We talk a lot about port scanning tools in this blog. That's because they play a critical role in the cybersecurity industry.
Most of the online web-based open port checkers only let you check a single IP address and take some time to return results. Others are often blocked by network firewalls because of their abnormal traffic patterns, even when they use common techniques for evading port scan detection.
Yet these tools are useful in a number of scenarios, such as checking to see if port forwarding was set up correctly, if any web servers are being blocked by firewalls, or if they are simply open for further vulnerability scanning.
That's why we're shedding light on this important area, by covering the top open port checker tools that allow you to audit internal and external ports on any given hosts.
Top 5 open port checker tools
Let's review the most popular open port checker utilities on both sides: terminal-based tools and web-based interfaces.
Nmap is your number 1 choice for performing an open port scan against any target. In the past we've mentioned this tool as one of the best around for scanning the most popular ports.
This popular open port checker tool can be installed on most Linux distributions with pre-compiled packages, if it isn't already shipped by default with the native system applications.
On Debian and Ubuntu, it can be installed by typing:
sudo apt-get install nmap -y
On RedHat, CentOS and Fedora, it can be installed by issuing this command:
sudo yum install nmap -y
Using Nmap is simple, as we've covered before—check out our popular tutorial about Nmap commands.
Wanna try this open port checker? Just type:
nmap --top-ports 10000 X.X.X.X
Replace X.X.X.X with the IP address or host you want to scan.
Expected output should be similar to this:
[securitytrails@research ~]# nmap --top-ports 10000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-27 09:32 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 8304 closed ports
PORT STATE SERVICE
631/tcp open ipp
17500/tcp open db-lsp
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds
[securitytrails@research ~]#
Of course, you can also launch scans against single ports; in this case we used --top-ports because it's a useful option that checks the most popular ports by default. Find more examples in our Nmap Cheat Sheet.
MASSCAN is another great open port checker application that will help you discover exposed ports easily, from a solid command-based interface.
MASSCAN uses asynchronous transmission to perform its scans, in a manner similar to Unicornscan. Other cool features include arbitrary scan ranges for IP addresses and ports, and the ability to set the source port, thanks to the app's own custom TCP/IP stack.
Something we find super intriguing is the author's claim that MASSCAN lets you scan the entire internet in a matter of minutes (something we'll be trying out in an upcoming article).
On Ubuntu and Debian, it can be installed by installing some required packages, and then compiling the source code, as you see below:
sudo apt-get install git gcc make libpcap-dev
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make
On Fedora and other RHEL-based distros, it can be installed using dnf or yum:
sudo yum install masscan -y
Once it's installed, it can be launched by typing 'masscan', as shown below:
masscan -p80,8000-8100 10.0.0.0/8 --rate=10000
    scan some web ports on 10.x.x.x at 10kpps
masscan --nmap
    list those options that are compatible with nmap
masscan -p80 10.0.0.0/8 --banners -oB <filename>
    save results of scan in binary format to <filename>
masscan --open --banners --readscan <filename> -oX <savefile>
    read binary scan results in <filename> and save them as xml in <savefile>
MASSCAN can be used to scan single or multiple ports, lets you set the desired scan rate, and even accepts options that are 100% compatible with classic Nmap. It also offers the ability to save results in binary format, grab banners, and export the results in XML format.
In the following example, we used the default scan using this syntax:
masscan -p PORT HOST
And in this case, we scanned multiple ports against an IP range:
[securitytrails@research]# masscan -p 80,443,3306 192.168.1.0/24
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2019-12-27 13:47:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [3 ports/host]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.250
Discovered open port 443/tcp on 192.168.1.1
[securitytrails@research]#
As you can see, it was able to discover open ports and report them in the standard output.
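Scanning is only half the job; the open ports still have to be compared against what you expect to be exposed. As an added example (not code from the original post, from Nmap or from MASSCAN), the following Python script parses the Nmap normal output and the MASSCAN standard output layouts shown above and reports every open port that falls outside a baseline allowlist. The sample outputs are constructed, and the Nmap parser also accepts report lines without a reverse DNS name, which the output above does not show.

```python
import re

# Constructed samples in the layouts shown above (Nmap normal output, masscan stdout).
NMAP_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
PORT      STATE SERVICE
631/tcp   open  ipp
17500/tcp open  db-lsp
"""
MASSCAN_OUTPUT = """\
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 3306/tcp on 192.168.1.250
Discovered open port 443/tcp on 192.168.1.1
"""

# Nmap prints "scan report for name (ip)" with rDNS, or "scan report for ip" without.
NMAP_HOST = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
NMAP_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")
MASSCAN_PORT = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on ([\d.]+)")


def parse_nmap(text):
    """Map each scanned IP to the set of (port, proto) Nmap reported open."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = NMAP_HOST.match(line)
        if host:
            current = host.group(2) or host.group(1)
            hosts.setdefault(current, set())
            continue
        port = NMAP_PORT.match(line)
        if port and current:
            hosts[current].add((int(port.group(1)), port.group(2)))
    return hosts


def parse_masscan(text):
    """Map each IP to the set of (port, proto) masscan discovered open."""
    hosts = {}
    for m in filter(None, map(MASSCAN_PORT.match, text.splitlines())):
        hosts.setdefault(m.group(3), set()).add((int(m.group(1)), m.group(2)))
    return hosts


def unexpected_exposures(hosts, allowed_ports):
    """Return {ip: sorted ports} for open ports outside the expected baseline."""
    findings = {ip: sorted(p for p, _ in ports if p not in allowed_ports)
                for ip, ports in hosts.items()}
    return {ip: extra for ip, extra in findings.items() if extra}
```

With a baseline of {80, 443}, the masscan sample yields only 192.168.1.250 with port 3306, which is exactly the kind of exposed database port worth chasing down.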
Unicornscan is one of the top alternatives to Nmap. It's a powerful open port checker that uses its asynchronous TCP and UDP scanning features to give you the best scan results available. It also performs banner grabbing to detect running services, as well as the remote OS. The installation process is simple: you merely have to compile the source code. That works on most Linux distributions; however, if you want it installed by default, you'll need to use Kali Linux. Download the source code:
wget https://downloads.sourceforge.net/project/osace/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2
tar jxvf unicornscan-0.4.7-2.tar.bz2
cd unicornscan-0.4.7/
Compile and install:
./configure CFLAGS=-D_GNU_SOURCE
make
sudo make install
Let's test it with one of the most basic scans: a TCP SYN Scan. For this, we'll use the following syntax:
Replace the X.X.X.X with your target IP, and you'll probably get something similar to this:
[securitytrails@research ~]# unicornscan 192.168.2.101
TCP open ftp  from 192.168.2.101 ttl 110
TCP open ssh  from 192.168.2.101 ttl 110
TCP open http [ 80] from 192.168.2.101 ttl 110
TCP open https  from 192.168.2.101 ttl 110
[securitytrails@research ~]#
Umit may be an unfamiliar open port checker tool for most people, but like Zenmap and others, it's a powerful front-end interface for the classic Nmap.
This port checker utility unveils a full visual interface for those who aren't that comfortable with performing scans from the command line.
Umit can be installed on most Linux and Unix systems. On Ubuntu and other Debian-based distros, it can be installed by issuing these commands:
sudo apt-get install -y umit
On Fedora and other RHEL based distros:
sudo dnf install umit -y
To test it, simply go to your desktop or applications menu, and search for 'Umit'. Once you've found it, you'll be able to perform any scan as you would from a command line, but the results will be displayed in a traditional desktop window, as shown here:
It offers a number of interesting options such as the ability to save scans, open previous scans, compare the results, run the scan using a step-by-step Wizard, add Nmap extensions, choose a scan profile, perform inventory management, and much more.
SurfaceBrowser™: when it comes to massive port scanning, our enterprise-grade threat intelligence product will be your perfect ally. Unlike other tools on the market, SurfaceBrowser™ offers a unique approach to port scanning, giving you instant access to the open ports found across your company's entire set of assets.
Discovering open ports on any IP address
When you need to discover the open ports on any IP address, simply click the 'IP blocks' option in the left menu to see entire IP blocks along with the open ports found on each one.
This case shows how easy it is to discover a lot of ports, but especially such critical ports as 21, 22 or 3306 being exposed to the Internet:
Subdomain open port checking made easy
While it's undoubtedly useful to find the open ports on certain IP addresses or IP ranges, there are times you'll want to directly relate that information to the entire subdomain map of the company you are auditing.
For this purpose, we've already done the dirty work of cross-relating intelligence data for you. Our port scanning features will let you discover open ports on any subdomain and filter them by port number, as shown in the following screenshot:
Once you've filtered the ports with the summary widget, you'll be able to jump directly into the results. In this test, we wanted to discover subdomains with open ports beyond the traditional 80 and 443.
The result exposed 3 subdomains with many open ports, including 636, 995, 1080, 2082, 2083, 3000, 3306, 4000, 5555, 5984, 6379, 7001, 8020, 8080, 8088, 8443, 8989, 9200 and 9998.
Unlike with other products, our scans are ready in less than 3 seconds—no more long waiting times when checking for your open ports!
And the best thing is that you can not only get critical open port information, but also related infosec OSINT data such as full DNS and subdomain enumeration, SSL certificates, reverse DNS, associated domains, and much more.
Using open port checker tools is one of the easiest ways to find out which services are exposed to the Internet, which should eventually be investigated, and secured if found vulnerable.
While there are numerous port scanners out there, when you have a big infrastructure to manage, relying only on traditional tools such as Nmap or Unicornscan can make this a time-consuming task.
Our proprietary port scanning technology is one of the fastest and most reliable ways to access updated open port reports for every one of your assets. With SurfaceBrowser™, you can visualize the full picture, detect weak and exposed areas, and take action before these become a serious risk to your organization.