nmap

Nmap is included with many Linux distros. You can download Windows binaries, and source code for Unixish OSes (although I could not get it to compile on Mac OS X - first time I've had trouble with anything that was SUPPOSED to compile).

The simplest use is just:

nmap -v somehost.com
 

That might get you back a list like this:

(The 1600 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     open        http                    

Nmap run completed -- 1 IP address (1 host up) scanned in 174 seconds
 

However, you can't blindly trust that. For example, the host I scanned here absolutely DOES have port 25 open for mail. Probably it was just busy or temporarily unavailable at the moment I ran this, because trying it again a minute later did list both 80 and 25 open. Nmap DOES try more than once, but in my testing, it's not unusual for it to miss things. That's probably helpful now and then if someone is scanning you with malicious intent.

We can be specific about ports to scan:

# nmap -v -p 20-25 somehost.com
Port       State       Service
20/tcp     filtered    ftp-data                
21/tcp     filtered    ftp                     
22/tcp     filtered    ssh                     
23/tcp     filtered    telnet                  
24/tcp     filtered    priv-mail               
25/tcp     open        smtp  
 

Note that -v only scans certain ports by default. You can see what those are by adding a "-d" to the command arguments. The machine above was also listening on certain odd ports above 1024, and nmap -v wouldn't tell us that unless we asked it to. Interestingly, nmap appears to skip certain ports. I captured output from a "-v -d" scan and then sorted it by port number so I could see what it actually looked at and found the following:

Ports 1 to 185 were scanned
Ports 187 to 550 were scanned
Ports 552 to 1027 were scanned
Ports 1029 to 1033 were scanned
 

There were several hundred higher number ports scanned, ending with 61439 through 61441 and 65301. Interestingly, a list of nmap scanned ports says it includes the 186 and 551 not seen in my dump. Perhaps even more interesting is that nmap said that it scanned 1600 ports, which would match my output if 186 and 551 were scanned. So, I added services on 186 and 551, and tried the scan again - it found both ports. The point of all this is that you need to be aware that nmap may indeed be doing what you want it to do, but its output isn't necessarily complete.

Here's Microsoft's version: http://www.counterhack.net/base_clippy_image.html

Comments?

More Articles by Tony Lawrence - Find me on Google+

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.