Nmap is a widely used port scanner. If nmap doesn’t return all ports in a CTF box, try rustscan (don’t use on actual engagements).
Basic Usage
Port Scan
-sS: SYN scan (does not complete the TCP handshake)
-sT: TCP connect scan (completes the handshake)
-sU: UDP scan
-sn: Ping scan, i.e. host discovery without a port scan, using several probe types
--open: Display open ports only
-v, -vv, -vvv: Verbosity (e.g. show ports as they are found)
-iL: Read target IPs from a file
Additional Enumeration
-sC: Default scripts (equivalent to --script=default)
--script=default,vuln: Run specific script categories or scripts
--script-args=unsafe=1: Pass arguments to scripts
-sV: Service version detection (may also reveal OS info)
-O: OS detection
Saving
-oA: Output all formats at once (nmap appends .nmap, .gnmap and .xml to the given base name)
-oG: Output greppable format
-oN: Output normal format
-oX: Output XML format (usable with other tools like searchsploit)
Examples
Top Ports scan
Initial scan
"Full" scan
All ports, SYN scan, default scripts, vuln check, version check, output all formats
OS Fingerprinting
No guarantees
Network Sweeping
Use -sn during a network sweep to send a variety of probes in addition to ICMP echo requests.
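As an added example (not part of the original notes), a POSIX shell helper that reads the greppable (-oG) output of such a sweep and lists the open ports per host. The hosts, ports and version strings below are constructed sample output, not a live scan.

```shell
#!/bin/sh
# Triage helper for nmap greppable (-oG) output: added example, not nmap's own tooling.
# Each "Host:" line is tab-separated; the "Ports:" field holds entries of the form
#   port/state/proto/owner/service/rpc/version/   separated by ", ".

# write_sample_gnmap FILE: writes a constructed -oG file (addresses and versions are made up).
write_sample_gnmap() {
    printf '# Nmap scan initiated as: nmap -sS -sV --open -oG sweep.gnmap 10.0.0.0/24\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$1"
    printf 'Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/\tIgnored State: closed (999)\n' >> "$1"
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n' >> "$1"
}

# open_ports_from_gnmap FILE: prints "<host> <port>/<proto> <service> <version>" for every open port.
# Closed/filtered entries and comment lines are skipped.
open_ports_from_gnmap() {
    awk '
        BEGIN { FS = "\t" }
        /^Host:/ {
            split($1, h, " ")                 # "Host: 10.0.0.5 ()" -> h[2] is the address
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports:/) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, p, ", ")    # one entry per port
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                        if (f[2] == "open")
                            printf "%s %s/%s %s %s\n", h[2], f[1], f[3], f[5], f[7]
                    }
                }
            }
        }' "$1"
}

# Usage: build the sample file and list its open ports.
sample=$(mktemp)
write_sample_gnmap "$sample"
open_ports_from_gnmap "$sample"
rm -f "$sample"
```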