In Fyodor’s talk at Blackhat he talked about the research he’s been doing, and the ways that research has helped him to improve Nmap with lot many enhancements. Let’s have a look at the most interesting one.


One of Fyodor’s main focuses was improving Nmap’s speed through improved
efficiency. One of the best ways to do this is to allow for scans of fewer
ports, but this requires that you choose those ports carefully so as to miss as
little as possible. So what he did, through trial and error and tons of scans,
was figure out the most frequently open ports on the Internet.

Here they are for each protocol:


  1. 80
  2. 23
  3. 22
  4. 443
  5. 3389
  6. 445
  7. 139
  8. 21
  9. 135
  10. 25


  1. 137
  2. 161
  3. 1434
  4. 123
  5. 138
  6. 445
  7. 135
  8. 67
  9. 139
  10. 53

Ok, so now that we know what the top 10 ports are, wouldn’t it be cool to be
able to scan based on them? And what if we wanted to scan the top 50? Or the top

Fyodor has built this in with the --top-ports option. It’s
wicked nice, and you invoke it like this:

nmap –top-ports 100 $target

And of course, 100 is just an arbitrary number, so you could just as easily
do this:

nmap –top-ports 3000 $target

As you increase this number you obviously gain more and more accuracy, but
because the ports are organized according to the most commonly found on the
Internet, you can scan relatively few and still have good chances of finding
everything open.

Stats from his presentation on TCP port efficiency using --top-ports:

–top-ports 10: 48%
–top-ports 50: 65%
–top-ports 100: 73%
–top-ports 250: 83%
–top-ports 500: 89%
–top-ports 1000: 93%
–top-ports 2000: 96%
–top-ports 3764: 100%

This means for just curiosity scans I can go with --top-ports
and get roughly 93% accuracy in a fraction of the time.

read about more options here.

Leave a Reply