Nmap's default port scanning behavior is actually a carefully designed optimization. When you run a basic scan without port specifications (like `nmap target.com`), it only checks the top 1,000 most common ports from the `nmap-services` file. This isn't a bug - it's a feature designed for efficiency.
Security professionals might need full port scans in these scenarios:
- Penetration testing engagements
- Identifying obscure services
- Detecting potentially malicious backdoors
- Compliance auditing requirements
Your approach with `-p 0-65535` is technically correct, but here are more optimized variants:

```bash
# Basic full port scan
nmap -p- target.com
# Faster full scan with timing template
nmap -p- -T4 target.com
# Full scan with service detection
nmap -p- -sV target.com
# Full scan saving results
nmap -p- -oN full_scan.txt target.com
```
Full port scanning generates significant network traffic and takes time. Here's a benchmark comparison:

| Scan Type | Ports Scanned | Time (avg) |
|---|---|---|
| Default | 1,000 | 22s |
| -p- | 65,535 | 18m |
| -p- -T4 | 65,535 | 9m |
Instead of scanning all ports, consider these targeted strategies:

```bash
# Scan common ports plus known vulnerable ports
nmap -p 1-1024,3306,5432,8080,8443 target.com
# Scan all ports but skip known closed ones in subsequent scans
nmap -p- --exclude-ports 1,7,9 target.com
```
- Always get proper authorization before scanning
- Consider network impact when scanning production systems
- Combine with service detection (-sV) for better results
- Use output formats (-oA) for documentation
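The benchmark above is dominated by the full port sweep, and adding `-sV` to all 65,535 ports makes it worse. A common way to keep the coverage without the cost is to split the work: sweep every port cheaply first, then run version detection only against what came back open. The script below is an added example, not code from the answer above; `open_ports_from_gnmap`, `staged_scan` and `sample_open_ports` are names I chose, and the `-oG` excerpt it parses offline is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): a two-stage full-port scan.
# Stage 1 sweeps all 65,535 TCP ports without version probes; stage 2 runs the
# slow -sV only against the ports stage 1 reported open.
set -u

# Read Nmap grepable output (-oG) on stdin and print the open TCP ports as a
# sorted, comma-separated list suitable for -p, e.g. "22,80,32768".
# Prints nothing when no port is open.
open_ports_from_gnmap() {
  grep '^Host:' \
    | grep -o '[0-9]*/open/tcp' \
    | cut -d/ -f1 \
    | sort -n -u \
    | tr '\n' ',' \
    | sed 's/,$//'
}

# Hypothetical wrapper. "-oG -" sends grepable output to stdout, --open keeps
# the stage 1 output small, and -oA records all three formats for stage 2.
staged_scan() {
  target=$1
  ports=$(nmap -p- -T4 --open -oG - "$target" | open_ports_from_gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  echo "stage 2: running -sV against $ports" >&2
  nmap -sV -p "$ports" -oA "full_scan_$target" "$target"
}

# Constructed -oG excerpt (not real scan output) so the parser can be
# exercised offline; real lines separate fields with tabs.
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 192.168.1.105 ()  Status: Up
Host: 192.168.1.105 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 32768/open/tcp//redis///  Ignored State: closed (65531)
# Nmap done (constructed sample)'

# Parse the constructed sample; returns "22,80,32768".
sample_open_ports() {
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
}

# Usage against a live host: staged_scan 192.168.1.105
```

The parser only accepts `/open/tcp` entries, so filtered or closed ports never leak into the stage 2 port list, and an empty result makes `staged_scan` stop rather than launch `nmap -sV -p ""`.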
Many security engineers first encounter this surprise when running basic Nmap scans. The default behavior only checks about 1,000 common ports from the `nmap-services` file, which contains port frequency statistics. While this covers most production scenarios, serious security assessments require full port coverage.
Nmap prioritizes efficiency by default. The `nmap-services` file (usually located at `/usr/share/nmap/nmap-services`) contains entries like:

```
ftp-data 20/tcp
ftp 21/tcp 0.995623
ssh 22/tcp 0.976919
telnet 23/tcp 0.216797
```
The third column shows usage frequency - ports below certain thresholds get excluded from default scans.
Several methods exist for full port enumeration:

```bash
# Basic full port scan (-p- is shorthand for -p 1-65535; port 0 must be requested explicitly, e.g. -p 0-65535)
nmap -p- target.com
# Fast scan with timing template (-T4)
nmap -p- -T4 target.com
# Combining service detection
nmap -p- -sV target.com
# Scanning specific high ports
nmap -p 30000-40000 target.com
```
Full 65K port scans create significant overhead. Consider these optimization strategies:
- Use the `-T4` timing template for faster scans (but noisier)
- Combine with `--min-rate` to control packet frequency
- Enable parallel scans with `--min-parallelism`
- For internal networks, try `-Pn` to skip host discovery
During a recent penetration test, we discovered a Redis instance running on port 32768 that wouldn't have been found with default scans:
```
nmap -p- -T4 192.168.1.105
...
32768/tcp open redis
```
This highlights why comprehensive scanning matters - critical services often hide on non-standard ports.
For specific use cases, consider:

```bash
# Scan all UDP ports
nmap -sU -p- target.com
# Combine TCP/UDP scanning
nmap -sS -sU -p- -T4 target.com
# Custom port specification
nmap -p 1-1024,3000-4000,50000-60000 target.com
```
While default Nmap behavior serves most quick scans, security professionals should master full port scanning techniques. The `-p-` parameter remains the most straightforward solution, though various tuning options exist for different operational requirements.
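The third column of `nmap-services` is what decides the default port list: Nmap ranks ports by that open-frequency value and takes the top 1,000, which is exactly why a port like 32768 falls outside a default scan. The script below is an added example, not code from the answer above, that reproduces the ranking from an `nmap-services`-style file so you can see which ports a default scan would and would not cover. `top_ports`, `sample_top_tcp` and `sample_top_udp` are names I chose, and the embedded file excerpt is constructed with invented frequencies.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): rank ports by the open-frequency
# column of an nmap-services-style file. This is the statistic behind Nmap's
# default top-1000 selection.

# Constructed excerpt in nmap-services format; the frequencies are invented.
# The ftp-data line deliberately has no frequency, like the entry quoted above.
SAMPLE_SERVICES='# service-name port/protocol open-frequency [# comment]
ftp-data 20/tcp
ftp 21/tcp 0.197667
ssh 22/tcp 0.182286
telnet 23/tcp 0.221265
http 80/tcp 0.484143
redis 6379/tcp 0.000109
filenet-tms 32768/tcp 0.000030 # trailing comment field is ignored
domain 53/udp 0.213496'

# top_ports PROTO N: read an nmap-services-style file on stdin and print the N
# highest-frequency PROTO ports as a comma-separated list ready for -p.
# Entries without a frequency rank last (treated as 0); ties sort by port.
top_ports() {
  proto=$1
  n=$2
  awk -v proto="$proto" '
    /^#/ || NF < 2 { next }                  # skip comments and blank lines
    {
      split($2, pp, "/")                     # pp[1]=port, pp[2]=protocol
      if (pp[2] != proto) next
      freq = ($3 ~ /^[0-9.]+$/) ? $3 : 0     # missing frequency counts as 0
      print freq, pp[1]
    }' \
    | LC_ALL=C sort -k1,1nr -k2,2n \
    | head -n "$n" \
    | cut -d' ' -f2 \
    | tr '\n' ',' \
    | sed 's/,$//'
}

# Convenience wrappers over the constructed sample.
sample_top_tcp() { printf '%s\n' "$SAMPLE_SERVICES" | top_ports tcp "$1"; }
sample_top_udp() { printf '%s\n' "$SAMPLE_SERVICES" | top_ports udp "$1"; }

# Usage against a real install (path from the answer above):
#   top_ports tcp 1000 < /usr/share/nmap/nmap-services
```

Running `top_ports tcp 1000` over the real file gives you the same set a default `nmap target.com` covers, which is a quick way to confirm whether a service port you care about is in it; Nmap itself exposes the same ranking through `--top-ports <N>` and `--port-ratio <ratio>`, so in practice you only need the script when you want to inspect or diff the list rather than scan with it.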