Top 5 Best Port Scanners

tools reconnaissance osint

SecurityTrails Blog · May 22 · SecurityTrails team

Port scanners are some of the most useful tools when you start a security investigation on any remote or local network. Let's explore the five most popular port scanners used in the infosec field.

Used by programmers and by system and network administrators, these tools probe servers and hosts to find which ports are listening for network connections and, often, which service is behind each one.

Once the scan has finished, you can follow up with penetration tests and exploit attempts to verify how strong the current security controls really are. Scan only hosts you own or are authorized to test: a port scan is noisy, and it is often the first thing an intrusion detection system alerts on.


1. Nmap

Nmap stands for "Network Mapper". It is the most widely used network discovery and port scanning tool ever written.

It's a free and open source application used by system administrators, DevOps and network engineers for security auditing of local and remote networks.

Available for Linux, Windows and macOS, it can be run from the classic command line, or through a GUI (Zenmap, covered later in this post).

Nmap features

  • Port scanning: discover which ports on specific hosts or networks are open, closed or filtered.
  • Host discovery: identify the hosts in a range that respond to probes.
  • OS detection: fingerprint the operating system name and version, along with details such as uptime and network distance.
  • Service and version detection: determine which application is listening on each port, and its version number.

Installing Nmap

Let's see how Nmap can be installed on the most popular Linux distros, as well as on macOS:

CentOS/RHEL based distros:

yum install nmap

Ubuntu/Debian users:

apt-get install nmap

For macOS:

fink install nmap

or

sudo port install nmap

Homebrew users will find it packaged under the same name, and the official download page at https://nmap.org/download.html also offers a macOS installer.

Windows users should use the installer from the same official download page, https://nmap.org/download.html.

Nmap scan examples

Detecting connected devices on the network

For this we use the -sP option. It is a ping scan (current Nmap releases call it -sn, but -sP is still accepted as an alias) and it probes every address in the 192.168.2.0/24 range, reporting the ones that respond. On a directly attached Ethernet segment Nmap discovers hosts with ARP requests, which practically every host answers; for remote networks it sends ICMP echo requests plus TCP probes to ports 80 and 443, so hosts behind a firewall that drops all of those may be missed.

Once finished it shows a summary of the devices found in that range. The results will look similar to the example below:

[research@securitytrails.com:~]nmap -sP 192.168.2.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:44 EDT
Nmap scan report for 192.168.2.43
Host is up (0.0075s latency).
Nmap scan report for 192.168.2.50
Host is up (0.0081s latency).
Nmap scan report for 192.168.2.51
Host is up (0.0078s latency).
Nmap scan report for 192.168.2.53
Host is up (0.0075s latency).
Nmap scan report for 192.168.2.76
Host is up (0.0082s latency).
Nmap scan report for 192.168.2.91
Host is up (0.0078s latency).
Nmap scan report for 192.168.2.92
Host is up (0.0075s latency).
…
…
Nmap done: 256 IP addresses (22 hosts up) scanned in 30.42 seconds

[research@securitytrails.com:~]

Scanning specific ports

Once you have a host to scan, you can go against a specific port range (anywhere between 1 and 65535), for example:

[research@securitytrails.com:~] nmap -p 1-512 192.168.2.92
Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-11 17:52 EDT
Nmap scan report for 192.168.2.92
Host is up (0.079s latency).
Not shown: 509 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
443/tcp open  https

As you see here, ports 21, 80 and 443 are open. The other 509 ports in the range are reported as filtered, which means Nmap got no answer at all for them, usually because a firewall dropped the probe; a closed port would have answered with a RST and been listed as closed. Note that when run as root Nmap uses a SYN (half-open) scan by default, while as an unprivileged user it falls back to a full TCP connect scan, which is slower and leaves complete connections in the target's logs.

This is just a small sample of how Nmap can discover network services and scan remote ports. Read the official docs at https://nmap.org/docs.html to learn more advanced Nmap techniques.

2. Unicornscan

Unicornscan is another free port scanner, and the one most practitioners reach for right after Nmap. It's known for its asynchronous, stateless TCP and UDP scanning: sending and listening are separate components, so it can push probes out at a fixed packet rate instead of waiting for each reply, and for unusual probing patterns that offer alternative ways to fingerprint remote operating systems and services.

Unicornscan features

  • Asynchronous stateless TCP scanning.
  • Asynchronous UDP scanning.
  • IP port scanner and service detection.
  • Remote operating system detection.
  • Multiple scan modules can be enabled from the command line.

Installing Unicornscan

The easiest way to run Unicornscan is to use Kali Linux, which ships it as part of its default tool set, although you can also build it on the most popular Linux distros:

For Ubuntu/Debian users:

sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison flex

Download the source code:

wget https://downloads.sourceforge.net/project/osace/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2
tar jxvf unicornscan-0.4.7-2.tar.bz2
cd unicornscan-0.4.7/
./configure CFLAGS=-D_GNU_SOURCE
make
sudo make install

For Fedora users:

yum install unicornscan

Unicornscan scan examples

Let's see what Unicornscan has to offer. Type unicornscan --help to get the full list of available options.

Unicornscan uses a really simple syntax. With no options it runs a TCP SYN scan against its default port list, which means it has to run as root because it crafts raw packets. Let's try our first basic scan:

[research@securitytrails.com ~]# unicornscan 192.168.2.101
TCP open              ftp[  21]  from 192.168.2.101  ttl 110
TCP open             http[  80]  from 192.168.2.101  ttl 110
TCP open            https[ 443]  from 192.168.2.101  ttl 110
[research@securitytrails.com ~]#

Scan multiple hosts by listing them:

[research@securitytrails.com ~]# unicornscan 192.168.2.102 192.168.2.103
TCP open              ftp[  21]  from 192.168.2.102  ttl 110
TCP open             http[  80]  from 192.168.2.102  ttl 110
TCP open            https[ 443]  from 192.168.2.102  ttl 110
[research@securitytrails.com ~]#

Now we will scan the entire /24 range, but only for port 23, to find out which hosts have telnet open:

[research@securitytrails.com ~]# unicornscan 192.168.2.0/24:23
TCP open            telnet[ 23]  from 192.168.2.154  ttl 110
TCP open            telnet[ 23]  from 192.168.2.193  ttl 110
[research@securitytrails.com ~]#

And if you want to spoof the source IP address of the scan, you just need to add the -s argument, as you see below:

[research@securitytrails.com ~]# unicornscan -s 1.1.1.1 www.securitytrails.com/24:80
TCP open             http[  80]  from 151.139.243.1  ttl 55
TCP open             http[  80]  from 151.139.243.2  ttl 55
TCP open             http[  80]  from 151.139.243.3  ttl 55
TCP open             http[  80]  from 151.139.243.4  ttl 55
TCP open             http[  80]  from 151.139.243.5  ttl 55
TCP open             http[  80]  from 151.139.243.6  ttl 55
TCP open             http[  80]  from 151.139.243.7  ttl 55
TCP open             http[  80]  from 151.139.243.8  ttl 55
TCP open             http[  80]  from 151.139.243.9  ttl 55
…
…
[research@securitytrails.com ~]#

In this case we scanned the whole /24 that contains the address of www.securitytrails.com (most likely its hosting provider's range rather than one the site owns, so most of those hosts belong to other customers) for port 80. Two caveats about -s: replies go to the spoofed address, so Unicornscan's listener only sees them if it sits on a path those replies cross, and you should not expect results from an arbitrary spoofed source; and spoofing someone else's address against hosts you are not authorized to test makes that third party look like the scanner, so keep this to networks you control.

Need more Unicornscan examples? -mU switches to UDP scanning and -r sets the packet rate (packets per second), and the good old man page covers the rest:

man unicornscan
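To make the "asynchronous" part concrete, here is an added example, not code from the original post or from the Unicornscan project. It expands a Unicornscan-style target spec (CIDR:ports, with the same comma and range syntax used above) into individual probes and fires them concurrently with asyncio, classifying each port as open (handshake completed), closed (RST, seen as ECONNREFUSED) or filtered (no answer before the timeout). It uses ordinary connect() calls instead of the raw-socket SYN probes Unicornscan sends, so it runs without root; the two loopback listeners it starts are constructed for the demo and stand in for open services.

```python
"""Asynchronous TCP connect scan over a Unicornscan-style target spec.

Added example, not part of the original post or of Unicornscan. Unicornscan
sends raw SYN probes (root required); this uses ordinary connect() calls so
it runs unprivileged, but keeps the idea: many probes in flight at once, each
target judged on its own reply.
"""
import asyncio
import ipaddress
import socket


def expand(spec):
    """Turn 'CIDR:ports' (e.g. '192.168.2.0/30:22,80-81') into (host, port) pairs.
    The port list syntax mirrors Unicornscan's; a bare address means /32."""
    net_spec, _, port_spec = spec.partition(":")
    ports = []
    for part in port_spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    net = ipaddress.ip_network(net_spec, strict=False)
    hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
    return [(str(h), p) for h in hosts for p in ports]


async def probe(host, port, timeout=1.0):
    """Classify one target: 'open' (handshake done), 'closed' (RST -> ECONNREFUSED),
    or 'filtered' (no answer before the timeout, or the probe could not be sent)."""
    try:
        _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except asyncio.TimeoutError:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    writer.close()
    return "open"


async def scan(targets, concurrency=256, timeout=1.0):
    """Probe all targets with at most `concurrency` connects in flight; the
    semaphore plays the role of Unicornscan's packet-rate limit."""
    sem = asyncio.Semaphore(concurrency)

    async def guarded(host, port):
        async with sem:
            return host, port, await probe(host, port, timeout)

    results = await asyncio.gather(*(guarded(h, p) for h, p in targets))
    return {(h, p): state for h, p, state in results}


async def _demo():
    # Constructed demo setup: two loopback listeners play the open services,
    # and a port we bind and release again is the closed one.
    servers = [await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", 0) for _ in range(2)]
    open_ports = [s.sockets[0].getsockname()[1] for s in servers]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = await scan([("127.0.0.1", p) for p in open_ports + [closed_port]])
    finally:
        for s in servers:
            s.close()
    return {port: results[("127.0.0.1", port)] for port in open_ports + [closed_port]}


def run_demo():
    """Synchronous entry point: {port: state} for the demo ports, open ones first."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    for port, state in run_demo().items():
        print(f"127.0.0.1:{port} {state}")
```

For a real sweep, feed expand("192.168.2.0/24:23") to scan(); the concurrency limit is what keeps a large range from opening thousands of sockets at once, and the timeout is what turns silence into "filtered" rather than a hang.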

3. Angry IP Scan

Angry IP Scanner is our third recommended port scanning tool for network discovery. It's popular for its speed, which comes from scanning many hosts in parallel, one thread per host.

It's also free and multiplatform, available for Windows, macOS and Linux.

Angry IP scanner main features include:

  • Download and run; no installation needed.
  • Scan for open ports on any remote network.
  • Web server and NetBIOS information detection.
  • Export scan results to TXT, XML or CSV files.
  • Easy plugin integration: plugins are written in Java.

Installing Angry IP scanner

Angry IP Scanner can be installed on Windows, Linux and macOS; all the required packages can be downloaded from the official website.

Ubuntu/Debian:

wget https://github.com/angryip/ipscan/releases/download/3.5.2/ipscan_3.5.2_amd64.deb
dpkg -i ipscan_3.5.2_amd64.deb

CentOS/RHEL/Fedora:

wget https://github.com/angryip/ipscan/releases/download/3.5.2/ipscan-3.5.2-1.x86_64.rpm
rpm -i ipscan-3.5.2-1.x86_64.rpm

Angry IP scanner scan examples

Open up a terminal and type ipscan.

This launches a GUI that helps you scan hosts from a friendly interface.

As you see, you can specify an IP range to scan, or pick a random range from the selector in the upper-right corner.

Hit start and let the fun begin. Once completed you get the full stats, including total scan time, average time per host, the number of hosts scanned, and how many are alive.

4. Netcat

Netcat is one of the oldest network tools in the "Unixverse": it has been around since 1995, and the last official version dates from 2004. It has many forks and variants that work well on modern operating systems, such as Ncat from the Nmap suite, or this alternative Netcat version from Mike Frysinger.

While its author always described Netcat as nothing more than a tool that reads and writes data across TCP and UDP connections, it can be used for a wide range of tasks: opening remote connections, tunneling and proxying, running remote commands, and port scanning.

Netcat features:

  • Built-in port-scanning capabilities.
  • TCP and UDP port scan support.
  • Verbose port scanning.
  • Read command line arguments from standard input.
  • Forks available for Windows, Linux, and MacOS.

Installing Netcat

Installing netcat on Ubuntu/Debian (this pulls in one of the classic netcat variants; the examples below use Ncat, which ships with the nmap package):

sudo apt-get install netcat

Installing netcat on CentOS/RHEL/Fedora (here the nc package is provided by nmap-ncat, i.e. Ncat):

yum install nc

Netcat scan examples

Establish a connection to a remote port and, if it is open, read whatever the service sends first (-n skips DNS resolution, -v prints what is going on):

[research@securitytrails.com ~]# nc -vn 192.168.2.101 22
Ncat: Connected to 192.168.2.101:22.
SSH-2.0-OpenSSH_7.6

As you see, netcat was able to reach port 22 and establish the connection, and the first line the service sent is its SSH version banner, which already tells you the software and version running there. Add -z (zero-I/O mode) when you only want to know whether a port accepts connections, without reading from it.

UDP ports can be probed too, as the next example shows. Be aware that "Connected" means nothing on its own here: UDP has no handshake, so Ncat prints that line without a single packet having left the box. A UDP port is only known to be open when the service answers a real request, and only known to be closed when an ICMP port unreachable comes back; silence means either open or filtered.

[research@securitytrails.com ~]# ncat -v -u 1.1.1.1 53
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connected to 1.1.1.1:53.
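The two checks above, a TCP banner grab and a UDP probe, as an added example in Python rather than netcat; this is not code from the original post or from the Netcat/Ncat projects. It connects and reads the service's first line the way nc -vn host 22 does, and for UDP it sends a real DNS query and classifies the port by the reply instead of trusting "Connected". The SSH banner server and the DNS responder are constructed stand-ins so the example runs offline on loopback; the transaction id and the use of example.com as the query name are arbitrary choices.

```python
"""TCP banner grab and UDP service probe, the two checks done above with nc/ncat.

Added example, not part of the original post or of Netcat/Ncat. The fake SSH
and DNS servers are constructed here so everything runs offline on loopback.
"""
import socket
import struct
import threading


def grab_banner(host, port, timeout=2.0):
    """Connect like `nc -vn host port` and return the first line the service sends
    ('' if it stays silent; many services wait for the client to speak first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: 12-byte header (RD set, one question), then
    the label-encoded name, QTYPE=A, QCLASS=IN. No EDNS, on purpose."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def probe_udp_dns(host, port, timeout=2.0):
    """UDP has no handshake, so connect() proves nothing (that is all `ncat -u`
    checks). Send a real query and judge the reply: 'open' if a DNS answer with
    our transaction id comes back, 'closed' if the kernel relays an ICMP port
    unreachable as ECONNREFUSED, 'open|filtered' if nothing arrives."""
    query = build_dns_query("example.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(query)
        try:
            data = s.recv(512)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    is_answer = len(data) >= 4 and data[:2] == query[:2] and data[2] & 0x80
    return "open" if is_answer else "open|filtered"


def _fake_ssh_server():
    """Constructed stand-in for the OpenSSH host in the post: sends a version
    banner to the first client and exits. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-OpenSSH_7.6\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _fake_dns_server():
    """Constructed stand-in for a resolver: echoes the query back with the
    flags set to a standard response (QR=1), which is all the probe needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        data, peer = srv.recvfrom(512)
        srv.sendto(data[:2] + struct.pack("!H", 0x8180) + data[4:], peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run both probes against the fake servers; returns (banner, udp_state)."""
    return (grab_banner("127.0.0.1", _fake_ssh_server()),
            probe_udp_dns("127.0.0.1", _fake_dns_server()))


if __name__ == "__main__":
    print(demo())
```

Against a real resolver the same probe_udp_dns() call works unchanged. On Linux a closed UDP port on a host that sends ICMP port unreachable surfaces as "closed" through the connected socket, while a host that silently drops the datagram leaves you with "open|filtered", exactly the ambiguity described above.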

Netcat can also set up a bind shell on a system, a listener that hands a shell to whoever connects. Note that the -w option shown here is a connect timeout and does not limit how long the listener stays up: the process keeps running until it is killed or its single client disconnects (Ncat exits after the first connection unless --keep-open is given). See below:

[research@securitytrails.com ~]# ncat -l 54321 -e /bin/bash -v -w 5000ms
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 18E1 2645 4F8C 9E87 EAD3 DBC5 0901 B9B9 393D 0E77
Ncat: Listening on :::54321
Ncat: Listening on 0.0.0.0:54321

This binds the shell to port 54321 on every interface of the local system (the two Listening lines are IPv6 and IPv4), with no authentication at all: anyone who can reach that port gets a shell with the privileges of the user who started ncat, root in this case. Then we open a connection to it to gain access:

[research@securitytrails.com ~]# ncat 127.0.0.1 54321 -v
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:54321.
ls
anaconda-ks.cfg
el_dlurls.txt
file
pwd
/root
whoami
root
uname -r
4.xx.xx.fc28.x86_64
^C
[root@localhost ~]#

This technique is widely used by penetration testers, and by attackers. It is also one of the easier things to catch on the defensive side: a listening socket owned by nc or ncat that was started with -e has no business on a production host, and that is exactly the kind of process-plus-socket combination host-based detection rules should flag.

Take a look at ncat --help if you want to learn more about what Ncat can do.

5. Zenmap

Zenmap is not a new port scanner but the official Nmap front end (GUI). For those who are not comfortable with the command line, the Nmap creators released this GUI so you can scan remote hosts in a friendly way.

Zenmap features include:

  • Save scan results in a database.
  • Search the results database.
  • Compare current scan results with previous scans.
  • Save port scan profiles for frequently used port discovery options.

Installing Zenmap

Ubuntu/Debian users:

sudo apt-get install zenmap

CentOS/RHEL/Fedora users:

yum install nmap-frontend

Zenmap scan examples

As we said before, Zenmap is just the human-friendly front end of Nmap, the classic network mapper packaged by almost every Linux distribution.

Zenmap has a fairly basic interface that lets you run any scan the command-line version of Nmap supports. Its Command field shows the exact nmap invocation it is about to run, so it also works as a way to learn the flags.

Just as port scanners are useful for gathering information about a target's open ports, SecurityTrails is a natural complement to your scan results: it can reveal DNS server information, the DNS records associated with IPs and domain names, the technology used by web apps, as well as WHOIS data and even DNS history.

Get a free API account today to unveil the full power of our cyber-security intelligence platform. And if you find anything interesting, remember we also have a bug bounty program waiting for you!