Port Scan

Last modified: 2023-08-03

Network Reconnaissance

Port Scanning is a port mapping on the network. It is often executing when reconnaissance.


Nmap is still the most commonly used tool when scanning ports of the target system.
But in recent years, some other tools, such as masscan or rustscan, are also becoming popular because the tools scan faster than nmap.

Basic Scan

It's recommened to do as stealth scan (SYN scan) by adding the option "-sS".
Also it’s prefered to add “-T2” flag.

sudo nmap -sS <target-ip>

# OS version detection (-V)
# Default NSE (-C)
sudo nmap -sSVC <target-ip>
# All detection
sudo nmap -sS -A <target-ip>

Skipping the host discovery

sudo nmap -sS -Pn <target-ip>

Scanning all ports.

sudo nmap -sS -p- <target-ip> --min-rate 1000
sudo nmap -sS -p 1-65535 <target-ip> --min-rate 1000

Scanning the specific range ports.

sudo nmap -sS -p 1000-1500 <target-ip>

Scannning top ports.

sudo nmap -sS --top-ports 100 <target-ip>

First 1000 ports.

sudo nmap -sS -p-1000 <target-ip>

Wildcard IP

nmap 10.0.0.*

CIDR (Classless Inter-Domain Routing)


UDP Scan

Sometimes you need the UDP scan.

nmap -sU --top-ports 25 <target-ip>
nmap -sU --top-ports 50 --open <target-ip>

Other Scan Techniques

FIN scan

# FIN scan
nmap -sF <target-ip>
# Xmas scan
nmap -sX <target-ip>

Firewall Bypass

# Fragmented packets
nmap -f <target-ip>

# Specify MTU (Maximum Transmission Unit)
nmap --mtu 16 <target-ip>
nmap --mtu 24 <target-ip>

# Decoy
nmap -D RND:3 <target-ip>

Nmap Scripting Engine (NSE)

nmap -sC <target-ip>
nmap --script vuln <target-ip>

Using Proxychains

First start Tor service.

sudo service tor start
sudo service tor status

To execute the nmap with proxychains, add the proxychains command before the nmap command.

sudo proxychains nmap -sS <target-ip>

Port Knocking

Port knocking is a method of establishing a connection to a networked computer that has no open ports.

for i in <port_1> <port_2> <port_3>;do nmap -Pn -p $i --host-timeout 201 --max-retries 0 <target-ip>;done

# or we can use `curl` command for knocking ports.
# -m: max time in seconds
curl <ip>:<port1> -m 1
curl <ip>:<port2> -m 1
curl <ip>:<port3> -m 1

After that, check if ports opened.

nmap <target-ip>


Masscan is a TCP port scanner. It is faster than nmap.

masscan <target-ip>/16
masscan <target-ip>/24

# -p: Ports
masscan <target-ip>/16 -p 80,443
masscan <target-ip>/16 -p 22-80
masscan <target-ip>/16 -p 0-65535
# --top-ports
masscan <target-ip>/16 --top-ports 100


RustScan is the modern port scanner. It is faster than nmap.

# -a: Addresses
# --ulimit: Limit system resource amounts
rustscan -a <target-ip-1>,<target-ip-2> --ulimit 5000
rustscan -a 'hosts.txt' --ulimit 5000

rustscan -a

# -p: Ports
rustscan -a <target-ip> -p 22,80

We can also use the Nmap arguments as below.

rustscan -a <target-ip> -- -sS -A