A scanner that only allowed you to use the default ports would be severely limited, so all the scanners we discuss allow you to input arbitrary ports to be scanned on the command line.
Nmap allows you to pick custom ports with the -p ports option. The ports argument is a comma-separated list of ports or port ranges. For example:
sudo nmap -p 21-25,80,100-150 target
Nmap also provides the -F flag, which instructs Nmap to perform a "fast" scan by only looking for ports specified in the nmap-services file. This file comes with Nmap and contains around 1,200 ports, which is a small decrease from the 1,600+ ports that Nmap scans by default.
Nmap provides its own services file, nmap-services, instead of relying on the /etc/services file provided by the host (see How Scanners Work). Depending on your environment, the nmap-services file may contain more or fewer entries than what is already on your system. For example, my Linux services file contains 279 TCP ports while Nmap's contains 1,246. However, my OS X machine has both beat with 4,065 entries.
You can mix UDP ports and TCP ports together in the ports list by typing T: in front of the TCP ports and U: in front of the UDP ports. For example, to scan TCP ports 21 through 25 and 80 and UDP ports 5000 through 6000, you would type:
sudo nmap -pT:21-25,80,U:5000-6000 target
Finally, Nmap assumes a port of 1 if the left side of a range is blank, and 65535 if the right side is blank. Therefore, -p-100 is equivalent to -p1-100, and -p100- is equivalent to -p100-65535.
The most concise way to specify that Nmap should scan all ports is to use -p-, which is equivalent to -p1-65535.
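The port-list rules above (comma-separated entries, ranges, T: and U: qualifiers, and blank range sides) can be checked before an authorized scan by expanding the argument and counting how many ports it really covers. The following Python is an added example, not code from Nmap or from the original text; the function names expand_port_spec and count_ports, the "any" bucket for unqualified ports, and the acceptance of an explicitly written port 0 are assumptions made for illustration.

```python
# Added example: models only the -p syntax described in the text above.
MIN_PORT, MAX_PORT = 1, 65535  # values assumed when a range side is blank


def expand_port_spec(spec):
    """Expand an Nmap-style -p argument into {protocol: sorted list of ports}.

    Entries that appear before any T:/U: qualifier are filed under "any"
    (assumption: they apply to whatever protocols the scan type covers).
    """
    ports = {}
    proto = "any"
    for item in spec.split(","):
        item = item.strip()
        # A T: or U: qualifier stays in effect until the next qualifier.
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        if not item:
            raise ValueError(f"empty entry in port list {spec!r}")
        if "-" in item:
            left, right = item.split("-", 1)
            low = int(left) if left else MIN_PORT      # -100 means 1-100
            high = int(right) if right else MAX_PORT   # 100- means 100-65535
        else:
            low = high = int(item)
        # Assumption: port 0 is accepted only when written out explicitly.
        if not (0 <= low <= high <= MAX_PORT):
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.setdefault(proto, set()).update(range(low, high + 1))
    return {p: sorted(s) for p, s in ports.items()}


def count_ports(spec):
    """Return {protocol: number of distinct ports} for a -p argument."""
    return {p: len(v) for p, v in expand_port_spec(spec).items()}


if __name__ == "__main__":
    # Constructed sample arguments taken from the examples in the text.
    for spec in ("21-25,80,100-150", "T:21-25,80,U:5000-6000", "-100", "100-", "-"):
        print(f"-p{spec}", "->", count_ports(spec))
```

Counting the expanded ports before launching a scan is a quick way to confirm that a typed range matches the agreed scope, since a stray trailing hyphen turns 100 into 100-65535.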
Unicornscan lets you specify custom ports by appending them to the address with a colon (:) character. As with Nmap, the ports specification can be a comma-separated list of individual ports or a range of ports. For example:
unicornscan target:21-25,80,100-150
If no custom ports are specified, Unicornscan scans its default set of 291 ports. This default set can also be selected by using the special character q (for "quick") in place of a port list.
Scanrand supports custom ports using the same syntax as Unicornscan, by appending the port list after the address with a ":" character. As with the other scanners, the port list is comma-separated and can contain both single ports as well as port ranges. For example:
sudo scanrand target:21-25,80,100-150
In addition to manually specifying custom ports, Scanrand provides four helpful keywords you can use in place of a port list:
squick
Short for super-quick, this option instructs Scanrand to use the six most common TCP ports: 80, 443, 139, 21, 22, and 23.
quick
This tells Scanrand to use a short list of common ports (26 ports in total). This is the same list that is used by default when scanning a single host.
known
This instructs Scanrand to scan all the ports specified in the nmap-services file. (Yes, Scanrand cribs values from Nmap.) The known keyword scans the same ports as nmap -F.
all
This is simply a shortcut to scan all ports. This is equivalent to specifying the port range of 0-65535. (Note that Scanrand includes port 0 by default while Nmap does not.)