Nmap is a widely used port scanner. If nmap doesn’t return all ports in a CTF box, try rustscan (don’t use on actual engagements).
Basic Usage
Port Scan
-sS: SYN Scan (does not complete handshake)
-sT: TCP Connect Scan (completes handshake)
-sU: UDP Scan
-sn: Additional probes for network scans
--open: Display open ports only
-v, -vv, -vvv : Verbosity (i.e. show ports as they are scanned)
-iL: Read IP from file
Additional Enumeration
-sC: Default scripts (equivalent to --script=default)
--script=default,vuln: Specifying specific scripts
--script-args=unsafe=1: Specifying script arguments
-sV: Service version detection (may also reveal OS info)
-O: OS version detection
Saving
-oA: Output all formats (different extensions will be added to the argument for different formats)
-oG: Output greppable format
-oN: Output normal format
-oX: Output XML format (usable with other tools like searchsploit)
Examples
Top Ports scan
mkdir -p nmap && sudo nmap --top-ports 30 -vvv -sS -sC -sV -oA nmap/top
Initial scan
mkdir -p nmap && nmap -vvv -sSVC -oA nmap/initial $IP”Full” scan
All ports, SYN scan, default scripts, vuln check, version check, output all formats
mkdir -p nmap && sudo nmap -vvv -p- -sSV --script=default,vuln -oA nmap/full $IPOS Fingerprinting
sudo nmap -O $IPNo guarantees
Network Sweeping
Use -sn during network sweep to use a variety of probes in addition to ICMP echo requests.
sudo nmap -sn 10.11.1.1-254
sudo nmap -sn 10.11.1.0/24