Overview

Port options control which TCP ports are scanned on target hosts. You can specify individual ports, ranges, top ports, or use custom port lists.

Port Specification

-p, -port
string
Ports to scan. Supports individual ports, ranges, and comma-separated combinations.
Syntax:
  • Individual ports: 80,443,8080
  • Port ranges: 100-200
  • Mixed: 80,443,8000-9000
Examples:
# Scan common web ports
scan4all -host example.com -p 80,443,8080,8443

# Scan a range
scan4all -host example.com -p 1-1000

# Combined specification
scan4all -host example.com -p 22,80,443,3000-4000,8080
When no port specification is provided, scan4all uses the top ports based on the -tp setting.
-tp, -top-ports
string
default:"1000"
Number of top ports to scan based on frequency of use.
Uses a built-in database of the most commonly used ports, ordered by likelihood of being open.
Common values:
  • 100 - Top 100 most common ports (fast scan)
  • 1000 - Top 1000 ports (default, balanced)
  • full - All 65535 ports (comprehensive)
Examples:
# Quick scan of top 100 ports
scan4all -host example.com -tp 100

# Comprehensive scan
scan4all -host example.com -tp full

# Default behavior
scan4all -host example.com  # Uses -tp 1000
-pf, -ports-file
string
File containing list of ports to scan (one per line or comma-separated).
File format:
22
80
443
3000-4000
8080
Example:
scan4all -host example.com -pf custom_ports.txt

Port Exclusions

-ep, -exclude-ports
string
Ports to exclude from the scan (comma-separated).
Useful when scanning large port ranges but wanting to skip specific ports.
Examples:
# Scan all top 1000 ports except 22 and 23
scan4all -host example.com -tp 1000 -ep 22,23

# Scan range but exclude some ports
scan4all -host example.com -p 1-10000 -exclude-ports 80,443,8080
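
The -p, -pf and -ep syntax described above can be checked before a long scan is started, so a typo in a ports file does not silently change the scope. This is an added example, not scan4all's own parser: the function names are hypothetical, and rejecting malformed, reversed or out-of-range tokens is an assumption, since this page does not say how scan4all treats them.

```python
import re

# Added example, not scan4all code: a pre-flight check for port specifications.
# Assumption: malformed, reversed or out-of-range tokens are rejected here;
# the page does not say how scan4all itself treats them.
PORT_TOKEN = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)

def parse_ports(spec):
    """Expand '22,80,3000-4000' (commas and/or newlines) into a set of ints."""
    ports = set()
    for token in spec.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue  # blank line or trailing comma
        m = PORT_TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"not a port or range: {token!r}")
        start = int(m.group(1))
        end = int(m.group(2) or start)
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"out of range or reversed: {token!r}")
        ports.update(range(start, end + 1))
    return ports

def effective_ports(spec, exclude=""):
    """Ports left after removing the -ep style exclusions, sorted."""
    return sorted(parse_ports(spec) - parse_ports(exclude))

def to_spec(ports):
    """Collapse ports back into -p syntax: [80, 81, 82, 443] -> '80-82,443'."""
    ports, out, i = sorted(ports), [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)

# The ports file shown for -pf above, embedded so the example runs offline.
PORTS_FILE = "22\n80\n443\n3000-4000\n8080\n"

if __name__ == "__main__":
    remaining = effective_ports(PORTS_FILE, exclude="22,3500")
    print(len(remaining), "ports:", to_spec(remaining))
```

The normalized string from to_spec can be reviewed against the authorized scope and then passed to -p in place of the separate file and exclusion list.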
-ec, -exclude-cdn
boolean
default:"false"
Skip full port scans for known CDN IP ranges. Only checks ports 80 and 443.
This optimization significantly speeds up scans when targeting domains behind CDNs like Cloudflare, Akamai, or Fastly, since these IPs typically only expose HTTP/HTTPS.
Example:
# Skip extensive scanning for CDN IPs
scan4all -l targets.txt -ec

# Combine with other options
scan4all -host example.com -tp full -exclude-cdn
Enable this option when scanning web applications that might be behind CDNs to save time and reduce unnecessary traffic.

Port Selection Strategies

Quick Reconnaissance

# Fast scan of most common ports
scan4all -host example.com -tp 100

Standard Scan

# Balanced approach (default)
scan4all -host example.com -tp 1000

Web Application Focus

# Common web and API ports
scan4all -host example.com -p 80,443,3000,8000,8080,8443,9000

Comprehensive Scan

# All ports with verification
scan4all -host example.com -p 1-65535 -verify

Custom Service Scan

# Database and messaging services
scan4all -host example.com -p 3306,5432,6379,9200,27017

Performance Considerations

  • Top 100 ports: ~1-5 seconds per host
  • Top 1000 ports: ~10-30 seconds per host
  • All ports (1-65535): ~5-15 minutes per host
Actual timing depends on network latency, rate limits, and host responsiveness.

Common Port Ranges

Range          Description
1-1023         Well-known ports (system ports)
1024-49151     Registered ports (user ports)
49152-65535    Dynamic/private ports
80, 443        HTTP/HTTPS
20-23          FTP/SSH/Telnet
25, 587, 465   Email (SMTP)
3306, 5432     MySQL/PostgreSQL
6379, 27017    Redis/MongoDB

Best Practices

  1. Start with top ports - Use -tp 100 for initial reconnaissance
  2. Expand as needed - Increase to -tp 1000 or specific ports based on findings
  3. Use exclusions wisely - Skip known ports to focus on interesting services
  4. Enable CDN exclusion - Save time with -ec for web application scans
  5. Verify critical ports - Use -verify flag for important findings
  6. Custom port lists - Maintain service-specific port files for repeated scans
