Port scanners are some of the most useful tools when you are starting your security investigation on any remote or local network. Before jumping into the top five most popular port scanners tools used in the infosec field, let's learn what is a port scanner and learn how port scanners work.
Used by programmers, system and network administrators, these tools are applications designed to scan servers and hosts in order to check what available ports are being used for network communications.
Once the scan has finished, you can run other security penetration and exploit tests in order to verify how strong are the current security policies.
What is a port scanner?
A port scanner (also known as network scanner), is a software application used in cybersecurity and IT industries to scan networks, hosts, or IP addresses looking for open ports, closed ports, or filtered ports.
Port scanners are among the top cybersecurity tools used by researchers, security teams, and ethical hackers to diagnose network issues, audit networks, run penetration testing, and perform vulnerability scanning tasks.
How do port scanners work?
All port scanners operate in a very basic way:
- Send a request to a remote or local TCP or UDP port
- Wait for the response
- Record the response from the host as 'open', 'filtered', or 'closed'
A popular use case of port scanning is to scan for 3306 port for example, after you installed and started MySQL server to see if it's showing as 'open'. In plain English, a port scanner works by sending network packets and waiting for a response.
Nmap stands for "Network Mapper", it is the most popular network discovery and port scanner in the history.
It's a free and open source application used by system administrators, devops and network engineers for security auditing on local and remote networks.
Available for Linux, Windows and Mac OS, it can be run from the classic command line terminal, or by using a GUI interface.
- Active Port scanning: allows you to scan and discover open ports on specific networks/hosts.
- Host discovery: lets you identify potential hosts that are responding to network requests.
- OS detection: used to discover operating system name and version, along with network details where the host is running.
- Application version detection: nmap can also be used to determine what kind of apps are running and along with the version number.
Let's see how Nmap can be installed on the most popular Linux distros, as well as for MacOS users:
CentOS/RHEL based distros:
yum install nmap
apt-get install nmap
fink install nmap
sudo port install nmap
Windows users should read these instructions.
Nmap scan examples
Detecting connected devices on the network
For this we will use
-sP parameters, this will send ICMP and ARP packets to all possible addresses inside the 192.168.2.0/24 range.
Once finished will show you a resume revealing the devices found in that range.
This simple command will send various packets (ARP, ICMP, etc.) to every address within the
192.168.1.0/24 range, and will report any devices that respond. The results will look similar to those in the example below:
[[email protected]:~]nmap -sP 192.168.2.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:44 EDT Nmap scan report for 192.168.2.43 Host is up (0.0075s latency). Nmap scan report for 192.168.2.50 Host is up (0.0081s latency). Nmap scan report for 192.168.2.51 Host is up (0.0078s latency). Nmap scan report for 192.168.2.53 Host is up (0.0075s latency). Nmap scan report for 192.168.2.76 Host is up (0.0082s latency). Nmap scan report for 192.168.2.91 Host is up (0.0078s latency). Nmap scan report for 192.168.2.92 Host is up (0.0075s latency). … … Nmap done: 256 IP addresses (22 hosts up) scanned in 30.42 seconds [[email protected]:~]
Scanning specific ports
Once you have a defined host to scan, you can go against a specific port range (between 1 and 65535), for example:
[[email protected]:~] nmap -p 1-512 192.168.2.92 Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:52 EDT Nmap scan report for 188.8.131.52 Host is up (0.079s latency). Not shown: 510 filtered ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 443/tcp open https
As you see here, we have ports 21, 80 and 443 open to the public.
This is just a tiny example of how nmap can be used to discover network services and scan remote ports, start reading our own Nmap Cheat Sheet guide to learn more advanced Nmap techniques.
Unicornscan is the second most popular free port scanner after Nmap. It's widely known because of its asynchronous TCP and UDP scanning capabilities, along with non-common network discovery patterns that provide alternative ways to explore details about remote operating systems and services.
- Asynchronous stateless TCP scanning.
- Asynchronous UDP scanning.
- IP port scanner and service detection.
- Remote operating system detection.
- Enable multiple modules from command-line
The best suggestion to run Unicornscan is to grab it from the free tools included at Kali Linux distribution, although you can also install it on the most popular Linux distros:
For Ubuntu/Debian users:
sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison flex
Download the source code:
wget https://downloads.sourceforge.net/project/osace/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2 tar jxvf unicornscan-0.4.7-2.tar.bz2 cd unicornscan-0.4.7/ ./configure CFLAGS=-D\_GNU\_SOURCE make sudo make install
For Fedora users:
yum install unicornscan
Unicornscan scan examples
Let's see what Unicornscan has to offer, for this we will type:
unicornscan --help, and we will get the full list of available options
Unicornscan uses a really simple syntax. Let's try our first basic TCP SYN scan:
[[email protected] ~]# unicornscan 192.168.2.101 TCP open http[ 21] from 192.168.2.101 ttl 110 TCP open http[ 80] from 192.168.2.101 ttl 110 TCP open https[ 443] from 192.168.2.101 ttl 110 [[email protected] ~]#
Scan multiple hosts:
[[email protected] ~]# unicornscan 192.168.2.102 192.168.2.103 TCP open http[ 21] from 192.168.2.101 ttl 110 TCP open http[ 80] from 192.168.2.101 ttl 110 TCP open https[ 443] from 192.168.2.101 ttl 110 [[email protected] ~]#
Now we will scan the entire /24 range, but try to detect which one has telnet open (port 23):
[[email protected] ~]# unicornscan 192.168.2.0/24:23 TCP open telnet[ 23] from 192.168.2.154 ttl 110 TCP open telnet[ 23] from 192.168.2.193 ttl 110 [[email protected] ~]#
And if you want to send a fake the scan source IP address you just need to add the -s argument, as you see below:
[[email protected] ~]# unicornscan -s 184.108.40.206 www.securitytrails.com/24:80 TCP open http[ 80] from 220.127.116.11 ttl 55 TCP open http[ 80] from 18.104.22.168 ttl 55 TCP open http[ 80] from 22.214.171.124 ttl 55 TCP open http[ 80] from 126.96.36.199 ttl 55 TCP open http[ 80] from 188.8.131.52 ttl 55 TCP open http[ 80] from 184.108.40.206 ttl 55 TCP open http[ 80] from 220.127.116.11 ttl 55 TCP open http[ 80] from 18.104.22.168 ttl 55 TCP open http[ 80] from 22.214.171.124 ttl 55 … … [[email protected] ~]#
In this case, we scanned the full /24 range that belongs to www.securitytrails.com IP range, and a service detection against 80 port.
Need more unicorn examples? The old beloved man page is always there to help you:
3. Angry IP Scan
Angry IP scanner is our third recommended port scan tool for network discovery. It's popular for its fast scanning speed thanks to its multi-thread approach separating each scan.
It's also free and multiplatform, available for Windows, Mac or Linux operating systems.
Angry IP scanner main features include:
- Download and run, no installation needed.
- Scan for open ports on any remote network.
- Webserver & NetBIOS information detection.
- Export scan results into TXT, XML or CSV files.
- Easy plugin integration with Java language.
Installing Angry IP scanner
Angry IP scanner can be installed on Windows, Linux, and MacOS, all the required packages can be downloaded from the official website.
wget https://github.com/angryip/ipscan/releases/download/3.5.2/ipscan\_3.5.2\_amd64.deb dpkg -i ipscan\_3.5.2\_amd64.deb
wget https://github.com/angryip/ipscan/releases/download/3.5.2/ipscan-3.5.2-1.x86\_64.rpm rpm -i ipscan-3.5.2-1.x86\_64.rpm
Angry IP scanner scan examples
Open up a terminal and type
From there you will be launching a GUI that will help you to scan hosts from a friendly human interface:
As you see you will be able to specify an IP to scan, or even scan a random IP from the selector at the upper-right corner.
Hit start and let the fun begin. Once completed you will get the full stats including total scan time, average time per host, the number of hosts scanned, and how many are alive.
Netcat is one of the oldest network tools in the "Unixverse", it's been there since 1995, and the last official version is from 2004. Although it has many forks and variants that work pretty well on modern operating systems, like ncat from the Nmap suite, or this alternative Netcat version from Mike Frysinger.
While their creators always claimed that Netcat was just a read and write UDP / TCP tool, it can be used for a very wide range of objectives, like open remote connections, tunneling and proxying, run remote commands, as well as port scanning.
- Built-in port-scanning capabilities.
- TCP and UDP port scan support.
- Verbose port scanning.
- Read command line arguments from standard input.
- Forks available for Windows, Linux, and MacOS.
Installing netcat on Ubuntu/Debian:
sudo apt-get install netcat
Installing netcat on CentOS/RHEL/Fedora:
yum install nc
Netcat scan examples
Establish a connection to a remote port if open:
[[email protected] ~]# nc -vn 192.168.2.101 22 Ncat: Connected to 192.168.2.101:22. SSH-2.0-OpenSSH\_7.6
As you see, netcat was able to reach 22 port and establish the connection successfully.
UDP port connections are also allowed with netcat, as you can see in the next example:
[[email protected] ~]# ncat -v -u 126.96.36.199 53 Ncat: Version 7.60 ( https://nmap.org/ncat ) Ncat: Connected to 188.8.131.52:53.
Netcat also has the ability to open a remote backdoor on the target system for 5000ms, see below:
[[email protected] ~]# ncat -l 54321 -e /bin/bash -v -w 5000ms Ncat: Version 7.60 ( https://nmap.org/ncat ) Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one. Ncat: SHA-1 fingerprint: 18E1 2645 4F8C 9E87 EAD3 DBC5 0901 B9B9 393D 0E77 Ncat: Listening on :::54321 Ncat: Listening on 0.0.0.0:54321
This will open the backdoor on port 54321 on the local system, then we will have to open a connection to gain system access:
[[email protected] ~]# ncat 127.0.0.1 54321 -v Ncat: Version 7.60 ( https://nmap.org/ncat ) Ncat: Connected to 127.0.0.1:54321. ls anaconda-ks.cfg el\_dlurls.txt file pwd /root whoami root uname -r 4.xx.xx.fc28.x86\_64 ^C [root@localhost ~]#
This technique is widely used by penetration testers, and by malicious crackers.
Take a look at
ncat --help option if you want to learn more examples about how to use netcat.
Zenmap is not a new port scanner, but the official NMAP Front End interface (GUI). For those who are not familiar with command line terminals, Nmap creators launched this GUI release that will allow you to scan remote hosts in a fancy and friendly way.
Zenmap features include:
- Save scan results in a database.
- Search the results database.
- Compare current scan results with previous scans.
- Save port scan profiles for frequently used port discovery options.
sudo apt-get install zenmap
yum install nmap-frontend
Zenmap scan examples
As we told before, Zenmap is just the front end human-friendly interface of Nmap, the classic network mapper that is present on almost every Linux distribution.
Zenmap has a pretty basic interface, that will allow you to run any scans like the command line version of Nmap, as you see in the following screenshot:
In the same way port scanners are useful tools to gather information about any target open ports, SecurityTrails is the perfect tool to integrate with your port scanner results, as it can reveal DNS server information, DNS records data associated with IPs and Domain names, technology used on web apps, as well as WHOIS and even DNS history.
Get a free API account today to unveil the full power of our intelligence cyber-security platform. And if you find anything interesting, remember we also have a cool bug bounty program waiting for you!