Skip to Content
Red Teaming01-ReconNmap - Network Enumeration

Nmap - Network Enumeration

Cheatsheet

# entire range scan rustscan -a 192.168.1.0/24 # simply use this and forget sudo rustscan -a 192.168.1.7 -- -A -oA results # Full TCP scan with service detection and default scripts sudo nmap <IP> -p- -sV -sC -oA full_tcp # top 1000 ports sudo nmap <IP> -sS -Pn -n -oA quick # Aggressive scan sudo nmap <IP> -A -oA aggressive # UDP scan top 100 ports sudo nmap <IP> -sU -F -oA udp_fast # Host discovery sweep a subnet sudo nmap <NETWORK>/24 -sn -oA discovery # Host discovery from file sudo nmap -sn -iL hosts.lst -oA discovery # NSE vuln scan on specific port sudo nmap <IP> -p <PORT> -sV --script vuln -oA vuln_check # Firewall evasion decoy scan sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping -D RND:5 # Firewall evasion source port 53 sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping --source-port 53 # Connect to a filtered port using source port 53 ncat -nv --source-port 53 <IP> <PORT> # Convert XML output to HTML report xsltproc target.xml -o target.html

Methodology

Phase 1: Host Discovery

Ask yourself this :

  • Which hosts in the target scope are actually alive?
  • Are ICMP echo requests being blocked by host firewalls?
  • Should I use ARP ping (same subnet) or ICMP/TCP probes (remote)?
  • Does the absence of a response mean the host is down, or that probes are filtered?
  • What alternative discovery methods should I try if ICMP fails?
  • Sweep the network range with -sn to identify live hosts.
  • If targets are on the same subnet, ARP pings fire automatically check results.
  • If hosts appear down, retry with TCP SYN to common ports (-PS22,80,443) or TCP ACK (-PA80).
  • For specific targets from a list, use -iL hosts.lst.
  • Save all discovery results with -oA for comparison across methods.
  • Note which hosts responded and which did not non-responders may or may not need further investigation.
# Subnet sweep sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 # IP range shorthand sudo nmap -sn -oA tnet 10.129.2.18-20 # Force ICMP echo (disable ARP on local subnet) sudo nmap <IP> -sn -PE --disable-arp-ping --packet-trace # Use --reason to confirm why Nmap considers a host alive sudo nmap <IP> -sn -PE --reason

Phase 2: Port Scanning

Ask yourself this :

  • Should I start with a quick top-ports scan or go directly to a full port scan?
  • What scan technique is appropriate SYN (stealth) or Connect (no root)?
  • Are there filtered ports that indicate a firewall is in play?
  • How do I distinguish between dropped packets (no response) and rejected packets (RST/ICMP)?
  • Have I scanned UDP ports, or only TCP?
  • What is the acceptable trade-off between speed and accuracy for this engagement?
  • Run a fast initial scan (-F or --top-ports=100/1000) to get a quick picture.
  • Launch a full TCP port scan (-p-) in the background.
  • Check filtered ports, use --packet-trace and --reason to determine if packets are dropped or rejected.
  • Run a UDP scan (-sU -F) on the target, administrators often forget UDP filtering.
  • Record all port states: open, closed, filtered, open|filtered.
  • If time-constrained, prioritize full TCP then targeted UDP on common services (53, 67, 68, 69, 123, 137, 138, 161, 500, 514, 1900, 5353).
# SYN scan top 1000 (default, requires root) sudo nmap <IP> -sS -oA syn_scan # Connect scan nmap <IP> -sT -oA connect_scan # Full port range sudo nmap <IP> -p- -oA all_ports # Trace a specific port to understand firewall behavior sudo nmap <IP> -p <PORT> --packet-trace -Pn -n --disable-arp-ping # UDP scan top 100 sudo nmap <IP> -sU -F -oA udp_scan

Phase 3: Service Enumeration and Version Detection

Ask yourself this :

  • What exact service and version is running on each open port?
  • Does the banner agree with what Nmap’s signature matching reports?
  • Is Nmap missing information that a manual banner grab would reveal?
  • What OS can I infer from service banners and TTL values?
  • Which services are candidates for known CVEs based on their version?
  • Run -sV on all discovered open ports to fingerprint services.
  • Manually banner-grab interesting/unknown ports with nc or ncat to catch details Nmap misses.
  • Use -sC (default scripts) for safe additional enumeration.
  • Run the aggressive scan (-A) if noise is acceptable and combines -sV, -O, --traceroute, -sC.
  • Compare automatic results with manual ones, Nmap sometimes truncates banner data.
  • Record exact versions for exploit research.
# Service version detection sudo nmap <IP> -p- -sV -oA versions # Version + default scripts sudo nmap <IP> -p- -sV -sC -oA full_enum # Manual banner grab to validate ncat -nv <IP> <PORT> # Monitor progress on long scans sudo nmap <IP> -p- -sV --stats-every=5s

Phase 4: NSE Scripts and Vulnerability Assessment

Ask yourself this :

  • Which NSE script categories are safe to run without disrupting services?
  • Does the vuln category reveal known CVEs for the detected versions?
  • Are there service-specific scripts that extract additional data (users, shares, directories)?
  • What is the OPSEC cost of running intrusive script categories?
  • Do script results match what I would expect from the identified version?
  • Run --script vuln against high-value ports to identify known vulnerabilities.
  • Use targeted scripts for specific services (e.g., banner,smtp-commands for SMTP).
  • Avoid brute, dos, exploit, and intrusive categories unless explicitly authorized and OPSEC-acceptable.
  • Cross-reference CVEs reported by NSE with version data, validate applicability.
  • Record all script output for the report.
# Default safe scripts sudo nmap <IP> -p <PORT> -sC # Vulnerability scanning sudo nmap <IP> -p <PORT> -sV --script vuln # Specific scripts sudo nmap <IP> -p 25 --script banner,smtp-commands # Script category sudo nmap <IP> --script discovery

Phase 5: Firewall and IDS/IPS Evasion

Ask yourself this :

  • Are filtered ports being dropped (no response/long timeout) or rejected (ICMP unreachable/RST/ICMP error)?
  • Does an ACK scan (-sA) reveal unfiltered ports that a SYN scan shows as filtered?
  • Can I bypass firewall rules using source port manipulation (DNS port 53)?
  • Would decoys or fragmentation help avoid IDS detection?
  • Is there an IPS actively blocking my scanning IP?
  • Should I switch to a different IP/MAC address if I’m being blocked?
  • Compare SYN scan results with ACK scan results to map firewall rules.
  • Test filtered ports with --source-port 53,poorly configured firewalls trust DNS traffic.
  • Use decoy scans (-D RND:5) to obscure the true source among noise.
  • Try scanning from a different source IP (-S <IP> -e <interface>) to test subnet-based rules.
  • Fragment packets (-f) to evade shallow packet inspection.
  • Use --data-length <num> to make packets less signature-matchable.
  • If a VPS gets blocked, switch to another IP/MAC address, confirms IPS is active.
  • Connect to newly discovered open ports via ncat --source-port 53 to confirm access.
# ACK scan to detect firewall rules sudo nmap <IP> -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace # Decoy scan with 5 random IPs sudo nmap <IP> -p 80 -sS -Pn -n --disable-arp-ping -D RND:5 # Source port 53 to bypass misconfigured firewalls sudo nmap <IP> -p <PORT> -sS -Pn -n --disable-arp-ping --source-port 53 # Spoof source IP (must specify interface) sudo nmap <IP> -p <PORT> -O -S <SPOOFED_IP> -e tun0 # Confirm access to a filtered port using source port 53 ncat -nv --source-port 53 <IP> <PORT> # Specify DNS servers for queries sudo nmap <IP> --dns-server <NS1>,<NS2>

Phase 6: Performance Tuning

Ask yourself this :

  • Is scan speed causing me to miss hosts or ports (false negatives)?
  • Am I whitelisted, allowing aggressive timing, or must I stay under IDS thresholds?
  • What is the network bandwidth and latency to the target?
  • Is the trade-off between -T4/-T5 speed and potential detection acceptable?
  • Should I reduce retries or adjust RTT timeouts for this network?
  • For whitelisted/lab environments, use -T4 or --min-rate 300 to speed scans.
  • For stealth, use -T2 or -T1 and accept longer scan times.
  • Adjust --initial-rtt-timeout and --max-rtt-timeout based on observed latency.
  • Reduce --max-retries (default 10) to speed up but accept potential misses.
  • Always compare results between fast and default scans to quantify what speed costs.
# Aggressive timing sudo nmap <NETWORK>/24 -F -T4 # Insane timing (lab only) sudo nmap <NETWORK>/24 -F -T5 # Custom rate minimum 300 packets/second sudo nmap <NETWORK>/24 -F --min-rate 300 # Reduced RTT for fast networks sudo nmap <NETWORK>/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms # Zero retries (fastest, may miss ports) sudo nmap <NETWORK>/24 -F --max-retries 0

When the Scan Finds Nothing

Ask yourself this :

  • Did I actually scan all 65535 TCP ports (-p-), or stop at the top 1000?
  • Did I skip UDP entirely? Many footholds (SNMP, TFTP, DNS, IKE) are UDP-only.
  • Is the host marked “down” only because it blocks ICMP? Did I try -Pn?
  • Are aggressive timing or low retries causing false negatives?
  • Could a firewall be dropping my SYN packets where another technique would succeed?
  • Re-run with -p- -Pn to force a full scan even if the host looks dead.
  • Add a UDP scan if you only ran TCP.
  • Slow down (-T2, default retries) and compare against the fast baseline.
  • Try alternate techniques: -sT (no root), -sA (firewall mapping), --source-port 53.
  • Switch source IP/VPS if an IPS may have blocked you.
  • Confirm reachability outside Nmap (ping, nc, traceroute) before assuming the host is offline.

OPSEC

Port scanning is inherently noisy assume a competent defender can see it. Pick the technique that matches your noise budget.

TechniqueNoiseTelemetry a defender sees
SYN scan (-sS)MediumMany half-open connections; IDS signatures (e.g. Snort/Suricata portscan), firewall logs
Connect scan (-sT)HighCompleted connections logged by the service itself (auth logs, web logs), netflow
Aggressive (-A)HighVersion probes, OS fingerprint packets, NSE traffic, traceroute very distinctive
UDP scan (-sU)MediumBursts of empty datagrams; slow, sustained traffic that lingers in logs
vuln/brute NSEHigh–CriticalExploit/login attempts; may appear as attacks and trigger blocks
Decoy (-D)MediumObscures source among spoofed IPs; volume still flags a portscan
-T0/-T1LowSpreads probes over time to stay under IDS thresholds; costs hours

OPSEC Noise: medium-high · Telemetry: IDS portscan alerts, firewall deny logs, service connection logs, netflow · Prereq: root for -sS/-sU/-O · Footprint: connection log entries; no persistent change on target

Reference

Nmap Architecture

Nmap divides into five core capabilities:

  1. Host discovery determine which targets are alive
  2. Port scanning identify open, closed, and filtered ports
  3. Service enumeration fingerprint services and versions
  4. OS detection identify the operating system
  5. NSE scriptable interaction with target services

Syntax

nmap <scan types> <options> <target>

Scan Techniques

FlagTechniqueUse Case
-sSTCP SYN (half-open)Default with root; stealthier than connect
-sTTCP Connect (full handshake)No root required; creates logs on target
-sATCP ACKFirewall rule mapping (not port state)
-sUUDPStateless; slow; often forgotten by admins
-sN/-sF/-sXTCP Null/FIN/XmasFirewall evasion; unreliable on Windows
-sWTCP WindowLike ACK but inspects RST window field
-sIIdle scanFully blind via zombie host
-sOIP protocol scanIdentify supported IP protocols

Port States

StateMeaning
openConnection established (SYN-ACK for TCP, response for UDP)
closedRST received; port is accessible but no service listening
filteredNo response or ICMP error; firewall likely dropping/rejecting
unfilteredACK scan only; port accessible but open/closed unknown
open|filteredNo response on UDP/Null/FIN/Xmas; ambiguous
closed|filteredIdle scan only; cannot determine state

TCP SYN Scan Behavior

  • Sends SYN → receives SYN-ACK = open
  • Sends SYN → receives RST = closed
  • Sends SYN → no response after retries = filtered

The three-way handshake is never completed, so no full TCP connection is logged by most services. Advanced IDS/IPS can still detect half-open scans.

TCP Connect Scan Behavior

Completes the full three-way handshake. More accurate but generates connection logs. Behaves like a normal client, making it less likely to crash fragile services.

UDP Scan Behavior

  • Sends empty datagram → receives UDP response = open
  • Sends empty datagram → receives ICMP port unreachable (type 3, code 3) = closed
  • Sends empty datagram → no response after retries = open|filtered

UDP scanning is significantly slower than TCP due to lack of acknowledgment and longer timeouts.

OS Detection

-O fingerprints the operating system using TCP/IP stack behavior (packet ordering, initial sequence numbers, TCP options, window sizes). It needs root and is most accurate with at least one open and one closed port.

# Standalone OS detection sudo nmap <IP> -O # More aggressive guessing when no exact match sudo nmap <IP> -O --osscan-guess

When Nmap cannot find an exact match it prints percentage-based “Aggressive OS guesses.” Treat these as hints, not facts corroborate with the TTL of replies (≈64 = Linux/Unix, ≈128 = Windows, ≈255 = network gear) and service banners. OS detection packets are distinctive and easily flagged, so run it only when the noise is acceptable.

NSE Script Categories

CategoryDescriptionOPSEC Risk
authAuthentication credential checksLow
broadcastHost discovery via broadcastMedium
bruteBrute-force login attemptsHigh
defaultSafe scripts run with -sCLow
discoveryService and network information gatheringLow
dosDenial-of-service testingCritical
exploitActive exploitation of known vulnerabilitiesCritical
externalQueries external services (e.g., whois)Low
fuzzerProtocol fuzzingHigh
intrusiveMay crash or disrupt servicesHigh
malwareMalware infection checksLow
safeNon-intrusive, non-destructiveLow
versionExtended version detectionLow
vulnVulnerability identificationMedium

Output Formats

FlagFormatExtensionUse
-oNNormal text.nmapHuman-readable
-oGGrepable.gnmapQuick parsing with grep/awk
-oXXML.xmlTool integration, HTML reports
-oAAll threeallAlways use this

Convert XML to HTML: xsltproc target.xml -o target.html

Timing Templates

TemplateNameUse Case
-T0ParanoidIDS evasion; serialized; 5-minute wait between probes
-T1SneakyIDS evasion; 15-second interval
-T2PoliteReduced bandwidth usage
-T3NormalDefault
-T4AggressiveFast; reliable networks
-T5InsaneLab/whitelisted only; may miss ports

Performance Tuning Options

OptionEffectTrade-off
--min-rate <n>Minimum packets/secondMay overwhelm slow links
--max-retries <n>Retry limit per port (default 10)Lower = faster but may miss
--initial-rtt-timeout <ms>Starting RTT estimateToo low = false negatives
--max-rtt-timeout <ms>Maximum wait for responseToo low = misses slow hosts
--host-timeout <time>Give up on a host after thisSkips unresponsive targets
--min-parallelism <n>Minimum parallel probesHigher = faster, noisier

Firewall Evasion Techniques

TechniqueFlagHow It Works
Decoy scan-D RND:5Inserts fake source IPs among real scan packets
Source port spoof--source-port 53Uses trusted port (DNS) as source
Source IP spoof-S <IP> -e <iface>Changes source IP (need responses routed back)
Fragmentation-fSplits packets into 8-byte fragments
MTU control--mtu <size>Custom fragment size (must be multiple of 8)
Data length--data-length <n>Appends random data to change packet signature
DNS servers--dns-server <ns>Use internal DNS servers for resolution
Idle scan-sI <zombie>Fully blind scan via IPID of zombie host

ACK Scan for Firewall Mapping

The ACK scan (-sA) cannot determine if a port is open or closed it determines whether a port is filtered or unfiltered by a firewall:

  • RST response = unfiltered (firewall allows the packet through)
  • No response / ICMP error = filtered (firewall blocks it)

Compare -sS and -sA results side-by-side to understand which ports the firewall protects.

Nmap’s -sV can miss details from service banners. Validate manually:

# Manual banner grab nc -nv <IP> <PORT> # Capture the three-way handshake + banner with tcpdump sudo tcpdump -i eth0 host <LHOST> and <IP>

The PSH-ACK packet after the handshake often contains the full banner including OS distribution details that Nmap may truncate.

Service banners can be customized or stripped. Never rely solely on banner data for OS/version identification cross-reference with other evidence (TTL values, TCP window sizes, protocol behavior).

Key Differences: Dropped vs. Rejected Packets

BehaviorIndicatorWhat It Means
DroppedNo response; scan takes ~2s per port (retransmissions)Firewall silently discards packets
RejectedICMP type 3/code 3 or TCP RST; fast responseFirewall explicitly denies and notifies

Rejected packets reveal firewall presence immediately. Dropped packets waste attacker time but also confirm filtering if you compare timing.

Knowledge Check

Quiz

Your default Nmap scan of a host returns 'Host seems down. If it is really up, but blocking our ping probes, try -Pn.' You have confirmed the box is in scope and others on the subnet respond. What is the best next step?

Quiz

A SYN scan shows TCP/445 as 'filtered'. You need to know whether a firewall is dropping or rejecting the traffic, and whether any rule lets packets through. Which single technique most directly maps the firewall's behavior?

Quiz

You are scanning a target on a monitored corporate network and must stay under the IDS radar while still discovering services. Which approach best balances stealth with results?

Common Mistakes

Frequent errors

  • Running only TCP scans and forgetting UDP critical services (DNS, SNMP, TFTP, NFS) live on UDP.
  • Using -T5 on real engagements triggers IDS/IPS and may miss filtered ports.
  • Setting --max-retries 0 or aggressive RTT timeouts without comparing results to a baseline.
  • Assuming “filtered” means “protected” it means the firewall is there, and there may be bypass paths.
  • Not saving all output (-oA) makes comparison and reporting painful later.
  • Trusting Nmap’s version detection without manual banner validation.
  • Scanning without -Pn when targets block ICMP Nmap marks hosts as “down” and skips them.
  • Forgetting to try --source-port 53 on filtered ports misconfigured firewalls often trust DNS.

#Penetration-Testing #HTB #Nmap #NetworkEnum #PortScan #ServiceDetection #Recon #RustScan #Firewall-Evasion #Linux #Windows #RedTeam #Certification

Last updated on