Port Scanning
Once you’ve discovered hosts on the network, you can run a port
scanner to find their open ports and the services they’re running.
Let’s explore two port scanning tools: Nmap and RustScan.
Scanning Targets with Nmap
Nmap allows us to perform port scanning against a single target or
multiple targets at once. In the following example, we use Nmap to
perform a port scan of the domain scanme.nmap.org.
$ nmap scanme.nmap.org
Nmap also accepts IP addresses, like so:
$ nmap 172.16.10.1
When no special options are provided on the command line, Nmap
uses the following default settings:
Performs a SYN Scan.
Nmap uses a SYN scan to discover open ports on a target when it runs
with root privileges (raw packets are required); as an unprivileged
user it falls back to a full TCP connect scan (-sT). Also called a
half-open scan, a SYN scan involves sending a SYN packet and waiting
for a response. Nmap won't complete the full TCP handshake (instead
of the final ACK, it sends a RST to tear the connection down), which
is why we call this scan half open.
Scans the Top 1000 Ports.
Nmap scans only the 1,000 ports most frequently found open, such as
TCP ports 21, 22, 80, and 443. It won't scan the entire port range of
0 to 65,535 (65,536 ports), to conserve time and resources.
Scans TCP Ports.
Nmap scans only TCP ports, not UDP ports.
Nmap allows you to scan multiple targets by passing them on the
command line. In the following example, we scan both localhost and
scanme.nmap.org (Listing 4-10).
$ nmap localhost scanme.nmap.org
Listing 4-10
Passing multiple addresses to Nmap
Nmap can also read targets from a given file using its -iL
option. List one target per line (Nmap also accepts entries separated
by spaces or tabs). Let's use our 172-16-10-hosts.txt file with Nmap
to scan multiple targets, adding -sV so that Nmap also probes each
open port to identify the service and version running on it:
$ nmap -sV -iL 172-16-10-hosts.txt
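A scan like the one above is rarely the end of the story: you usually want to pull the open ports out of the results and feed them into a more focused follow-up scan. The following script is an added example, not code from the book, that uses bash and awk to parse Nmap's grepable output format (what you get by adding -oG scan.gnmap to the command). The scan results it processes are constructed for this example; the hosts, services and version strings are made up and not taken from a real scan.

```shell
#!/usr/bin/env bash
# Added example: post-process Nmap's grepable output (-oG) with bash/awk.
# A scan such as   nmap -sV -iL 172-16-10-hosts.txt -oG scan.gnmap
# writes one "Host: <ip> (<name>)<tab>Ports: ..." line per live host.
# The results below are constructed for this example, not a real scan.

# Write a constructed scan.gnmap to a temp file and print its path.
sample_file() {
    local f
    f=$(mktemp)
    # %b expands the \t escapes: real -oG output separates fields with tabs.
    printf '%b\n' \
        '# Nmap 7.94 scan initiated as: nmap -sV -iL 172-16-10-hosts.txt -oG scan.gnmap' \
        'Host: 172.16.10.10 ()\tStatus: Up' \
        'Host: 172.16.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)' \
        'Host: 172.16.10.11 ()\tStatus: Up' \
        'Host: 172.16.10.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)' \
        'Host: 172.16.10.12 ()\tStatus: Down' \
        '# Nmap done -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds' > "$f"
    printf '%s\n' "$f"
}

# Print "ip port/proto service version" for every port Nmap reported open.
# Each port entry has seven slash-separated fields:
#   port/state/proto/owner/service/rpc/version
# Nmap rewrites any "/" inside the version string as "|", so splitting
# on "/" is safe.
open_ports() {  # usage: open_ports <scan.gnmap>
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2                                   # $1 is "Host:", $2 the address
            ports = $0
            sub(/.*Ports: /, "", ports)               # drop everything before the list
            sub(/[ \t]+Ignored State:.*$/, "", ports) # drop the trailing summary
            n = split(ports, entry, /, /)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] != "open") continue          # skip closed/filtered ports
                line = ip " " f[1] "/" f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]  # version only if -sV found one
                print line
            }
        }' "$1"
}

# Comma-separated list of one host's open ports, ready for a focused
# follow-up scan, e.g.:
#   nmap -sV -p "$(ports_for_host scan.gnmap 172.16.10.10)" 172.16.10.10
ports_for_host() {  # usage: ports_for_host <scan.gnmap> <ip>
    open_ports "$1" | awk -v ip="$2" '
        $1 == ip { split($2, p, "/"); list = list (list == "" ? "" : ",") p[1] }
        END { print list }'
}

# Demonstration run against the constructed results.
gnmap=$(sample_file)
open_ports "$gnmap"
printf 'Follow-up: nmap -sV -p %s 172.16.10.10\n' "$(ports_for_host "$gnmap" 172.16.10.10)"
rm -f "$gnmap"
```

To use this against a real scan, replace sample_file with the path of the scan.gnmap you wrote with -oG; the two functions only depend on the Host/Ports line layout, which is the same whether the scan targeted one host or an entire -iL list.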
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks