Nmap - Network Enumeration
Cheatsheet
# entire range scan
rustscan -a 192.168.1.0/24
# simply use this and forget
sudo rustscan -a 192.168.1.7 -- -A -oA results
# Full TCP scan with service detection and default scripts
sudo nmap <IP> -p- -sV -sC -oA full_tcp
# top 1000 ports
sudo nmap <IP> -sS -Pn -n -oA quick
# Aggressive scan
sudo nmap <IP> -A -oA aggressive
# UDP scan top 100 ports
sudo nmap <IP> -sU -F -oA udp_fast
# Host discovery sweep a subnet
sudo nmap <NETWORK>/24 -sn -oA discovery
# Host discovery from file
sudo nmap -sn -iL hosts.lst -oA discovery
# NSE vuln scan on specific port
sudo nmap <IP> -p <PORT> -sV --script vuln -oA vuln_check
# Firewall evasion decoy scan
sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping -D RND:5
# Firewall evasion source port 53
sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping --source-port 53
# Connect to a filtered port using source port 53
ncat -nv --source-port 53 <IP> <PORT>
# Convert XML output to HTML report
xsltproc target.xml -o target.htmlMethodology
Phase 1: Host Discovery
Ask yourself this :
- Which hosts in the target scope are actually alive?
- Are ICMP echo requests being blocked by host firewalls?
- Should I use ARP ping (same subnet) or ICMP/TCP probes (remote)?
- Does the absence of a response mean the host is down, or that probes are filtered?
- What alternative discovery methods should I try if ICMP fails?
- Sweep the network range with
-snto identify live hosts. - If targets are on the same subnet, ARP pings fire automatically check results.
- If hosts appear down, retry with TCP SYN to common ports (
-PS22,80,443) or TCP ACK (-PA80). - For specific targets from a list, use
-iL hosts.lst. - Save all discovery results with
-oAfor comparison across methods. - Note which hosts responded and which did not non-responders may or may not need further investigation.
# Subnet sweep
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
# IP range shorthand
sudo nmap -sn -oA tnet 10.129.2.18-20
# Force ICMP echo (disable ARP on local subnet)
sudo nmap <IP> -sn -PE --disable-arp-ping --packet-trace
# Use --reason to confirm why Nmap considers a host alive
sudo nmap <IP> -sn -PE --reasonPhase 2: Port Scanning
Ask yourself this :
- Should I start with a quick top-ports scan or go directly to a full port scan?
- What scan technique is appropriate SYN (stealth) or Connect (no root)?
- Are there filtered ports that indicate a firewall is in play?
- How do I distinguish between dropped packets (no response) and rejected packets (RST/ICMP)?
- Have I scanned UDP ports, or only TCP?
- What is the acceptable trade-off between speed and accuracy for this engagement?
- Run a fast initial scan (
-For--top-ports=100/1000) to get a quick picture. - Launch a full TCP port scan (
-p-) in the background. - Check filtered ports, use
--packet-traceand--reasonto determine if packets are dropped or rejected. - Run a UDP scan (
-sU -F) on the target, administrators often forget UDP filtering. - Record all port states: open, closed, filtered, open|filtered.
- If time-constrained, prioritize full TCP then targeted UDP on common services (53, 67, 68, 69, 123, 137, 138, 161, 500, 514, 1900, 5353).
# SYN scan top 1000 (default, requires root)
sudo nmap <IP> -sS -oA syn_scan
# Connect scan
nmap <IP> -sT -oA connect_scan
# Full port range
sudo nmap <IP> -p- -oA all_ports
# Trace a specific port to understand firewall behavior
sudo nmap <IP> -p <PORT> --packet-trace -Pn -n --disable-arp-ping
# UDP scan top 100
sudo nmap <IP> -sU -F -oA udp_scanPhase 3: Service Enumeration and Version Detection
Ask yourself this :
- What exact service and version is running on each open port?
- Does the banner agree with what Nmap’s signature matching reports?
- Is Nmap missing information that a manual banner grab would reveal?
- What OS can I infer from service banners and TTL values?
- Which services are candidates for known CVEs based on their version?
- Run
-sVon all discovered open ports to fingerprint services. - Manually banner-grab interesting/unknown ports with
ncorncatto catch details Nmap misses. - Use
-sC(default scripts) for safe additional enumeration. - Run the aggressive scan (
-A) if noise is acceptable and combines-sV,-O,--traceroute,-sC. - Compare automatic results with manual ones, Nmap sometimes truncates banner data.
- Record exact versions for exploit research.
# Service version detection
sudo nmap <IP> -p- -sV -oA versions
# Version + default scripts
sudo nmap <IP> -p- -sV -sC -oA full_enum
# Manual banner grab to validate
ncat -nv <IP> <PORT>
# Monitor progress on long scans
sudo nmap <IP> -p- -sV --stats-every=5sPhase 4: NSE Scripts and Vulnerability Assessment
Ask yourself this :
- Which NSE script categories are safe to run without disrupting services?
- Does the
vulncategory reveal known CVEs for the detected versions? - Are there service-specific scripts that extract additional data (users, shares, directories)?
- What is the OPSEC cost of running intrusive script categories?
- Do script results match what I would expect from the identified version?
- Run
--script vulnagainst high-value ports to identify known vulnerabilities. - Use targeted scripts for specific services (e.g.,
banner,smtp-commandsfor SMTP). - Avoid
brute,dos,exploit, andintrusivecategories unless explicitly authorized and OPSEC-acceptable. - Cross-reference CVEs reported by NSE with version data, validate applicability.
- Record all script output for the report.
# Default safe scripts
sudo nmap <IP> -p <PORT> -sC
# Vulnerability scanning
sudo nmap <IP> -p <PORT> -sV --script vuln
# Specific scripts
sudo nmap <IP> -p 25 --script banner,smtp-commands
# Script category
sudo nmap <IP> --script discoveryPhase 5: Firewall and IDS/IPS Evasion
Ask yourself this :
- Are filtered ports being dropped (no response/long timeout) or rejected (ICMP unreachable/RST/ICMP error)?
- Does an ACK scan (
-sA) reveal unfiltered ports that a SYN scan shows as filtered? - Can I bypass firewall rules using source port manipulation (DNS port 53)?
- Would decoys or fragmentation help avoid IDS detection?
- Is there an IPS actively blocking my scanning IP?
- Should I switch to a different IP/MAC address if I’m being blocked?
- Compare SYN scan results with ACK scan results to map firewall rules.
- Test filtered ports with
--source-port 53,poorly configured firewalls trust DNS traffic. - Use decoy scans (
-D RND:5) to obscure the true source among noise. - Try scanning from a different source IP (
-S <IP> -e <interface>) to test subnet-based rules. - Fragment packets (
-f) to evade shallow packet inspection. - Use
--data-length <num>to make packets less signature-matchable. - If a VPS gets blocked, switch to another IP/MAC address, confirms IPS is active.
- Connect to newly discovered open ports via
ncat --source-port 53to confirm access.
# ACK scan to detect firewall rules
sudo nmap <IP> -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace
# Decoy scan with 5 random IPs
sudo nmap <IP> -p 80 -sS -Pn -n --disable-arp-ping -D RND:5
# Source port 53 to bypass misconfigured firewalls
sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping --source-port 53
# Spoof source IP (must specify interface)
sudo nmap <IP> -p <PORT> -O -S <SPOOFED_IP> -e tun0
# Confirm access to a filtered port using source port 53
ncat -nv --source-port 53 <IP> <PORT>
# Specify DNS servers for queries
sudo nmap <IP> --dns-server <NS1>,<NS2>Phase 6: Performance Tuning
Ask yourself this :
- Is scan speed causing me to miss hosts or ports (false negatives)?
- Am I whitelisted, allowing aggressive timing, or must I stay under IDS thresholds?
- What is the network bandwidth and latency to the target?
- Is the trade-off between
-T4/-T5speed and potential detection acceptable? - Should I reduce retries or adjust RTT timeouts for this network?
- For whitelisted/lab environments, use
-T4or--min-rate 300to speed scans. - For stealth, use
-T2or-T1and accept longer scan times. - Adjust
--initial-rtt-timeoutand--max-rtt-timeoutbased on observed latency. - Reduce
--max-retries(default 10) to speed up but accept potential misses. - Always compare results between fast and default scans to quantify what speed costs.
# Aggressive timing
sudo nmap <NETWORK>/24 -F -T4
# Insane timing (lab only)
sudo nmap <NETWORK>/24 -F -T5
# Custom rate minimum 300 packets/second
sudo nmap <NETWORK>/24 -F --min-rate 300
# Reduced RTT for fast networks
sudo nmap <NETWORK>/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
# Zero retries (fastest, may miss ports)
sudo nmap <NETWORK>/24 -F --max-retries 0When the Scan Finds Nothing
Ask yourself this :
- Did I actually scan all 65535 TCP ports (
-p-), or stop at the top 1000? - Did I skip UDP entirely? Many footholds (SNMP, TFTP, DNS, IKE) are UDP-only.
- Is the host marked “down” only because it blocks ICMP? Did I try
-Pn? - Are aggressive timing or low retries causing false negatives?
- Could a firewall be dropping my SYN packets where another technique would succeed?
- Re-run with
-p- -Pnto force a full scan even if the host looks dead. - Add a UDP scan if you only ran TCP.
- Slow down (
-T2, default retries) and compare against the fast baseline. - Try alternate techniques:
-sT(no root),-sA(firewall mapping),--source-port 53. - Switch source IP/VPS if an IPS may have blocked you.
- Confirm reachability outside Nmap (
ping,nc,traceroute) before assuming the host is offline.
OPSEC
Port scanning is inherently noisy assume a competent defender can see it. Pick the technique that matches your noise budget.
| Technique | Noise | Telemetry a defender sees |
|---|---|---|
SYN scan (-sS) | Medium | Many half-open connections; IDS signatures (e.g. Snort/Suricata portscan), firewall logs |
Connect scan (-sT) | High | Completed connections logged by the service itself (auth logs, web logs), netflow |
Aggressive (-A) | High | Version probes, OS fingerprint packets, NSE traffic, traceroute very distinctive |
UDP scan (-sU) | Medium | Bursts of empty datagrams; slow, sustained traffic that lingers in logs |
vuln/brute NSE | High–Critical | Exploit/login attempts; may appear as attacks and trigger blocks |
Decoy (-D) | Medium | Obscures source among spoofed IPs; volume still flags a portscan |
-T0/-T1 | Low | Spreads probes over time to stay under IDS thresholds; costs hours |
OPSEC Noise: medium-high · Telemetry: IDS portscan alerts, firewall deny logs, service connection logs, netflow · Prereq: root for -sS/-sU/-O · Footprint: connection log entries; no persistent change on target
Reference
Nmap Architecture
Nmap divides into five core capabilities:
- Host discovery determine which targets are alive
- Port scanning identify open, closed, and filtered ports
- Service enumeration fingerprint services and versions
- OS detection identify the operating system
- NSE scriptable interaction with target services
Syntax
nmap <scan types> <options> <target>Scan Techniques
| Flag | Technique | Use Case |
|---|---|---|
-sS | TCP SYN (half-open) | Default with root; stealthier than connect |
-sT | TCP Connect (full handshake) | No root required; creates logs on target |
-sA | TCP ACK | Firewall rule mapping (not port state) |
-sU | UDP | Stateless; slow; often forgotten by admins |
-sN/-sF/-sX | TCP Null/FIN/Xmas | Firewall evasion; unreliable on Windows |
-sW | TCP Window | Like ACK but inspects RST window field |
-sI | Idle scan | Fully blind via zombie host |
-sO | IP protocol scan | Identify supported IP protocols |
Port States
| State | Meaning |
|---|---|
open | Connection established (SYN-ACK for TCP, response for UDP) |
closed | RST received; port is accessible but no service listening |
filtered | No response or ICMP error; firewall likely dropping/rejecting |
unfiltered | ACK scan only; port accessible but open/closed unknown |
open|filtered | No response on UDP/Null/FIN/Xmas; ambiguous |
closed|filtered | Idle scan only; cannot determine state |
TCP SYN Scan Behavior
- Sends SYN → receives SYN-ACK = open
- Sends SYN → receives RST = closed
- Sends SYN → no response after retries = filtered
The three-way handshake is never completed, so no full TCP connection is logged by most services. Advanced IDS/IPS can still detect half-open scans.
TCP Connect Scan Behavior
Completes the full three-way handshake. More accurate but generates connection logs. Behaves like a normal client, making it less likely to crash fragile services.
UDP Scan Behavior
- Sends empty datagram → receives UDP response = open
- Sends empty datagram → receives ICMP port unreachable (type 3, code 3) = closed
- Sends empty datagram → no response after retries = open|filtered
UDP scanning is significantly slower than TCP due to lack of acknowledgment and longer timeouts.
OS Detection
-O fingerprints the operating system using TCP/IP stack behavior (packet ordering, initial sequence numbers, TCP options, window sizes). It needs root and is most accurate with at least one open and one closed port.
# Standalone OS detection
sudo nmap <IP> -O
# More aggressive guessing when no exact match
sudo nmap <IP> -O --osscan-guessWhen Nmap cannot find an exact match it prints percentage-based “Aggressive OS guesses.” Treat these as hints, not facts corroborate with the TTL of replies (≈64 = Linux/Unix, ≈128 = Windows, ≈255 = network gear) and service banners. OS detection packets are distinctive and easily flagged, so run it only when the noise is acceptable.
NSE Script Categories
| Category | Description | OPSEC Risk |
|---|---|---|
auth | Authentication credential checks | Low |
broadcast | Host discovery via broadcast | Medium |
brute | Brute-force login attempts | High |
default | Safe scripts run with -sC | Low |
discovery | Service and network information gathering | Low |
dos | Denial-of-service testing | Critical |
exploit | Active exploitation of known vulnerabilities | Critical |
external | Queries external services (e.g., whois) | Low |
fuzzer | Protocol fuzzing | High |
intrusive | May crash or disrupt services | High |
malware | Malware infection checks | Low |
safe | Non-intrusive, non-destructive | Low |
version | Extended version detection | Low |
vuln | Vulnerability identification | Medium |
Output Formats
| Flag | Format | Extension | Use |
|---|---|---|---|
-oN | Normal text | .nmap | Human-readable |
-oG | Grepable | .gnmap | Quick parsing with grep/awk |
-oX | XML | .xml | Tool integration, HTML reports |
-oA | All three | all | Always use this |
Convert XML to HTML: xsltproc target.xml -o target.html
Timing Templates
| Template | Name | Use Case |
|---|---|---|
-T0 | Paranoid | IDS evasion; serialized; 5-minute wait between probes |
-T1 | Sneaky | IDS evasion; 15-second interval |
-T2 | Polite | Reduced bandwidth usage |
-T3 | Normal | Default |
-T4 | Aggressive | Fast; reliable networks |
-T5 | Insane | Lab/whitelisted only; may miss ports |
Performance Tuning Options
| Option | Effect | Trade-off |
|---|---|---|
--min-rate <n> | Minimum packets/second | May overwhelm slow links |
--max-retries <n> | Retry limit per port (default 10) | Lower = faster but may miss |
--initial-rtt-timeout <ms> | Starting RTT estimate | Too low = false negatives |
--max-rtt-timeout <ms> | Maximum wait for response | Too low = misses slow hosts |
--host-timeout <time> | Give up on a host after this | Skips unresponsive targets |
--min-parallelism <n> | Minimum parallel probes | Higher = faster, noisier |
Firewall Evasion Techniques
| Technique | Flag | How It Works |
|---|---|---|
| Decoy scan | -D RND:5 | Inserts fake source IPs among real scan packets |
| Source port spoof | --source-port 53 | Uses trusted port (DNS) as source |
| Source IP spoof | -S <IP> -e <iface> | Changes source IP (need responses routed back) |
| Fragmentation | -f | Splits packets into 8-byte fragments |
| MTU control | --mtu <size> | Custom fragment size (must be multiple of 8) |
| Data length | --data-length <n> | Appends random data to change packet signature |
| DNS servers | --dns-server <ns> | Use internal DNS servers for resolution |
| Idle scan | -sI <zombie> | Fully blind scan via IPID of zombie host |
ACK Scan for Firewall Mapping
The ACK scan (-sA) cannot determine if a port is open or closed it determines whether a port is filtered or unfiltered by a firewall:
- RST response = unfiltered (firewall allows the packet through)
- No response / ICMP error = filtered (firewall blocks it)
Compare -sS and -sA results side-by-side to understand which ports the firewall protects.
Banner Grabbing Beyond Nmap
Nmap’s -sV can miss details from service banners. Validate manually:
# Manual banner grab
nc -nv <IP> <PORT>
# Capture the three-way handshake + banner with tcpdump
sudo tcpdump -i eth0 host <LHOST> and <IP>The PSH-ACK packet after the handshake often contains the full banner including OS distribution details that Nmap may truncate.
Service banners can be customized or stripped. Never rely solely on banner data for OS/version identification cross-reference with other evidence (TTL values, TCP window sizes, protocol behavior).
Key Differences: Dropped vs. Rejected Packets
| Behavior | Indicator | What It Means |
|---|---|---|
| Dropped | No response; scan takes ~2s per port (retransmissions) | Firewall silently discards packets |
| Rejected | ICMP type 3/code 3 or TCP RST; fast response | Firewall explicitly denies and notifies |
Rejected packets reveal firewall presence immediately. Dropped packets waste attacker time but also confirm filtering if you compare timing.
Knowledge Check
Quiz
Your default Nmap scan of a host returns 'Host seems down. If it is really up, but blocking our ping probes, try -Pn.' You have confirmed the box is in scope and others on the subnet respond. What is the best next step?
Quiz
A SYN scan shows TCP/445 as 'filtered'. You need to know whether a firewall is dropping or rejecting the traffic, and whether any rule lets packets through. Which single technique most directly maps the firewall's behavior?
Quiz
You are scanning a target on a monitored corporate network and must stay under the IDS radar while still discovering services. Which approach best balances stealth with results?
Common Mistakes
Frequent errors
- Running only TCP scans and forgetting UDP critical services (DNS, SNMP, TFTP, NFS) live on UDP.
- Using
-T5on real engagements triggers IDS/IPS and may miss filtered ports. - Setting
--max-retries 0or aggressive RTT timeouts without comparing results to a baseline. - Assuming “filtered” means “protected” it means the firewall is there, and there may be bypass paths.
- Not saving all output (
-oA) makes comparison and reporting painful later. - Trusting Nmap’s version detection without manual banner validation.
- Scanning without
-Pnwhen targets block ICMP Nmap marks hosts as “down” and skips them. - Forgetting to try
--source-port 53on filtered ports misconfigured firewalls often trust DNS.
Attack Chains / Related Notes
- Leads to: Service-specific enumeration based on discovered ports FTP, SMB, SSH, SMTP, DNS, SNMP
- Leads to: Exploit research based on version information → Exploitation
- Leads to: Firewall rule mapping feeds into Lateral Movement pivot planning
- Related: Infrastructure Enumeration for broader recon context and alternative alive-detection when Nmap is blocked