By default, Nmap scans only the 1,000 most common ports for each protocol, probing them in random order. The nmap-services file carries a popularity (frequency) score for each port, and that score decides which ports make the top list.
To change this behaviour, Nmap provides several options:
- -p <port range>: scans only the listed ports. To scan ports 1 to 1024, use -p 1-1024; to scan all ports, 1 to 65535, use -p-.
- -F (fast): scans only the 100 most common ports.
- -r (don't randomize ports): scans ports sequentially, from lowest to highest, instead of in random order.
- --top-ports <N>: scans only the N highest-ranked ports from the nmap-services file (N must be 1 or greater).
To scan for ports 22 and 25 using the TCP NULL scan method, you can use the following command:
nmap -sN -p 22,25 172.16.43.156
The result is the following output:
Nmap scan report for 172.16.43.156
Host is up (0.00089s latency).
PORT   STATE         SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
MAC Address: 00:0C:29:18:0F:08 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
The following is the corresponding packet dump:
23:23:38.581818 IP 172.16.43.150.61870 > 172.16.43.156.22: Flags [], win 1024, length 0
    0x0000:  4500 0028 06e4 0000 2f06 92ce c0a8 3866  E..(..../.....8f
    0x0010:  c0a8 3867 f1ae 0016 dd9e bf90 0000 0000  ..8g............
    0x0020:  5000 0400 2ad2 0000                      P...*...
23:23:38.581866 IP 172.16.43.150.61870 > 172.16.43.156.25: Flags [], win 1024, length 0
    0x0000:  4500 0028 1117 0000 3106 869b c0a8 3866  E..(....1.....8f
    0x0010:  c0a8 3867 f1ae 0019 dd9e bf90 0000 0000  ..8g............
    0x0020:  5000 0400 2acf 0000                      P...*...
23:23:39.683483 IP 172.16.43.150.61871 > 172.16.43.156.25: Flags [], win 1024, length 0
    0x0000:  4500 0028 afaf 0000 2706 f202 c0a8 3866  E..(....'.....8f
    0x0010:  c0a8 3867 f1af 0019 dd9f bf91 0000 0000  ..8g............
    0x0020:  5000 0400 2acc 0000                      P...*...
23:23:39.683731 IP 172.16.43.150.61871 > 172.16.43.156.22: Flags [], win 1024, length 0
    0x0000:  4500 0028 5488 0000 3506 3f2a c0a8 3866  E..(T...5.?*..8f
    0x0010:  c0a8 3867 f1af 0016 dd9f bf91 0000 0000  ..8g............
    0x0020:  5000 0400 2acf 0000                      P...*...
From the packets in the preceding dump, we can see the following:
- In the first and second packets, the attacking machine sends a flagless (NULL) probe to port 22 on the target machine and, shortly after, one to port 25.
- In the third and fourth packets, the attacking machine retries: it probes port 25 on the target machine and, shortly after, port 22 again.
- After waiting for some time with still no response from the target machine (a closed port would have answered a NULL probe with an RST), Nmap concludes that those two ports are open|filtered.
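As an added example (not from the book), the following Python script decodes tcpdump hex output like the dump above and reports the signature a NULL scan leaves on the wire: TCP segments with no flags set. The sample dump is constructed, mirroring the first probe (172.16.43.150:61870 to 172.16.43.156:22) plus an ordinary SYN for contrast, with checksums zeroed.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample in the tcpdump -x layout used above (an -X ASCII column is tolerated).
# Packet 1 mirrors the first NULL probe: 172.16.43.150:61870 -> 172.16.43.156:22, no flags.
# Packet 2 is an ordinary SYN, added for contrast. Checksums are zeroed and not verified.
SAMPLE_DUMP = """\
23:23:38.581818 IP 172.16.43.150.61870 > 172.16.43.156.22: Flags [], win 1024, length 0
    0x0000:  4500 0028 06e4 0000 2f06 0000 ac10 2b96
    0x0010:  ac10 2b9c f1ae 0016 dd9e bf90 0000 0000
    0x0020:  5000 0400 0000 0000
23:23:40.000000 IP 172.16.43.150.50000 > 172.16.43.156.80: Flags [S], win 64240, length 0
    0x0000:  4500 0028 0001 4000 4006 0000 ac10 2b96
    0x0010:  ac10 2b9c c350 0050 0000 0001 0000 0000
    0x0020:  5002 faf0 0000 0000
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s?){1,8})", re.I)
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bits 0..7 of byte 13

def split_packets(dump):
    """Group the dump into (summary_line, raw_bytes) pairs; hex lines accumulate into bytes."""
    packets = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m and packets:
            packets[-1][1].extend(bytes.fromhex(m.group(1).replace(" ", "")))
        elif line.strip():
            packets.append((line.strip(), bytearray()))
    return [(summary, bytes(raw)) for summary, raw in packets]

def decode_tcp(raw):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet without link-layer header."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]                          # TCP flag byte (NS bit in byte 12 ignored)
    return str(src), str(dst), sport, dport, flags

def flag_names(flags):
    return [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)]

def find_null_probes(dump):
    """A TCP segment with no flags set never occurs in normal traffic: report each one."""
    decoded = [decode_tcp(raw) for _, raw in split_packets(dump)]
    return [(s, sp, d, dp) for s, d, sp, dp, flags in decoded if flags == 0]
```

Feeding it a real capture (tcpdump -x, no link-layer header, e.g. on a tun interface) lists every flagless probe with its source and destination; a host or IDS that logs these sees the NULL scan even though the scanned ports never reply.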