The Best Port Scanner Tools

Port Scanner Tools

As a network administrator, do you really know what’s happening on your network? Using a port scanning tool can help identify potential vulnerabilities as well as paint a detailed picture as to what devices are open to certain types of communication.

In this article, we’ll review the six best port scanner tools you can use to help discover vulnerabilities, and better defend your network.

What are port scanner tools used for?

From network administrators, security experts, and even hackers all port scanners help detect what ports are open, closed, or filtered on a device that is on a network.

These details combined with manufacturer information can help give context as to what a device’s purpose is on the network. With that information, attackers will attempt to use known exploits over those ports to gain unauthorized access.

Checking for unnecessary open ports is usually one of the first steps an attacker will do when trying to find ways into your network. As an administrator, we can run these tools first to defend from potential attacks. Port scanner tools give admins a chance to shut down unused ports that are open and terminate suspicious connections.

Ports can be left open unintentionally, or forced open by rootkits and other advanced types of malware. These ports are essentially exploited as backdoors to exfiltrate stolen data and push out commands to existing malware on the network. Performing a network security audit with a trusted port scanner tool can help detect some of the stealthiest types of malware and attacks.

Using a port scanner tool on a network you own is perfectly fine. If for whatever reason you need to run a port scan tool on someone else’s network, ensure you have written permission to do so. Running these tools on networks you do not have permission to is deemed illegal in most countries.

The Best Port Scanner Tools

Let’s dive into some of the best port scanning tools on the market today, and review exactly why they made the list. Some tools below that have multiple uses, but today we’ll be focusing on their port scanning features.

1. ManageEngine Vulnerability Manager Plus (FREE TRIAL)

ManageEngine Vulnerability Manager Plus

ManageEngine Vulnerability Manager Plus is a comprehensive vulnerability discovery, assessment, and remediation platform suitable for SMB to enterprise networks.

Vulnerability Manager Plus starts by scanning your entire network to locate vulnerabilities across your hardware and network infrastructure. This scan easily extends beyond your LAN to include remote site subnets and other interconnected WANs.

Once complete, the scan provides a severity ranking for each issue found, making it easy to tackle what issues need to be addressed first. The platform supports Windows, Linux, and Mac operating systems, making it an ideal choice for more diverse networks.

Key Features

  • Support for a wide range of operating systems
  • Built-in patch management for OSs and third-party applications
  • Automated scanning for continuous vulnerability remediation

Finally, the management platform helps ensure that loopholes stay closed and helps prevent future vulnerabilities moving forward.

Pros:

  • Great for continuous scanning and patching throughout the lifecycle of any device
  • Robust reporting can help show improvements after remediation
  • Flexible – can run on Windows, Linux, and Mac
  • Backend threat intelligence is constantly updated with the latest threats and vulnerabilities
  • Supports a free version, which is great for small businesses

Cons:

  • Can take time to fully implement and integrate into your vulnerability remediation workflow

Download a fully-featured 30-day free trial of the ManageEngine Vulnerability Manager Plus.

ManageEngine Vulnerability Manager Plus Download FREE Trial

2. ManageEngine OpUtils (FREE TRIAL)

ManageEngine OpUtils - Switch Port Mapper view

ManageEngine OpUtils is a bundle of different tools that contains a port mapper, an IP address manager, and a physical switch portmapper. The interface is very modern and clean unlike some of the old-school scanning tools, which is refreshing, to say the least.

What makes OpUtils great is that it’s technically a bundle of some of the most frequently used tools by techs and sysadmins. This includes a bandwidth monitor, wake-on-LAN tool, rogue device detection, switch port management, SNMP monitoring tools, and about a half dozen smaller tools tailored to specific devices such as Cisco.

OpUtils lets you scan the entire network based on a custom IP range for open ports, or alternatively, you can choose a single device and run an entire port scan over all ports. What makes this tool great is that it does just exactly what you want it to do.

In a matter of seconds, you can have a device’s full range of ports and their status displayed for analysis. OpUtils is available for Windows Server and Linux systems. You can test out ManageEngine OpUtils free through a 30-day free trial.

ManageEngine OpUtils Start a 30-day FREE Trial

3. Nmap

nmap screenshot

Nmap is one of the most widely used and trusted port scanner tools in the world of cybersecurity. It’s the cornerstone of any pentester’s toolkit and helps aid in network discovery, device vulnerability, and network reconnaissance. Nmap which is aptly short for network mapper lives up to its name doing just that.

What’s made the tool so successful is its open-source architecture and relative ease of use. This has allowed dedicated communities to troubleshoot bugs and add additional features that might be helpful for port scanning.

Nmap scans networks and provides very detailed outputs containing information about the network, how devices responded to the scan, the status of the ports, and what services the device might be running.

This is all done through a command-line interface, which can be a bit intimidating to newer users. While I personally am a fan of the command line, those who want a more graphical-based approach can use Zenmap. Zenmap is essentially Nmap without having to type all of the commands out.

Since Nmap is so lightweight it is preferred among many security professionals, as it can be used to scan massive corporate networks with very little resource footprint. Behind Nmap is an entire Lua programming language and Nmap scripting language. This allows you to automate and script out very specific types of conditions you’re looking to find in your scan.

Nmap is completely free and open source. Nmap runs on nearly all operating systems including Windows, macOS, Linux, Free BSD, and Solaris.

4. SolarWinds Port Scanner

SolarWinds Port Scanner Free Tool

SolarWinds Port Scanner combines the raw power of Nmap and displays its outputs elegantly through a simple and intuitive interface. By selecting an individual device or range of IPs SolarWinds Port Scanner will get to work and display the results in the same window on the right-hand column.

The tool also utilizes multi-thread scanning and adaptive timing behavior to shorten the total time needed to scan, making it a great tool for larger networks with more devices. For administrators that run scans regularly scan configs can be saved and reused at later on other networks or at a later time.

Results can be exported into several formats such as XML, CSV, and XLSX and fully supports IANA port names that can be edited in a separate file after scanning has been completed.

The tool gives a great quick breakdown if the ports are open, closed, or filtered, and even performs OS detection. The OS detection feature is used by attackers to gain contextual information about what services could be running, as well as narrow down what types of attacks are possible.

Each tool has its own methods of identifying operating systems. This is called a “Fingerprint” and is usually based on a number of different factors such as TCP/IP stack or other information that the device is broadcasting.

Having such reliable OS detection and ease of use puts SolarWinds Port Scanner on our list. This tool is available for free for Windows operating systems only.

5. Angry IP Scanner

Angry IP Scanner Linux Screenshot

Angry IP Scanner is a great tool for quick and simple port scans, especially if used for network discovery. While other tools are more focused on security, Angry IP Scanner is built more for network discovery and device identification.

This tool is a staple among help desks and any technicians who find themselves working on a new network that they are unfamiliar with. In a matter of seconds, you can specify a subnet or entire IP range to scan. In just a minute or so a list of IP addresses will quickly populate along with their open ports and hostname.

The tool also displays the ping time from you to the device, which can be helpful if troubleshooting network connectivity. I personally used this tool to help track down devices that lost their static IP address, and it has never let me down.

You can also get a brief description of what the device could be running, for example, Angry IP may detect a device is running Apache or Windows. The scans are done using multithreading making it incredibly fast and efficient to run even on larger networks.

The tool isn’t the best port scanner for security purposes but strikes a great balance between port scanning features and ease of use. For the low price of free, you simply can’t beat it.

6. Netcat

netcat

Netcat is similar to Nmap and dates back to the early 1990s. Despite being so old, it’s still in use today and has been a trusted tool in the utility bags of technicians all over the world. Netcat is the definition of barebones, meaning it doesn’t have any fancy features or utilities, it simply just does its job.

Netcat is command-line based meaning it has a steep learning curve than other GUI port scanner tools. You can get very specific with your scanning methods. For instance, you can use the -z syntax to only scan for open ports without sending data to them. This is a way to quietly scan for ports without alerting intrusion detection systems.

Let’s take a look at some of the commands and how their output would look.

To scan port ranges 50-100 for open ports quietly you could use the following command:

nc -z -v 10.10.5.8 50-100

Since the -v command was used, the results will display in a verbose form.

nc: connect to 10.10.5.8 port 20 (tcp) failed: Connection refused

nc: connect to 10.10.5.8 port 21 (tcp) failed: Connection refused

Connection to 10.10.5.8 22 port [tcp/ssh] succeeded!

nc: connect to 10.10.8.8 port 23 (tcp) failed: Connection refused

nc: connect to 10.10.5.8 port 79 (tcp) failed: Connection refused

Connection to 10.10.5.8 80 port [tcp/http] succeeded!

While these results aren’t as simple as the results you’d get for SolarWinds or ManageEngine, they are more detailed and security-oriented. That being said Netcat is definitely a more specialized tool based on network security.

Alternatively, you can even send files through Netcat and spin up an online chat server between two hosts. The tool has many uses, but one of its best features is its port scanning abilities. Netcat is available for Windows as well as Linux environments.

7. Unicornscan

unicornscan

Unicornscan is a popular port scanner tool among the security community but doesn’t get much attention outside of these small groups. This Linux command-line tool supports asynchronous TCP and UDP scanning as well as IP port scanning with service and system detection.

Like Nmap, the tool is incredibly detailed and flexible allowing security professionals to scan devices for ports in a number of different and unique ways. One of the reasons for Unicornscan’s popularity is its use of unconventional network discovery methods that can discover details missed by other tools when scanning remote systems and services.

Although there is no GUI for Unicronscan, I find the syntax to be simple to use, even easier than Nmap in some cases. One of the easiest ways to get access to Unicornscan is to get it from a free Kali Linux distribution. Alternatively, you can install it on other forms of Linux as well.

8. Pentest-Tools

pentest-tools

Pentest Tools is a website where you can scan ports of external IP addresses. You can think of it as an online “done for you” version of Nmap. Simply put in the external IP address you wish to scan and click scan. The light version is free, which only shares the top 100 ports and shares the hostname as well as the IP address and service version the device is running.

For access to the direct operating system, all 65535 port scan results, and a full traceroute, you’ll need to pay. Plans are broken up into four tiers and start at $65.00 per month. Considering Nmap is a free tool, I don’t think this service is worth it among technical professionals but could be useful for someone who is not as tech-savvy but still needs the results of an in-depth port scan.

Below is the output from a “light” scan with the Pentest Tools site:

Starting Nmap ( https://nmap.org ) at 2021-02-23 21:40 EET

NSE: Loaded 40 scripts for scanning.

Initiating Ping Scan at 21:40

Scanning XX.XXX.XXX.XXX [4 ports]

Completed Ping Scan at 21:40, 0.23s elapsed (1 total hosts)

Initiating SYN Stealth Scan at 21:40

Scanning ec2-XX-XX-XX-XX.compute-1.amazonaws.com (XX.XXX.XXX.XXX) [100 ports]

Discovered open port 443/tcp on XX-XX-XX-XX

Discovered open port 80/tcp on XX-XX-XX-XX

Increasing send delay for XX-XX-XX-XX from 0 to 5 due to 11 out of 15 dropped probes since last increase.

Completed SYN Stealth Scan at 21:40, 22.63s elapsed (100 total ports)

Initiating Service scan at 21:40

9. IP Fingerprints

IPFingerPrints

IP Fingerprints is another online tool that allows you to scan remote IP addresses through a few simple clicks. What’s nice about this tool is that it is entirely free and allows you to choose which ports or port ranges you want to scan. For more in-depth scanning you can switch to the Advanced tab and toggle between different types of scanning filters.

For instance, you can choose between scan-type methods, and sort through SYN stealth, NULL stealth, FIN stealth, XMAS, ACK, and Window scans. If you want to use ping instead you can choose between TCP, ICMP, or both for your ping type. There are a few general options that can be turned on for more details, such as OS detection and the ability to use fragmented packets to avoid firewall detection.

While this tool can take a long time depending on how large your port range is, it’s an excellent online alternative for port scanning with plenty of customization options that are usually only reserved for tools like Nmap or Unicornscan.

Below are the results from a port scan I ran checking ports 80-5000. It took roughly 10 minutes to complete.

Host is up (0.095s latency).

Not shown: 911 closed ports

PORT    STATE    SERVICE

80/tcp  open    http

111/tcp filtered rpcbind

135/tcp filtered msrpc

136/tcp filtered profile

137/tcp filtered netbios-ns

138/tcp filtered netbios-dgm

139/tcp filtered netbios-ssn

445/tcp filtered microsoft-ds

513/tcp filtered login

520/tcp filtered efs

Which port scanner tool is right for you?

While we’ve narrowed it down to the best port scanner tools, you may be wondering which one is best for you. SolarWinds Port Scanner is going to provide the best general overall port scanning for most sysadmins and general technicians. Its ease of use and quick installation secure its place at number one.

For those who want to dive deep into port scanning for cybersecurity research and penetration testing, Nmap is a tried-and-true professional port scanning tool that has been in use since the early 1990s. For those who are looking for an alternative to Nmap, I’d highly recommend Unicornscan for similar functionality with more unique scanning features.

Do you have a favorite port scanner? If so, let us know about it in the comments below.

Leave a Reply