🛡️ Methodology Checklist
- Quick host discovery: `nmap -sn [CIDR]`
- Full port scan: `nmap -p- --min-rate 5000 [TARGET]`
- Service/version detection: `nmap -sV -sC -p [PORTS] [TARGET]`
- UDP scan top ports: `sudo nmap -sU --top-ports 100 [TARGET]`
- OS fingerprint: `sudo nmap -O [TARGET]`
- NSE scripts: `nmap --script [CATEGORY] [TARGET]`
- Output all formats: `nmap -oA [BASENAME] [TARGET]`
- Firewall evasion: fragment, decoy, source-port manipulation
🎯 Operational Context
Think Dumber First: Start with a fast top-ports scan before committing to a full `-p-` sweep; you'll often find the critical services in the first 1000 ports within 30 seconds. Add `-Pn` immediately if ICMP is blocked (HTB/CPTS always). Never run version detection on the full-port sweep; keep the two phases separate.
When you land here: Target confirmed live. Run discovery and a full TCP port scan. Once ports are found, run a targeted version + script scan only on the open ports. Save all formats (`-oA`) from the start; you cannot recreate raw scan results later.
⚡ Tactical Cheatsheet
| Command (host discovery) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP]/24 -sn -oA [FILENAME]` | Sweep CIDR: live host discovery |
| `sudo nmap -sn -oA [FILENAME] -iL [TARGET_LIST]` | Discovery from target list |
| `sudo nmap [TARGET_IP] -sn -oA [FILENAME] -PE --packet-trace` | ICMP Echo with packet trace |
| `sudo nmap [TARGET_IP] -sn --reason` | Show why host is marked "up" |
| `sudo nmap [TARGET_IP] -sn -PE --disable-arp-ping --packet-trace` | Disable ARP, force ICMP |
| `sudo nmap -sn -PE -PP -PS21,22,23,25,80,113,443,31339 -PA80,113,443,10042 --source-port 53 [TARGET_IP]` | Kitchen Sink: multi-probe firewall bypass |
| `sudo nmap -PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 --source-port 53 [TARGET_IP]` | Optimal 8-probe combo (93.69% success) |

| Command (port scanning) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -sS -F` | Stealth SYN scan: top 100 ports |
| `nmap -sT [TARGET_IP]` | Connect scan (no root needed, noisy) |
| `sudo nmap -sU [TARGET_IP]` | UDP scan |
| `sudo nmap [TARGET_IP] -p 22,80,443` | Specific ports |
| `sudo nmap [TARGET_IP] -p 1-1024` | Port range |
| `sudo nmap [TARGET_IP] -p-` | All 65,535 ports |
| `sudo nmap [TARGET_IP] -p [PORT] --packet-trace -Pn -n --disable-arp-ping` | Debug port state |
| `sudo nmap [TARGET_IP] -p [PORT] -sV` | Version detection |
| `sudo nmap [TARGET_IP] -p- -sV -vv --stats-every=5s` | Full scan with live progress |
| `nc -nv [TARGET_IP] [PORT]` | Manual banner grab |

| Command (NSE scripting) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -sC` | Default scripts |
| `sudo nmap [TARGET_IP] -p [PORT] --script banner,smtp-commands` | Specific scripts |
| `sudo nmap [TARGET_IP] --script vuln` | Vulnerability category (maps to CVEs) |
| `sudo nmap [TARGET_IP] -A` | Aggressive: OS + version + scripts + traceroute |

| Command (performance) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms` | Aggressive RTT |
| `sudo nmap [TARGET_IP] -F --max-retries 0` | Zero retries |
| `sudo nmap [TARGET_IP] -F --min-rate 300` | Minimum 300 pkt/s |
| `sudo nmap [TARGET_IP] -T 4` | Aggressive timing (CTF standard) |
| `sudo nmap [TARGET_IP] -T 5` | Insane timing |

| Command (firewall evasion) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace` | ACK scan: test stateful vs stateless |
| `sudo nmap [TARGET_IP] -p 80 -sS -Pn -n -D RND:5` | 5 random decoy IPs |
| `sudo nmap [TARGET_IP] -n -Pn -p [PORT] -O -S [SPOOFED_IP] -e [INTERFACE]` | Source IP spoofing |
| `ncat -nv --source-port 53 [TARGET_IP] [PORT]` | Source port 53 (DNS impersonation) |

| Command (output & reporting) | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -p- -oA [FILENAME_BASE]` | Save all 3 formats |
| `xsltproc [INPUT].xml -o [OUTPUT].html` | Convert XML to HTML report |
| `cat [FILENAME].gnmap \| grep "80/open" \| awk '{print $2}'` | Extract IPs with port 80 open |
🔬 Deep Dive & Workflow
Port Scanning
NSE Scripting
Performance
Firewall Evasion
Output & Reporting
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Scan returns 0 open ports on confirmed live target | ICMP blocked, so nmap assumes the host is down | Add `-Pn` to skip host discovery and scan all requested ports unconditionally |
| `--min-rate 5000` misses ports | Rate too aggressive: packets dropped by VPN or target | Confirm discovered ports with a second, slower scan: `nmap -p [FOUND_PORTS] -sV -sC --max-retries 3` |
| Full `-p-` scan takes 20+ minutes | VPN bandwidth limitation | Split: scan 1-32767 first, then 32768-65535; use `--min-rate 2000` with `--max-rtt-timeout 200ms` |
| OS detection returns "OS details: No matches found" | Too few TCP probes to fingerprint | Run OS detection separately with more ports: `sudo nmap -O --osscan-guess -p 22,80,443,8080 [TARGET]` |
| SYN scan fails with "requires root privileges" | Running as non-root user | Use TCP connect scan: `nmap -sT [TARGET]` (no sudo needed); less stealthy but functionally equivalent for most purposes |
📝 Reporting Trigger
Finding Title: (Nmap is a scanning tool; the findings are the services and vulnerabilities it discovers. Document each open service as evidence, and use the scan output as supporting data in the individual findings. Non-standard services on unexpected ports should be flagged as potential evasion indicators.)
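As an added example (not part of the original cheatsheet or of nmap), the following Python parser for `.gnmap` output generalises the `grep "80/open" | awk` one-liner from the output table to any port/protocol and implements the reporting note's "known service on an unexpected port" check; the expected-port table and the sample scan lines are constructed assumptions, not real results.

```python
"""Parse nmap .gnmap output: generalise the grep/awk one-liner and flag
services found off their usual ports (added example, not nmap's own code)."""
import re
from collections import namedtuple

PortEntry = namedtuple("PortEntry", "host port state proto service version")

# Assumed baseline of where each service is normally expected; tune per engagement.
EXPECTED_PORTS = {"ssh": {22}, "ftp": {21}, "smtp": {25, 587}, "http": {80, 8000, 8080},
                  "https": {443, 8443}, "ms-wbt-server": {3389}}
# "Host: <ip> (<name>)\tPorts: <list>\t..." -> capture the ip and the port list only
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_gnmap(text):
    """Return one PortEntry per port on every 'Ports:' line (all states kept)."""
    entries = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and bare 'Status: Up' lines
        host, port_list = m.groups()
        # Split only where the next port number starts (a comma inside a version
        # string then cannot break a record); layout: port/state/proto/owner/service/rpc/version/
        for raw in re.split(r", (?=\d+/)", port_list):
            fields = raw.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append(PortEntry(host, int(port), state, proto, service, version))
    return entries

def hosts_with_open_port(entries, port, proto="tcp"):
    """Same result as: grep "<port>/open" scan.gnmap | awk '{print $2}'."""
    return sorted({e.host for e in entries
                   if e.port == port and e.proto == proto and e.state == "open"})

def flag_nonstandard(entries, expected=EXPECTED_PORTS):
    """Open ports whose fingerprinted service is known but not on a usual port."""
    return [e for e in entries if e.state == "open"
            and e.service in expected and e.port not in expected[e.service]]

# Constructed sample .gnmap content (not real scan output); "\t" separates fields.
SAMPLE_GNMAP = (
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 2222/open/tcp//ssh//OpenSSH 7.4/\tIgnored State: closed (997)\n"
    "Host: 10.10.10.6 ()\tPorts: 80/filtered/tcp//http///, 8080/open/tcp//http//nginx 1.18.0/, "
    "53/open/udp//domain//ISC BIND 9.18/\n"
)
```

On the sample, `hosts_with_open_port(parse_gnmap(SAMPLE_GNMAP), 80)` returns only 10.10.10.5 (the filtered port on 10.10.10.6 is excluded), and `flag_nonstandard` reports the SSH service on 2222 as the one entry worth a note in the report.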