I've noticed that nmap only scans a bunch of known ports, and the only way I've managed to check 'em all is to put a "-p 0-65535" in.

Why is that? Am I wrong? Is there a more popular way to scan all ports aside from what I've done?

SecondThought

3 Answers

By default, Nmap scans the top 1000 most popular ports, according to the statistics generated from Internet-wide scans and large internal network scans from the summer of 2008. There are a few options that change this: -F reduces the number to 100, -p allows you to specify which ports to scan, and --top-ports lets you specify how many of the most popular ports to scan. This means that the default scan is equivalent to --top-ports 1000, and -F is the same as --top-ports 100.

These numbers were set in version 4.75, and were a change from the roughly 1700 (TCP) ports that were the default in version 4.68. The purpose was to decrease scanning times while still giving reasonable results. The flexibility of Nmap's command-line options guarantees that you can still scan just about any combination of ports that you want, regardless of the defaults.

Scanning all 65536 TCP ports is still possible with -p0-, but it will take a very long time. Scanning all UDP ports with -sU -p0- will take even longer, because of the way that open ports are detected.

bonsaiviking
  • Thanks for that detail. Just as a heads up for future readers, since 2008 programs like redis (6379) have become popular on ports that aren't included. Also, you can list which ports these are with the following commands: TCP: nmap -sT --top-ports 1000 -v -oG - ; UDP: nmap -sU --top-ports 1000 -v -oG - – flickerfly Nov 06 '17 at 14:22
  • @flickerfly True. We do keep the services file updated with the latest names from IANA and give a slight artificial boost to the stats of a few popular ports like docker and redis, but it doesn't affect the default set of 1000 usually. – bonsaiviking Nov 06 '17 at 17:40
  • @bonsaiviking AFAIK Redis is listed in IANA's records (I gorram made sure of that) - please verify :) – Itamar Haber Jan 23 '18 at 16:01
  • @ItamarHaber It is listed, and since this answer was written, we (Nmap) have added a process to integrate the latest names from IANA prior to release. The port frequency data has not yet been updated, though, so that part of the answer remains the same. – bonsaiviking Jan 23 '18 at 19:02
  • @bonsaiviking ty +1 :) (btw trivia question - what's the real connection between nmap and Redis?) – Itamar Haber Jan 23 '18 at 20:32
  • @ItamarHaber The creator of Redis, Salvatore Sanfilippo, a.k.a. antirez, invented the "idle scan" port scanning technique used by Nmap. – bonsaiviking Feb 11 '19 at 04:57
  • @bonsaiviking bingo :) – Itamar Haber Feb 12 '19 at 00:39
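As an added illustration of the mechanism the answer describes (this is not code from the answer or from Nmap itself): --top-ports ranks ports by the open-frequency column of Nmap's nmap-services file, so the default scan is simply the 1000 highest-ranked TCP entries, and --port-ratio keeps every port at or above a frequency threshold. The file contents and frequencies below are a constructed sample, and the function names are my own.

```python
# Added example, not Nmap's code. Reproduces the ranking behind --top-ports N
# and --port-ratio R from an nmap-services style file. Real lines look like:
#   http<TAB>80/tcp<TAB>0.484143<TAB># World Wide Web HTTP
# The frequencies here are constructed sample values, not Nmap's statistics.

SAMPLE_NMAP_SERVICES = """\
# Fields: service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ftp\t21/tcp\t0.197667
ssh\t22/tcp\t0.182286
smtp\t25/tcp\t0.131314
redis\t6379/tcp\t0.000776\t# constructed: too rare to reach a small top-N
domain\t53/udp\t0.213496
snmp\t161/udp\t0.433467
netbios-ns\t137/udp\t0.365163
unknown\t49153/udp\t0.000000
"""


def parse_services(text):
    """Yield (port, proto, frequency) for each data line of an nmap-services file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments, skip blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: no frequency column
        port, proto = fields[1].split("/", 1)
        yield int(port), proto, float(fields[2])


def top_ports(text, proto, n):
    """The n ports of `proto` with the highest open-frequency, like --top-ports n.

    Ties are broken by ascending port number so the result is deterministic.
    """
    entries = [(p, f) for p, pr, f in parse_services(text) if pr == proto]
    entries.sort(key=lambda e: (-e[1], e[0]))
    return [p for p, _ in entries[:n]]


def port_ratio(text, proto, ratio):
    """Every port of `proto` whose frequency is at least `ratio`, like --port-ratio."""
    return [p for p in top_ports(text, proto, 65536)
            if dict((q, f) for q, pr, f in parse_services(text) if pr == proto)[p] >= ratio]
```

With Nmap's real file, top_ports(text, "tcp", 1000) is the default TCP port set and top_ports(text, "tcp", 100) is what -F scans; 6379 only shows up once n is large enough to reach its low frequency.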
Well if you don't want to put the port range you can always just give the

-p-

argument, which will scan, by default, all the ports, except port 0. For port 0, you have to explicitly specify it.

Silviu
The number of ports scanned is also scan type dependent. You can scan all TCP ports, all UDP ports, or all TCP and UDP ports together. What you used, -p 0-65535, will work depending on the scan type. You can abbreviate that using -p- as the colleague said above.

But that will scan all the ports depending on the type of scan you tell it to do. For example, if you want to scan all TCP ports, then you need a TCP scan, whether with a full handshake or a stealthy TCP scan (SYN, ACK, FIN, NULL, XMAS), so your scan (here I'm doing a TCP SYN scan) would be

nmap -sS -p- TARGET_IP_ADDRESS_OR_IP_RANGE

If your scan was UDP only then you must start a UDP scan such as

nmap -sU -p- TARGET_IP_ADDRESS_OR_IP_RANGE

Now if you want to scan all TCP and UDP ports in one go, you can also do

-pT:0-65535,U:0-65535

Therefore the scan could be

nmap -sSU -p- TARGET_IP_ADDRESS_OR_IP_RANGE

or

nmap -sSU -pT:0-65535,U:0-65535 TARGET_IP_ADDRESS_OR_IP_RANGE

But be aware that scanning all UDP ports will take a very long time, so if you want to make the scan faster, make sure you decrease your probes and increase your time; you can choose -T5, for example. By the way, to scan select TCP and UDP ports you can do

nmap -sAU -pT:21,22,23,80,443,135,139,3389,U:53,137,161

This time I chose to do a TCP ACK stealth scan -sA besides the UDP scan.

nassim
  • This does not work, I can't scan TCP and UDP at the same time: -pT:21,22,23,80,443,135,139,3389,U:53,137,161 – francogp Jul 07 '21 at 09:52
  • It works indeed, try this command to test it, and use the above info to choose your ports: nmap -sSUV -pT:80,443,U:53,161 – nassim Jul 15 '21 at 13:38