Introduction to Linux penetration testing with nmap
by David M Williams   
Tuesday, 14 August 2007
Port scanning

With some rudimentary information now under our belt, it's time to step things up a notch. Port scanning tries to reveal the entry points into a system. A web server, for example, must accept connections on port 80: even if a firewall blocks everything else on the machine, it cannot deliver web pages unless that port is open. The same host may also expose some form of remote administration, or more. Port scanning sets out to discover which ports answer.

Port scanning is a noisy process: it effectively knocks on each port and waits for a response. You might expect every knock to show up in the target's log files, but the most common scanning method takes advantage of a detail of the TCP handshake. A TCP connection begins with a segment carrying the SYN flag, which asks the remote host to start the three-way handshake. If a service is listening on that port, the host replies with SYN/ACK; if nothing is listening, it replies with RST. The scanner records the reply and, instead of completing the handshake with the final ACK, tears the half-open connection down with a RST (no reply at all usually means a firewall is silently dropping the probe). Because the handshake never completes, the connection is never handed to the listening service, so the service itself has nothing to log. Be precise about what "stealth" means here: a host firewall, an IDS or a netfilter logging rule sees the SYN packets perfectly well; it is only application-level logging that the scan bypasses.


To perform such "stealth" scanning with nmap, use the -sS flag. It needs raw-socket privileges, so run nmap as root (it is also nmap's default scan type when you do); without root, nmap refuses -sS, and if no scan type is given it falls back to the full connect scan (-sT), which completes the handshake and is visible to the service. The output lists the open ports found on the target along with the service name conventionally associated with each port number. That name comes from nmap's own port table, not from anything the service said, so a service on an unusual port is mislabelled; add -sV if you want nmap to probe each open port and report what is actually listening.


Note that nmap won't automatically try every single port (all 65,535 of them) because this would take a very long time. Instead it scans a list of commonly used ports (almost 2,000 at the time of writing; current nmap releases default to the 1,000 most common). The problem is that an admin may well be running a service on a non-standard port to hide it through obscurity, and a default scan will miss it. The -p flag accepts a list or range of ports for nmap to try: use -p1-65535 (or the shorthand -p-) to scan every port from 1 through to 65535, or something like -p22,80,443 to try just those three. A full sweep may take a very long time to complete, especially if you are probing over the Internet rather than a LAN, and it is correspondingly louder.


Fingerprinting


The services discovered may give some insight into the target host's operating system, because certain services, alone or in combination with others, are only found on particular OSs. You could try to reason this out by hand, but nmap will again help: use the -O flag, followed as always by the target hosts in whichever input format you choose. Rather than guessing from service names, -O sends a series of crafted probes to the target and compares the quirks of its TCP/IP stack's replies (initial TTL, TCP window size and option ordering, how it reacts to unusual flag combinations, and so on) against nmap's built-in database of OS fingerprints. Like -sS it needs root, and it works best when nmap has already found at least one open and one closed TCP port; otherwise nmap warns that the result may be unreliable. Treat the answer as a best match with a confidence, not as fact.
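As an added illustration of what those built-in heuristics amount to (this is not nmap's code and not its real fingerprint database), the example below parses a constructed SYN/ACK into the kind of stack features -O examines, namely initial TTL, the Don't Fragment bit, window size and TCP option order, and then scores them against three made-up, deliberately simplified signatures. The signature values, the option-order notation and the sample packet are assumptions for illustration only.

```python
"""Stack fingerprinting reduced to its core idea, in the spirit of nmap -O.

Added example for this article; not nmap's code and not its nmap-os-db.
The three signatures and the sample packet are constructed for illustration:
real stacks vary with version and tuning, and nmap's database is far richer.
"""
import struct

# TCP option kinds rendered as letters, so option order becomes a short string
# (NOP, MSS, window scale, SACK permitted, timestamps).
OPTION_LETTERS = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Constructed, deliberately simplified signatures (assumption: illustrative values only).
SIGNATURES = {
    "Linux (illustrative)":             {"ttl": 64,  "df": True,  "opts": "MSTNW"},
    "Windows (illustrative)":           {"ttl": 128, "df": True,  "opts": "MNWNNS"},
    "Network appliance (illustrative)": {"ttl": 255, "df": False, "opts": "M"},
}

def tcp_option_order(opts: bytes) -> str:
    """Walk the TCP option list and record the kinds in the order they appear."""
    order, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP carries no length byte
            order.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):             # truncated option: stop rather than read past the end
            break
        order.append(OPTION_LETTERS.get(kind, "?"))
        i += max(opts[i + 1], 2)           # a zero length would otherwise loop forever
    return "".join(order)

def parse_synack(pkt: bytes) -> dict:
    """Extract fingerprint features from a raw IPv4 packet carrying a TCP SYN/ACK."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    # The observed TTL is the initial TTL minus hop count; infer the initial value
    # from the usual defaults (32, 64, 128, 255).
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return {
        "ttl": initial_ttl,
        "hops": initial_ttl - ttl,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment bit
        "window": window,
        "opts": tcp_option_order(tcp[20:data_off]),
    }

def match_os(features: dict):
    """Score each signature by the number of matching fields; return (name, confidence 0..1)."""
    best_name, best_score = None, -1
    for name, sig in SIGNATURES.items():
        score = sum(1 for key, value in sig.items() if features.get(key) == value)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score / len(SIGNATURES[best_name])

def sample_synack() -> bytes:
    """Constructed SYN/ACK from a Linux-like host three hops away (TTL 61, DF set, MSS/SACK/TS/NOP/WS)."""
    options = (struct.pack("!BBH", 2, 4, 1460)           # MSS 1460
               + bytes([4, 2])                           # SACK permitted
               + struct.pack("!BBII", 8, 10, 1000, 0)    # timestamps
               + bytes([1])                              # NOP
               + bytes([3, 3, 7]))                       # window scale 7
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0xDEADBEEF, 2, 10 << 4, 0x12, 29200, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 61, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + tcp

if __name__ == "__main__":
    feats = parse_synack(sample_synack())
    print(feats)
    print(match_os(feats))
```

The scoring deliberately mirrors why nmap reports a confidence rather than a verdict: a hardened or tuned stack (changed default TTL, disabled timestamps, a load balancer in front of the host) will match only partially, and a partial match is a guess, not an identification.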




 