nmap scan

ammadeyy2020
I use the following command to scan a webserver:
nmap -A -T4 -F -PN x.x.x.x

It doesn't show that port 80 is open.

I run Wireshark, open a browser and type the URL, and it does show that my PC is connecting to port 80 of the x.x.x.x webserver.

My question is: what's the nmap command to scan all the open ports on the webserver?

Commented:
Try this: nmap -sP IP address. It will display all the open and closed ports.
Monis Monther, System Architect

Commented:
Actually, nmap -sP means skip the port scan and only perform an IP scan.

Try running the following commands:

1- SYN scan
nmap -PN -sS ip.addr.of.server

This disables pings and does a SYN scan.

2- ACK scan

nmap -PN -sA ip.addr.of.server
This will disable pings, send packets with the ACK bit set and wait for a RESET from open ports.

3- Connect scan

nmap -PN -sT ip.addr.of.server
This will disable pings and initiate a full TCP connect scan.

Note: If there is an IDS/IPS in front of the server your scans might get blocked, so you can do a custom port scan and choose only specific ports with the -p option.

Good Luck

Commented:
To ensure you scan ALL ports use the port specification:

-p0-

This is shorthand for -p0-65535, that is, all 65536 ports for whichever protocol (TCP or UDP) you specify.

nmap -sS -p0- will scan all TCP ports with a SYN scan.
nmap -sSU -p0- will scan all TCP and all UDP ports and will take forever, so I don't suggest you do that!

A possible reason that nmap may have missed port 80 is your aggressive timing option. Try the same scan without -T4 (the default is -T3, so you can leave it off the command entirely).

If you want a clearer idea of how nmap sees port 80, try this scan:

nmap -PN -p80 -n -d --packet-trace x.x.x.x

Leaving off the scan type, nmap will do a SYN scan (-sS) if possible and a connect scan (-sT) if you don't have the privileges to use raw sockets. So this scan will not ping (unless the target webserver is on the same subnet as you), it won't do name resolution, and it will send at least one probe (possibly more if the target doesn't respond) to port 80 only. You'll get information about individual probes sent and any responses, e.g.:

Initiating SYN Stealth Scan at 10:24
Scanning www.experts-exchange.com (64.156.132.140) [1 port]
Packet capture filter (device eth0): dst host 192.168.0.0 and (icmp or ((tcp or udp or sctp) and (src host 64.156.132.140)))
SENT (0.7030s) TCP 192.168.0.0:63649 > 64.156.132.140:80 S ttl=38 id=62410 iplen=44  seq=739136101 win=3072
RCVD (0.8750s) TCP 64.156.132.140:80 > 192.168.0.0:63649 SA ttl=43 id=18933 iplen=44  seq=1306958663 win=65535 ack=739136102
Discovered open port 80/tcp on 64.156.132.140
Completed SYN Stealth Scan at 10:24, 0.34s elapsed (1 total ports)

Commented:
I'll just paste that again because EE's rich text editor is making up HTML tags as it goes along...
Initiating SYN Stealth Scan at 10:24
Scanning www.experts-exchange.com (64.156.132.140) [1 port]
Packet capture filter (device eth0): dst host 192.168.1.15 and (icmp or ((tcp or udp or sctp) and (src host 64.156.132.140)))
SENT (0.7030s) TCP 192.168.1.15:63649 > 64.156.132.140:80 S ttl=38 id=62410 iplen=44  seq=739136101 win=3072 <mss 1460>
RCVD (0.8750s) TCP 64.156.132.140:80 > 192.168.1.15:63649 SA ttl=43 id=18933 iplen=44  seq=1306958663 win=65535 ack=739136102 <mss 1402>
Discovered open port 80/tcp on 64.156.132.140
Completed SYN Stealth Scan at 10:24, 0.34s elapsed (1 total ports)

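As an added example (not from anyone in this thread), the script below applies the decision rule nmap uses for a SYN scan to --packet-trace lines like the ones pasted above: a SYN/ACK reply means open, an RST reply means closed, and no reply at all means filtered. The sample trace is constructed here: the first two lines mirror the exchange for port 80 shown in the answer, and the probes to 443 and 8080 are invented to show a closed and a filtered port.

```python
import re

# Constructed sample of "nmap --packet-trace" output for a SYN scan (-sS).
# Port 80 answers SYN/ACK (open), 443 answers RST/ACK (closed), and 8080 never
# answers, so nmap retransmits the probe once and then reports it as filtered.
SAMPLE_TRACE = """\
SENT (0.7030s) TCP 192.168.1.15:63649 > 64.156.132.140:80 S ttl=38 id=62410 iplen=44  seq=739136101 win=3072 <mss 1460>
RCVD (0.8750s) TCP 64.156.132.140:80 > 192.168.1.15:63649 SA ttl=43 id=18933 iplen=44  seq=1306958663 win=65535 ack=739136102 <mss 1402>
Discovered open port 80/tcp on 64.156.132.140
SENT (0.9000s) TCP 192.168.1.15:63650 > 64.156.132.140:443 S ttl=41 id=10001 iplen=44  seq=100 win=3072 <mss 1460>
RCVD (1.0100s) TCP 64.156.132.140:443 > 192.168.1.15:63650 RA ttl=43 id=10002 iplen=40  seq=0 win=0 ack=101
SENT (1.1000s) TCP 192.168.1.15:63651 > 64.156.132.140:8080 S ttl=37 id=10003 iplen=44  seq=200 win=3072 <mss 1460>
SENT (2.1000s) TCP 192.168.1.15:63651 > 64.156.132.140:8080 S ttl=37 id=10003 iplen=44  seq=200 win=3072 <mss 1460>
"""

# One pattern for SENT and RCVD lines: direction, src ip:port, dst ip:port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \(\S+\) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) "
)


def classify_syn_scan(trace: str) -> dict:
    """Map each probed target port to open / closed / filtered from a SYN-scan trace."""
    probed = []      # target ports we sent a bare SYN to, in first-seen order
    replies = {}     # target port -> TCP flags of the reply it sent back
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Discovered open port ..." and other status lines are skipped
        flags = m["flags"]
        if m["dir"] == "SENT" and "S" in flags and "A" not in flags:
            port = int(m["dport"])
            if port not in probed:
                probed.append(port)  # a retransmitted probe counts once
        elif m["dir"] == "RCVD":
            replies[int(m["sport"])] = flags  # the reply comes *from* the target port
    states = {}
    for port in probed:
        flags = replies.get(port)
        if flags is None:
            states[port] = "filtered"            # nothing came back, even after retries
        elif "S" in flags and "A" in flags:
            states[port] = "open"                # SYN/ACK: a listener completed step 2
        elif "R" in flags:
            states[port] = "closed"              # RST: host reachable, nothing listening
        else:
            states[port] = "unexpected:" + flags
    return states


if __name__ == "__main__":
    for port, state in sorted(classify_syn_scan(SAMPLE_TRACE).items()):
        print(f"{port}/tcp {state}")
```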

To scan all the open ports, the nmap command is:

nmap -sS -p <port range> <server.ip.addr>
This command will perform a SYN scan and list all the open ports.
