Nmap (“Network Mapper”) is an open source tool for network discovery and security auditing. It can be used to scan open ports and services on devices in a network to determine what is running and if there are any vulnerabilities.
Scanning all TCP and UDP ports with Nmap can provide useful information about what services are available on target devices. However, a full scan of all 65,535 TCP and UDP ports can take a long time and be detected as a possible attack. It’s often better to use more focused scans instead.
Scan Types in Nmap
Nmap offers several types of port scans to choose from:
- TCP connect scan (-sT): Attempts to connect to TCP ports on the target. Fast but doesn’t always work if a firewall is blocking connections.
- TCP SYN scan (-sS): Sends SYN packets and monitors for SYN-ACK responses to find open ports. This gets around some firewall rules.
- UDP scan (-sU): Sends UDP packets to target ports and monitors for port unreachable responses to determine open UDP ports.
- TCP/UDP port scan (-sO): Tests if target ports are open, closed or filtered. Useful if you aren’t sure if a device uses TCP or UDP on a given port.
There are many other advanced scan types as well. The examples below focus mainly on TCP SYN scans and UDP scans.
Scan All TCP Ports
To scan all TCP ports on a target IP address with Nmap, use the -p- option:
nmap -sS -p- targetip
This will perform a TCP SYN scan on ports 1-65535.
Some key points about full TCP port scans:
- Can take 5 minutes or more to complete due to the number of ports
- Many ports may show up as “filtered” if blocked by a firewall
- Requires root privileges on Linux/macOS (use sudo)
Here is sample output:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-10 00:42 UTC
Nmap scan report for 192.168.1.1
Host is up (0.041s latency).
Not shown: 65529 closed tcp ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp filtered mysql
Nmap done: 1 IP address (1 host up) scanned in 121.42 seconds
This shows TCP ports 22, 80 and 443 open and port 3306 filtered on the target.
Scan All UDP Ports
Scanning all UDP ports is very similar, using the -sU flag instead of -sS:
sudo nmap -sU -p- targetip
Key points about full UDP scans:
- UDP scans require root privileges on Linux/macOS
- Can take a while to complete due to the number of ports
- Most UDP ports will show up as “open|filtered” instead of simply “open”
Here is some sample output:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-10 00:47 UTC
Nmap scan report for 192.168.1.1
Host is up (0.041s latency).
Not shown: 65527 closed udp ports
PORT STATE SERVICE
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
123/udp open|filtered ntp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 63.94 seconds
This shows some UDP ports that are possibly open on the target device.
Improving Scan Speed
There are a few options to potentially speed up full TCP and UDP scans in Nmap:
- Parallel scans (-M): Use parallel scanning with the -M option to scan multiple ports simultaneously. This can drastically reduce scan times.
- Exclude common closed ports (--exclude-ports): Exclude TCP ports 0, 1, 7, 9, 11, 13 and 15, which are usually closed, to reduce the number of probes sent.
- Increase raw socket scan rate (--scan-delay): Increase the delay between probes sent to target ports to speed up scans. Use with caution as this can overload targets.
Here is an example command using some of these optimizations:
sudo nmap -sS -p- --exclude-ports 0,1,7,9,11,13,15 --scan-delay 10s -M 100 targetip
Checking for Vulnerabilities
Once open TCP/UDP ports are found, you can scan those specific ports for potential vulnerabilities.
Nmap includes over 2,200 Nmap Scripting Engine (NSE) scripts for detecting vulnerabilities including:
- Weak credentials
- Old software versions
- Insecure configuration
- Known exploits
Scan a specific port for potential issues with:
nmap -sV --script vuln targetip -p80
This will scan TCP port 80 and run vulnerability checking scripts.
Conclusion
Scanning all TCP and UDP ports with Nmap can be useful but slow. Focus scans on specific ports of interest whenever possible.
Use optimizations like parallel scanning, port exclusion and increased probe rates to potentially speed up full port scans.
Check open ports for possible vulnerabilities by running Nmap’s built-in NSE scripts.