Every service that needs to interface with the network its host is connected to listens on a port. Port scanning enumerates those ports so we can gather information such as which service is running, which version of that service, what operating system the host runs, and so on.
Port scanning generates a lot of traffic and is heavy on network bandwidth; it can cause the target to slow down or crash altogether. During a penetration test, you should *always* inform the client before you perform a port scan.
Port scanning without prior written permission from the target may be considered illegal in some jurisdictions.
The de facto standard port scanner is nmap, although alternatives such as masscan and RustScan do exist.
A lot of nmap's techniques require elevated privileges, so it is advisable to always run the tool with `sudo`.
There are two kinds of ports, depending on the transport-layer protocol they belong to: TCP and UDP. Both ranges span 0 to 65535, but they are completely separate namespaces, so TCP port 53 and UDP port 53 are different endpoints. For example, DNS uses UDP port 53 for queries but TCP port 53 for zone transfers.
To scan UDP ports, nmap requires elevated privileges and the `-sU` flag:

```
nmap -sU <target>
```
Because UDP is connectionless, a port that does not answer cannot be told apart from one that is filtered, so nmap has to wait out retransmission timeouts; UDP scanning therefore takes a lot longer than TCP scanning.
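Once a scan (TCP, UDP or both) has run, the results are usually consumed by a script rather than read by eye. The following is an added example, not code from the original page or from the nmap project: it parses nmap's grepable output format (`-oG`) into per-host, per-protocol port states, keeping TCP and UDP entries for the same port number separate, and it flags the ambiguous `open|filtered` state that UDP scans so often produce. The sample output embedded below is constructed (the host address, services and version strings are placeholders), and the port-entry layout it assumes is the documented `port/state/protocol/owner/service/rpcinfo/version/` form.

```python
"""Parse nmap grepable (-oG) output into per-protocol port states.

Added example, not nmap's own code. The sample below is constructed, not
the output of a real scan; host and service values are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample of "nmap -sS -sU -sV -oG -" output. Each entry in the
# Ports: field has the form port/state/protocol/owner/service/rpcinfo/version/
# and entries are separated by ", ". Note 53/tcp and 53/udp are distinct.
SAMPLE_GREPABLE = """\
# constructed sample of nmap -oG output
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/tcp//domain//ISC BIND 9.18/, 53/open|filtered/udp//domain///, 80/closed/tcp//http///, 123/open/udp//ntp///\tIgnored State: filtered (1995)
"""

# One port entry; the state field may contain '|' (e.g. open|filtered), and
# the version field may contain spaces, so only '/' is used as a separator.
PORT_RE = re.compile(
    r"(\d+)/([^/]*)/(tcp|udp|sctp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/"
)


def parse_grepable(text):
    """Return {host: {(port, proto): {"state", "service", "version"}}}."""
    results = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates fields with tabs
        host = fields[0].split()[1]        # "Host: 192.0.2.10 ()" -> address
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                   # e.g. "Status: Up" lines
            for entry in field[len("Ports:"):].split(", "):
                m = PORT_RE.match(entry.strip())
                if not m:
                    continue               # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = m.groups()
                results[host][(int(port), proto)] = {
                    "state": state,
                    "service": service,
                    "version": version,
                }
    return dict(results)


def summarize(parsed, host):
    """Split a host's ports into open, closed and ambiguous (state contains '|').

    The ambiguous bucket is where UDP results land when nothing answered:
    nmap cannot tell an open UDP service that stays silent from a filtered port.
    """
    buckets = {"open": [], "closed": [], "ambiguous": []}
    for key, info in sorted(parsed.get(host, {}).items()):
        state = info["state"]
        if "|" in state:
            buckets["ambiguous"].append(key)
        elif state in buckets:
            buckets[state].append(key)
    return buckets


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    for host in parsed:
        print(host, summarize(parsed, host))
```

The summary deliberately does not fold `open|filtered` into "open": treating every silent UDP port as a service is the classic way to inflate a UDP scan's findings, so the ambiguous ports are reported as a separate bucket for follow-up (for example a version probe with `-sV`, which nmap uses to resolve such ports).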
When scanning, nmap will determine that a port is in one of the following states:
By default, nmap scans only the 1000 most common TCP ports. One can scan specific ports by listing them, separated by commas, directly after the `-p` flag:

```
nmap -pport1,port2,... <target>
```
If no port numbers are given on either side of the dash after the `-p` flag (`-p-`), nmap will scan all ports (either UDP or TCP depending on the type of scan). Note that `-p` always takes an argument, so a bare `-p` followed by the target would be parsed as a port list and fail.

```
nmap -p- <target>
```
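It is easy to misjudge how many ports a given `-p` argument actually covers, and on an engagement that number decides both scan time and the load placed on the target. The block below is an added example, not nmap's own port-parsing code: it re-implements the subset of the `-p` syntax discussed above (comma lists, `lo-hi` ranges, a bare `-` meaning every port, and open-ended ranges such as `-100` or `100-`) plus the `T:`/`U:` protocol prefixes that let one argument address TCP and UDP ports separately, and validates the 0-65535 bound. The `default_protos` parameter is an assumption of this example: it stands in for which scan types (`-sS`, `-sU`, ...) are in effect, since ports listed before any prefix apply to all protocols being scanned.

```python
"""Expand an nmap-style -p port specification into explicit TCP/UDP port sets.

Added example, not nmap's own code: it implements the -p syntax described
above so one can see exactly which ports a scan would touch before running it.
"""

MAX_PORT = 65535


def _expand_item(item):
    """Expand one comma-separated item: '80', '1-1024', '-' (all), '-100' or '100-'.

    As in nmap, an omitted start of a range means 1 and an omitted end means 65535,
    so a bare '-' (the -p- form) expands to every port from 1 to 65535.
    """
    item = item.strip()
    if not item:
        raise ValueError("empty port item")
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1
        hi = int(hi) if hi else MAX_PORT
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"invalid port range: {item!r}")
    return range(lo, hi + 1)


def expand_port_spec(spec, default_protos=("tcp",)):
    """Return {"tcp": set, "udp": set} for a spec such as '22,80', '-' or 'U:53,T:22-25'.

    default_protos (an assumption of this example) is the set of protocols the
    scan covers; items before any T:/U: prefix apply to all of them, and a
    prefix switches the protocol for every following item until the next prefix.
    """
    ports = {"tcp": set(), "udp": set()}
    protos = tuple(default_protos)
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        for proto in protos:
            ports[proto].update(_expand_item(item))
    return ports


def port_spec_error(spec, default_protos=("tcp",)):
    """Return None if spec is valid, otherwise the error message.

    Useful for validating operator input before a scan is launched rather than
    discovering the mistake after nmap has already started sending packets.
    """
    try:
        expand_port_spec(spec, default_protos)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for spec in ("22,80,443", "-", "U:53,T:22-25", "70000"):
        err = port_spec_error(spec, ("tcp", "udp"))
        if err:
            print(f"{spec!r}: {err}")
        else:
            counts = {p: len(s) for p, s in expand_port_spec(spec, ("tcp", "udp")).items()}
            print(f"{spec!r}: {counts}")
```

Running the block shows, for example, that `-` with both TCP and UDP scans in effect touches 131070 ports, which is why a full UDP sweep of every port is rarely something to start without telling the client first.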