Nmap from Scratch | Part-2 | Specifying different ports and services.

3 min readDec 19, 2020


Welcome back!

In the last blog we covered the basics, this blog covers different options for ports and services.

There are different options in nmap for selecting ports based upon different scenarios, let’s consider nmap.scanme.org is our target and we want to scan different ports to find out if they have any service running on them.

But before we check out different options let’s first see what services run on which port, check out this cheat sheet.

Now let’s get started with scanning:

For instance let’s suppose we want to scan port number 22, which is a port for SSH service, we use the -p option to specify a port.

nmap -sT nmap.scanme.org -p 22

The result tells us that the port is closed which means there’s no service running on it.

The service name can also be used to specify the port for example:

nmap -sT nmap.scanme.org ssh        #scans port 22 for ssh

Let’s suppose we want to scan a range of ports, for that we’ll write:

nmap -sT nmap.scanme.org -p 22-80

The above command will scan for all the ports from port 22 (SSH) to port 80 (HTTP).

We can see in the result that port 80 is open and HTTP service is running on it, but we can’t see the closed ports because they are not shown, but if we want to see the closed ports as well, we can use the verbose option which is -v .

nmap -sT nmap.scanme.org -p 22-80 -vvv   #triple v means triple verbose

Which will give us something like this:

Nmap provides a lot more information with the verbose option, I highly recommend using verbose for every scan, as it gives information about what’s going on.

Moving on, to scan all the 65535 ports, we can write:

nmap -sT nmap.scanme.org -p-
nmap -sT nmap.scanme.org -p0- [ specifying 0 will skip the 0 port ]


So this option is the last one for specifying ports, as we all know that Nmap maintains a list of top ports, we can actually specify how many top ports we want to scan according to that list, to do that we use:

nmap -sT nmap.scanme.org --top-ports [number of top ports]

Some other few options that might be useful are:

  • Exclude Ports
nmap -sT nmap.scanme.org --exclude-port [port_number]
  • Scan ports consecutively
nmap -sT nmap.scanme.org -r  [ Will scan without randomization ]
  • Specify protocols with ports
nmap -sT nmap.scanme.org -p U:11,53,T:21-25

The command will scan for UDP ports 11 and 53, and for TCP ports from 21 to 25.

  • Fast Scan
nmap -sT nmap.scanme.org -F    [ Will scan for only top 100 ports ]

That’s it for this blog, we’ll cover different host discovery techniques in the next blog, till then keep practicing, you can ping me on Twitter for any query.

Check out my other interesting blogs here.