View open ports of a device or server
Once you have the IP address of a device you often want to see what ports are
open. This goes for servers as well, which after all are simply devices located
at an IP address somewhere else on the internet, no different from a local
computer, smartphone, or IoT device. Situations where this might come in handy
include:
- Figuring out what type of device is on the network based on open ports.
- Finding open ports that may be exploitable.
- Finding an open port that can be visited in your browser or by other means
for device interaction.
If you followed along with the second method for finding all devices on your
local network you should already have nmap installed. If not, you can install it
with the following on Ubuntu/Debian based operating systems:
sudo apt-get install nmap
The most common way to scan for open ports of a device is to simply use nmap
followed by the IP address of the device you want to scan. For example, using the
previous tip I was able to find that my hotel's router has an IP address of
192.168.1.1. I would then use the following command to find its open ports:
nmap 192.168.1.1
Which outputs the following:
Host is up (0.82s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
It shows that port 80 is open. This is the standard HTTP port, where the web-based
interface serves the settings panel for the router.
It's important to point out that by default nmap only scans the 1000 most
popular ports on the specified device. When a server or device wants to be
discreet, less popular ports may be used. If you really want to scan all
possible ports you should use the -p- option. For example:
nmap -p- 192.168.1.1
This will scan all 65535 ports, over 65 times as many ports as the
default, so it takes significantly longer to complete.
The same method can be used on a hostname, for example:
nmap google.com
which will return the open ports on the server behind google.com.
Scan all devices and all ports in a single step
If you want to scan all devices on your local network and also scan for open
ports on those devices you can actually combine the two previous tips into a
single command.
This can either be done the easy but slow way or the fast way.
The easy but slow way is to simply use nmap for the whole process in a single
step, by running nmap on an IP range instead of a single IP. This means nmap
will be run against every IP in the specified range; simply add -p- if you want
to scan all ports instead of the 1000 most popular:
nmap 192.168.1.0/24
The faster way uses arp-scan to get the IPs, grep to extract them, and finally
xargs with nmap to perform the scan on each one. It looks like this:
sudo arp-scan --localnet \
| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
| xargs nmap
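The pipeline above hands every address it finds to nmap and leaves you to read the raw output by eye. The following shell script is an added example, not part of the original tip: it defines extract_ips, which pulls only the result rows out of arp-scan output (the grep above also matches any address printed in arp-scan's header, such as the scanner's own interface address on versions that print it), and open_ports, which turns the "PORT STATE SERVICE" tables from one or more nmap reports into one "host port service" line per open port. The sample arp-scan and nmap output embedded below is constructed for this example; scan_lan is an assumed wrapper that chains the real tools through the two parsers.

```shell
#!/bin/sh
# Constructed sample of `arp-scan --localnet` output. Real result rows are
# tab-separated (IP, MAC, vendor); awk's default field splitting handles both.
SAMPLE_ARP='Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10
Starting arp-scan 1.9 with 256 hosts
192.168.1.1    aa:bb:cc:dd:ee:01    Example Router Vendor
192.168.1.23   aa:bb:cc:dd:ee:02    Example Phone Vendor
3 packets received by filter, 0 packets dropped by kernel'

# Constructed sample of `nmap` normal output for two hosts.
SAMPLE_NMAP='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for router.local (192.168.1.1)
Host is up (0.82s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.1.23
Host is up (0.0040s latency).
Not shown: 998 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
8080/tcp closed http-proxy
Nmap done: 2 IP addresses (2 hosts up) scanned in 5.12 seconds'

# extract_ips: print the first field of every line that *starts* with an
# IPv4 address, i.e. only arp-scan result rows, never the header line that
# carries the scanner's own address. Takes the text as its first argument.
extract_ips() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# open_ports: remember the current host from each "Nmap scan report for ..."
# line (the IP is the last word, possibly wrapped in parentheses when nmap
# resolved a hostname), then print "host port/proto service" for every port
# row whose state is exactly "open". Rows such as "open|filtered" are left out
# so that only confirmed open ports are reported.
open_ports() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp)/ && $2 == "open" { print host, $1, $3 }
    '
}

# count_open: number of open ports found across all hosts in an nmap report.
count_open() {
    open_ports "$1" | wc -l | tr -d ' '
}

# scan_lan (assumed wrapper, needs arp-scan and nmap installed and root for
# arp-scan): discover hosts, scan them, and print only the open ports.
# Pass extra nmap options such as -p- as arguments.
scan_lan() {
    open_ports "$(sudo arp-scan --localnet | extract_ips | xargs nmap "$@")"
}

# Stand-alone demonstration on the constructed samples.
echo "Discovered hosts:"
extract_ips "$SAMPLE_ARP"
echo "Open ports:"
open_ports "$SAMPLE_NMAP"
```

Running the script prints the two discovered addresses and then `192.168.1.1 80/tcp http` and `192.168.1.23 22/tcp ssh`; the closed port on the second host is dropped. On a real network, `scan_lan -p-` replaces the three-command pipeline and gives you a compact list you can diff against a previous run to spot newly opened ports.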