The purpose of network scanning is to identify which IP addresses have computers attached, and which applications are running on those computers. The previous section discussed how to find the computers; now let's focus on finding the open ports.
The scanners discussed in this chapter (Nmap, Unicornscan, and Scanrand) are all complex tools with many options (Nmap alone has nearly 80 distinct command-line flags) but port scanning is so central to each that without any command-line flags, they perform a port scan, the only necessary argument being the host(s) to scan. By default, all three scanners use a SYN scan (see Different Scan Types), which provides a good blend of speed and reliability. Depending on the tool, many other scan types may be available. These are covered in detail later in this chapter. Here is output from each scanner when run against my desktop computer without any arguments:
bryan@firemaw:~$ sudo nmap 10.150.9.46

Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
427/tcp  closed svrloc
443/tcp  closed https
3689/tcp open   rendezvous
8080/tcp open   http-proxy

bryan@firemaw:~$ unicornscan 10.150.9.46
Open                ftp[   21]    From 10.150.9.46  ttl 64
Open                ssh[   22]    From 10.150.9.46  ttl 64
Open               http[   80]    From 10.150.9.46  ttl 64
Open           http-alt[ 8080]    From 10.150.9.46  ttl 64

bryan@firemaw:~$ sudo scanrand 10.150.9.46
bryan@firemaw:~$
You may have noticed that Scanrand returned zero results. This is because by default it doesn't do any bandwidth throttling and sends packets as fast as it can. This often leads to a significant number of packets being dropped by intermediate network devices or the end host. By throttling back the bandwidth with the -b flag (see Tuning the Scan Speed), results are produced.
An obvious question arises from the above output: why are the results from each tool different? Looking beyond the differences in output format, Nmap reported 5 open ports, Unicornscan reported 4, and Scanrand reported 0. Scanrand's lack of output was caused by a lack of bandwidth throttling, but why do Nmap and Unicornscan differ? The answer has to do with the default ports.
In How Scanners Work, we mentioned a simple scanner that scanned all ports, from 1 to 65535. The tools under discussion here are much more sophisticated and instead scan only a subset of possible ports based on which ports are most likely to be open. Certain ports, such as port 80, are much more likely to be open than, say, port 55312. While scanning for all potential ports is certainly the most thorough approach, it also adds significantly to the runtime of the scan. All three scanners discussed here take a compromise approach and by default scan only the most common ports.
Nmap, the most comprehensive of the scanners, checks for nearly 1,700 TCP ports by default, which amounts to 2.6 percent of available port numbers. Unicornscan by default looks for 291 ports, or 0.4 percent of the total. Scanrand, which is optimized for speed, scans only 21 ports (0.03 percent) when scanning a single IP, and only one port (port 80) when scanning more than one IP.
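To see concretely where the Nmap and Unicornscan results above diverge, here is an added example (not from the book or from either tool's project) that parses the two output formats into port/protocol sets and diffs them. The sample text is constructed to mirror the transcripts above; note that the tools name port 8080 differently (http-proxy versus http-alt), so the comparison is keyed on port number and protocol rather than on service name.

```python
import re

# Constructed sample output, modelled on the Nmap and Unicornscan transcripts above.
NMAP_OUT = """Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
427/tcp  closed svrloc
443/tcp  closed https
3689/tcp open   rendezvous
8080/tcp open   http-proxy
"""
UNICORN_OUT = """Open                ftp[   21]    From 10.150.9.46  ttl 64
Open                ssh[   22]    From 10.150.9.46  ttl 64
Open               http[   80]    From 10.150.9.46  ttl 64
Open           http-alt[ 8080]    From 10.150.9.46  ttl 64
"""

# "<port>/<proto> <state> <service>" lines; header and summary lines do not match.
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+\S+")
# "<State> <service>[ <port>] From <ip> ttl <n>" lines (TCP only in this default run).
UNICORN_LINE = re.compile(r"^(\w+)\s+\S+\[\s*(\d+)\]\s+From\s+\S+")


def parse_nmap(text):
    """Return {(port, proto): state} for every port line Nmap printed."""
    result = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            result[(int(m.group(1)), m.group(2))] = m.group(3)
    return result


def parse_unicornscan(text):
    """Return {(port, 'tcp'): state}; Unicornscan only lists ports it saw respond."""
    result = {}
    for line in text.splitlines():
        m = UNICORN_LINE.match(line.strip())
        if m:
            result[(int(m.group(2)), "tcp")] = m.group(1).lower()
    return result


def compare(nmap_text, unicorn_text):
    """Open ports seen by both scanners, by Nmap only, and by Unicornscan only."""
    a = {p for p, s in parse_nmap(nmap_text).items() if s == "open"}
    b = {p for p, s in parse_unicornscan(unicorn_text).items() if s == "open"}
    return {"both": sorted(a & b), "nmap_only": sorted(a - b), "unicorn_only": sorted(b - a)}
```

Running `compare(NMAP_OUT, UNICORN_OUT)` leaves port 3689/tcp in `nmap_only`: it is in Nmap's default list of roughly 1,700 ports but not in Unicornscan's 291, which is exactly the difference the text explains.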