Hello everyone, Today we are going to discuss about the Port Scannig using the Top tools used by the Ethical Hackers/Pentesters. This tools will let you know about the Various methods to Find the Port status that may be Open/close/filtered/unfiltered ports.

And if you are new to our website, our website has Good Cyber Security labs and those are totally free. And while solving those labs you will definitely gain good experience. And the links to the lab are mentioned below.

Account takeover Lab link: https://bepractical.tech/account-takeover-labs/

And we do have a CSRF POC generator on our website. And the link for that is mentioned below.

CSRF POC Generator link: https://bepractical.tech/tools/csrf_poc_generator/

Now let’s Get back into the Topic,

We Scan the Thousands of ports in the seconds. Before that let’s discuss some basic knowledge.

First we need to know the basics of the ports they are 4-types:

Open: An Application Actively Accepting the TCP connection, UDP datagams and etc. Finding these are the primary goal of port scaning.

closed: The Port is available but it is not accesible, it means that port was closed but the information may usefull for Pentesters and Ethical Hackers. And it means the ports are closed by the firewalls to get avoid the unauthorization access.

filtered: We cannot determine the port is open/closed because the port had some preventions to reachimg out the port. The filtering could be the dedicated firewalls or Routers firewalls

unfiltered: We cannot say the port is open but it has unfiltered means it may be open port that port can accesible

Here are the some Top Port Scaning Tools:

  1. NMAP
  2. NetScanTool

1.NMAP – Network Mapper

The NMAP is the one the best tool for Port Scanning and it had Various techniques to Discover the ports

And The NMAP is availble in both GUI mode and Terminal Mode

This the Full usaeg of the NMAP in terminal

Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude : Exclude hosts/networks
--excludefile : Exclude list from file
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers : Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags : Customize TCP scan flags
-sI : Idle scan
-sO: IP protocol scan
-b : FTP bounce scan
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports : Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports : Scan most common ports
--port-ratio : Scan ports more common than
-sV: Probe open ports to determine service/version info
--version-intensity : Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
-sC: equivalent to --script=default
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=: Show help about scripts.
is a comma-separated list of script-files or
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Options which take are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup : Parallel host scan group sizes
--min-parallelism/max-parallelism : Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
probe round trip time.
--max-retries : Caps number of port scan probe retransmissions.
--host-timeout : Give up on target after this long
--scan-delay/--max-scan-delay : Adjust delay between probes
--min-rate : Send packets no slower than per second
--max-rate : Send packets no faster than per second
-f; --mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
-S : Spoof source address
-e : Use specified interface
-g/--source-port : Use given port number
--proxies : Relay connections through HTTP/SOCKS4 proxies
--data : Append a custom payload to sent packets
--data-string : Append a custom ASCII string to sent packets
--data-length : Append random data to sent packets
--ip-options : Send packets with specified ip options
--ttl : Set IP time-to-live field
--spoof-mac : Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume : Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet : XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir : Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
nmap -v -A scanme.nmap.org
nmap -v -sn
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

In GUI mode

Now Let’s see the various Techniques of Port Scaning Using The NMAP

Note:- -v Means Verbose scan that makes the scans fasts

TCP SYN Scan:SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

nmap -sS -v <ip address>

Note: -sS this is used to TCP SYN Scan.

TCP Connect Scan:TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

nmap -sT -v <ip address>

Note: -sT this is used to TCP connect Scan

UDP Scan: While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don’t ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

nmap -sU -Pn -v <ip address>

Note: -sU this is used to UDP Scan, -Pn Treat all hosts as online

TCP NULL Scan (-sN): NULL scan, as the name implies, sends a TCP packet with no flags set. If the port is closed, the host responds with an RST.
TCP FIN Scan (-sF): FIN scan, rather than sending completely empty packets, it sends a packet with its FIN flag set. If the port is closed, the host responds with an RST.
TCP XMAS Scan (-sX): XMAS scan, sends a packet with URG,PSH,FIN flags set. This scan got its name from the appearance it gives of a Christmas tree when viewed as a packet capture in Wireshark. If the port is closed, the host responds with an RST.

In NMAP GUI mode The Same cammads will be used

1= Command input

2= target IP Address


For Windows/Mac Download Here

For Linux/Ubantu Follow the steps:

$ sudo apt-get update

$ sudo apt-get upgrade -y

$ Sudo apt-get install nmap

2.NetScan Tool

This is used for the port Scanning And user Friendly easy understandable

In this tool we can find the

  • TCP Full Connnect
  • UDP Ports Only
  • TCP+UDP ports
  • TCP SYN scan
  • TCP Custom Scan

Installation :

This tool is only available for only Windows

Download Software here


The Most Powerfull and free tool is Nmap Scanning tool And after that NetSCan Tool.