🛡️ Methodology Checklist
- Top 1000 ports (default): `nmap [TARGET]`
- Full TCP: `nmap -p- --min-rate 5000 [TARGET]`
- Specific ports: `nmap -p 22,80,443,8080 [TARGET]`
- SYN scan (stealthy, root): `sudo nmap -sS [TARGET]`
- Connect scan (no root): `nmap -sT [TARGET]`
- UDP scan: `sudo nmap -sU [TARGET]`
- Record all open ports before running service detection
🎯 Operational Context
Think Dumber First: Split the workflow: fast full-port scan first (`-p- --min-rate 5000`), then version detection only on the ports found open (`-p [PORTS] -sV -sC`). Combining all flags in one command makes the full-port sweep 10x slower. UDP scans are mandatory for SNMP/IPMI/TFTP; run them in parallel with TCP.
When you land here: Live hosts confirmed. Run full TCP sweep first. After open ports identified, run targeted version scan. Then run UDP top-100. Finally run service-specific NSE scripts against confirmed service ports.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] --top-ports=10` | Scan top 10 most common ports |
| `sudo nmap [TARGET_IP] -F` | Fast scan — top 100 ports |
| `sudo nmap [TARGET_IP] -p 22,80,443` | Scan specific ports |
| `sudo nmap [TARGET_IP] -p 22-445` | Scan port range |
| `sudo nmap [TARGET_IP] -p-` | Scan all 65,535 ports |
| `sudo nmap [TARGET_IP] -sS -F` | Stealth SYN scan (half-open, root required) |
| `nmap -sT [TARGET_IP]` | Full TCP Connect scan (no root needed, noisy) |
| `sudo nmap -sU [TARGET_IP]` | UDP scan |
| `sudo nmap [TARGET_IP] -p [PORT] --packet-trace -Pn -n --disable-arp-ping` | Debug port state by tracing raw packets |
| `sudo nmap [TARGET_IP] -p [PORT] --reason` | Show the reason Nmap assigned a port state |
| `sudo nmap [TARGET_IP] -p [PORT] -sV` | Service and version detection |
| `sudo nmap [TARGET_IP] -p- -sV -vv --stats-every=5s` | Full scan with live progress updates |
| `nc -nv [TARGET_IP] [PORT]` | Manual banner grab to verify OS/service details |
🔬 Deep Dive & Workflow
Port States
| State | Description |
|---|---|
| open | Application is listening — connection established |
| closed | Host up, no application on port — RST returned |
| filtered | No response or ICMP error — firewall blocking |
| unfiltered | Accessible but state unknown — only in ACK scans |
| open\|filtered | No response — common in UDP |
| closed\|filtered | Only in IP ID idle scans |
TCP Scanning Methods
- SYN Scan (`-sS`): “Half-open” — sends SYN, receives SYN-ACK, sends RST. Default when root. Faster and stealthier.
- Connect Scan (`-sT`): Full 3-way handshake. Default without root. Creates full connection logs — easily detected.
UDP Scanning
Stateless — significantly slower. Responses: data received = open; ICMP Port Unreachable (Type 3, Code 3) = closed; no response = open|filtered.
Packet Flag Reference
| Flag | Meaning |
|---|---|
| S | SYN — attempting connection |
| SA | SYN+ACK — port is open |
| RA | RST+ACK — port is closed |
Banner Grabbing
After the TCP 3-way handshake, services send a banner (PSH flag). Nmap reads this. Manual nc grabs can reveal details Nmap sanitizes (e.g., OS distribution in SMTP: 220 inlane ESMTP Postfix (Ubuntu)).
Recommended workflow:
- Quick scan of common ports
- Full `-p-` scan in background
- Version scan (`-sV`) only on confirmed open ports
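The glue between the two stages, as an added example that is not part of the original cheatsheet: it assumes the full-port sweep was saved with Nmap's grepable output (`-oG sweep.gnmap`), parses the recorded open ports into the `-p` list for the targeted `-sV -sC` pass, and, on the stage-two file, lists services sitting off their conventional port for the report. The sample `.gnmap` content and the host `10.0.0.5` are constructed.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: turn the fast full-port
# sweep's grepable output into the input for the targeted -sV/-sC pass.
# Assumes the sweep was saved with -oG:  nmap -p- --min-rate 5000 -oG sweep.gnmap [TARGET]

# Write a constructed sample of -oG output (not a real scan) to path $1.
# Service names here are -sV style; a plain sweep only shows the nmap-services lookup.
write_sample_gnmap() {
  printf '%s\n' '# Nmap scan initiated (constructed sample)' > "$1"
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 2222/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65530)\n' >> "$1"
  printf '%s\n' '# Nmap done (constructed sample)' >> "$1"
}

# One "port/state/proto//service///" record per line from the -oG file $1.
port_records() {
  grep '^Host:.*Ports:' "$1" \
    | sed 's/^.*Ports: //; s/[[:space:]]*Ignored State:.*$//' \
    | tr ',' '\n' | tr -d ' '
}

# Comma-separated open TCP ports, numerically sorted: the -p argument for stage two.
open_tcp_ports() {
  port_records "$1" \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n | paste -sd, -
}

# Stage-two command built from the recorded ports ($1 = .gnmap, $2 = target).
# Printed rather than executed so the example stays offline; pipe it into sh to run.
targeted_scan_cmd() {
  ports=$(open_tcp_ports "$1")
  [ -n "$ports" ] || { echo "no open TCP ports recorded in $1" >&2; return 1; }
  echo "nmap -p $ports -sV -sC $2"
}

# Reporting aid, for the stage-two (-sV) file: open ports whose identified service
# sits off its conventional port (e.g. SSH on 2222), noted as potential evasion.
nonstandard_services() {
  port_records "$1" \
    | awk -F/ 'BEGIN { std["ssh"]=22; std["http"]=80; std["https"]=443; std["smtp"]=25; std["ftp"]=21 }
               $2 == "open" && ($5 in std) && std[$5] != $1 { print $1 "/" $5 }'
}
```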
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Full `-p-` scan misses known-open port | Packets dropped at `--min-rate 5000` | Re-run confirmation scan: `nmap -p [EXPECTED_PORT] -sV -sC --max-retries 5 [TARGET]` |
| UDP scan shows all ports as ‘open\|filtered’ | No ICMP unreachable responses from target | |
| SYN scan requires root, running as user | Raw socket permission denied | Use `-sT` (TCP connect scan); functionally equivalent for port discovery, slightly more detectable |
| Port alternates between ‘open’ and ‘closed’ between scans | Dynamic port or service restart | Service may restart on connection; try `--max-retries 1` and accept the state from the first probe |
| Scan finds many high ports open (>49152) | Windows ephemeral port range or RPC endpoint mapper | Check with `nmap --script msrpc-enum -p 135`; high ports may be dynamic RPC endpoints |
📝 Reporting Trigger
Finding Title: (Port scanning findings are services discovered — each open service becomes a separate finding. Non-standard service on unexpected port [e.g., SSH on 2222] should be noted as potential evasion. Exhaustive port coverage should be documented in methodology section.)