I am using nmap with the flag: -sS , did some experiments with and without the -p flag , If i enter lets say -p 1- 65000 it scans all ports from 1 - 65000 but if I don`t provide the -p flag it scans 1000 ports, not the first 1000.
My question is: are the 1000 ports chosen at random? or the most "common" 1000 ports? or is it another algorithm for choosing the ports?
If you don't specify ports, Nmap will scan the most common ones. This is because of ports like 3389 (Windows Remote Desktop Protocol) that would never get reached if Nmap only scanned the first 1,000 ports, but are nonetheless common and important ports to look at.
If you want to see for yourself, Nmap's documentation says, Normally Nmap scans the most common 1,000 ports for each scanned protocol.
