifying active hosts on a network
  • Port scanning – Detecting open ports and services running on hosts
  • Operating system (OS) detection – Guessing OS version from network fingerprint
  • Service and version detection – Determining application versions listening on ports
  • Scriptable interaction with services – Gathering additional info via Nmap Scripting Engine (NSE) scripts
  • Flexible target specification – Ability to scan single hosts, subnets, or entire networks
  • Powerful output formats – Support for XML, grepable, and normal output

Installing Nmap

Nmap runs on various operating systems including Linux, Windows, and macOS. Here are some quick steps to get Nmap installed:

Linux

Most Linux distributions have Nmap in their package repositories. To install, run:

sudo apt install nmap       # Debian/Ubuntu
sudo yum install nmap       # RHEL/CentOS 
sudo dnf install nmap       # Fedora

Windows

Download the latest Windows installer from nmap.org and run it. This will install Nmap and add it to your system path.

macOS

Install Nmap through Homebrew:

brew install nmap

Detecting Live Hosts with Ping Scan

The first step is to identify live and active hosts on the network you want to scan. This is done using Nmap’s ping scan, which sends ICMP echo request packets to hosts.

To ping scan a network subnet:

nmap -sn 192.168.1.0/24

This will ping all 254 hosts on the 192.168.1.0/24 subnet and list the hosts that respond and are active.

Detecting Open Ports with TCP Connect Scan

Once you identify active hosts, the next step is to detect open ports and services. The default TCP connect scan is a good start:

nmap 192.168.1.1

This will scan 1000 most common TCP ports on the host 192.168.1.1 using a TCP connect scan, which attempts to establish a full TCP 3-way handshake with each port.

Any successful connections are marked as open ports, while ports that reject connections or don’t respond are marked as closed.

Service and Version Detection

To take port scanning further and determine services and application versions running on open ports, use the -sV option:

nmap -sV 192.168.1.1

This will connect to each open port, send protocol-specific probes, and match responses against Nmap’s service fingerprint database to identify services and application versions.

Detecting All Open Ports

To scan all 65535 TCP and UDP ports instead of just the 1000 most common ports, use the -p- option:

nmap -sU -sS -p- 192.168.1.1

This will perform a TCP SYN scan and UDP scan across all ports on the host.

Useful Nmap Options

Here are some other useful Nmap options:

  • -O: Remote OS detection using TCP/IP stack fingerprinting
  • -sC: Run default NSE scripts for service discovery and more info gathering
  • -v: Increase verbosity level for more debug info
  • –reason: Display reason a port is in certain state (open, closed, filtered, etc)
  • -oN: Save output in a normal format to the given filename

Conclusion

Nmap is a versatile network scanner that all cybersecurity professionals should know how to use effectively. Key things to remember when using Nmap include:

  • Ping scan first to identify live hosts
  • Use TCP connect scan to find open ports and services
  • Enable version detection to determine application versions on ports
  • Scan all ports, not just the common ones, for complete coverage
  • Take advantage of Nmap’s advanced features as needed

With practice, you can use Nmap to thoroughly map out and understand any network environment.