I’m a big fan of nmap‘s --top-ports option, which gives you the ability to leverage Fyodor’s latest Internet research on open ports on the Internet.

Basically, he scanned most of the Internet and determined which ports are usually open, and he built lists of the top ports for use within nmap. So now instead of saying:

nmap -p 1-10000 $target

…to hopefully get “most” of the ports you’re looking for, you can instead say:

nmap --top-ports 1000 $target

…which yields dramatically faster and more accurate results.

From the website:

The –top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.

93% in just 1,000 ports. Nice.

Anyway, the --top-ports option by default launches a TCP scan, and figuring out how to do both a TCP and a UDP scan at the same time isn’t intuitive for everyone. All you do is preceed your scan with the -s option, combined with the type of scans you want to do.

So, for both TCP and UDP, it’d be:

nmap -sTU --top-ports

That’s it. Here are the options I like to use for a basic scan:

nmap -vv -O -P0 -sTUV –top-ports 1000 -oA target $target

Which does all of the following:

• very verbose
• get the operating system
• tcp, udp, and version information
• top 1,000 TCP and UDP ports
• output in nmap, greppable, and XML format

As a special bonus for those wanting to use tcpdump to capture your scan traffic, you can just add --packet-trace to your scan to see the actual packets that leave and exit your box from right within nmap.

Notes

1. My nmap Primer