In this tutorial, I'm going to illustrate Nmap scanning techniques for scanning the application ports of a target system or network as part of reconnaissance.
Before we start, I insist that you check out my previous post about Nmap at the link below.
Link: https://saraswatirepository.com/nmap/what-is-nmap-basics-of-nmap/
Note: To perform a scan, Nmap must be installed on our system.
Scanning Application Port of Target System
1. Nmap Default Scan
First check whether the target system is reachable from your system using ICMP (ping).
My System IP Address (Nmap Installed): 192.168.1.11
Target System: 192.168.20.84
iamvsm@SaraswatiRepostitory:~$ nmap 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 11:34 IST
Nmap scan report for 192.168.20.84
Host is up (0.0021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
As we can see in the above scan report, application ports 22 (SSH), 80 (HTTP) and 443 (HTTPS) are open on the target system, 192.168.20.84, which means this target system is a web server.
By default, Nmap scans 1000 well-known TCP ports of the target system, e.g., SSH (22), HTTP (80), TELNET (23), HTTPS (443), MySQL (3306), MSSQL (1433), FTP (20 & 21), NETBIOS (135, 139) and Microsoft Directory Service (445).
2. Scanning Specific TCP Ports (Single & Multiple) or Port Range for Single Target System
Commands to scan specific TCP ports or a port range on the target system:
i. Single TCP Port Scan
iamvsm@SaraswatiRepostitory:~$ nmap -p 22 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 11:47 IST
Nmap scan report for 192.168.20.84
Host is up (0.0025s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Here -p specifies the port(s) to scan.
ii. Multiple TCP Ports Scan
iamvsm@SaraswatiRepostitory:~$ nmap -p 22,443 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 11:51 IST
Nmap scan report for 192.168.20.84
Host is up (0.0030s latency).
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
iii. TCP Port Range Scan
iamvsm@SaraswatiRepostitory:~$ nmap -p 1-65535 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 12:45 IST
Nmap scan report for 192.168.20.84
Host is up (0.0084s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
7070/tcp open realserver
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
3. Scanning Specific UDP Ports (Single & Multiple) or Port Range for Single Target System
i. UDP Port Scan
iamvsm@SaraswatiRepostitory:~$ sudo nmap -sU -p 53 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 12:47 IST
Nmap scan report for 192.168.20.84
Host is up (0.0022s latency).
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Note: Nmap requires root privileges to perform UDP scans.
As we can see, the DNS port is open, which means the target is a DNS server as well.
Here -sU selects a UDP scan and -p specifies the port(s) to scan.
ii. UDP Port Range Scan
iamvsm@SaraswatiRepostitory:~$ sudo nmap -sU -p 50-100 192.168.20.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 13:05 IST
Nmap scan report for 192.168.20.84
Host is up (0.0020s latency).
Not shown: 50 open|filtered ports
PORT STATE SERVICE
53/udp open domain
67/udp open dhcps
68/udp open dhcpc
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
From the above scan report it can be identified that this server is also running a DHCP server. The remaining 50 ports are reported as open|filtered because no reply came back for them, and with UDP Nmap cannot tell an open port that stays silent from one blocked by a firewall.
4. Scanning Specific TCP & UDP Ports (Single & Multiple) or Port Range for Network or Subnet
i. Network or Subnet Scan
iamvsm@SaraswatiRepostitory:~$ nmap 192.168.20.0/24
Nmap scan report for 192.168.20.42
Host is up (0.0035s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 192.168.20.67
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
5900/tcp open vnc
Nmap scan report for 192.168.20.78
Host is up (0.0031s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
515/tcp open printer
631/tcp open ipp
9100/tcp open jetdirect
Nmap scan report for 192.168.20.84
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 256 IP addresses (13 hosts up) scanned in 215.50 seconds
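Once a subnet scan like the one above has run, the useful defender's step is turning the report into an inventory: which hosts are up, what each one exposes, and which of them run services that should not be reachable (for example the FTP and Telnet ports seen on 192.168.20.78). The script below is an added example, not code from the original post. It parses Nmap's normal text output (what you get on screen or with -oN); the embedded report is a constructed copy of the subnet scan and UDP range scan shown in this tutorial, so the script runs offline. To use it on a real scan, pass the saved -oN file contents to parse_nmap_report().

```python
"""Build a per-host port inventory from Nmap normal (-oN) output.

Added example, not part of the original tutorial. The sample reports are
constructed copies of the scans shown in the post so the script runs offline.
"""
import re

# Constructed sample: the tutorial's subnet scan (section 4.i), verbatim.
SAMPLE_TCP_REPORT = """\
Nmap scan report for 192.168.20.42
Host is up (0.0035s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
Nmap scan report for 192.168.20.67
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
3389/tcp  open  ms-wbt-server
5900/tcp  open  vnc
Nmap scan report for 192.168.20.78
Host is up (0.0031s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
443/tcp   open  https
515/tcp   open  printer
631/tcp   open  ipp
9100/tcp  open  jetdirect
Nmap scan report for 192.168.20.84
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
Nmap done: 256 IP addresses (13 hosts up) scanned in 215.50 seconds
"""

# Constructed sample: the tutorial's UDP range scan (section 3.ii).
SAMPLE_UDP_REPORT = """\
Nmap scan report for 192.168.20.84
Host is up (0.0020s latency).
Not shown: 50 open|filtered ports
PORT   STATE SERVICE
53/udp open  domain
67/udp open  dhcps
68/udp open  dhcpc
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+?)\s*$")
# port/proto, state (may be "open|filtered" for UDP), service name
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_report(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN text."""
    inventory = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            inventory.setdefault(host, [])  # keep hosts that list no ports
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service = m.groups()
            inventory[host].append((int(port), proto, state, service))
    return inventory


def open_port_counts(inventory):
    """Number of ports in state 'open' per host (open|filtered is excluded)."""
    return {h: sum(1 for _, _, st, _ in ports if st == "open")
            for h, ports in inventory.items()}


def hosts_exposing(inventory, services, states=("open",)):
    """Hosts offering any service in `services` in one of `states`.

    The default counts confirmed-open ports only; pass
    states=("open", "open|filtered") to include silent UDP ports too.
    """
    hits = {h for h, ports in inventory.items()
            if any(svc in services and st in states for _, _, st, svc in ports)}
    return sorted(hits)


if __name__ == "__main__":
    inv = parse_nmap_report(SAMPLE_TCP_REPORT)
    for host, count in sorted(open_port_counts(inv).items()):
        print(f"{host}: {count} open TCP port(s)")
    # Legacy cleartext services worth an exposure review on an internal subnet.
    print("ftp/telnet exposed on:", hosts_exposing(inv, {"ftp", "telnet"}))
    print("udp inventory:", parse_nmap_report(SAMPLE_UDP_REPORT))
```

The parser keys on the "Nmap scan report for" line, so it also accepts the "hostname (ip)" form that appears when reverse DNS succeeds, and it carries the UDP-specific open|filtered state through unchanged so the caller decides whether to treat unanswered UDP ports as exposure.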
Similarly, to scan the network for particular ports, e.g., the MySQL port 3306, the commands are shown below.
ii. Network Scan for Single Port
iamvsm@SaraswatiRepostitory:~$ nmap -p 3306 192.168.20.0/24
iii. Network Scan for Multiple Ports
iamvsm@SaraswatiRepostitory:~$ nmap -p 80,1433,3306 192.168.20.0/24
iv. Network Scan for Port Range
iamvsm@SaraswatiRepostitory:~$ nmap -p 1-65535 192.168.20.0/24
v. Network Scan for UDP Ports
iamvsm@SaraswatiRepostitory:~$ sudo nmap -sU -p 53,67 192.168.20.0/24
So this is how we can scan the application ports of a target system or network as part of information gathering or reconnaissance using Nmap scanning techniques.