Nmap commands note

Nmap progression guide starts with stealthy discovery and moves toward aggressive enumeration

Nmap Command References

Level 1: Host Discovery (The “Small” Start)

Use this when you first enter a network and need to find which IP addresses are “alive” without scanning every port.

  • Command: nmap -sn <target_range>

  • When to use: To map out the network. It pings the targets but does not scan any ports.

  • Example: nmap -sn 10.10.10.0/24


Level 2: Fast Port Scanning (The “Middle” Ground)

Use this once you have a specific IP and want to quickly see which common services are open.

  • Command: nmap -T4 --open <target_ip>

  • When to use: To get a quick list of open ports among the top 1,000 most common ones. -T4 increases the speed.

  • Example: nmap -T4 --open 10.10.10.123


Level 3: Service & Script Enumeration (The Heavy Lifting)

Use this to understand exactly what is running on the open ports you found in Level 2.

  • Command: nmap -sV -sC -p <ports> <target_ip>

  • When to use: After you know which ports are open.

    • -sV: Detects service versions.

    • -sC: Runs default Nmap scripts to find common vulnerabilities or extra info.

  • Example: nmap -sV -sC -p 22,80,443 10.10.10.123


Level 4: Full Port & Aggressive Scan (The “Loud” Finish)

Use this to ensure no hidden ports were missed and to gather every possible detail (OS, traceroute, etc.).

  • Command: nmap -A -p- <target_ip>

  • When to use: When you have time and don’t care about being “loud” or detected.

    • -p-: Scans all 65,535 ports (can take a long time).

    • -A: Aggressive mode (includes OS detection, versioning, scripts, and traceroute).

  • Example: nmap -A -p- 10.10.10.123


Flag Cheat Sheet for Quick Reference

Flag | Meaning           | Best For…
-sn  | No Port Scan      | Quick host discovery.
-p-  | All Ports         | Finding services on non-standard ports.
-sV  | Version Detection | Knowing exactly what software is running.
-sC  | Default Scripts   | Finding easy vulnerabilities automatically.
-A   | Aggressive        | Everything (OS, Versions, Scripts, Traceroute).
-T4  | Aggressive Timing | Speeding up scans on stable networks.
-oN  | Output Normal     | Saving your results to a file for later.
-Pn  | No Ping           | Scanning targets that block ping (ICMP) requests.

The “All-in-One” Initial Command

  nmap -p- -sV -sC -T4 -oN initial_scan.txt <target_ip>

2. Nmap Scripts

1. Vulnerability Scanning (NSE Scripts)

Nmap has a built-in scripting engine called NSE (Nmap Scripting Engine). You can use it to find specific vulnerabilities without needing a heavy scanner like Nessus.

  • Scan for vulnerabilities:

      nmap --script vuln <target_ip>

    • When to use: Use this after you find open ports to see if there are known CVEs (Common Vulnerabilities and Exposures) associated with them.

  • Scan for specific exploits (e.g., SMB):

      nmap -p 445 --script smb-vuln-ms17-010 <target_ip>

    • When to use: When you see a specific service (like SMB) and want to check for a famous exploit like EternalBlue.

2. Stealth & Firewall Evasion

Sometimes a firewall will block your scan. I will learn how to bypass these protections using the following flags:

  • Fragment Packets (-f): Splits the IP packet into tiny pieces to confuse simple firewalls.

      nmap -f <target_ip>

  • Decoy Scan (-D): Makes it look like the scan is coming from multiple IP addresses so the admin can’t tell which one is yours.

      nmap -D RND:10 <target_ip>

    (This sends scans from 10 random “decoy” IPs plus your own.)

  • Source Port Spoofing (--source-port): Forces the scan to come from a specific port (like 53 for DNS or 80 for HTTP), which some firewalls trust.

      nmap --source-port 53 <target_ip>

3. Saving Your Work (Output Formats)

Save your results so you don’t have to re-run the scan (which is slow and loud).

  • Save in all formats:

      nmap -A <target_ip> -oA machine_name

    • -oN: Normal (readable)

    • -oG: Greppable (easy to search with grep)

    • -oX: XML (used for importing into tools like Metasploit)

    • -oA: Saves all three at once!
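
As an added example (not code from the original note), the Python script below parses the greppable (-oG) output described above and turns each host's open ports into the comma-separated -p value that the Level 3 command (nmap -sV -sC -p <ports> <target_ip>) expects. The scan text inside it is constructed to mimic -oG output; it is not a real scan.

```python
"""Parse Nmap greppable (-oG) output and build the -p list for a follow-up scan.
Added example, not code from the original note; SAMPLE_OG is constructed, not a real scan.
"""
from collections import defaultdict

# Constructed sample (not real scan output). Fields on a Host: line are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 10.10.10.0/24
Host: 10.10.10.123 ()\tStatus: Up
Host: 10.10.10.123 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.10.10.200 ()\tStatus: Up
Host: 10.10.10.200 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:00:30 2024 -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

def parse_greppable(text):
    """Return {ip: [(port, proto, state, service, version), ...]} from -oG text.
    Only 'Ports:' lines carry port data; 'Status:' lines (host discovery) and
    '#' comment lines are skipped. maxsplit=6 keeps the version field whole
    even if it contains a '/'."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]          # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            hosts[ip].append((int(port), proto, state, service, version.rstrip("/")))
    return dict(hosts)

def open_port_list(hosts):
    """Map each host to a comma-separated list of its open ports, i.e. the
    value to pass as -p in 'nmap -sV -sC -p <ports> <target_ip>'."""
    return {
        ip: ",".join(str(port) for port, _, state, _, _ in sorted(entries) if state == "open")
        for ip, entries in hosts.items()
    }

if __name__ == "__main__":
    found = parse_greppable(SAMPLE_OG)
    for ip, ports in open_port_list(found).items():
        print(f"nmap -sV -sC -p {ports} {ip}")
```

Run it against a real file with `parse_greppable(open("machine_name.gnmap").read())` to get the same host-to-ports map from an -oA run.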


4. Advanced Enumeration (HTTP & DNS)

Nmap can do more than just tell you a port is open; it can tell you what is on that port.

  • HTTP Title & Headers:

      nmap -p 80 --script http-title,http-headers <target_ip>

    • When to use: To quickly see what a web server is hosting without opening a browser.

  • DNS Brute Force:

      nmap --script dns-brute <target_domain>

    • When to use: To find subdomains (like dev.lookup.thm or api.lookup.thm) that might be hidden.



This post is licensed under CC BY 4.0 by the author.