
I scan my site via nmap, and I only see 3 ports open.

nmap -sV {ip}
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 09:42 EST
Nmap scan report for {ip}
Host is up (0.023s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http    nginx
443/tcp closed https
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds

When I scan that same IP on Nessus, I see

Output

Port 2052/tcp was found to be open
Port    Hosts
2052 / tcp / www    
www.my-site.com
Port 2053/tcp was found to be open
Port    Hosts
2053 / tcp / www    
www.my-site.com
Port 2082/tcp was found to be open
Port    Hosts
2082 / tcp / www    
www.my-site.com
Port 2083/tcp was found to be open
Port    Hosts
2083 / tcp / www    
www.my-site.com
Port 2086/tcp was found to be open
Port    Hosts
2086 / tcp / www    
www.my-site.com
Port 2087/tcp was found to be open
Port    Hosts
2087 / tcp / www    
www.my-site.com
Port 2095/tcp was found to be open
Port    Hosts
2095 / tcp / www    
www.my-site.com
Port 2096/tcp was found to be open
Port    Hosts
2096 / tcp / www    
www.my-site.com
Port 443/tcp was found to be open
Port    Hosts
443 / tcp / www 
www.my-site.com
Port 80/tcp was found to be open
Port    Hosts
80 / tcp / www  
www.my-site.com
Port 8080/tcp was found to be open
Port    Hosts
8080 / tcp / www    
www.my-site.com
Port 8443/tcp was found to be open
Port    Hosts
8443 / tcp / www    
www.my-site.com
Port 8880/tcp was found to be open
Port    Hosts
8880 / tcp / www    
www.my-site.com

Why are they different? Are they hidden ports?

What nmap commands should I use to get the same number of ports listed as Nessus does?

Soteri
code-8

2 Answers


If you do not manually specify which ports to scan, nmap will scan the "top 1000" ports, supposedly representing the 1000 most commonly used ports at some point in time. Some of the ports you have look pretty non-standard, so I wouldn't be surprised if they weren't included in the "top 1000" list.

To specify which ports to scan, use nmap's -p option. It supports comma separated ports and/or ranges. To scan all TCP ports, use -p-, which is shorthand for -p0-65535.

multithr3at3d

It is also worth mentioning that by default nmap will only scan for TCP (with some differences depending on whether you have root privileges or not; see the nmap doc for details). Scanning for UDP may also be worth a shot but presents some challenges and is going to be slow (see why). But there are other tools that may work better for this particular purpose. I would recommend limiting yourself to a few common ports, i.e. DNS, TFTP, SIP etc.

The Nessus doc indicates that the default setting is to scan "approximately 4,790 commonly used ports". In either case using the default settings will not scan the whole range 0-65535.

Obviously, scanning more ports takes more time but will potentially reveal more open ports. It is also more likely to trigger an IDS and get you blocked, or to yield misleading results. It is something to be aware of when performing network scans, especially when you are auditing somebody else's network without knowing how it is configured and protected.

As you can see, it is quite easy to overlook open ports if you do not get acquainted with the doc and the tools themselves.

Scanning networks is something that any script kiddie can do. Scanning right is an art.

Kate