Port Scanning with Nmap

Learn how to scan ports using Nmap and the difference between port states displayed in its results.


Previously, we learned about the three-way handshake, ports, and protocols. Now let’s look at how Nmap finds open ports in a system.

Identifying ports

Nmap crafts custom packets and sends them to the server being scanned. Based on the response (or lack of one), Nmap classifies each port as open or closed. For example, if Nmap sends a SYN request to port 22 and gets back a packet with the RST flag set, Nmap determines that the port is closed. If Nmap gets a SYN-ACK response from the server, the port is open and ready to accept incoming connections. When no reply comes back at all (typically because a firewall dropped the probe), Nmap cannot tell open from closed and reports the port as filtered.

Once Nmap gets a SYN-ACK response, we can choose either to drop the connection or to complete it and gather more information. We'll see these options in the "Nmap flags" section.
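The decision rules just described, as an added example that is not Nmap's own code: it sends no packets, it only classifies constructed replies to a SYN probe (SYN-ACK, RST, nothing, or an ICMP unreachable message) into the open, closed and filtered states. The `Response` class, the sample reply table and the port numbers in it are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits from the TCP header flags byte
SYN = 0x02
RST = 0x04
ACK = 0x10
# ICMP "destination unreachable" codes that signal a filter in the path
ICMP_UNREACH = 3
FILTER_CODES = {1, 2, 3, 9, 10, 13}

@dataclass
class Response:
    """A constructed reply to one SYN probe (None means nothing came back)."""
    proto: str            # "tcp" or "icmp"
    flags: int = 0        # TCP flags byte when proto == "tcp"
    icmp_type: int = 0    # ICMP type/code when proto == "icmp"
    icmp_code: int = 0

def classify(response: Optional[Response]) -> str:
    """Map one probe reply to a port state using the SYN-scan rules."""
    if response is None:
        # No reply at all: a firewall silently dropped the probe (or the
        # answer), so open and closed cannot be told apart.
        return "filtered"
    if response.proto == "tcp":
        if response.flags & SYN and response.flags & ACK:
            return "open"      # SYN-ACK: a service is listening
        if response.flags & RST:
            return "closed"    # RST: host reachable, nothing listening
    elif response.icmp_type == ICMP_UNREACH and response.icmp_code in FILTER_CODES:
        return "filtered"      # e.g. admin-prohibited: a filter answered
    return "filtered"          # anything else is treated as filtered too

def summarize(replies: dict) -> dict:
    """Group probed ports by state, like the table at the end of an Nmap run."""
    out = {"open": [], "closed": [], "filtered": []}
    for port in sorted(replies):
        out[classify(replies[port])].append(port)
    return out

# Constructed replies, one per probed port (no packets are sent)
SAMPLE = {
    22: Response("tcp", flags=SYN | ACK),   # sshd answered the probe
    23: Response("tcp", flags=RST | ACK),   # nothing on telnet
    80: Response("tcp", flags=SYN | ACK),
    135: None,                              # probe silently dropped
    445: Response("icmp", icmp_type=ICMP_UNREACH, icmp_code=13),
}
```

The same table shows why a firewall that silently drops traffic produces "filtered" while one that sends RST (a reject rule) produces "closed", which matters when reading scan results of your own hosts.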

Let's run our simple scan again. When we don't provide any flags, Nmap scans only the 1,000 most common ports on the server (not ports 1–1,000, but the 1,000 most commonly used ones). This gives quicker results and finds the common services without going through all 65,000+ ports.

Run the following command:
