Nmap is a widely used port scanner. If nmap doesn’t return all ports in a CTF box, try rustscan (don’t use on actual engagements).

Basic Usage

Port Scan

-sS: SYN scan (half-open; does not complete the TCP handshake, needs root)
-sT: TCP connect scan (completes the handshake; works without root)
-sU: UDP scan
-sn: Host discovery only (no port scan); as root it sends several probe types in addition to ICMP echo
--open: Display open ports only
-v, -vv, -vvv: Verbosity (e.g. show ports as they are found)
-iL: Read target IPs/hosts from a file

Additional Enumeration

-sC: Default scripts (equivalent to --script=default)
--script=default,vuln: Run specific script categories or scripts
--script-args=unsafe=1: Pass script arguments
-sV: Service version detection (may also reveal OS info)
-O: OS detection

Saving

-oA: Output all formats (the appropriate extension is appended to the argument for each format)
-oG: Output greppable format
-oN: Output normal format
-oX: Output XML format (usable with other tools like searchsploit)
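The greppable (-oG) output is meant to be post-processed. As an added example that is not part of the original page, here is a small Python parser for that format which turns a scan into a per-host list of open ports and compares it against an expected-exposure baseline. The sample scan text is constructed, and the seven-field port layout (port/state/protocol/owner/service/rpc-info/version) is nmap's gnmap layout.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap greppable (-oG) output; not a real scan.
# Each "Ports:" entry is port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -sSV -oG nmap/initial.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//nginx 1.14.2/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.11.1.9 ()\tStatus: Up
Host: 10.11.1.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)/\tIgnored State: closed (999)
"""

# Seven slash-separated fields per port entry; the version field may contain spaces.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host: [port records]} from greppable output."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines start with '#'
        fields = line.split("\t")         # gnmap separates sections with tabs
        host = fields[0].split()[1]
        recs = hosts.setdefault(host, [])
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, _owner, svc, _rpc, ver in PORT_RE.findall(field):
                    recs.append({"port": int(port), "state": state, "proto": proto,
                                 "service": svc, "version": ver})
    return hosts


def open_ports(hosts: Dict[str, List[dict]]) -> Dict[str, List[Tuple[int, str]]]:
    """Only ports nmap reported as open, as (port, proto) per host."""
    return {h: [(r["port"], r["proto"]) for r in recs if r["state"] == "open"]
            for h, recs in hosts.items()}


def unexpected_exposures(hosts: Dict[str, List[dict]],
                         baseline: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports not in the per-host allow-list; hosts absent from it allow nothing."""
    out: Dict[str, List[int]] = {}
    for h, ports in open_ports(hosts).items():
        extra = sorted(p for p, proto in ports if proto == "tcp" and p not in baseline.get(h, set()))
        if extra:
            out[h] = extra
    return out
```

Feed it the `.gnmap` file written by -oA or -oG; a non-empty result from unexpected_exposures is a host exposing a service that is not on its allow-list.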

Examples

Top Ports scan

mkdir -p nmap && sudo nmap --top-ports 30 -vvv -sS -sC -sV -oA nmap/top $IP

Initial scan

mkdir -p nmap && sudo nmap -vvv -sSVC -oA nmap/initial $IP

"Full" scan

All ports, SYN scan, default scripts, vuln check, version check, output all formats

mkdir -p nmap && sudo nmap -vvv -p- -sSV --script=default,vuln -oA nmap/full $IP

OS Fingerprinting

sudo nmap -O $IP

OS detection is a best-effort fingerprint match; treat the result as a guess, with no guarantees.

Network Sweeping

Use -sn for a network sweep: it skips the port scan and, when run as root, sends several probe types (TCP SYN/ACK and ICMP timestamp) in addition to ICMP echo requests, so hosts that drop ping are still found.

sudo nmap -sn 10.11.1.1-254
sudo nmap -sn 10.11.1.0/24