1

A quick and dirty nmap scan (nmap -p 1-65535 hostname) lists many ports as open. However, a more involved scan (nmap -T4 -A -sS -sU hostname) does not list the same ports as open. Some report as open, and others I'm guessing get thrown into the extraports state, as there are many reported there. My question is why I am getting two different scan results, seemingly based on the nmap scan type.

Michael
  • Hi Michael, see my answer here, maybe it provides some insights: https://security.stackexchange.com/questions/182504/nmap-closed-vs-filtered/182541#182541 – Nomad Jan 06 '21 at 09:16

3 Answers

1

Your first command line, nmap -p 1-65535 hostname, specifies all 65535 ports will be scanned. Your second command line does not specify which ports to scan, so nmap will default to the top 1000 ports.

The difference between your two scans is the set of ports you're scanning. The second scan is a small subset of the first, and so its results are a subset of the first scan.

Both scans are scanning TCP (implicit -sT on the first, explicit -sS on the second), and the second scans UDP as well (-sU). The number of UDP findings was probably very small, if any; it's really the number of TCP ports scanned that's making the difference.

Try adding -p 1-65535 to the second command line to equalize the scans.

gowenfawr
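To see the subset effect concretely, here is an added Python example (not from the answer above and not part of Nmap) that parses two constructed Nmap XML (-oX) reports shaped like the question's scans and, for each port open in the full scan, reports whether the second scan also saw it open, reported it closed or filtered, or never probed it at all. The port lists in the sample reports are shortened for brevity.

```python
"""Compare two Nmap XML reports (-oX) and explain, per open port, why the second
scan did or did not report it. Sample reports are constructed; port lists shortened."""
import xml.etree.ElementTree as ET

# Scan A: nmap -p 1-65535 host (all TCP ports, default connect scan)
SCAN_A = """<nmaprun><scaninfo type="connect" protocol="tcp" services="1-65535"/>
<host><ports><extraports state="closed" count="65532"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/></port>
</ports></host></nmaprun>"""
# Scan B: nmap -T4 -A -sS -sU host, no -p, so only the default list (shortened to 1-1024)
SCAN_B = """<nmaprun><scaninfo type="syn" protocol="tcp" services="1-1024"/>
<host><ports><extraports state="closed" count="1022"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""

def parse_port_spec(spec: str) -> set[int]:
    """Expand an Nmap <scaninfo services="..."> string such as '1-3,22,80' into a set."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def load_scan(xml_text: str, proto: str = "tcp") -> tuple[set[int], dict[int, str], str]:
    """Return (ports actually probed, {port: state} for listed ports, extraports state)."""
    root = ET.fromstring(xml_text)
    scanned: set[int] = set()
    for info in root.iter("scaninfo"):
        if info.get("protocol") == proto:
            scanned |= parse_port_spec(info.get("services", ""))
    states = {int(p.get("portid")): p.find("state").get("state")
              for p in root.iter("port") if p.get("protocol") == proto}
    extra = root.find(".//extraports")  # ports Nmap folded into one summary line
    return scanned, states, extra.get("state") if extra is not None else "unknown"

def explain_open_ports(xml_a: str, xml_b: str, proto: str = "tcp") -> dict[int, str]:
    """For each port open in scan A, report what scan B says about it."""
    _, states_a, _ = load_scan(xml_a, proto)
    scanned_b, states_b, extra_b = load_scan(xml_b, proto)
    verdict: dict[int, str] = {}
    for port, state in states_a.items():
        if state == "open" and port not in scanned_b:
            verdict[port] = "not scanned (outside scan B's port list)"
        elif state == "open":
            verdict[port] = states_b.get(port, extra_b)  # unlisted => extraports state
    return verdict
```

Running `explain_open_ports(SCAN_A, SCAN_B)` separates "never probed" (8443) from a genuine state change (80 filtered), which is the check to do before concluding a service has disappeared.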
1

The first scan, by default, tries to determine open TCP ports. The second one also scans for UDP (the -sU option), and indeed there should be far fewer services detected. Common services running on UDP are DNS and SNMP, for example. Some services like DNS are often available on both UDP and TCP.

Also note that by default, nmap only scans the 1000 most popular ports in TCP. In the first scan you explicitly requested to scan all ports, but not in the second scan.

The two scans are completely different and will yield different results.

Reference: Nmap Options Summary

Also a relevant entry about UDP scanning: UDP Scan. It is important to understand what the options do, and the limitations.

Kate
1

1 - in the second scan you are not specifying all ports (1-65535 or -p-) so nmap will scan only common ports.

By default, Nmap scans the most common 1,000 ports for each protocol.

2 - in the second scan you are using -sU, which tells nmap to also scan UDP services, while in the first scan you are using the default option (only TCP services).

3 - you should also consider that in the second scan you are specifying -T4, which corresponds to the aggressive timing template option, while in the first scan the default option is -T3 (normal mode). If the network is not reliable enough you can lose accuracy with faster modes.

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

Maicake