How to use Nmap to scan for open ports | TechTarget (2023)

The Nmap network reconnaissance and security auditing tool, first released in 1997, is one of the most fundamental and most widely used cybersecurity tools today. From its beginnings as an advanced port scanner, it has evolved into a multifunctional tool with a family of companion projects that can discover weak passwords, scan IPv6 addresses, perform IP address geolocation, detect vulnerabilities and more.

The open source tool helps security pros, networking teams, sys admins and other IT personnel scan hosts, networks, applications, mainframes, Unix and Windows environments, supervisory control and data acquisition systems, and industrial control systems.

Paulino Calderon, co-founder of Websec and part-time Nmap developer, wrote Nmap Network Exploration and Security Auditing Cookbook, Third Edition, published by Packt, to offer firsthand insights into using the multifaceted tool.

In this excerpt from Chapter 1, "Nmap Fundamentals," Calderon shares a recipe on how to use Nmap to find open ports. Follow along to learn how to perform the quintessential Nmap task, and review Calderon's tips on port scanning techniques, options that affect the scan behavior of Nmap and more. Download a PDF of Chapter 1 to read more.

Listing open ports on a target

This recipe describes how to use Nmap to determine the port states of a target, a process commonly referred to as port scanning and used to identify running services. This is one of the tasks Nmap excels at, so it is important to learn the essential Nmap options related to port scanning.

How to do it...

To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a hostname, or a network range:

$ nmap <target>

The scan results show all the host information obtained, such as the IPv4 (and IPv6, if available) address, the reverse DNS name, and the interesting ports with their service names. Every listed port has a state. Ports marked as open are of special interest because they represent services listening on the target host; ports marked as filtered tell you that a firewall or other filter is interfering with the probes, so their state could not be determined:

Nmap scan report for
Host is up (0.16s latency).
Other addresses for (not scanned):
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds

How it works...

The default Nmap scan returns a list of ports and, for each one, its state and a service name. The service name is not detected from traffic; it is looked up by port number in the nmap-services database distributed with Nmap, which is why 31337/tcp is labelled Elite in the output above whether or not anything of that name is actually running there. Use version detection (-sV) when you need the service identified from its real responses.


Nmap categorizes ports into the following states:

  • Open: A service is actively accepting TCP connections or UDP packets on this port.
  • Closed: The probes reached the port and were answered (for TCP, with a RST), but no service is listening there. A closed port still proves that the host is up and reachable.
  • Filtered: Nmap cannot tell whether the port is open because a firewall, router ACL, or host-based filter is dropping the probes; nothing comes back, or only an ICMP error.
  • Unfiltered: The port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rule sets, produces this state.
  • Open|Filtered: Nmap cannot distinguish open from filtered. This happens with scan types in which an open port gives no response, such as UDP, FIN, NULL, and Xmas scans.
  • Closed|Filtered: Nmap cannot distinguish closed from filtered. Only the idle scan (-sI) produces this state.

Even for this simple port scan, Nmap does many things in the background that can be configured as well. Nmap begins by converting the hostname to an IPv4 address using DNS name resolution. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use -n if you wish to skip this step, as follows:

$ nmap --dns-servers <serv1[,serv2],...> <target>

Afterward, it performs the host discovery process to check whether the target is online (see the Finding online hosts recipe). To skip this step, use the no ping option, -Pn:

$ nmap -Pn <target>

Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step as well if you do not need that information:

$ nmap -n <target>

The previous command will launch either a SYN stealth scan or a TCP connect scan depending on the privileges of the user running Nmap.

There's more...

Port scanning is one of the most powerful features available, and it is important that we understand the different techniques and options that affect the scan behavior of Nmap.

Privileged versus unprivileged

Running the simplest port scan command, nmap <target>, as a privileged user launches a SYN stealth scan (-sS) by default, whereas unprivileged users, who cannot create raw packets, fall back to the TCP connect scan (-sT). A TCP connect scan uses the operating system's high-level connect() system call to learn each port's state, so every probe of an open port completes the full three-way handshake. That makes it slower and noisier: the target application actually accepts the connection, so the attempt tends to show up in its logs. A SYN stealth scan builds raw TCP packets instead: it sends a SYN, treats a SYN/ACK reply as open and a RST as closed, and tears the exchange down without completing it, which is why the technique is known as half-open scanning.
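The following Python script is an added example, not code from the book or from Nmap: it implements the connect() technique just described and maps each outcome onto the Nmap port states listed earlier (open, closed, filtered). The listener it probes is a constructed fixture on 127.0.0.1, so it runs without touching any external host; a SYN stealth scan needs raw sockets and is not reproduced here.

```python
"""Added example (not Nmap code): a minimal TCP connect() scan in Python.

It mirrors what Nmap's -sT technique does, calling connect() on each port
and inferring the state from the outcome. The listener used for the
demonstration is a constructed fixture on 127.0.0.1.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port from the result of a full connect().

    open     -> connect() completed the three-way handshake (a service answered)
    closed   -> the host answered with RST, surfaced as ECONNREFUSED
    filtered -> no answer before the timeout, or an ICMP unreachable error:
                something between us and the port dropped or rejected the probe
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # On success the target application sees a real connection, which is
        # why a connect scan is noisier than a half-open SYN scan.
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
                 workers: int = 32) -> Dict[int, str]:
    """Probe every port concurrently; returns {port: state} ordered by port."""
    ports = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=min(workers, max(1, len(ports)))) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def summarize(states: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state, like Nmap's 'Not shown: N closed ports' line."""
    counts: Dict[str, int] = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def start_local_listener() -> socket.socket:
    """Constructed fixture: a TCP service on 127.0.0.1 at an ephemeral port.

    The kernel completes handshakes from the listen backlog even though we
    never call accept(), which is exactly what a connect scan observes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def unused_port() -> int:
    """Find a port with no listener (bind to 0, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one open and one closed port on localhost and return the results."""
    srv = start_local_listener()
    try:
        open_port = srv.getsockname()[1]
        closed_port = unused_port()
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        return {"open_port": open_port, "closed_port": closed_port,
                "states": states, "summary": summarize(states)}
    finally:
        srv.close()


if __name__ == "__main__":
    result = demo()
    for port, state in result["states"].items():
        print(f"{port}/tcp\t{state}")
    print(result["summary"])
```

Because the closed port answers with RST immediately while a filtered port only reveals itself by silence, the timeout value dominates the running time of a connect scan against a firewalled host; Nmap tunes this adaptively, which the fixed one-second timeout above does not.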


Scanning specific port ranges

Setting port ranges correctly is something you will do in almost every Nmap scan. You can use it to find machines that run a service on a specific port, for example, every SMB server listening on port 445. Narrowing down the port list also improves performance, which matters a great deal when scanning many targets.

There are several ways of using the Nmap -p option:

  • Port list separated by commas: $ nmap -p80,443 localhost
  • Port range denoted with hyphens: $ nmap -p1-100 localhost
  • Alias for all ports from 1 to 65535: # nmap -p- localhost
  • Specific ports by protocol: # nmap -pT:25,U:53 <target> (a T: or U: qualifier applies to every port after it, and the U: ports are only probed if a UDP scan, -sU, is also requested)
  • Service name: # nmap -p smtp <target>
  • Service name with wildcards: # nmap -p smtp* <target> (quote wildcard and bracket expressions so the shell does not expand them as file globs)
  • Only ports registered in the Nmap services database: # nmap -p[1-65535] <target>
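To make the -p grammar above concrete, here is an added Python example (not Nmap's own parser) that turns a port specification into per-protocol port sets. It handles comma lists, hyphen ranges including the open-ended "-100" and "1000-" forms, the bare "-" alias, T:/U: qualifiers, wildcard service names, and the bracketed "registered ports only" form. Service-name lookups use SERVICES, a small constructed stand-in for the nmap-services file that ships with Nmap.

```python
"""Added example (not Nmap's own parser): parsing Nmap-style -p port
specifications into per-protocol port sets.

SERVICES is a constructed subset of the nmap-services database; the real
file has thousands of (name, protocol) -> port entries.
"""
import fnmatch
import re
from typing import Dict, Set

# Constructed subset of nmap-services: (name, protocol) -> port.
SERVICES: Dict[tuple, int] = {
    ("smtp", "tcp"): 25,
    ("smtps", "tcp"): 465,
    ("submission", "tcp"): 587,
    ("http", "tcp"): 80,
    ("https", "tcp"): 443,
    ("http-alt", "tcp"): 8080,
    ("domain", "tcp"): 53,
    ("domain", "udp"): 53,
    ("snmp", "udp"): 161,
}


def _check(port: int) -> int:
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range 0-65535")
    return port


def _expand_item(item: str, proto: str) -> Set[int]:
    """One comma-separated element for one protocol: a number, a range, the
    '-' alias, a [bracketed] registered-only range, or a (wildcard) service
    name. Unknown service names yield an empty set."""
    if item.startswith("[") and item.endswith("]"):
        # Only ports inside the range that appear in the services database.
        registered = {port for (_, p), port in SERVICES.items() if p == proto}
        return _expand_item(item[1:-1], proto) & registered
    if item.isdigit():
        return {_check(int(item))}
    m = re.fullmatch(r"(\d*)-(\d*)", item)
    if m:  # 'a-b', '-b' (from 1), 'a-' (to 65535), or '-' alone (1-65535)
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else 65535
        if lo > hi:
            raise ValueError(f"inverted port range {item!r}")
        return set(range(_check(lo), _check(hi) + 1))
    return {port for (name, p), port in SERVICES.items()
            if p == proto and fnmatch.fnmatchcase(name, item)}


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for a -p argument.

    Nmap semantics: a T: or U: qualifier applies to every element after it;
    unqualified elements go on both protocol lists, and the scan types
    requested (-sS, -sU, ...) decide which lists are actually probed.
    """
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in "TU":
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:].strip()
        if not item:
            raise ValueError(f"empty element in port spec {spec!r}")
        matched = False
        for proto in protos:
            ports = _expand_item(item, proto)
            if ports:
                matched = True
                result[proto].update(ports)
        if not matched:
            raise ValueError(f"no ports match {item!r}")
    return result


if __name__ == "__main__":
    for example in ("80,443", "1-100", "-", "T:25,U:53", "smtp", "smtp*", "[1-100]"):
        parsed = parse_port_spec(example)
        print(f"{example:12} tcp={len(parsed['tcp'])} udp={len(parsed['udp'])}")
```

Running it shows why a stray qualifier matters: in "T:25,U:53,161" the 161 lands on the UDP list only, because the U: applies to everything after it.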

Selecting a network interface

Nmap attempts to automatically detect your active network interface; however, there are some situations where it will fail or perhaps you will need to select a different interface in order to test networking issues. To force Nmap to scan using a different network interface, use the -e argument:

# nmap -e <interface> <target>
# nmap -e eth2 <target>

This is only necessary if you have problems with broadcast scripts or see the WARNING: Unable to find appropriate interface for system route to message.

More port scanning techniques

In this recipe, we talked about the two default scanning methods used by Nmap: the SYN stealth scan and the TCP connect scan. However, Nmap supports several more advanced port scanning techniques, among them the ACK, Window, FIN, NULL, Xmas, idle, and UDP scans. Run nmap -h or consult the port scanning techniques chapter of the Nmap reference guide, where Fyodor describes in depth how each of them works.

Target specification

Nmap supports several target formats that allow users to work with IP address ranges. The most common type is when we specify the target's IP or host, but it also supports the reading of targets from files and ranges, and we can even generate a list of random targets as we will see later.

Any arguments that are not valid options are read as targets by Nmap. This means that we can tell Nmap to scan more than one range in a single command, as shown in the following command:

# nmap -p25,80 -O -T4 <range1> <range2>

There are several ways that we can handle IP ranges in Nmap:


  • Multiple host specification
  • Octet range addressing (they also support wildcards)
  • CIDR notation

To scan several individual IP addresses, list them on the command line separated by spaces:

$ nmap <ip1> <ip2> <ip3>

We can also specify octet ranges using a hyphen (-). Any octet may be written as <start>-<end>, and Nmap expands it to every value in that range, so three consecutive hosts in the same network can be expressed by giving the last octet as a range, as shown in the following command:

$ nmap <a>.<b>.<c>.<first>-<last>

Octet range notation also supports wildcards, so we could scan every address from 192.168.1.0 to 192.168.1.255 with the expression 192.168.1.*:

$ nmap 192.168.1.*

Excluding hosts from scans

In addition, you may exclude hosts from the ranges by specifying the --exclude option, as shown next:

$ nmap <target range> --exclude <host>
$ nmap <target range> --exclude <host1>,<host2>

Otherwise, you can write your exclusion list in a file using the --exclude-file option:

$ cat dontscan.txt
$ nmap <target range> --exclude-file dontscan.txt

CIDR notation for targets

CIDR notation (pronounced cider) is a compact way of writing an IP address together with its routing prefix. It displaced classful addressing because it allows subnet masks of variable length, and therefore networks of almost any size.

A CIDR block is written as an IP address followed by a slash and a prefix length, which is the number of leading bits that identify the network. IPv4 addresses are 32 bits long, so the prefix length can be anything from 0 to 32; the most common values are /8, /16, /24, and /32.

To visualize it, take a look at the following CIDR-to-netmask conversions:


  • /8: 255.0.0.0
  • /16: 255.255.0.0
  • /24: 255.255.255.0
  • /32: 255.255.255.255

For example, a /24 block covers 256 IP addresses that share the first three octets, while a /8 block covers every address that shares the first octet (the /8 beginning with 50 spans 50.0-255.0-255.0-255, more than 16 million addresses). The /32 suffix is also valid and represents a single IP address.

The CIDR notation can also be used when specifying targets. To scan the 256 hosts in using the CIDR notation, you will need the /24 suffix:

$ nmap <network address>/24

Working with target lists

Many times, we will need to work with multiple targets, but having to type a list of targets in the command line is not very practical. Fortunately, Nmap supports the loading of targets from an external file. Enter the list of targets into a file, each separated by a new line, tab, or space(s):

$ cat targets.txt

To load the targets from the targets.txt file, use the Nmap -iL <filename> option:

$ nmap -iL targets.txt

Important note

This feature can be combined with any scan option or method, except for exclusion rules set by --exclude or --exclude-file. The --exclude and --exclude-file options will be ignored when -iL is used.

You can also use different target formats in the same file. In the following file, we specify an IP address and an IP range inside the same file:


$ cat targets.txt

You can enter comments in your target list by starting the new line with the # character:

$ cat targets.txt
# FTP servers
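The target-specification sections above (multiple hosts, octet ranges and wildcards, CIDR blocks, --exclude / --exclude-file, and -iL target files with # comments) are brought together in the following added Python example. It is not Nmap's own target parser; it expands the same notation offline so you can check what a specification will cover before pointing a scan at it. The file contents and addresses are constructed for the example from the RFC 5737 documentation ranges, and hostnames are passed through without any DNS lookup.

```python
"""Added example (not Nmap's own target parser): expanding Nmap-style target
specifications offline.

TARGET_FILE and EXCLUDE_FILE are constructed inputs using RFC 5737
documentation addresses; nothing here resolves names or sends packets.
"""
import ipaddress
import itertools
import re
from typing import Iterable, List, Set

_OCTET = re.compile(r"\*|\d+(?:-\d+)?")


def _expand_octet(tok: str) -> List[int]:
    """'*' -> 0..255, '10-12' -> [10, 11, 12], '7' -> [7]."""
    if tok == "*":
        return list(range(256))
    lo, _, hi = tok.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range {tok!r}")
    return list(range(lo_i, hi_i + 1))


def expand_target(spec: str) -> Set[str]:
    """Expand one target spec into dotted-quad strings (or return a hostname as-is)."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts host bits in the address (192.168.1.5/24), as
        # Nmap does; network and broadcast addresses are included, also as
        # Nmap does, which is why a /24 yields 256 targets.
        net = ipaddress.ip_network(spec, strict=False)
        return {str(addr) for addr in net}
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET.fullmatch(o) for o in octets):
        return {".".join(map(str, combo))
                for combo in itertools.product(*(_expand_octet(o) for o in octets))}
    return {spec}  # hostname: resolved by DNS at scan time, not here


def cidr_to_netmask(prefix: int) -> str:
    """/24 -> '255.255.255.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def host_count(prefix: int) -> int:
    """Number of addresses in an IPv4 block with the given prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{prefix}").num_addresses


def read_target_file(text: str) -> List[str]:
    """-iL semantics as described above: entries separated by spaces, tabs or
    newlines; a line starting with # is a comment."""
    specs: List[str] = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        specs.extend(line.split())
    return specs


def _sort_key(s: str):
    """Numeric order for addresses; hostnames sort after them."""
    try:
        return (0, int(ipaddress.IPv4Address(s)))
    except ipaddress.AddressValueError:
        return (1, s)


def build_target_list(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every target spec, then drop anything matched by the exclusion
    specs (--exclude / --exclude-file), which accept the same notation."""
    wanted: Set[str] = set()
    for spec in targets:
        wanted |= expand_target(spec)
    excluded: Set[str] = set()
    for spec in exclude:
        excluded |= expand_target(spec)
    return sorted(wanted - excluded, key=_sort_key)


# Constructed -iL file (RFC 5737 documentation addresses, not real targets).
TARGET_FILE = """\
# FTP servers
192.0.2.10 192.0.2.11
# a small lab block and a hostname
198.51.100.0/30
host.example
"""

# Constructed --exclude-file contents.
EXCLUDE_FILE = """\
192.0.2.11
198.51.100.0-1
"""


def demo() -> List[str]:
    return build_target_list(read_target_file(TARGET_FILE),
                             exclude=read_target_file(EXCLUDE_FILE))


if __name__ == "__main__":
    for target in demo():
        print(target)
```

Expanding a specification this way before a scan is also a cheap safety check: a wildcard or a too-short prefix length that quietly turns a handful of hosts into tens of thousands shows up as a long list here rather than as an unexpectedly large scan.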


About the author
Paulino Calderon (@calderpwn on Twitter) is a published author and international speaker with more than 10 years of professional experience in network and application security. He co-founded Websec, a consulting firm securing applications, networks and digital assets operating in North America, in 2011. When he isn't traveling to security conferences or consulting for Fortune 500 companies with Websec, he spends peaceful days enjoying the beach in Cozumel, Mexico. His contributions have reached millions of users through Nmap, Metasploit, Open Web Application Security Project Mobile Security Testing Guide, OWASP Juice Shop and OWASP IoTGoat.

