Host & Port Scanning with Nmap
Goals After Host Discovery
Gather details on:
- Open ports & services
- Service versions
- OS detection
- Info/services running on each port
| Port State | Technical Description |
|---|---|
| open | A service is actively listening on the port. For TCP, a SYN/ACK is received; for UDP, an application-level response; for SCTP, an INIT-ACK. |
| closed | The port is accessible but no service is listening. Typically, a TCP RST is received. |
| filtered | Nmap cannot determine whether the port is open or closed. Either no response was received, or an ICMP unreachable error came back. |
| unfiltered | The port is accessible, but its state is unclear. Only observed in TCP ACK scans. |
| open\|filtered | No response was received. The port might be open, or a firewall or packet filter may be dropping the probe. |
| closed\|filtered | Seen only in IP ID idle scans. Nmap cannot determine whether the port is closed or filtered. |
Scanning TCP Ports
Basic Scan (Top 10 TCP Ports)
sudo nmap <target> --top-ports 10
Custom Port Scan (Range & Specific)
sudo nmap -p 22,25,80,139,445 <target>
sudo nmap -p 22-445 <target>
sudo nmap -p- <target>
The above command scans all 65535 ports.
sudo nmap -F <target>
The above command scans the top 100 ports (Fast scan).
Interpreting Packet Trace
SENT Line
- You → Target: TCP SYN
- Shows source IP:PORT → destination IP:PORT
- SYN flag (S), TTL, sequence, MSS, etc.
RCVD Line
- Target → You: TCP RST+ACK (RA)
- RST = reset (closed), ACK = acknowledge receipt
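The port-state table and the SENT/RCVD lines above are what a SYN scan's `--packet-trace` output boils down to. The following is an added example (not from the original page or from the Nmap project) that parses a trace and assigns each probed port the state and `--reason` string Nmap would print: SA reply gives open/syn-ack, RA gives closed/reset, an ICMP type 3 error gives filtered/port-unreach (or the matching unreachable reason), and a probe with no RCVD at all stays filtered/no-response. The sample trace is constructed to mirror Nmap's line layout with documentation addresses and made-up timings; attributing an ICMP error to the most recent unanswered probe is an assumption of this parser, since the ICMP line itself carries no port number.

```python
import re

# Constructed sample of `nmap -sS --packet-trace` output (not captured from a real host).
# The line layout follows what Nmap prints; addresses/timings are made up.
SAMPLE_TRACE = """\
SENT (0.0429s) TCP 192.0.2.10:63090 > 198.51.100.5:443 S ttl=56 id=57322 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 198.51.100.5:443 > 192.0.2.10:63090 SA ttl=64 id=0 iplen=44  seq=1211213121 win=64240 <mss 1460>
SENT (0.0601s) TCP 192.0.2.10:63090 > 198.51.100.5:22 S ttl=56 id=57323 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (0.0650s) TCP 198.51.100.5:22 > 192.0.2.10:63090 RA ttl=64 id=0 iplen=40  seq=0 win=0
SENT (0.0700s) TCP 192.0.2.10:63090 > 198.51.100.5:139 S ttl=56 id=57324 iplen=44  seq=1699105818 win=1024 <mss 1460>
SENT (1.0712s) TCP 192.0.2.10:63091 > 198.51.100.5:139 S ttl=56 id=57325 iplen=44  seq=1699105818 win=1024 <mss 1460>
SENT (1.0800s) TCP 192.0.2.10:63090 > 198.51.100.5:445 S ttl=56 id=57326 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (1.0834s) ICMP [198.51.100.5 > 192.0.2.10 Port unreachable (type=3/code=3) ] IP [ttl=64 id=42766 iplen=56 ]
"""

TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)"
)
ICMP_RE = re.compile(
    r"^RCVD \((?P<t>[\d.]+)s\) ICMP \[(?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"(?P<msg>.+?) \(type=(?P<type>\d+)/code=(?P<code>\d+)\) \]"
)

# ICMP type 3 codes that Nmap treats as "filtered" for a TCP probe, with the
# --reason strings it prints for them.
ICMP_FILTERED = {
    0: "net-unreach", 1: "host-unreach", 2: "proto-unreach", 3: "port-unreach",
    9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited",
}


def classify_trace(trace: str) -> dict:
    """Map each probed target port to (state, reason) as Nmap's --reason output would."""
    results = {}   # dport -> (state, reason); insertion order = probe order
    pending = []   # ports we have SENT to and not yet seen an answer for
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            if m["dir"] == "SENT":
                port = int(m["dport"])
                # Until something comes back, an unanswered SYN is "filtered / no-response";
                # a retransmitted SYN (same port) does not change that.
                results.setdefault(port, ("filtered", "no-response"))
                if port not in pending:
                    pending.append(port)
            else:
                port = int(m["sport"])   # the reply comes back *from* the probed port
                flags = m["flags"]
                if "R" in flags:
                    results[port] = ("closed", "reset")
                elif "S" in flags and "A" in flags:
                    results[port] = ("open", "syn-ack")
                if port in pending:
                    pending.remove(port)
            continue
        m = ICMP_RE.match(line)
        if m and int(m["type"]) == 3 and int(m["code"]) in ICMP_FILTERED:
            # Assumption: the ICMP error belongs to the most recent probe still awaiting
            # an answer (true for the single-port runs shown on this page).
            if pending:
                port = pending.pop()
                results[port] = ("filtered", ICMP_FILTERED[int(m["code"])])
    return results


if __name__ == "__main__":
    for port, (state, reason) in classify_trace(SAMPLE_TRACE).items():
        print(f"{port}/tcp\t{state}\t{reason}")
</test>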
TCP Connect Scan (-sT)
Connect to TCP Port 443 with full packet trace
sudo nmap -sT -p 443 <target> --packet-trace --disable-arp-ping -Pn -n --reason
Notes:
- Performs the full TCP handshake (SYN → SYN-ACK → ACK)
- Accurate but not stealthy: the completed connection is visible to the service and its logs
- Useful when raw packets can't be sent (non-root); Nmap falls back to -sT in that case
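To make the -sT mechanics concrete, here is an added example (not from the original page or from the Nmap project) of a minimal connect scanner in Python. It takes the same port specifications the custom-port commands above use (`22,25,80`, `22-445`, `-`), lets the kernel perform the full handshake, and translates the outcome into Nmap's --reason vocabulary: a completed connect is open/syn-ack, ECONNREFUSED (a RST) is closed/conn-refused, and a timeout (dropped SYNs) is filtered/no-response. The `start_listener` and `free_closed_port` helpers are test fixtures so the scanner can be exercised against 127.0.0.1 without any external host.

```python
import errno
import socket


def parse_ports(spec: str, max_port: int = 65535) -> list:
    """Expand an nmap-style port spec: '22,25,80', '22-445', '22-', or '-' for all ports."""
    if spec.strip() == "-":
        return list(range(1, max_port + 1))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else max_port
            if not 1 <= lo <= hi <= max_port:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(item)
            if not 1 <= p <= max_port:
                raise ValueError(f"bad port: {item}")
            ports.add(p)
    return sorted(ports)


def connect_scan(host: str, port: int, timeout: float = 1.0) -> tuple:
    """Full three-way handshake like `nmap -sT`; returns (state, reason) in Nmap's --reason terms."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))            # SYN -> SYN/ACK -> ACK completes inside connect()
        return ("open", "syn-ack")
    except ConnectionRefusedError:
        return ("closed", "conn-refused")  # the kernel received a RST
    except socket.timeout:
        return ("filtered", "no-response") # SYN retransmits went unanswered (dropped)
    except OSError as e:
        # EHOSTUNREACH / ENETUNREACH etc.: an ICMP error reached the kernel. Nmap reports
        # such ports as filtered with the matching reason; we surface the errno name.
        return ("filtered", errno.errorcode.get(e.errno, "error"))
    finally:
        s.close()  # the connection is torn down again, which is what makes -sT noisy


def scan(host: str, spec: str, timeout: float = 1.0) -> dict:
    """Scan every port in `spec` and return {port: (state, reason)}."""
    return {p: connect_scan(host, p, timeout) for p in parse_ports(spec)}


# --- test fixtures (constructed for this example, not part of a scan) ---
def start_listener(host: str = "127.0.0.1"):
    """Open a TCP listener on an ephemeral port so the scanner has an 'open' port to hit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port so nothing listens on it (connect gets a RST)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    for port, (state, reason) in scan("127.0.0.1", f"{open_port},{free_closed_port()}").items():
        print(f"{port}/tcp\t{state}\t{reason}")
    srv.close()
```

Note that this is exactly why -sT shows up in application logs: the handshake completes and the socket is then closed, so the service sees a real connection with no data. A SYN scan (-sS) never sends the final ACK, so most services never learn of the probe.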
Firewalled Ports Behavior
Dropped (No Response)
sudo nmap <target> -p 139 --packet-trace -n --disable-arp-ping -Pn
Multiple SYNs sent → no reply → marked filtered
Rejected (ICMP Error Returned)
sudo nmap <target> -p 445 --packet-trace -n --disable-arp-ping -Pn
ICMP type 3, code 3 (Port Unreachable) → Nmap marks the port filtered; for a TCP port this usually means a firewall reject rule rather than a closed port (a closed port would answer with a RST)
📡 Discovering Open UDP Ports
Top 100 UDP Ports
sudo nmap -sU -F <target>
Scan a Single UDP Port (137)
sudo nmap -sU -Pn -n --disable-arp-ping --packet-trace -p 137 --reason <target>
No response ≠ closed. Many UDP services only answer a correctly formatted application-level request, so an empty probe to an open port often gets nothing back; Nmap sends protocol-specific payloads for well-known ports (137 is one of them), which is why it can report such a port as open.
Scan Closed UDP Port (ICMP Unreachable)
sudo nmap -sU -Pn -n --disable-arp-ping --packet-trace -p 100 --reason <target>
ICMP type 3, code 3 (Port Unreachable) = port closed; this is the only definitive "closed" signal for UDP
Open|Filtered UDP Port
sudo nmap -sU -Pn -n --disable-arp-ping --packet-trace -p 138 --reason <target>
No response at all: the port could be open (service silent) or filtered (probe dropped), so Nmap reports open|filtered
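The three UDP outcomes above (udp-response, port-unreach, no-response) are easy to reproduce without Nmap. The following is an added example (not from the original page or from the Nmap project) of a single-datagram UDP probe that uses a connected UDP socket so the kernel surfaces an ICMP Port Unreachable as a connection-refused error, and treats a recv timeout as open|filtered. It also carries a hand-built NBSTAT query for port 137, encoded from the NetBIOS spec (RFC 1002) as an assumption of this example rather than copied from Nmap's own payload file, to show why a protocol-aware payload turns a silent port into an "open" one. The `start_udp_responder` and `start_silent_udp_listener` helpers are test fixtures so the probe can be run against 127.0.0.1.

```python
import errno
import socket
import threading

# NBSTAT (node status) query for the wildcard name "*": RFC 1002 first-level encoding
# turns each byte into two letters ('A' + nibble), so 0x2A becomes "CK" and the
# 15 padding NULs become 30 'A's. Header: id 0x80f0, flags 0x0010 (broadcast), qdcount 1,
# QTYPE 0x0021 (NBSTAT), QCLASS 0x0001 (IN). Built here for the example.
NBSTAT_QUERY = (
    b"\x80\xf0\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    b"\x00\x21\x00\x01"
)

# Per-port payloads this example knows about; anything else gets an empty datagram,
# which is what makes most open UDP ports look like open|filtered.
PROBES = {137: NBSTAT_QUERY}


def udp_probe(host: str, port: int, payload: bytes = None, timeout: float = 1.0) -> tuple:
    """Send one datagram and classify the port the way `nmap -sU --reason` would."""
    if payload is None:
        payload = PROBES.get(port, b"")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connected UDP socket: ICMP errors are delivered to recv()/send()
        s.send(payload)
        s.recv(4096)
        return ("open", "udp-response")
    except (ConnectionRefusedError, ConnectionResetError):
        # ICMP type 3 / code 3 came back (Windows reports it as WSAECONNRESET)
        return ("closed", "port-unreach")
    except socket.timeout:
        return ("open|filtered", "no-response")
    except OSError as e:
        # other ICMP unreachables (host/net/admin prohibited): Nmap calls these filtered
        return ("filtered", errno.errorcode.get(e.errno, "error"))
    finally:
        s.close()


# --- test fixtures (constructed for this example) ---
def start_udp_responder(reply: bytes = b"pong", host: str = "127.0.0.1"):
    """A UDP service that answers the first datagram it gets, so the probe sees 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        try:
            _, peer = srv.recvfrom(4096)
            srv.sendto(reply, peer)
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_silent_udp_listener(host: str = "127.0.0.1"):
    """A bound UDP socket that never answers: what most UDP services look like to a bare probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_silent_udp_listener()
    print(port, udp_probe("127.0.0.1", port, timeout=0.5))   # open|filtered / no-response
    srv.close()
    srv, port = start_udp_responder()
    print(port, udp_probe("127.0.0.1", port, b"ping"))        # open / udp-response
    srv.close()
    print(port, udp_probe("127.0.0.1", port, b"ping"))        # closed / port-unreach on Linux
```

Against a real target, the closed case depends on the host actually emitting ICMP Port Unreachable; many systems rate-limit those messages, which is one reason UDP scans are slow and why Nmap retries before settling on open|filtered.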