How to Scan for Open Ports and Services using nmap in Python

In this article, we show how to scan for open ports and services using the nmap module in Python.

NMAP, or Network Mapper, is a network scanner that can discover hosts and services on a computer network.

And with the help of various in-built scripts that can be executed using specific parameters, NMAP can also find out other information such as ciphers, specific vulnerabilites, etc.

More information about NMAP can be found at https://nmap.org

Documentation for NMAP can be found at https://nmap.org

Before we start on this Python program, the first thing you must do is install the nmap software.

This is not simply using pip, but the actual nmap software for your particular operating system.

For windows, the best way of doing this is going to nmap's website at https://nmap.org/download.html#windows and selecting the latest stable release of the .exe file. From there, you can install it onto your system.

Once this is in place and the nmap is in your PATH variable, you should be able to go to the windows command prompt and type in 'nmap'. If you do so, you should see the version and other information such as that shown below.

If this doesn't appear, then nmap must be placed in the PATH variable.

After this, then we must install the nmap module in Python, which can be done with the line below.

pip install python3-nmap

Once this is done, we have everything we need to run nmap commands in Python.

So we go to our code.


import nmap3 import json class NmapPortScanner: def port_scan(self, host)-> None: nmap= nmap3.Nmap() scan_results= nmap.scan_top_ports(host) print(json.dumps(scan_results, indent=4)) if __name__ == "__main__": nmap_scanner = NmapPortScanner() nmap_scanner.port_scan('bing.com')

So let's now go over the code.

First, we have to import nmap3 and json

We create a class, NmapPortScanner

We then create a function, port_scan(), which prints out the top ports of the nmap scan.

The scan_top_ports() function scans the top ports of the target system, which in this case is 'bing.com'.

We then have our main function, which executes the code.

A simpler version of this code is shown below.


import nmap3 import json nmap= nmap3.Nmap() scan_results= nmap.scan_top_ports('bing.com') print(json.dumps(scan_results, indent=4))

The code above produces the following output shown below.


{ "204.79.197.200": { "osmatch": {}, "ports": [ { "protocol": "tcp", "portid": "21", "state": "open", "reason": "syn-ack", "reason_ttl": "64", "service": { "name": "ftp", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "22", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "ssh", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "23", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "telnet", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "25", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "smtp", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "80", "state": "open", "reason": "syn-ack", "reason_ttl": "115", "service": { "name": "http", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "110", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "pop3", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "139", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "netbios-ssn", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "443", "state": "open", "reason": "syn-ack", "reason_ttl": "115", "service": { "name": "https", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "445", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "microsoft-ds", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "3389", "state": "filtered", "reason": "no-response", "reason_ttl": "0", "service": { "name": "ms-wbt-server", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] } ], "hostname": [ { "name": "bing.com", "type": "user" }, { "name": "a-0001.a-msedge.net", "type": "PTR" } ], "macaddress": null, "state": { "state": "up", "reason": "syn-ack", "reason_ttl": "115" } }, "runtime": { "time": "1713761379", "timestr": "Mon Apr 22 00:49:39 2024", "summary": "Nmap done at Mon Apr 22 00:49:39 2024; 1 IP address (1 host up) scanned in 2.42 seconds", "elapsed": "2.42", "exit": "success" }, "stats": { "scanner": "nmap", "args": "\"C:/Program Files (x86)/Nmap/nmap.exe\" -v -oX - --top-ports 10 bing.com", "start": "1713761377", "startstr": "Mon Apr 22 00:49:37 2024", "version": "7.94", "xmloutputversion": "1.05" }, "task_results": [ { "task": "Ping Scan", "time": "1713761377", "extrainfo": "1 total hosts" }, { "task": "Parallel DNS resolution of 1 host.", "time": "1713761377" }, { "task": "SYN Stealth Scan", "time": "1713761379", "extrainfo": "10 total ports" } ] }

So we can see that the very top port is port 21, which is a TCP protocol. This is an open port, which means that an application on the target machine is listening for connections/packets on that port. This is a FTP port, which is a file transfer protocol. Files can be uploaded to the server through this port.

The second port is port 22, which is a TCP protocol. This is a filtered port which means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. This is a SSH port, which is secure shell, a software package that enables secure system administration and file transfers over insecure networks.

The third port is port 23, whcih is a TCP protocol. This also is a filtered port. This is a telnet port, which is a text-based network protocol that facilitates remote computer access.

The fourth port is port 25, which is a TCP protocol. This is a filtered port. This is a smtp port, which is Simple Mail Transfer Protocol used in sending and receiving email. SMTP is used most commonly by email clients, including Gmail, Outlook, Apple Mail and Yahoo Mail.

The fifth port is port 80, which is a TCP protocol. The port is open. This is a HTTP port, which is a protocol for fetching resources such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol, which means requests are initiated by the recipient, usually the Web browser.

The sixth port is port 110, which is a TCP protocol. The port is filtered. This is a POP3 port, which is a protocol for receiving email by downloading it to your computer from a mailbox on the server of an internet service provider.

The seventh port is port 139, which is a TCP protocol. The port is filtered. This is a netbios-ssn port, which is a service facilitates connection-oriented communication between devices in a LAN, allowing the exchange of data through established sessions.

The eighth port is port 443, which is a TCP protocol. The port is open. This is a HTTPS port, which is a protocol just like HTTP but is encrypted for secure transmission.

The ninth port is port 445, which uses the TCP protocol. The port is filtered. This is a micrsoft-ds port, which is used for Server Message Blocks (SMB). The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. It can also carry transaction protocols for interprocess communication.

The tenth port is port 3389, which uses the TCP protocol. Teh port is filtered. This is a ms-wbt-server port, which is used for used for Windows Remote Desktop and Remote Assistance connections (RDP- Remote Desktop Protocol) and also used by Windows Terminal Server.

This gives you a rundown for the top 10 ports used by a Microsoft website.

If you don't want to limit yourself to just the top 10 ports, then, with the scan_top_ports() function, you specify the number of ports that you want to scan by entering a number with the default parameter.

If, for instance, we wanted to scan the top 20 ports on the bing.com web server, we would do so with the following line below.


scan_results= nmap.scan_top_ports(host, default=20)

This will now give you the top 20 ports instead of just the default top 10.

There are all type of command-line instructions that you can give, so that you filter out certain ports and only select certain ones.

This documentation can be viewed at https://nmap.org/book/port-scanning-options.html

If you want to find only the ports that are open on the server that hosts bing, you would use the following line of code shown below.


scan_results= nmap.scan_top_ports(host, default=1000, args='--open')

This would produce the following output shown below.


{ "204.79.197.200": { "osmatch": {}, "ports": [ { "protocol": "tcp", "portid": "21", "state": "open", "reason": "syn-ack", "reason_ttl": "64", "service": { "name": "ftp", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "80", "state": "open", "reason": "syn-ack", "reason_ttl": "115", "service": { "name": "http", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "443", "state": "open", "reason": "syn-ack", "reason_ttl": "115", "service": { "name": "https", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] }, { "protocol": "tcp", "portid": "1720", "state": "open", "reason": "syn-ack", "reason_ttl": "63", "service": { "name": "h323q931", "method": "table", "conf": "3" }, "cpe": [], "scripts": [] } ], "hostname": [ { "name": "bing.com", "type": "user" }, { "name": "a-0001.a-msedge.net", "type": "PTR" } ], "macaddress": null, "state": { "state": "up", "reason": "echo-reply", "reason_ttl": "115" } }, "runtime": { "time": "1713768955", "timestr": "Mon Apr 22 02:55:55 2024", "summary": "Nmap done at Mon Apr 22 02:55:55 2024; 1 IP address (1 host up) scanned in 7.76 seconds", "elapsed": "7.76", "exit": "success" }, "stats": { "scanner": "nmap", "args": "\"C:/Program Files (x86)/Nmap/nmap.exe\" -v -oX - --top-ports 1000 --open bing.com", "start": "1713768947", "startstr": "Mon Apr 22 02:55:47 2024", "version": "7.94", "xmloutputversion": "1.05" }, "task_results": [ { "task": "Ping Scan", "time": "1713768948", "extrainfo": "1 total hosts" }, { "task": "Parallel DNS resolution of 1 host.", "time": "1713768948" }, { "task": "SYN Stealth Scan", "time": "1713768955", "extrainfo": "1000 total ports" } ] }

If you didn't specify a default of 1000, then it would only search the first 10 top ports for those whose state are open.

So we can see that there are 4 ports that have an open state out of the 1000 scanned: ftp, http, https, and h323q931.

All the other ports are either not open or mixed.

And this is how you can scan for open ports and services using nmap in Python.

Related Resources

How to Randomly Select From or Shuffle a List in Python