Wednesday, October 6, 2010

How to identify Open Ports in Red Hat/CentOS/Fedora/Ubuntu server with nmap

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and commandline modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.
Install nmap in Fedora /CentOS/ RedHat

#yum install nmap -y
Install nmap in ubuntu
$sudo apt-get install nmap

Nmap examples

Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network.. While I don’t think port scanning other networks is or should be illegal, some network administrators don’t appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach.
For testing purposes, you have permission to scan the host This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: These permissions also apply to the hosts,, and so on, though those hosts do not currently exist.
#nmap -v

Starting Nmap 5.21 ( ) at 2010-10-06 18:02 IST
Initiating Ping Scan at 18:02
Scanning ( [4 ports]
Completed Ping Scan at 18:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:02
Completed Parallel DNS resolution of 1 host. at 18:02, 0.29s elapsed
Initiating SYN Stealth Scan at 18:02
Scanning ( [1000 ports]
Discovered open port 21/tcp on
Discovered open port 143/tcp on
Discovered open port 53/tcp on
Discovered open port 22/tcp on
Discovered open port 443/tcp on
Discovered open port 25/tcp on
Discovered open port 110/tcp on
Discovered open port 80/tcp on
Discovered open port 8008/tcp on
Discovered open port 8010/tcp on
Discovered open port 119/tcp on
Completed SYN Stealth Scan at 18:03, 34.78s elapsed (1000 total ports)
Nmap scan report for (
Host is up (0.043s latency).
Not shown: 986 filtered ports
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
110/tcp   open   pop3
113/tcp   closed auth
119/tcp   open   nntp
143/tcp   open   imap
443/tcp   open   https
8008/tcp  open   http
8010/tcp  open   xmpp
31337/tcp closed Elite

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 35.48 seconds
           Raw packets sent: 3986 (175.360KB) | Rcvd: 71 (3024B

This option scans all reserved TCP ports on the machine . The -v option enables verbose mode.

#nmap -sS -O

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

#nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

#nmap -v -iR 100000 -Pn -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.
Post a Comment