Nmap is an excellent and popular network scanner. During a scan with no options, Nmap performs a TCP SYN scan against the top 1,000 ports, as specified in the nmap-services file. From nmap.org:
“The nmap-services file is a registry of port names to their corresponding number and protocol. Each entry has a number representing how likely that port is to be found open.”
To determine what specific ports Nmap actually scans, there are two options. 1) You can sort the nmap-services file by protocol and again by frequency of openness, or; 2) start a sniffer and run a scan with no port specification. I prefer option 2, and Wireshark makes this easy.
Start Wireshark, using a BPF filter to isolate the machine you are scanning. In this case I am scanning a virtual machine (192.168.61.128) from the host machine (192.168.61.1), so I am using the filter, “host 192.168.61.128” on Wireshark (with Wireshark running on my host machine).
Scan the target system with Nmap using no port specification, wait for it to complete, and stop the Wireshark capture. In Wireshark, go to the Statistics tab and select Conversations:
This will display a summary of all of the packets sent/received to the target. You can copy this to csv and import it into a spreadsheet to easily sort through the data. The specific ports that Nmap has scanned are in the “Port B” column:
It is good to know which ports you are scanning, and you can use this method before unleashing any type of scanner, especially commercial scanners that do not include within their documentation any sort of default port specification.