Scanning using specific port ranges
There are situations when a system administrator is looking for infected machines that use a specific port to communicate, or when users are only looking for a specific service or open port and don't really care about the rest. Narrowing down the port ranges used also optimizes performance, which is very important when scanning multiple targets.
This recipe describes how to use port ranges when performing Nmap scans.
How to do it...
Open your terminal and enter the following command:
# nmap -p80 192.168.1.1/24
A list of hosts with the state of port 80
will appear in the results.
Nmap scan report for 192.168.1.102 Host is up (0.000079s latency). PORT STATE SERVICE 80/tcp closed http Nmap scan report for 192.168.1.103 Host is up (0.016s latency). PORT STATE SERVICE 80/tcp open http MAC Address: 00:16:6F:7E:E0:B6 (Intel) Nmap scan report for 192.168.1.254 Host is up (0.0065s latency). PORT STATE SERVICE 80/tcp open http MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) Nmap done: 256 IP addresses (3 hosts up) scanned in 8.93 seconds
How it works...
Nmap uses the flag -p
for setting the port ranges to be scanned. This flag can be combined with any scanning method. In the previous example, we used the argument -p80
to indicate to Nmap that we are only interested in port 80.
The CIDR /24
in 192.168.1.1/24
is used to indicate that we want to scan all of the 256 IPs in our network.
There's more...
There are several accepted formats for the argument -p
:
- Port list:
# nmap -p80,443 localhost
- Port range:
# nmap -p1-100 localhost
- All ports:
# nmap -p- localhost
- Specific ports by protocols:
# nmap -pT:25,U:53 <target>
- Service name:
# nmap -p smtp <target>
- Service name wildcards:
# nmap -p smtp* <target>
- Only ports registered in Nmap services:
# nmap -p[1-65535] <target>
See also
- The Finding live hosts in your network recipe
- The Listing open ports on a remote host recipe
- The Scanning using a specified network interface recipe
- The Running NSE scripts recipe
- The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration
- The Forcing DNS resolution recipe in Chapter 2, Network Exploration
- The Excluding hosts from your scans recipe in Chapter 2, Network Exploration
- The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration
- The Listing protocols supported by a remote host recipe in Chapter 3, Gathering Additional Host Information