Port Scanning Tools
Port Scanning Tools

A collection of port-scanning tools and techniques for network reconnaissance and penetration testing. Everything below assumes written authorization for the target range (see "Legal and Ethical Considerations" at the end).

Nmap Port Scanning

Basic Port Scanning
# TCP SYN (half-open) scan — needs raw sockets (root / CAP_NET_RAW); without them nmap silently falls back to -sT
nmap -sS TARGET_IP
# TCP connect scan — completes the handshake, so the connection shows up in the target's application logs
nmap -sT TARGET_IP
# UDP scan
nmap -sU TARGET_IP
# TCP ACK scan — classifies ports as filtered/unfiltered only; it cannot tell open from closed
nmap -sA TARGET_IP
# TCP FIN scan
nmap -sF TARGET_IP
# TCP NULL scan
nmap -sN TARGET_IP
# TCP XMAS scan
nmap -sX TARGET_IP
# TCP Maimon scan
nmap -sM TARGET_IP
# TCP Window scan
nmap -sW TARGET_IP
# TCP Idle scan — ZOMBIE_IP must be a genuinely idle host with an incremental IP ID (the ipidseq NSE script can check a candidate); add -Pn, otherwise nmap's host discovery still pings the target from your real address
nmap -sI ZOMBIE_IP TARGET_IP
Note: FIN/NULL/XMAS/Maimon depend on RFC 793 behaviour for closed ports. Windows, many Cisco devices and other non-compliant stacks answer RST to everything, so every port reports as closed.

Advanced Port Scanning
# Comprehensive scan (-A turns on OS detection, version detection, default scripts and traceroute — noisy)
nmap -sS -sU -O -A -v TARGET_IP
# Fragment packets — modern IDS/firewalls reassemble fragments, and on Linux the local netfilter connection tracking may reassemble your own packets before they leave
nmap -sS -f TARGET_IP
# Fragmented scan with 10 random decoys
nmap -sS -f -D RND:10 TARGET_IP
# Decoy scan — your real address is still among the sources; spoofed packets may be dropped by egress filtering, and decoys do not work with -sT or version detection
nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP
# Source-port scan — only gets past stateless filters that blindly allow "replies" from port 53
nmap -sS --source-port 53 TARGET_IP
# Timing templates
nmap -T0 TARGET_IP # Paranoid
nmap -T1 TARGET_IP # Sneaky
nmap -T2 TARGET_IP # Polite
nmap -T3 TARGET_IP # Normal (the default)
nmap -T4 TARGET_IP # Aggressive
nmap -T5 TARGET_IP # Insane — sacrifices accuracy; dropped probes show up as filtered ports
# Port range
nmap -p 1-1000 TARGET_IP
nmap -p 80,443,8080,8443 TARGET_IP
nmap -p- TARGET_IP # All 65535 ports
# Service detection
nmap -sV TARGET_IP
# OS detection (needs raw sockets)
nmap -O TARGET_IP
# Default-script scanning (same as --script=default)
nmap -sC TARGET_IP

Port Scanning Techniques
# SYN scan ("stealth" only in the historical sense: it never completes the handshake, but any firewall or IDS logs it)
nmap -sS TARGET_IP
# Connect scan (reliable; works without root)
nmap -sT TARGET_IP
# UDP scan (slow because targets rate-limit ICMP unreachables, but necessary for DNS, SNMP, NTP and similar services)
nmap -sU TARGET_IP
# ACK scan (maps firewall rules, not open ports)
nmap -sA TARGET_IP
# FIN scan (evades some stateless filters; useless against Windows — see note above)
nmap -sF TARGET_IP
# NULL scan (same caveat)
nmap -sN TARGET_IP
# XMAS scan (same caveat)
nmap -sX TARGET_IP
# Maimon scan (same caveat)
nmap -sM TARGET_IP
# Window scan (ACK-scan variant that inspects the TCP window; results depend on the target's stack)
nmap -sW TARGET_IP
# Idle scan (the only option here where the probes to the target carry the zombie's address rather than yours)
nmap -sI ZOMBIE_IP TARGET_IP

Masscan

Basic Port Scanning
Masscan runs its own TCP/IP stack over raw sockets, so it needs root. Its default rate is 100 packets/second; the value you pass to --rate is packets per second, not connections.
# Basic port scan
masscan -p80,443 TARGET_NETWORK
# Scan all ports
masscan -p0-65535 TARGET_NETWORK
# Scan common ports
masscan -p1-1000 TARGET_NETWORK
# Scan specific ports
masscan -p22,80,443,8080,8443 TARGET_NETWORK
# Scan with rate limit — high rates can saturate your uplink and exhaust the state tables of firewalls in between
masscan -p80,443 --rate=1000 TARGET_NETWORK
#
Scan with output file (grepable format)
masscan -p80,443 -oG results.txt TARGET_NETWORK
# Scan with XML output
masscan -p80,443 -oX results.xml TARGET_NETWORK
# Scan with JSON output
masscan -p80,443 -oJ results.json TARGET_NETWORK
# Scan with binary output (convert later with masscan --readscan results.bin)
masscan -p80,443 -oB results.bin TARGET_NETWORK

Advanced Masscan Options
# Low-rate scan — slower, not stealthier: every probe still reaches the target and can be logged there
masscan -p80,443 --rate=100 TARGET_NETWORK
# Randomize hosts / ports — masscan already walks the address and port space in random order by design, so these flags add nothing beyond the default
masscan -p80,443 --randomize-hosts TARGET_NETWORK
masscan -p80,443 --randomize-ports TARGET_NETWORK
# Adapter selection
masscan -p80,443 --adapter eth0 TARGET_NETWORK
# Source IP — replies are sent to this address, so it must be one your adapter actually receives on; a spoofed source means you see no results
masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK
# Source port — choose a port the local kernel stack does not use and block inbound traffic to it (e.g. iptables -A INPUT -p tcp --dport 40000 -j DROP); otherwise the kernel answers every SYN-ACK with a RST and banner grabbing breaks
masscan -p80,443 --source-port 40000 TARGET_NETWORK
# Banner grab (requires the source-port/firewall setup above)
masscan -p80,443 --banners TARGET_NETWORK
# Ping scan
masscan --ping TARGET_NETWORK
# ARP scan (local segment only)
masscan --arp TARGET_NETWORK
# ICMP scan
masscan --icmp TARGET_NETWORK

Zmap

Basic Port Scanning
ZMap, like masscan, is an Internet-scale scanner with its own packet engine and needs root. Older releases scan a single port per run; the multi-port syntax below needs ZMap 3.0 or later.
# Basic port scan
zmap -p 80 TARGET_NETWORK
# Scan multiple ports (ZMap 3.0+)
zmap -p 80,443 TARGET_NETWORK
# Scan port range (ZMap 3.0+)
zmap -p 80-443 TARGET_NETWORK
# Scan with rate limit (packets per second)
zmap -p 80 --rate=1000 TARGET_NETWORK
# Scan with bandwidth limit
zmap -p 80 --bandwidth=10M TARGET_NETWORK
# Scan with output file
zmap -p 80 -o results.txt TARGET_NETWORK
# The output format is selected with --output-module (csv is the default); the file extension by itself does not change it
zmap -p 80 --output-module=json -o results.json TARGET_NETWORK
zmap -p 80 --output-module=csv -o results.csv TARGET_NETWORK
zmap -p 80 -o results.bin TARGET_NETWORK # still CSV despite the extension

Advanced Zmap Options
# Low-rate scan — slower, not stealthier
zmap -p 80 --rate=100 TARGET_NETWORK
# Sharding — ZMap already walks the target space in a random permutation; --shards splits that permutation across machines (the documented form is --shards=N together with --shard=i; check zmap --help for your version)
zmap -p 80 --shards=1/1 TARGET_NETWORK
# Blacklist file (--blocklist-file in newer releases). ZMap ships a default blocklist that excludes reserved and private ranges; supplying your own file replaces it, so carry those exclusions over
zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK
# Whitelist file (--allowlist-file in newer releases)
zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK
# Source IP (must be an address you receive on, or you will see no replies)
zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK
# Source port
zmap -p 80 --source-port=40000 TARGET_NETWORK
# Interface selection
zmap -p 80 --interface=eth0 TARGET_NETWORK
# Gateway MAC (only needed when ZMap cannot discover the gateway itself, e.g. in some VM setups)
zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK
#
Probe module
zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK
# Output module
zmap -p 80 --output-module=json TARGET_NETWORK

Custom Port Scanners

Python Port Scanner (indentation below is reconstructed from the flattened original)

import socket
import threading
import queue
import time
import ipaddress

def port_scanner(target, ports, threads=10, delay=0):
    def worker():
        while True:
            try:
                port = ports.get()
                if port is None:
                    break
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(1)
                result = sock.connect_ex((target, port))
                if result == 0:
                    print(f"[OPEN] {target}:{port}")
                sock.close()
                time.sleep(delay)
            except Exception as e:
                pass
            finally:
                ports.task_done()

    # Start threads
    for i in range(threads):
        t = threading.Thread(target=worker)
        t.daemon = True
        t.start()

    # Add ports to queue
    for port in range(1, 65536):
        ports.put(port)

    # Wait for completion
    ports.join()

# Usage
target = "TARGET_IP"
ports = queue.Queue()
port_scanner(target, ports, threads=100, delay=0.01)

Before reusing this script, note what it actually does: it is a full TCP connect scan, so every open port sees a completed handshake and will appear in the target's logs. The `ports` argument is an empty Queue that the function fills itself with 1–65535, so there is no way to pass a port list, and `except Exception: pass` silently discards any error (a failed name lookup, "too many open files" at 100 threads) without closing the socket. No `None` sentinel is ever queued, so the workers only go away because they are daemon threads. The `ipaddress` import is unused.

Bash Port Scanner (needs bash for /dev/tcp — not sh — and GNU parallel)

#!/bin/bash
TARGET_IP="TARGET_IP"
THREADS=10

# Function to check port
check_port() {
    local port=$1
    local target=$2
    if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then
        echo "[OPEN] $target:$port"
    fi
}

# Export function for parallel
export -f check_port
export TARGET_IP

# Run parallel port check
seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP"

Like the Python version this performs full connects and is logged on the target; `export TARGET_IP` is harmless but unnecessary since the address is passed as an argument.

Port Scanning Techniques

TCP Scanning
# SYN scan (half-open; logged by any modern firewall/IDS despite the "stealth" label)
nmap -sS TARGET_IP
# Connect scan (reliable; no root needed)
nmap -sT TARGET_IP
# ACK scan (firewall rule mapping; reports filtered/unfiltered only)
nmap -sA TARGET_IP
# FIN scan (RFC 793 stacks only; Windows reports everything closed)
nmap -sF TARGET_IP
# NULL scan (same caveat)
nmap -sN TARGET_IP
# XMAS scan (same caveat)
nmap -sX TARGET_IP
# Maimon scan (same caveat)
nmap -sM TARGET_IP
# Window scan (same caveat; stack-dependent)
nmap -sW TARGET_IP
# Idle scan (needs an idle zombie with incremental IP IDs; use -Pn)
nmap -sI ZOMBIE_IP TARGET_IP

UDP Scanning
# UDP scan
nmap -sU TARGET_IP
# UDP scan of the usual UDP services (DNS 53, DHCP 67/68, TFTP 69, NTP 123, MSRPC 135, NetBIOS 137–139, SNMP 161/162, SMB 445, IKE 500, syslog 514, RIP 520, IPP 631, MSSQL browser 1434, SSDP 1900, IPsec NAT-T 4500)
nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP
# UDP scan with service detection — -sV is what turns the common open|filtered verdict into a definite answer for many UDP ports
nmap -sU -sV TARGET_IP
# UDP
scan with OS detection
nmap -sU -O TARGET_IP
# UDP scan with vulnerability scripts (active checks — see the note under Nmap Scripts)
nmap -sU --script vuln TARGET_IP

ICMP Scanning
The flags below are the Linux iputils ones; BSD/macOS ping reuses some letters for different things (there -t is a timeout, not a TTL).
# ICMP echo, 4 packets
ping -c 4 TARGET_IP
# Print a timestamp before each reply
ping -D TARGET_IP
# Flood ping — sends as fast as replies come back, needs root, and is a load test rather than reconnaissance; do not point it at production hosts
ping -f TARGET_IP
# Custom interval (much shorter intervals need root on Linux)
ping -i 0.2 TARGET_IP
# Payload size
ping -s 1000 TARGET_IP
# TTL
ping -t 64 TARGET_IP
# Verbose
ping -v TARGET_IP
# Quiet (summary only)
ping -q TARGET_IP

Service Detection

Banner Grabbing
# Telnet banner grab — HTTP servers say nothing until you send a request (e.g. HEAD / HTTP/1.0 followed by an empty line)
telnet TARGET_IP 80
# Netcat banner grab (same: type a request)
nc TARGET_IP 80
# Nmap banner grab
nmap -sV --script banner TARGET_IP
# Curl banner grab (HEAD request; prints response headers)
curl -I http://TARGET_IP
# Wget banner grab
wget --spider -S http://TARGET_IP
# OpenSSL banner grab — shows the certificate chain and negotiated TLS parameters; add -servername HOST for virtual hosts that depend on SNI
openssl s_client -connect TARGET_IP:443
# SMTP banner grab (the server speaks first)
nc TARGET_IP 25
# FTP banner grab (the server speaks first)
nc TARGET_IP 21
# SSH banner grab (the server sends its version string first)
nc TARGET_IP 22

Service Enumeration
# HTTP service enumeration — http-enum and http-vhosts send many requests and are not quiet; restrict with -p 80,443
nmap --script http-enum TARGET_IP
nmap --script http-headers TARGET_IP
nmap --script http-methods TARGET_IP
nmap --script http-robots.txt TARGET_IP
nmap --script http-sitemap-generator TARGET_IP
nmap --script http-title TARGET_IP
nmap --script http-vhosts TARGET_IP
# SMB service enumeration (TCP 445/139). The enum-users/groups/domains scripts usually need credentials on current Windows versions: --script-args smbusername=USER,smbpassword=PASS
nmap --script smb-enum-shares TARGET_IP
nmap --script smb-enum-users TARGET_IP
nmap --script smb-enum-groups TARGET_IP
nmap --script smb-enum-domains TARGET_IP
nmap --script smb-os-discovery TARGET_IP
nmap --script smb-protocols TARGET_IP
nmap --script smb-security-mode TARGET_IP
nmap --script smb-system-info TARGET_IP
# SNMP service enumeration. SNMP is UDP/161, so without -sU -p 161 these scripts never run on a default (TCP) scan. They try the community string "public" unless you pass --script-args snmpcommunity=STRING; snmp-brute guesses community strings and counts as intrusive. Verify script names against your install with nmap --script-help 'snmp-*'.
nmap -sU -p 161 --script snmp-info TARGET_IP
nmap -sU -p 161 --script snmp-brute TARGET_IP
nmap -sU -p 161 --script snmp-communities TARGET_IP
nmap -sU -p 161 --script snmp-hh3c-logins TARGET_IP
nmap -sU -p 161 --script snmp-interfaces TARGET_IP
nmap -sU -p 161 --script snmp-ios-config TARGET_IP
nmap -sU -p 161 --script snmp-netstat TARGET_IP
nmap -sU -p 161 --script snmp-processes TARGET_IP
nmap -sU -p 161 --script snmp-public TARGET_IP
nmap -sU -p 161 --script snmp-sysdescr TARGET_IP
nmap -sU -p 161 --script snmp-win32-services TARGET_IP
nmap -sU -p 161 \
--script snmp-win32-shares TARGET_IP
nmap -sU -p 161 --script snmp-win32-software TARGET_IP
nmap -sU -p 161 --script snmp-win32-users TARGET_IP

Port Scanning Scripts

Nmap Scripts
Script categories are not equally safe. "safe" and "discovery" scripts are designed not to crash or alter the target; "intrusive", "exploit", "dos" and "brute" scripts can crash services, lock accounts or actually compromise a host, and "vuln" includes some intrusive checks. List what a category contains with nmap --script-help CATEGORY before running it, and run intrusive categories only under explicit authorization.
# Vulnerability scripts
nmap --script vuln TARGET_IP
# Safe scripts
nmap --script safe TARGET_IP
# Auth scripts (check for absent or bypassable authentication; brute forcing is a separate category)
nmap --script auth TARGET_IP
# Discovery scripts
nmap --script discovery TARGET_IP
# Exploit scripts (actively exploit vulnerabilities on the target)
nmap --script exploit TARGET_IP
# Malware scripts (look for known backdoors or infections on the target)
nmap --script malware TARGET_IP
# Intrusive scripts
nmap --script intrusive TARGET_IP
# Version scripts (extend -sV)
nmap --script version TARGET_IP
# Multiple script categories
nmap --script vuln,exploit TARGET_IP

Custom Scripts (these are stock NSE scripts rather than custom ones)
# HTTP enumeration script
nmap --script http-enum TARGET_IP
# SMB enumeration script
nmap --script smb-enum-shares TARGET_IP
# SNMP enumeration script (UDP/161 — see above)
nmap -sU -p 161 --script snmp-info TARGET_IP
# DNS enumeration script — brute-forces subdomains; pass the zone with --script-args dns-brute.domain=example.com, and expect it to be noisy
nmap --script dns-brute TARGET_IP
# FTP enumeration script (anonymous-login check)
nmap --script ftp-anon TARGET_IP
# SSH enumeration script (prints host keys)
nmap --script ssh-hostkey TARGET_IP
# SMTP enumeration script (lists the commands advertised in the EHLO response)
nmap --script smtp-commands TARGET_IP

Best Practices

Rate Limiting
Nmap has no thread count to tune. Timing templates set rate and parallelism as a bundle; the explicit options below set them individually.
# Slow down with a timing template
nmap -T2 TARGET_IP
nmap -T1 TARGET_IP
# Or set limits explicitly: packets per second, a fixed delay between probes, and the number of probes in flight
nmap --max-rate 50 TARGET_IP
nmap --scan-delay 100ms TARGET_IP
nmap --max-parallelism 10 TARGET_IP
# "Proxy rotation" does not exist in nmap: --proxies is implemented in the nsock library and only affects NSE scripts and version detection. It has no effect on host discovery, port scanning or OS detection, so the raw -sS scan below is sent directly from your own address. To route a port scan through a proxy, use -sT under proxychains or a SOCKS pivot.
nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP

Stealth Mode
None of these hides a scan from a host firewall or a network IDS; they complicate attribution and get past simplistic stateless filters, nothing more.
# Randomize host order (-T3 is simply the default timing template)
nmap -T3 --randomize-hosts TARGET_IP
# Fragment packets
nmap -sS -f TARGET_IP
# Decoy scans
nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP
# Source port spoofing
nmap -sS --source-port 53 TARGET_IP

Output Analysis
# Save results to file (normal format; -oG gives one line per host for grep, -oA writes normal, grepable and XML at once)
nmap -oN results.txt TARGET_IP
# Filter by port status
grep "open" results.txt
grep "filtered" results.txt
grep "closed" results.txt
# Filter by service
grep "http" results.txt
grep "ssh" results.txt
grep "ftp" results.txt
grep "smb" results.txt
grep "snmp" results.txt

Troubleshooting

Common Issues
# Connection timeouts — slow down
nmap -T1 TARGET_IP
# Target rate-limits or drops excess probes — slow down further
nmap -T0 TARGET_IP
# Invalid target — confirm the hosts and range with a host-discovery sweep first
nmap -sn TARGET_NETWORK
# Permission denied — SYN, UDP and OS-detection scans need raw sockets (root or CAP_NET_RAW); without them nmap falls back to a connect scan
sudo nmap -sS
TARGET_IP

Performance Optimization
# Use an appropriate timing template
nmap -T4 TARGET_IP
# Use smaller port ranges
nmap -p 1-1000 TARGET_IP
# Name the scripts you need rather than a whole category — --script vuln runs dozens of scripts, so picking the relevant ones is both faster and quieter
nmap --script vuln TARGET_IP

Legal and Ethical Considerations
- Always obtain written authorization — scope, time window and an emergency contact — before scanning; unauthorized port scanning is a criminal offence in many jurisdictions.
- Respect rate limits and server resources: Internet-scale scanners (masscan, ZMap) and aggressive nmap timing can saturate links and crash fragile devices.
- Use tools appropriate to the target (for example a connect scan of an embedded device rather than an intrusive script category).
- Document findings properly: keep the raw output (nmap -oA) together with the exact command and timestamps.
- Follow responsible disclosure practices.