"All IANA assigned ports"

Hi everybody , when configuring a new target, in the ‘Create / Edit Target’ pop-up window, at the ‘Port list’ item (just above the ‘Alive Test’ configuration choice), you are given 3 possibilities :
- All IANA assigned TCP
- All IANA assigned TCP and UDP
- All TCP and Nmap top 100 UDP
Say you select the first choice (All IANA assigned TCP).
My question is very straightforward : will ALL TCP ports, from 0 up to 65 535, actually be tested by the scanner on the target ? I mean : ALL of them … (0 - 65 535) ? And this, regardless of a possible port range limitation in the NVTs sets … ?
Many thanks for your answer, best regards,
J. Le Moigne, INRAe / DSI / SSI (France)

Hi jlemoigne,

Not all 65535 ports will be tested. As the name suggests, only the IANA assigned ports are tested. You can find those here: IANA assigned ports. In summary, system ports (Ports 0-1023) will be highly frequented.


Hi TreAtW , many thanks for your quick reply, and the link (that I’d actually found, but I wasn’t sure ast to be able to get a strict understanding of it … )
So, if I’m not mistaken :

  • that’s roughly (roughly, because there are some small gaps with unassigned values) from 0 up to 49 150 (49 151 is IANA reserved)
  • and THEN also some ‘funny’ services, such as ‘chaos’ (CHAOS protocol), ‘ggp’ (Gateway Gateway Protocol), (and so on …) : are THESE also tested by the GVM scanner (if you would know the answer) … ??

Unfortunately, my knowledge about OpenVAS, GVM and NVTs doesn’t reach that far :confused: But I’m sure that someone more experienced than me will answer your question. :slight_smile:

Okay. Many thanks however ;-D)
regards, see you Jean

1 Like

Hello @jlemoigne
If you want to take a look on the currently IANA port list , you can check the port list data object folder.

$ cd ~/install/var/lib/gvm/data-objects/gvmd/22.04/port-lists$ 
$ cat all-iana-assigned-tcp-33d0cd82-57c6-11e1-8ed1-406186ea4fc5.xml |xmlstarlet fo |egrep "start|end"



Hi jjnicola ,

hmmm … ! Yes, of course ! :slightly_smiling_face:
Excellent (and definetely GVM contextual). Thank you very much, regards, Jean

As soon as one port is included in the used port list and the port was found to be open during the port scanning phase the service behind this port will get scanned, independent what’s running behind it.

For example just because a specific port is IANA assigned / reserved doesn’t mean that such a service is actually running behind it. e.g. you could also make an SSH server (IANA assigned: 22) listen on port 80 (IANA assigned: www) and just relying on the IANA assignments doesn’t work in such cases.


Hi cfi , many thanks to you as well.

e.g. you could also make an SSH server (IANA assigned: 22) listen on port 80 (IANA assigned: www) and just relying on the IANA assignments doesn’t work in such cases

hmmmm … Okay, but meaning what, exactly … ? is openvas-scanner ‘expecting’ HTTP protocol behind port 80 in some way ? and if it is SSH (on port 80), will it abort … ? or “try something else” … ?
Actually meaning : in this case, will it be able to effectively scan the service behind the port (even if it’s not at all IANA compliant), and get some info, or will this port scan just be unsuccessful ?

If you possibly would know the answer, that would be great to understand more deeply the way the scanner behaves.
Regards, Jean

For instance, I suppose real hackers try ‘many things’ on any given active port. Hence, they probably are rapidly able to determine whether the actual service behind is SQL, HTTPS or SMTP.
The question is : do NVTs tests, or some other sections of openvas-scanner code, go that far as well … ?

Yes, services are “probed” via various means to identify the service running behind it independent from any IANA assignment or similar. See e.g. https://github.com/greenbone/openvas-scanner/blob/v22.4.0/nasl/nasl_builtin_find_service.c, VTs like “find_service1.nasl” or any other VTs in the “Service detection” family.

I humbly confess I’ve not been checking the sources … :slightly_frowning_face: (yet)
But this is great to hear : so it’s actually quite an advanced ‘expert’ system, and an impressive development effort !
Many thanks for your very precise answers, best regards , Jean

1 Like

So, if it might help somebody in shortening things : that’s 1 242 TCP ports scanned by ‘openvas-scanner’ in “ALL IANA assigned TCP ports” (which is far from all of them …), as of Dec 13th, 2022 (for it 's an information which is dynamically updated on your server).
=> see files in cd ~/install/var/lib/gvm/data-objects/gvmd/22.04/port-lists$ (as stated by jjnicola)
Best regards , jean
All IANA assigned TCP ports list - ‘openvas-scanner’ - 2022.12.13.txt (17.1 KB)

On an operational and running GVM server, it’s actually located there :
see ya , J.