Okay, What Even Is a Port?

Think of your computer like a giant apartment building. The building has one street address — that's your IP address. But inside, there are 65,535 different doors — those are called ports.

Each door leads to a different service running on that machine:

  • Door 80 → Normal website (HTTP)
  • Door 443 → Secure website (HTTPS)
  • Door 22 → Remote login (SSH)
  • Door 139/445 → Windows file sharing (SMB/NetBIOS)

When you open Chrome and load 5 tabs at once, your computer quietly opens 5 different doors on its side to keep each conversation separate. The server on the other end also has its specific doors open for each service.

Now here's the thing — if you're doing a security audit and you don't know which doors are open on the target machine, you're basically standing outside a building with a blindfold on.

That's where Nmap comes in.

Nmap — The "Knock on Every Door" Tool

Nmap (Network Mapper) goes door to door — port by port — and figures out which ones are open, closed, or blocked by a firewall. It's the industry standard for this, used by security professionals everywhere.

You run it straight from the terminal:

nmap <target IP>

Simple. But it gets way more powerful with switches.

The Main Scan Types

1. TCP Connect Scan (-sT)

This is the basic one. Nmap does the full "knock and wait for answer" process — called the TCP three-way handshake — for every port.

  • Port open → server says "hey come in" (SYN/ACK)
  • Port closed → server says "go away" (RST flag)
  • Port filtered → no answer at all (firewall probably dropped it)

It works, but it's loud. Like knocking loudly on every door in the building.

2. SYN Scan / Half-Open Scan (-sS)

This is the sneaky version. Instead of completing the full handshake, Nmap knocks, and the moment the server starts to open the door — Nmap just walks away. It never finishes the connection.

Why? Because:

  • Older intrusion detection systems miss it
  • Applications don't log incomplete connections
  • It's significantly faster

This is actually the default scan when you run Nmap with sudo. It needs root/sudo because it requires creating raw packets — something only privileged users can do.

3. UDP Scan (-sU)

DP is different. There's no handshake at all — you just throw a packet and hope something comes back.

  • Open port → usually silence (marked as open|filtered)
  • Closed port → ICMP message saying "nope, not here"

UDP scans are painfully slow (think 20 minutes for just 1000 ports). So usually you'd narrow it down:

nmap -sU --top-ports 20 <target>

4. NULL, FIN, and Xmas Scans (-sN, -sF, -sX)

These are the "weird packets" scans used mainly for firewall evasion.

  • NULL scan: sends a TCP packet with zero flags set
  • FIN scan: sends a packet saying "I'm closing a connection" (even though there isn't one)
  • Xmas scan: sends a packet with PSH, URG, and FIN flags all set together — looks like a blinking Christmas tree in Wireshark, hence the name

Closed ports respond with RST. Open ports stay silent. But these don't work well against Windows machines — Windows responds with RST regardless, so everything looks closed.

Useful Switches You Should Know

-sV        → Detect what version of a service is running
-O         → Try to detect the operating system
-v         → More verbose output (see more info while scanning)
-vv        → Even more verbose (use this by default, honestly)
-A         → Aggressive mode (OS detection + version + scripts + traceroute)
-p 80      → Scan only port 80
-p 1000-1500 → Scan a range of ports
-p-        → Scan ALL 65535 ports
-T5        → Fastest timing template (noisy but quick)
-oA <name> → Save output in all 3 formats at once
-oN <name> → Save in normal readable format
-oG <name> → Save in grepable format
-sn        → Ping sweep (just find live hosts, don't scan ports)

Ping Sweep — Finding Live Hosts First

Before you even start port scanning, you want to know which machines on the network are actually alive. That's a ping sweep:

nmap -sn 192.168.0.0/24

This sends ICMP packets to every IP in that range and sees who responds. Good starting point for mapping a network.

NSE — Nmap Has Scripts Too

his is what makes Nmap genuinely scary-powerful. It has a built-in scripting engine (NSE) where scripts are written in Lua, and there are scripts for almost everything:

  • safe → won't affect the target
  • vuln → scan for known vulnerabilities
  • exploit → actually try to exploit something
  • auth → try to bypass authentication
  • brute → brute-force credentials
  • discovery → gather more info about services

Run all scripts in a category:

nmap --script=vuln <target>

un a specific script:

nmap --script=http-fileupload-exploiter <target>

Run multiple scripts:

nmap --script=smb-enum-users,smb-enum-shares <target>

Pass arguments to a script:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' <target>

Finding Scripts Locally

All NSE scripts live here on Linux:

/usr/share/nmap/scripts/

Search for FTP-related scripts:

grep "ftp" /usr/share/nmap/scripts/script.db

Or just use ls:

ls -l /usr/share/nmap/scripts/*ftp*

If a script is missing, install it manually:

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse
nmap --script-updatedb

Why Does All This Matter?

In any security audit, you can't attack what you can't see. Nmap is literally step one — before any exploitation, before any vulnerability testing, before anything. You need that "map" of the network.

The order is always:

  1. Find live hosts (ping sweep)
  2. Find open ports (port scan)
  3. Find what's running on those ports (service/version detection)
  4. Look for weaknesses (NSE scripts, manual testing)