Port Specification and Scan Order (2024)

In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. By default, Nmap scans the most common 1,000 ports for each protocol.

-p <port ranges> (Only scan specified ports)

This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers with T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol. The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol lists.

Ports can also be specified by name, using the name the port is given in the nmap-services file. You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with http, use -p ftp,http*. Be careful about shell expansions and quote the argument to -p if unsure.

Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, the following will scan all ports in nmap-services equal to or below 1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.

--exclude-ports <port ranges> (Exclude the specified ports from scanning)

This option specifies which ports you want Nmap to exclude from scanning. The <port ranges> are specified in the same way as for -p. For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to exclude (0–255).

When ports are asked to be excluded, they are excluded from all types of scans (i.e. they will not be scanned under any circumstances). This also includes the discovery phase.
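The -p and --exclude-ports rules above (open-ended ranges, sticky protocol qualifiers, unqualified ports going to every protocol list, exclusions applied last) can be checked with a small model. This is an added example, not Nmap's own parser; it assumes numeric ports only and leaves out service names, wildcards, brackets and the P: qualifier, and the function names are hypothetical.

```python
# Added example: simplified model of Nmap's -p / --exclude-ports syntax.
# Not Nmap's parser: names, wildcards, [brackets] and P: are not handled.
PROTOS = {"T": "tcp", "U": "udp", "S": "sctp"}

def parse_ports(spec, max_port=65535):
    """Return {protocol: set(ports)} for a -p style argument."""
    result = {p: set() for p in PROTOS.values()}
    current = None              # no qualifier yet: add to all protocol lists
    for item in spec.split(","):
        item = item.strip()
        # A qualifier such as "T:" stays in force until the next qualifier.
        if len(item) >= 2 and item[1] == ":" and item[0] in PROTOS:
            current = PROTOS[item[0]]
            item = item[2:]
            if not item:
                continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1           # omitted start means 1
            hi = int(hi) if hi else max_port    # omitted end means 65535
        else:
            lo = hi = int(item)                 # port 0 only if written out
        if not 0 <= lo <= hi <= max_port:
            raise ValueError(f"bad port range: {item!r}")
        for proto in ([current] if current else list(result)):
            result[proto].update(range(lo, hi + 1))
    return result

def effective_ports(spec, exclude=None):
    """Apply an --exclude-ports style argument to a parsed -p argument."""
    ports = parse_ports(spec)
    if exclude:
        for proto, excluded in parse_ports(exclude).items():
            ports[proto] -= excluded            # excluded ports are never scanned
    return ports

if __name__ == "__main__":
    scan = effective_ports("U:53,111,137,T:21-25,80,139,8080",
                           exclude="T:23,U:111")
    print("udp:", sorted(scan["udp"]))
    print("tcp:", sorted(scan["tcp"]))
```

Comparing the resulting sets against the ports a scan policy is required to cover shows quickly whether an exclusion or a misplaced qualifier has dropped a port from the scan.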

-F (Fast (limited port) scan)

Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Nmap needs an nmap-services file with frequency information in order to know which ports are the most common (see the section called “Well Known Port List: nmap-services” for more about port frequencies). If port frequency information isn't available, perhaps because of the use of a custom nmap-services file, Nmap scans all named ports plus ports 1-1024. In that case, -F means to scan only ports that are named in the services file.

-r (Don't randomize ports)

By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

--port-ratio <ratio> (decimal number between 0 and 1)

Scans all ports in the nmap-services file with a ratio greater than the one given. <ratio> must be between 0.0 and 1.0.

--top-ports <n>

Scans the <n> highest-ratio ports found in the nmap-services file after excluding all ports specified by --exclude-ports. <n> must be 1 or greater.
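The selection rules for --port-ratio and --top-ports, including the fact that exclusions are applied before the top <n> are chosen, are modelled below. This is an added example, not Nmap code: the sample lines follow the nmap-services layout (name, port/protocol, open frequency) but their frequencies are constructed, and the function names are hypothetical.

```python
# Added example: models --port-ratio and --top-ports selection.
# SAMPLE is constructed data in the nmap-services layout; the
# frequencies are made up for illustration.
SAMPLE = """\
# constructed sample, not real nmap-services data
ftp      21/tcp    0.20
ssh      22/tcp    0.18
telnet   23/tcp    0.22
domain   53/udp    0.21
http     80/tcp    0.48   # trailing comments are ignored
https    443/tcp   0.21
http-alt 8080/tcp  0.04
unknown  9999/tcp
"""

def load_services(text):
    """Yield (port, proto, ratio) for entries that carry a frequency."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue            # comment, blank line, or no frequency column
        port, proto = fields[1].split("/")
        yield int(port), proto, float(fields[2])

def port_ratio(text, proto, ratio):
    """Ports whose frequency is strictly greater than ratio."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0.0 and 1.0")
    return sorted(p for p, pr, r in load_services(text)
                  if pr == proto and r > ratio)

def top_ports(text, proto, n, exclude=()):
    """The n highest-ratio ports, chosen after removing excluded ports."""
    if n < 1:
        raise ValueError("n must be 1 or greater")
    ranked = sorted((e for e in load_services(text)
                     if e[1] == proto and e[0] not in exclude),
                    key=lambda e: e[2], reverse=True)
    return [port for port, _, _ in ranked[:n]]

if __name__ == "__main__":
    print(top_ports(SAMPLE, "tcp", 3))                # top three as ranked
    print(top_ports(SAMPLE, "tcp", 3, exclude={23}))  # next port fills the gap
    print(port_ratio(SAMPLE, "tcp", 0.2))
```

Because the exclusion happens before the cut, an excluded port does not shrink the scan: the next most frequent port takes its place.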

FAQs

How do you specify which ports to scan?

Scanning specific port ranges
  1. Port list separated by commas: $ nmap -p80,443 localhost.
  2. Port range denoted with hyphens: $ nmap -p1-100 localhost.
  3. Alias for all ports from 1 to 65535: # nmap -p- localhost.
  4. Specific ports by protocol: # nmap -pT:25,U:53 <target>
  5. Service name: # nmap -p smtp <target>
Jan 27, 2022

What is port specification?

A Physical Port specification defines a point of entry for communication. A physical port is where communication begins or ends on a physical device or unit of equipment.

How do you deal with port scanning?

Useful tools include IP scanning, Nmap, and Netcat. Other defense mechanisms include: A strong firewall: A firewall can prevent unauthorized access to a business's private network. It controls ports and their visibility, as well as detects when a port scan is in progress before shutting it down.

Is port scanning illegal?

Fundamentally, it is not a crime to conduct a port scan in the United States or the European Union. This means that it isn't criminalized at the state, federal, or local levels. However, the issue of consent can still cause legal problems for unauthorized port scans and vulnerability scans.

What protocol is used for port scanning?

What are the protocols used in port scanning? The general protocols used for port scanning are TCP (transmission control protocol) and UDP (user datagram protocol). They are both data transmission methods for the internet but have different mechanisms.

How do I know if a port is responding?

If you would like to test ports on your computer, use the Windows command prompt and the CMD command netstat -ano. Windows will show you all currently existing network connections via open ports or open, listening ports that are currently not establishing a connection.

What is the next step after port scanning?

Vulnerability Scans: Vulnerability scanners take it one step beyond port scans and will detect not just open ports and operating systems, but if the host is vulnerable to a list of known exploits based on the implementations of their operating systems and services running on open ports.

How do you know that a port being scanned is open?

Like TCP scans, UDP scans send a UDP packet to various ports on a target system and evaluate the response to determine the availability of the service and the host. Receiving a UDP packet in response indicates that the port is open, while an ICMP port unreachable error response signifies a closed port.

What does port number specify?

Most ports are reserved for certain protocols — for example, all Hypertext Transfer Protocol (HTTP) messages go to port 80. While IP addresses enable messages to go to and from specific devices, port numbers allow targeting of specific services or applications within those devices.

How do I read port information?

Ports are always displayed with your IP address in front of them. If your IP address is 255.255.255, an IP port will look something like 255.255.255:46664 (“46664” being the port number).

How to scan top 100 ports in Nmap?

Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol or --top-ports to specify an arbitrary number of ports to scan. When none of these canned port sets suit your needs, an arbitrary list of port numbers can be specified on the command-line with the -p option.

What is the methodology of port scanning?

In this method, the scanner sends a UDP packet to the target system. If the machine responds with an ICMP port unreachable error (type 3, code 3), the port is considered closed. Further, if the machine responds with other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13), it means the port is filtered.

Why do I keep getting port scanned?

Port scanning is a common tool cyber attackers use to identify vulnerable websites. They frequently use it to establish enterprises' security levels, determine whether businesses have good firewalls, and find insecure networks or servers.

What is the difference between port sweep and port scan?

Portsweeping is similar to port scanning. Portsweeping attempts to find listening ports on systems. The difference is that instead of scanning one system on multiple ports, with portsweeping, multiple systems are scanned on the same port.

How do you check which port is used for what?

How-To: Determine which program is using a given port
  1. click on the Start button in Windows and type 'CMD'
  2. when the CMD icon appears in the list, right-click on the icon and Run As Administrator.
  3. in the command prompt window, enter the following command and then hit the enter key. netstat -a -n -p tcp -b.

How do I switch to tell Nmap to scan all ports?

-p0- asks Nmap to scan every possible TCP port, -v asks Nmap to be verbose about it, -A enables aggressive tests such as remote OS detection, service/version detection, and the Nmap Scripting Engine (NSE).

How do I scan for open ports on my network?

For Windows:
  1. Open the Command Prompt.
  2. Enter the command "ipconfig".
  3. Execute the command "netstat -a" to view a list of all port numbers.

How do I exclude ports in Nmap?

--exclude option: This option allows you to exclude specific ports from the scan. For example, nmap --exclude 22,53,80 target_host scans all ports except ports 22, 53, and 80 on the target host. --help: This option allows you to check all the available commands with Nmap.

Author: Arielle Torp
