How to Use Nmap Command in Linux to Scan Open Ports
Nmap stands for Network Mapper. It is an open-source command line tool in Linux used for network exploration and security auditing. As a system administrator, you can use Nmap to scan networks and monitor host and service uptime. In this article, you will learn How to Use Nmap Command in Linux to Scan Open Ports. Nmap is a port security network scanner that helps you to troubleshoot network connectivity issues and port scanning.
Prerequisites to Use Nmap to Scan Open Ports
To let this article works correctly, provide the below options and move on to exploring how to use Nmap command in Linux to scan open Ports.
- A system running Linux Operating System.
Tip: If you have purchased a VPS with IPv6 configuration, secure both your IPv4 & IPv6 network interface with the appropriate tools.
- A non-root user with
- Access to a command line or terminal window.
- The apt and yum package manager.
All you need to know about Ports
A Port is an address that helps distinguish traffic destined for different applications or services which is implemented inside the operating system. Ports often have a default usage. TCP, UDP, Ping, and SYN scans are the most basic types of scans that send a specific type of packet to the target IP. According to the received response, the nmap command determines if the port is open or closed in Linux and displays the status of the target machine.
Knowing which ports are open and which are blocked matters. Because the port configuration can cause a security risk. If you are using a modern Operating System, ports are numbered addresses for network traffic. Firewall rules can be used to allow some ports and block others. So, you can configure your Linux firewall to block all traffic on the desired port. Also, you can use a firewall to scan traffic on a particular port and watch for suspicious traffic.
Previously, you learned what are Differences Between IPv4 & IPv6. As you know, IPv6 security is maintained separately from IPv4 in Linux. While by default ‘’nmap’’ scans IPv4 addresses, it can scan IPv6 addresses if the proper option is specified.
In order for a web server, an application server, and a file server to communicate, they each listen on a specific port. Once you are connected to a server, you connect to the IP address and a port. Due to the software you are using, the port will be specified. Stay with us in this guide to explore ports in more detail. Netstat program will be used to identify open ports and then, the nmap program is used to display the information of the machine’s port state on a network. Finally, at the end of this article, you must be able to identify common ports and scan your system for open ports.
Before going through this guide and finding out how to use Nmap command in Linux, let’s learn how to identify common Ports.
Most ports under 1000 are dedicated and assigned to a specific service. Ports are specified by a number ranging from 1 to 65535. You do not need to concern with the services that tend to bind to specific ports because the number of available ports is so much.
You must have root privileges to assign services to ports below 1024 since they are associated with services that Linux and Unix-like operating systems consider critical to essential network functions.
Ports between 1024 and 49151 are considered as ‘’registered’’. So, they can be ‘’reserved’’ for certain services by issuing a request to the Internet Assigned Numbers Authority (IANA).
According to your needs, you should learn how to find the appropriate ports for the applications you are trying to configure within their respective documentation.
In this part, you will get familiar with some of the most used and standard ports. Let’s see their designations.
- 20: FTP data
- 21 – FTP control port
- 22 – SSH
- 23: Telnet
- 25 – SMTP
- 43: WHOIS protocol
- 53 – DNS services
- 67: DHCP server port
- 68: DHCP client port
- 80 – HTTP – Unencrypted Web traffic
- 110 – POP3 mail port
- 113: Ident authentication services on IRC networks
- 123 – NTP
- 143 – IMAP mail port
- 161: SNMP
- 194: IRC
- 389: LDAP port
- 443 – HTTPS – secure web traffic
- 465 – SMTPS (send secure email)
- 587: SMTP – message submission port
- 631 – CUPS printing daemon port
- 993 – IMAPS (secure email inbox)
- 666: DOOM – This legacy game actually has its own special port
If both the client and server are configured to use a non-standard port, the service can be configured to use a port other than the default.
To list some of the common ports, use:
You will get an output like the below one that displays multiple pages depending on your system. To see the next page, press the
SPACE key, and to return to your prompt, press
Tutorial Use Nmap Command in Linux to Scan Open Ports
To understand which ports are open, a process of attempting to connect to some sequential ports is needed which is called Port scanning. It also shows what services and operating systems are behind those ports. Each section of the below explanation helps you to reach out the way you can use Nmap Command in Linux.
How to Check Open Ports [Nmap & Netstat]
Here is a useful tip before you continue on learning How to use Nmap command in Linux to scan open Ports. You can use various tools to scan for open ports. Netstat is one of them that is pre-installed on most Linux distributions. Using netstat helps you to discover which services you are running. To use this tool, type:
sudo netstat -plunt
As you see, you can see the port and listening socket associated with the service, which lists both UDP and TCP protocols. In the following of this guide, you can see how to use Nmap as the other tool for port identification.
This is because this section discusses how to use two different tools to scan for open ports: Nmap and Netstat. The link to Check Open Ports in Linux can then provide more information about using Netstat, which is a more basic tool than Nmap.
How to Use Nmap Port Scanner
sudo apt-get update
sudo apt-get install nmap
And to see a more extensive association between ports and services by looking in this file, run:
Scan Nmap Ports
Open the terminal and run the command below to scan Nmap ports on your remote machine. Here is the basic format for Nmap.
sudo nmap 192.168.0.1
Clearly, you must replace your system IP address with the above IP address to view the information of ports on your system.
To scan a host, type:
You might need to scan a range of IP addresses. For example, 1-10. To do this, use the command below with the recent explanation about replacing your IP address.
Also, you can run Nmap on a subnet:
If you consider scanning targets from a text file, type:
nmap –iL textlist.txt
Scan a single or series of ports Using Nmap
Using Nmap enables you to scan a single port or a series of ports. To do this, you just need to scan port 80 on the system you are testing.
nmap –p 80 192.168.0.1
Then, scan ports 1 through 200:
nmap –p 1-200 192.168.0.1
Use the following command to scan the most common ports:
nmap –F 192.168.0.1
And finally, you will be able to scan all ports (1 – 65535) by running:
nmap –p– 192.168.0.1
Type of Nmap Port Scans
Using Nmap allows you to experience different types of scans. As we mentioned, there are some basic types of scans like TCP, UDP, Ping, and SYN scans. Let’s see how these types perform.
In TCP/IP and UDP networking, ports are endpoints for logical communications. It takes longer to scan using TCP, but it is more likely to connect.
nmap –sT 192.168.0.1
The other type of Nmap Port scan is the default SYN scan:
nmap –sS 192.168.0.1
Also, you can use Nmap to scan UDP ports instead of TCP ports.
nmap –sU –p 80,130,255 192.168.0.1
the –p switch specifies ports 80, 130, and 255.
To perform a ping scanning or host discovery, use:
sudo nmap -sn 192.168.10.0/24
While host discovery uses ping, many server firewalls do not respond to ping requests. Use the command below to run a fast scan on the target system, but bypass host discovery.
nmap –Pn –F 192.168.0.1
the other usage of the nmap tool is to detect the operating system of a particular target:
nmap –A 192.168.0.1
Anytime you want to probe for the services that might be using different ports, you can easily use nmap:
nmap –sV 192.168.0.1
To install Nmap on CentOS and other Red Hat derivatives:
sudo dnf install nmap
And to install Nmap on macOS, run:
brew install nmap
If you are scanning a large network and need to increase speed, you need to disable reverse-DNS resolution to speed up the scan. So, run:
sudo nmap -n 192.168.10.0/16
Keep in mind to replace your IP address.
Yes, Nmap can detect it using TCP/IP stack fingerprinting. To do this, run:
sudo nmap -O scanme.nmap.org
In this article, you learned How to Use Nmap Command in Linux to Scan Open Ports. Now, you know why it is important to know about ports and port scanning tools. You also reviewed how ports work, port configuration, and the way you can use them. There are so many tools that you can use to find which port is open. Nmap and netstat were explained in this guide to let you choose which one meets your needs. If you find any unusual activity during your scan, it means that something is going wrong like a service running on an unusual port number. If a service is running on a non-default port, it might suggest there is a security breach.
Nmap can make administrators think that someone has malicious intent. So, you are recommended to test it on servers that you own or when you have notified the owner. If you feel you like to experiment on a test server, refer to scanme.nmap.org where the nmap developers have provided what you need to test your Nmap utility. It helps you to decide if you are interested to use Nmap command to scan ports or not. If you have experienced any other scanning tools, let us know about your knowledge.