Nmap

Host Discovery

# Ping sweep (no port scan)
nmap -sn 192.168.1.0/24

# ARP discovery (local network, requires root)
nmap -PR -sn 192.168.1.0/24

# TCP SYN ping
nmap -PS22,80,443 -sn <ip>

# UDP ping
nmap -PU53,161 -sn <ip>

# ICMP echo + timestamp + netmask
nmap -PE -PP -PM -sn <ip>

# No ping (treat host as up)
nmap -Pn <ip>

# Disable DNS resolution
nmap -n -sn 192.168.1.0/24

# List targets without scanning
nmap -sL 192.168.1.0/24

Port Scanning — TCP

# SYN scan (default, requires root)
nmap -sS <ip>

# Full TCP connect scan (no root needed)
nmap -sT <ip>

# All ports
nmap -sS -p- <ip>

# Top 1000 ports (default)
nmap -sS <ip>

# Top N ports
nmap --top-ports 100 <ip>

# Specific ports
nmap -p 22,80,443,8080,8443 <ip>

# Port range
nmap -p 1-65535 <ip>

# HTB/CTF standard full scan
nmap -sCV -T4 --min-rate=1000 -p- <ip>

# Fast initial scan then full
nmap -sS --top-ports 1000 <ip> && nmap -sS -p- <ip>

Port Scanning — UDP

# UDP scan (slow, requires root)
nmap -sU <ip>

# UDP top ports
nmap -sU --top-ports 100 <ip>

# Combined TCP + UDP
nmap -sS -sU -p T:80,443,U:53,161 <ip>

# Common UDP ports
nmap -sU -p 53,67,68,69,123,161,162,500,514,623,1900,4500 <ip>

Service & Version Detection

# Version detection
nmap -sV <ip>

# Aggressive version detection (intensity 0-9)
nmap -sV --version-intensity 9 <ip>

# Light version detection
nmap -sV --version-intensity 0 <ip>

# Version + default scripts
nmap -sCV <ip>

OS Detection

# OS detection
nmap -O <ip>

# Aggressive OS detection
nmap -O --osscan-guess <ip>

# OS + version + scripts + traceroute
nmap -A <ip>

# Full aggressive
nmap -A -T4 <ip>

Script Scanning (NSE)

# Default scripts
nmap -sC <ip>

# Specific script category
nmap --script=vuln <ip>
nmap --script=auth <ip>
nmap --script=discovery <ip>
nmap --script=exploit <ip>
nmap --script=brute <ip>
nmap --script=safe <ip>

# Multiple categories
nmap --script="vuln and safe" <ip>
nmap --script="default or vuln" <ip>

# Specific script
nmap --script=http-title <ip>

# Script with arguments
nmap --script=http-brute --script-args userdb=/usr/share/wordlists/users.txt,passdb=<wordlist> <ip>

# List available scripts (here filtered to the SMB ones; drop the grep to see all)
ls /usr/share/nmap/scripts/ | grep smb

NSE Scripts — SMB

# SMB enumeration suite
nmap -p 445 --script=smb-enum-shares,smb-enum-users,smb-enum-sessions,smb-os-discovery <ip>

# SMB security mode
nmap -p 445 --script=smb-security-mode <ip>

# SMB vulnerabilities
nmap -p 445 --script=smb-vuln-* <ip>

# EternalBlue (MS17-010)
nmap -p 445 --script=smb-vuln-ms17-010 <ip>

# MS08-067
nmap -p 445 --script=smb-vuln-ms08-067 <ip>

# SMB brute force
nmap -p 445 --script=smb-brute <ip>

# SMB2 support
nmap -p 445 --script=smb2-capabilities <ip>

# Full SMB recon
nmap -p 139,445 --script="smb-*" <ip>

NSE Scripts — HTTP

# HTTP info gathering
nmap -p 80,443,8080,8443 --script=http-title,http-server-header,http-headers <ip>

# HTTP methods
nmap -p <port> --script=http-methods <ip>

# HTTP auth
nmap -p <port> --script=http-auth-finder <ip>

# Web app vuln scan
nmap -p <port> --script=http-vuln-* <ip>

# HTTP auth brute force (http-brute guesses credentials against HTTP authentication, not directories; for path enumeration see http-enum below)
nmap -p <port> --script=http-brute <ip>

# SQL injection
nmap -p <port> --script=http-sql-injection <ip>

# XSS (http-xssed looks up previously reported XSS for the host in the xssed.com archive; it does not test the site itself)
nmap -p <port> --script=http-xssed <ip>

# WordPress
nmap -p <port> --script=http-wordpress-users,http-wordpress-enum <ip>

# HTTP enum (dirbuster-style)
nmap -p <port> --script=http-enum <ip>

# Shellshock
nmap -p <port> --script=http-shellshock <ip>

# robots.txt
nmap -p <port> --script=http-robots.txt <ip>

NSE Scripts — FTP

# FTP anonymous login
nmap -p 21 --script=ftp-anon <ip>

# FTP bounce
nmap -p 21 --script=ftp-bounce <ip>

# FTP brute
nmap -p 21 --script=ftp-brute <ip>

# FTP syst
nmap -p 21 --script=ftp-syst <ip>

# Full FTP recon
nmap -p 21 --script="ftp-*" <ip>

NSE Scripts — SSH

# SSH host keys
nmap -p 22 --script=ssh-hostkey <ip>

# SSH auth methods
nmap -p 22 --script=ssh-auth-methods --script-args="ssh.user=<username>" <ip>

# SSH brute
nmap -p 22 --script=ssh-brute --script-args userdb=/usr/share/wordlists/users.txt,passdb=<wordlist> <ip>

# SSH2 algorithms
nmap -p 22 --script=ssh2-enum-algos <ip>

# SSH protocol version 1 support check (sshv1 reports whether the server still accepts SSHv1; it is not a CVE scanner)
nmap -p 22 --script=sshv1 <ip>

NSE Scripts — MSSQL

# MSSQL info
nmap -p 1433 --script=ms-sql-info <ip>

# MSSQL empty password
nmap -p 1433 --script=ms-sql-empty-password <ip>

# MSSQL config
nmap -p 1433 --script=ms-sql-config <ip>

# MSSQL query execution
nmap -p 1433 --script=ms-sql-query --script-args="mssql.username=sa,mssql.password=<password>,ms-sql-query.query=SELECT @@version" <ip>

# MSSQL xp_cmdshell
nmap -p 1433 --script=ms-sql-xp-cmdshell --script-args="mssql.username=sa,mssql.password=<password>,ms-sql-xp-cmdshell.cmd=whoami" <ip>

# MSSQL brute
nmap -p 1433 --script=ms-sql-brute <ip>

# Full MSSQL
nmap -p 1433 --script="ms-sql-*" --script-args="mssql.username=sa,mssql.password=<password>" <ip>

NSE Scripts — SNMP

# SNMP info
nmap -sU -p 161 --script=snmp-info <ip>

# SNMP system description
nmap -sU -p 161 --script=snmp-sysdescr <ip>

# SNMP interfaces
nmap -sU -p 161 --script=snmp-interfaces <ip>

# SNMP processes
nmap -sU -p 161 --script=snmp-processes <ip>

# SNMP Windows users
nmap -sU -p 161 --script=snmp-win32-users <ip>

# SNMP Windows services
nmap -sU -p 161 --script=snmp-win32-services <ip>

# SNMP brute community string
nmap -sU -p 161 --script=snmp-brute <ip>

# Full SNMP
nmap -sU -p 161 --script="snmp-*" <ip>

NSE Scripts — RDP

# RDP info
nmap -p 3389 --script=rdp-enum-encryption <ip>

# RDP vuln check (MS12-020 — not BlueKeep, which is CVE-2019-0708 and not covered by this script)
nmap -p 3389 --script=rdp-vuln-ms12-020 <ip>

# NLA check (same script as above; its output lists whether CredSSP/NLA is supported)
nmap -p 3389 --script=rdp-enum-encryption <ip>

NSE Scripts — Other Services

# MySQL
nmap -p 3306 --script=mysql-info,mysql-empty-password,mysql-brute <ip>

# PostgreSQL
nmap -p 5432 --script=pgsql-brute <ip>

# MongoDB
nmap -p 27017 --script=mongodb-info,mongodb-databases <ip>

# Redis
nmap -p 6379 --script=redis-info <ip>

# Memcached
nmap -p 11211 --script=memcached-info <ip>

# LDAP
nmap -p 389,636 --script=ldap-rootdse,ldap-search <ip>

# DNS
nmap -p 53 --script=dns-zone-transfer --script-args="dns-zone-transfer.domain=<domain>" <ip>

# SMTP
nmap -p 25,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay <ip>

# POP3/IMAP
nmap -p 110,143,993,995 --script=pop3-capabilities,imap-capabilities <ip>

# VNC
nmap -p 5900 --script=vnc-info,vnc-brute,realvnc-auth-bypass <ip>

# NFS
nmap -p 111,2049 --script=nfs-ls,nfs-showmount,nfs-statfs <ip>

# Telnet
nmap -p 23 --script=telnet-ntlm-info <ip>

Timing Templates

# T0 - paranoid (IDS evasion)
nmap -T0 <ip>

# T1 - sneaky
nmap -T1 <ip>

# T2 - polite
nmap -T2 <ip>

# T3 - normal (default)
nmap -T3 <ip>

# T4 - aggressive (recommended for CTF/HTB)
nmap -T4 <ip>

# T5 - insane
nmap -T5 <ip>

# Manual timing control
nmap --min-rate=1000 --max-rate=5000 <ip>
nmap --min-parallelism=50 --max-parallelism=200 <ip>
nmap --scan-delay=100ms <ip>
nmap --max-retries=2 <ip>

Output Formats

# Normal output
nmap -oN scan.txt <ip>

# Grepable output
nmap -oG scan.gnmap <ip>

# XML output
nmap -oX scan.xml <ip>

# All formats at once
nmap -oA scan <ip>

# Append to existing file (with -oN - the shell's >> does the appending; --append-output only matters when -oN/-oG/-oX/-oA name a file directly)
nmap -oN - --append-output <ip> >> scan.txt

# Script kiddie output (leet speak)
nmap -oS scan.txt <ip>

# Verbose output
nmap -v <ip>
nmap -vv <ip>

# Debug output
nmap -d <ip>
nmap --packet-trace <ip>

Firewall Evasion

# Fragment packets (8 bytes per fragment)
nmap -f <ip>

# Double fragmentation (16 bytes)
nmap -ff <ip>

# Custom MTU
nmap --mtu 24 <ip>

# Decoy scan (use fake source IPs)
nmap -D RND:10 <ip>
nmap -D 192.168.1.5,192.168.1.10,ME <ip>

# Source port spoofing (bypass firewall rules allowing 53/80)
nmap --source-port 53 <ip>
nmap -g 80 <ip>

# Custom TTL
nmap --ttl 64 <ip>

# Spoof MAC address
nmap --spoof-mac 0 <ip>        # random MAC
nmap --spoof-mac Cisco <ip>    # vendor prefix

# Randomize target order
nmap --randomize-hosts <ip>/24

# Bad checksum (evade some IDS)
nmap --badsum <ip>

# Idle scan (zombie host)
nmap -sI <zombie_ip> <ip>

# Slow scan with fragmentation
nmap -T1 -f --source-port 53 <ip>

Parsing with grep/awk

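# Extract open ports from grepable output
# The "Ports:" field of a grepable (-oG) line lists every port of a host on
# that one line, so picking a single awk column only ever returned the first
# port; match each "N/open" token instead (same idiom as the one-liners below).
grep -oP '\d+(?=/open)' scan.gnmap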

# One-liner: extract just open port numbers
nmap -p- -oG - <ip> | grep "open" | grep -oP '\d+(?=/open)'

# Extract hosts with specific port open
grep "445/open" scan.gnmap | awk '{print $2}'

# Parse XML with xmllint
xmllint --xpath "//port[@state='open']" scan.xml

# Extract all IPs from subnet scan
nmap -sn 192.168.1.0/24 -oG - | grep "Up" | awk '{print $2}'

# One-liner full scan + grep for open ports
nmap -sCV -T4 -p- <ip> -oG - | grep "open"

# Extract services from normal output
grep "open" scan.txt | awk '{print $1, $3}'

# Port list for use with other tools
nmap -p- <ip> -oG - | grep "open" | grep -oP '\d+(?=/open)' | tr '\n' ',' | sed 's/,$//'

# Find hosts with RDP open across subnet
nmap -p 3389 -oG - 192.168.1.0/24 | grep "3389/open" | awk '{print $2}'

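# Extract version strings from normal (-oN) output: port, service, then the
# VERSION column. Matching on "N/tcp open" / "N/udp open" selects the data rows;
# a plain grep for "VERSION" only returns the "PORT STATE SERVICE VERSION"
# header line. NF > 3 skips ports for which no version banner was recorded.
awk '/^[0-9]+\/(tcp|udp) +open/ && NF > 3 { printf "%s %s", $1, $3; for (i = 4; i <= NF; i++) printf " %s", $i; print "" }' scan.txt
# Tokens enclosed in parentheses that contain no whitespace
grep -oP '(?<=\()\S+(?=\))' scan.txt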

Common Compound Commands

# HTB/CTF quick win
nmap -sCV -T4 --min-rate=1000 -p- <ip> -oA /tmp/nmap_<ip>

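# Full recon with all scripts on discovered ports
# The port list is built from grepable output, de-duplicated and joined with
# commas without a trailing comma (paste instead of tr). The second scan only
# runs when at least one port was found: with an empty, unquoted $ports the
# "-p" option would otherwise consume the target as its argument.
ports=$(nmap -p- --min-rate=5000 -T4 <ip> -oG - | grep -oP '\d+(?=/open)' | sort -un | paste -sd, -)
if [[ -n "$ports" ]]; then
  nmap -sCV -p "$ports" <ip>
else
  printf 'no open ports found, skipping script scan\n' >&2
fi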

# Vuln scan on web ports
nmap -p 80,443,8080,8443 --script="http-* and vuln" <ip>

# Domain controller full recon
nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 <ip>

# Linux box full recon
nmap -sCV -p 21,22,25,53,80,110,111,143,443,445,2049,3306,5432,6379,8080 <ip>