# Port Scanning

In the previous section on scan types you probably noticed that, by default, Nmap scans the **1,000 most common ports** on the target host. That is only the starting point: Nmap gives you full control over **which ports to scan**, **how fast to scan them**, and **how to tune everything from performance to stealth**.

Let's break it down so you know how to scan **specific ports**, **port ranges**, **all ports**, or a **randomized order**, and when it makes sense to do each.

## Specifying Ports

By default, Nmap scans the top 1,000 ports for each protocol it is asked to scan (TCP, UDP, or both). But what if you only want to scan a few specific ones?

* `-p 80`\
  → Scan only **port 80** (usually HTTP).
* `-p 22,80,443`\
  → Scan multiple specific ports (SSH, HTTP, HTTPS).
* `-p 1-100`\
  → Scan a **range of ports** from 1 to 100.
* `-p-` (Yes, just a dash!)\
  → Scan **all 65,535 ports** (1 through 65535) for every protocol in the scan. Port 0 is only probed if you name it explicitly, e.g. `-p 0-65535`.
* `-p U:53,T:21-25,80`\
  → Scan a **mix of TCP and UDP ports**.\
  Here: UDP port 53 (DNS) and TCP ports 21–25 and 80. A `T:` or `U:` qualifier applies to every item after it until the next qualifier, and the UDP part only takes effect when `-sU` is part of the scan.
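To make the `-p` grammar concrete, here is an added example (not Nmap's own code) that expands a port specification the way the list above describes: comma-separated ports and ranges, a bare `-` for 1–65535, open-ended ranges such as `-1023` or `60000-`, and `T:`/`U:`/`S:`/`P:` qualifiers that stay in effect until the next one. Service names like `http` and wildcards, which real Nmap also accepts, are deliberately not handled.

```python
"""Expand an Nmap -p port specification into explicit port sets.

Added example, not code from Nmap: it models the -p grammar only for
numeric items, ranges, and protocol qualifiers.
"""
import re
from typing import Dict, Set, Tuple

MAX_PORT = 65535
# Qualifier letter -> protocol name, as documented by Nmap
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
_RANGE = re.compile(r"^(\d*)-(\d*)$")


def _expand_item(item: str) -> range:
    """Turn one element ('80', '1-100', '-', '-100', '1000-') into a range."""
    m = _RANGE.match(item)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1         # "-N" means 1-N; "-" means 1-65535
        hi = int(m.group(2)) if m.group(2) else MAX_PORT   # "N-" means N-65535
    elif item.isdigit():
        lo = hi = int(item)
    else:
        raise ValueError(f"unsupported port item: {item!r}")
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"port range out of bounds: {item!r}")
    return range(lo, hi + 1)


def expand_port_spec(spec: str, default_protocols: Tuple[str, ...] = ("tcp",)) -> Dict[str, Set[int]]:
    """Return {protocol: set_of_ports} for an Nmap -p specification.

    Items without a qualifier apply to every protocol the scan covers:
    only TCP for a plain scan, TCP and UDP for a combined -sS -sU run.
    """
    ports: Dict[str, Set[int]] = {}
    current = default_protocols
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in QUALIFIERS:
            current = (QUALIFIERS[item[0].upper()],)  # stays active until the next qualifier
            item = item[2:]
        if not item:
            # A bare qualifier or empty element is rejected by this model.
            raise ValueError(f"empty element in port spec: {spec!r}")
        rng = _expand_item(item)
        for proto in current:
            ports.setdefault(proto, set()).update(rng)
    return ports


def total_ports(spec: str, default_protocols: Tuple[str, ...] = ("tcp",)) -> int:
    """Number of (protocol, port) probes a spec implies; useful for estimating scan time."""
    return sum(len(s) for s in expand_port_spec(spec, default_protocols).values())


def is_valid_spec(spec: str, default_protocols: Tuple[str, ...] = ("tcp",)) -> bool:
    """True if this model accepts the specification."""
    try:
        expand_port_spec(spec, default_protocols)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("80", "22,80,443", "1-100", "-", "U:53,T:21-25,80"):
        expanded = expand_port_spec(spec)
        summary = {proto: len(s) for proto, s in expanded.items()}
        print(f"-p {spec:<18} -> ports per protocol: {summary}")
```

`total_ports` is the number worth glancing at before you press Enter: `-p-` against a single host is 65,535 probes, and with `-sU` added it doubles.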

Let's scan the port range 1–400. This run is not started with `sudo`, so Nmap cannot send raw packets and falls back to a TCP connect scan (`-sT`), which is why the output says `Initiating Connect Scan`:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -p 1-400 -vv -T4 -Pn
</strong>Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:01 +0545
Initiating Parallel DNS resolution of 1 host. at 13:01
Completed Parallel DNS resolution of 1 host. at 13:01, 0.01s elapsed
Initiating Connect Scan at 13:01
Scanning 10.10.20.208 [400 ports]
Discovered open port 21/tcp on 10.10.20.208
Discovered open port 80/tcp on 10.10.20.208
Discovered open port 135/tcp on 10.10.20.208
Discovered open port 53/tcp on 10.10.20.208
Completed Connect Scan at 13:01, 11.12s elapsed (400 total ports)
Nmap scan report for 10.10.20.208
Host is up, received user-set (0.23s latency).
Scanned at 2025-04-24 13:01:30 +0545 for 11s
Not shown: 396 filtered tcp ports (no-response)
PORT    STATE SERVICE REASON
21/tcp  open  ftp     syn-ack
53/tcp  open  domain  syn-ack
80/tcp  open  http    syn-ack
135/tcp open  msrpc   syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds
</code></pre>

## Why Scan Specific Ports?

* **Faster results:** Targeting only the ports you care about saves time; a full `-p-` run is 65,535 probes per host, against a few dozen for a hand-picked list.
* **Quieter:** Fewer probes mean fewer packets and fewer IDS alerts, but even a single probe to a monitored port can be logged, so fewer ports is less noise, not invisibility.
* **More focused:** Great when you're hunting for a particular service (like SSH or MySQL) across many hosts.

## Top Ports (`--top-ports`)

Nmap ranks ports by how often they were found open in large-scale scans; those frequencies are the third column of its `nmap-services` file. The default scan is the same as `--top-ports 1000`, and `-F` (fast mode) is shorthand for the top 100.

* Example: `--top-ports 100` → Scans the 100 most commonly open ports for each scanned protocol.
* Related: `--port-ratio 0.1` → Scans every port whose open-frequency in `nmap-services` is greater than the given ratio, regardless of how many that is.
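The selection behind `--top-ports` and `--port-ratio` is simple once you see the data it works on. The following added example (not Nmap's code) models it over a small table in `nmap-services` layout (`name  port/proto  open-frequency  [# comment]`); the table is constructed and abridged, and its frequencies are illustrative rather than copied from the real file.

```python
"""Model of how Nmap picks ports for --top-ports N and --port-ratio R.

Added example, not Nmap's implementation. SAMPLE_SERVICES is a constructed
stand-in for the nmap-services file, in the same column layout.
"""
from typing import Dict, List

# Constructed sample in nmap-services layout; frequencies are illustrative only.
SAMPLE_SERVICES = """
# Fields: name  port/proto  open-frequency  [# comment]
http      80/tcp    0.484143  # World Wide Web HTTP
telnet    23/tcp    0.221265
https     443/tcp   0.208669  # secure http (SSL)
ftp       21/tcp    0.197667  # File Transfer [Control]
ssh       22/tcp    0.182286  # Secure Shell Login
smtp      25/tcp    0.131314  # Simple Mail Transfer
pop3      110/tcp   0.077142
snmp      161/udp   0.433467  # Simple Net Mgmt Proto
dhcps     67/udp    0.228010
domain    53/udp    0.213496  # Domain Name Server
ntp       123/udp   0.136534
"""

DEFAULT_TOP = 1000   # plain `nmap` == --top-ports 1000
FAST_TOP = 100       # -F == --top-ports 100


def parse_services(text: str) -> Dict[str, Dict[int, float]]:
    """Return {proto: {port: open-frequency}} from nmap-services formatted text."""
    table: Dict[str, Dict[int, float]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        _name, port_proto, freq, *_rest = line.split()
        port, proto = port_proto.split("/")
        table.setdefault(proto, {})[int(port)] = float(freq)
    return table


def top_ports(table: Dict[str, Dict[int, float]], n: int, proto: str = "tcp") -> List[int]:
    """Ports for --top-ports n: the n most frequently open, returned in port order
    (Nmap selects by frequency but reports results sorted by port number)."""
    ranked = sorted(table.get(proto, {}).items(), key=lambda kv: (-kv[1], kv[0]))
    return sorted(port for port, _freq in ranked[:n])


def ports_above_ratio(table: Dict[str, Dict[int, float]], ratio: float, proto: str = "tcp") -> List[int]:
    """Ports for --port-ratio ratio: every port whose frequency is greater than ratio."""
    return sorted(port for port, freq in table.get(proto, {}).items() if freq > ratio)


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    print("--top-ports 3 (tcp):      ", top_ports(table, 3))
    print("--top-ports 2 -sU (udp):  ", top_ports(table, 2, "udp"))
    print("--port-ratio 0.2 (tcp):   ", ports_above_ratio(table, 0.2))
    print("-F would cover (tcp):     ", top_ports(table, FAST_TOP))
```

With the real `nmap-services` file (about 20,000 entries per protocol) the same two functions reproduce what `nmap -v --top-ports 10` prints as its port list.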

## Random Port Order (`-r`, `--randomize-hosts`)

Nmap already **randomizes the order in which it probes ports** on each host; `-r` turns that off and scans them sequentially, which is handy for reproducible output but makes the sweep easier for an intrusion detection system to recognise. `--randomize-hosts` does the same for the **host order**: when you hand Nmap a range or subnet, it shuffles the targets instead of walking them one address after another.

* Example: `nmap -p- --randomize-hosts <target range>`
* Helps in **evading simple sequential-sweep detection**, but only reorders the traffic; the same number of probes still arrives at the target.
* Do not confuse this with `--defeat-rst-ratelimit`, which has nothing to do with ordering: it tells Nmap to stop slowing down for hosts that rate-limit their RST replies. That makes a SYN scan faster, at the cost of some genuinely closed ports being reported as `filtered` because Nmap did not wait for the delayed RST.

## Scan UDP Ports Smartly

To scan UDP ports, you use `-sU` (as we covered before) along with the `-p` option:

<pre class="language-bash"><code class="lang-bash"><strong>❯ sudo nmap -sU -p 53,67,123 10.10.20.208 -Pn -T4
</strong>[sudo] password for rezy:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:02 +0545
Nmap scan report for 10.10.20.208
Host is up (0.17s latency).

PORT    STATE         SERVICE
53/udp  open          domain
67/udp  open|filtered dhcps
123/udp open|filtered ntp

Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds
</code></pre>

Three UDP ports finish in under three seconds, whereas a **full UDP port scan** (`-sU -p-`) can take hours: most hosts rate-limit the ICMP port-unreachable messages that tell Nmap a UDP port is closed (the Linux kernel sends about one per second), so each unanswered probe costs real waiting time. `-sU` needs raw-socket privileges, which is why it runs under `sudo`. Port 53 is reported `open` because Nmap sends a protocol-specific payload (a DNS query) to it and got an answer; 67 and 123 are `open|filtered` because nothing came back, which for UDP can mean either a silent open service or a filtered port. Add `-sV` to the same scan to resolve `open|filtered` ports with service probes, or `--reason` to see why each state was assigned.
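A targeted follow-up scan usually starts from the port table of a previous run. The added example below (not part of this page's tooling or of Nmap) parses the `PORT STATE SERVICE [REASON]` tables from the two scans above, embedded here so it runs offline, and turns the interesting ports into a single `-p` spec, compressing consecutive ports into ranges. The resulting spec is meant for a second run such as `nmap -sS -sU -sV -p <spec> 10.10.20.208`; the `U:` part only takes effect when `-sU` is given.

```python
"""Parse Nmap's normal-output port table and build a follow-up -p spec.

Added example, not Nmap's code. The two sample tables are the port tables
from the scans shown on this page, copied inline so the script runs offline.
"""
import re
from typing import Dict, List, Optional, Sequence

# One row of the PORT/STATE/SERVICE table; REASON is only present with -vv or --reason.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<reason>\S+))?"
)

TCP_OUTPUT = """
Not shown: 396 filtered tcp ports (no-response)
PORT    STATE SERVICE REASON
21/tcp  open  ftp     syn-ack
53/tcp  open  domain  syn-ack
80/tcp  open  http    syn-ack
135/tcp open  msrpc   syn-ack
"""

UDP_OUTPUT = """
PORT    STATE         SERVICE
53/udp  open          domain
67/udp  open|filtered dhcps
123/udp open|filtered ntp
"""

PROTO_LETTER = {"tcp": "T", "udp": "U", "sctp": "S"}


def parse_port_table(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per port row: port (int), proto, state, service, reason (or None)."""
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])  # type: ignore[assignment]
            rows.append(row)
    return rows


def compress_ranges(ports: Sequence[int]) -> str:
    """[21, 22, 23, 24, 25, 80] -> '21-25,80', the range syntax -p accepts."""
    runs: List[List[int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def followup_spec(rows: Sequence[Dict[str, Optional[str]]],
                  states: Sequence[str] = ("open", "open|filtered")) -> str:
    """Build a -p spec such as 'T:21,53,80,135,U:53,67,123' from the rows in the given states."""
    by_proto: Dict[str, List[int]] = {}
    for row in rows:
        if row["state"] in states:
            by_proto.setdefault(str(row["proto"]), []).append(int(row["port"]))  # type: ignore[arg-type]
    return ",".join(f"{PROTO_LETTER[proto]}:{compress_ranges(ports)}"
                    for proto, ports in sorted(by_proto.items()))


def unresolved_udp(rows: Sequence[Dict[str, Optional[str]]]) -> List[int]:
    """UDP ports still marked open|filtered, i.e. the ones a -sU -sV re-scan should settle."""
    return sorted(int(r["port"]) for r in rows if r["proto"] == "udp" and r["state"] == "open|filtered")  # type: ignore[arg-type]


if __name__ == "__main__":
    rows = parse_port_table(TCP_OUTPUT) + parse_port_table(UDP_OUTPUT)
    print("parsed rows:       ", len(rows))
    print("follow-up spec:    ", followup_spec(rows))
    print("unresolved udp:    ", unresolved_udp(rows))
    print("next command:      ", f"nmap -sS -sU -sV -p {followup_spec(rows)} 10.10.20.208")
```

Feeding Nmap's own `-oG` greppable output would be more robust for automation, but parsing the normal table is what you end up doing with copied terminal output, and the regex tolerates both the plain and the `-vv`/`--reason` layouts.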

