How to Audit Open Ports on Your External Attack Surface
How do you scan for open ports with Nmap?
Nmap (Network Mapper) is the standard tool for port scanning and service fingerprinting. Key commands for an external audit:
Basic scan of common ports:
nmap -sV -sC -oN scan-results.txt target.example.com
- -sV: probe open ports to detect service and version
- -sC: run the default NSE script set (chosen to be low-impact, but these scripts do send application-layer requests to the target)
- -oN: save results to a file in normal Nmap output format
Full port scan (all 65,535 TCP ports):
nmap -p- -sV --min-rate 1000 -oN full-scan.txt target.example.com
- -p-: scan all TCP ports 1-65535
- --min-rate 1000: send at least 1,000 probes per second to speed up the scan (may miss ports on slow, lossy or rate-limited links)
Scan a subnet:
nmap -sV -p 22,80,443,3306,3389,5432,8080,8443 -oN subnet-scan.txt 203.0.113.0/24
This scans a specific set of high-risk ports across an entire /24 subnet.
Interpreting results. Nmap reports each port as open (a service accepted the connection or answered the SYN), closed (the host answered with RST, so it is reachable but nothing is listening) or filtered (no response at all, which usually means a firewall dropped the probe). Focus on open ports and the services identified on them. Run the scan as root (or with sudo) so Nmap can use a SYN scan; unprivileged, it falls back to a full TCP connect scan, which is slower and leaves more entries in target logs.
When should you use Masscan instead of Nmap?
Masscan is designed for speed. It can transmit up to 10 million packets per second, scanning the entire IPv4 internet in under 6 minutes (with sufficient bandwidth).
Scan all ports on a range:
masscan 203.0.113.0/24 -p0-65535 --rate 10000 -oJ results.json
Practical workflow: use Masscan for broad discovery (find every open port across your IP ranges), then hand the hits to Nmap for version detection and NSE scripts. Keep --rate within what your uplink and the target network can absorb, and give Masscan an --excludefile listing addresses you do not own or must not touch:
masscan 203.0.113.0/24 -p0-65535 --rate 10000 -oL open-ports.txt
nmap -sV -sC -p [ports-found] [hosts-found]
This two-stage approach gives you both speed and depth.
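The hand-off between the two stages is the step most people do by hand. The following added example (not from the original page or from SurfaceLoop) turns Masscan list output (-oL, one `open tcp <port> <ip> <timestamp>` line per hit) into one Nmap command per host, passing only the ports Masscan found open on that host. The input is a constructed sample using documentation addresses; in practice you would pipe in `open-ports.txt` from the previous step.

```shell
#!/bin/sh
# Added example: build per-host Nmap commands from masscan -oL output.
# Constructed sample in masscan -oL format (columns: status proto port ip timestamp).
# These are documentation addresses, not the result of a real scan.
SAMPLE_MASSCAN_LIST='#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.10 1700000001
open tcp 3306 203.0.113.25 1700000002
open tcp 8443 203.0.113.10 1700000003
# end'

# Read masscan -oL lines on stdin and print one nmap command per host,
# with that host's open TCP ports joined into a single -p list.
# The "#masscan" header and "# end" trailer fail the $1 == "open" test and are skipped.
masscan_to_nmap() {
  awk '
    $1 == "open" && $2 == "tcp" {
      if ($4 in ports) ports[$4] = ports[$4] "," $3
      else ports[$4] = $3
    }
    END {
      for (host in ports)
        printf "nmap -sV -sC -p %s -oN nmap-%s.txt %s\n", ports[host], host, host
    }
  ' | sort
}

# Usage with a real discovery file instead of the sample:
#   masscan_to_nmap < open-ports.txt
printf '%s\n' "$SAMPLE_MASSCAN_LIST" | masscan_to_nmap
```

Grouping by host matters: one `nmap -p 22,443,8443 host` is far cheaper than a separate Nmap run per port, and the output file per host slots directly into the audit record described in the next section. Review the generated commands before running them (for example with `sh -x`) so a typo in the Masscan target range does not become an unauthorised Nmap scan.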
What should an open port audit document?
For each open port found, record:
| Field | Purpose |
|---|---|
| IP address and port | What is exposed |
| Service and version | What is running (e.g., OpenSSH 8.9, Apache 2.4.57) |
| Business justification | Why this port is public (e.g., “Production web server”) |
| Owner/team | Who is responsible for this service |
| Authentication | Whether the service requires authentication |
| Last patched | When the service was last updated |
| Action required | Close, restrict, patch, or accept risk |
Ports without a clear business justification for public exposure are candidates for immediate closure. Common findings include database ports opened during development and never closed, SSH exposed on servers that could use VPN-only access, and management interfaces left open after initial setup.
How SurfaceLoop handles this
SurfaceLoop automates continuous port auditing across your entire external attack surface. It discovers all your internet-facing IP addresses, scans for open ports, identifies the services running on them, and alerts when new ports appear or services change - replacing point-in-time manual audits with continuous visibility.
See Open Ports & Services feature →
How do you move from a one-time audit to continuous monitoring?
One-time port audits are valuable but limited - they are a snapshot. Between audits:
- A developer deploys a service on a new port
- A cloud security group change exposes a database
- A configuration change opens a management interface
- A compromised server starts listening on an unexpected port
Continuous monitoring catches these changes as they happen. The key is automation: few organisations can manually scan all their IP ranges daily, and nobody can do it consistently. EASM platforms run this cycle continuously and alert on changes, making port hygiene an ongoing practice rather than a periodic exercise.
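The core of that alerting is a diff between a baseline scan and the latest one. The following added example (not from the original page or from SurfaceLoop) normalises two Masscan -oL snapshots to `ip:port/proto` keys and uses `comm` to report ports that are newly open and ports that have disappeared. Both snapshots are constructed samples with documentation addresses; in a real pipeline they would be yesterday's and today's `-oL` files.

```shell
#!/bin/sh
# Added example: alert on newly exposed ports by diffing two masscan -oL snapshots.
# Constructed sample snapshots (documentation addresses, not real scans).
BASELINE_SCAN='#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.10 1700000001
# end'
CURRENT_SCAN='#masscan
open tcp 443 203.0.113.10 1700086400
open tcp 3306 203.0.113.25 1700086401
open tcp 8443 203.0.113.10 1700086402
# end'

# Normalise masscan -oL lines from stdin into sorted, unique "ip:port/proto" keys.
# LC_ALL=C keeps sort and comm agreeing on byte order regardless of the host locale.
normalise_open_ports() {
  LC_ALL=C awk '$1 == "open" { print $4 ":" $3 "/" $2 }' | LC_ALL=C sort -u
}

# $1: comm selector (-13 = only in current, -23 = only in baseline)
# $2: baseline snapshot text, $3: current snapshot text
compare_snapshots() {
  base=$(mktemp) cur=$(mktemp)
  printf '%s\n' "$2" | normalise_open_ports > "$base"
  printf '%s\n' "$3" | normalise_open_ports > "$cur"
  LC_ALL=C comm "$1" "$base" "$cur"
  rm -f "$base" "$cur"
}

# Ports open now that were not open in the baseline: the alert-worthy set.
new_open_ports() { compare_snapshots -13 "$1" "$2"; }

# Ports in the baseline that did not answer this time. Re-scan before treating
# them as closed: a single SYN/ACK lost at high --rate also makes a port vanish.
gone_since_baseline() { compare_snapshots -23 "$1" "$2"; }

echo "New exposure since baseline:"
new_open_ports "$BASELINE_SCAN" "$CURRENT_SCAN"
echo "Open in baseline, not seen now (verify before closing the ticket):"
gone_since_baseline "$BASELINE_SCAN" "$CURRENT_SCAN"
```

Running this on a schedule and piping `new_open_ports` into a ticketing or chat webhook is the minimum viable version of what EASM platforms do; the two things they add are keeping the baseline current as your IP ranges change, and re-probing a disappeared port before declaring it closed so packet loss does not read as remediation.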
Frequently asked questions
- How long does a full port scan take?
  A full 65,535-port TCP scan of a single IP address takes roughly 2-15 minutes with Nmap, depending on network conditions, the timing template and how many ports are filtered (dropped probes force retransmissions and slow the scan). Scanning a /24 subnet (256 IPs) typically takes 1-4 hours. For large organisations, Masscan can scan millions of IPs at up to 10 million packets per second, completing internet-wide scans in minutes on suitable hardware and bandwidth.
- Should I scan all 65,535 ports or just common ones?
  For an initial audit, scanning the top 1,000 ports (the Nmap default) catches most exposed services. Follow up with a full 65,535-port scan on critical assets. Attackers scan all ports, so should you: services deliberately placed on non-standard ports to avoid detection are still discoverable.
- Can I get in trouble for port scanning?
  Scanning assets you own, or have written authorisation to test, is lawful. Scanning assets you do not own without authorisation may breach computer misuse laws in many jurisdictions, including the UK Computer Misuse Act 1990. Keep documented authorisation (scope, IP ranges, dates) on file, and notify your hosting or cloud provider beforehand if their acceptable use policy requires it.
- What is the difference between Nmap and Masscan?
  Nmap is a feature-rich scanner designed for thorough analysis of individual hosts or small networks. Masscan is a speed-optimised scanner designed for sweeping large IP ranges or entire networks. Use Nmap for detailed service analysis, Masscan for broad discovery, and EASM platforms for continuous monitoring.