nmap
Network scanning — host discovery, port scanning, service/version detection, and NSE scripts.
Host Discovery
Ping sweep a subnet — find live hosts without port scanning, fast recon
nmap -sn 10.50.1.0/24
ARP-based discovery on local segment — more reliable than ICMP, bypasses host firewalls
sudo nmap -sn -PR 10.50.1.0/24
Scan specific hosts from a file — one IP or CIDR per line
nmap -sn -iL targets.txt
Discover hosts using TCP SYN to specific ports — bypasses ICMP-blocking firewalls
sudo nmap -sn -PS22,80,443 10.50.1.0/24
Skip host discovery, assume all hosts are up — useful when ICMP is blocked but you know the host exists
nmap -Pn 10.50.1.20
TCP Port Scanning
SYN scan (half-open) — default for root, fast and stealthy, does not complete the handshake
sudo nmap -sS 10.50.1.20
Connect scan — full TCP handshake, works without root, leaves logs on target
nmap -sT 10.50.1.20
Scan specific ports — comma-separated list, faster than scanning all 65535
sudo nmap -sS -p 22,80,443,1812,8443 10.50.1.20
Scan a port range — check the well-known port space (1-1024)
sudo nmap -sS -p 1-1024 10.50.1.20
Scan all 65535 ports — thorough but slow, use when default 1000 ports miss something
sudo nmap -sS -p- 10.50.1.20
Scan the top N most common ports — faster than full, better coverage than default
sudo nmap -sS --top-ports 100 10.50.1.20
UDP Scanning
UDP scan — slow because there is no handshake; closed ports return ICMP port unreachable, open ports usually stay silent and are reported as open|filtered
sudo nmap -sU -p 53,67,68,123,161,514,1812,1813 10.50.1.20
Combined TCP and UDP scan — comprehensive but takes significantly longer
sudo nmap -sS -sU -p T:22,80,443,U:53,161,1812 10.50.1.20
Service and Version Detection
Version detection — probe open ports to identify service/version, critical for vulnerability assessment
nmap -sV 10.50.1.20
Aggressive version detection — more probes, slower but catches edge cases
nmap -sV --version-intensity 9 10.50.1.20
OS fingerprinting — requires at least one open and one closed port for accuracy
sudo nmap -O 10.50.1.20
Combined version + OS + scripts + traceroute — the "tell me everything" scan
sudo nmap -A 10.50.1.20
Script Scanning (NSE)
Run default scripts — safe, non-intrusive information gathering
nmap -sC 10.50.1.20
Run a specific script — enumerate the TLS cipher suites a service accepts and flag weak ones
nmap --script ssl-enum-ciphers -p 443 10.50.1.20
Run a script category — all vulnerability detection scripts
nmap --script vuln 10.50.1.20
Enumerate SSL/TLS certificates — verify cert subject, issuer, expiry, SANs
nmap --script ssl-cert -p 443,8443 10.50.1.20
Check for SMB vulnerabilities — relevant for AD environments
nmap --script "smb-vuln*" -p 445 10.50.1.50
SNMP enumeration — pull engine info, sysDescr, interfaces and routing tables; the scripts use the default community string unless snmpcommunity is set via --script-args
sudo nmap -sU -p 161 --script snmp-info,snmp-sysdescr,snmp-interfaces,snmp-netstat 10.50.1.0/24
Timing and Performance
Set timing template — T4 is aggressive but reliable, T5 risks missed packets
sudo nmap -T4 -sS 10.50.1.0/24
Rate limit scan — stay under IDS thresholds, 100 packets per second max
sudo nmap --max-rate 100 -sS 10.50.1.0/24
Parallel host scanning — scan 50 hosts simultaneously for large subnets
nmap --min-hostgroup 50 -sn 10.50.0.0/16
Output Formats
Normal output to file — human-readable, good for reports
sudo nmap -sS -oN /tmp/scan-results.txt 10.50.1.0/24
XML output — parseable by tools, importable into vulnerability scanners
sudo nmap -sS -oX /tmp/scan-results.xml 10.50.1.0/24
Grepable output — one host per line, pipe to awk/grep for quick filtering
sudo nmap -sS -oG /tmp/scan-results.gnmap 10.50.1.0/24
All three formats at once — one scan, three output files
sudo nmap -sS -oA /tmp/scan-results 10.50.1.0/24
Extract open ports from grepable output — one "IP port/state/proto//service///" line per open port
awk '/Ports:/{ip=$2; for(i=1;i<=NF;i++) if($i ~ /\/open\//){sub(/,$/,"",$i); print ip, $i}}' /tmp/scan-results.gnmap
Infrastructure Patterns
Scan ISE for expected RADIUS (UDP) and admin/API (TCP) ports — verify ISE is listening where it should be
sudo nmap -sS -sU -p T:443,8443,8444,8905,9060,9063,U:1812,1813 10.50.1.20
Scan a switch management interface — verify SSH and SNMP are up, HTTP is down
sudo nmap -sS -sU -p T:22,80,443,U:161 10.50.1.10
Subnet inventory — discovery, then top ports + version detection on the live hosts only (-iL - reads targets from stdin), saved in all formats for asset tracking
sudo nmap -sn 10.50.1.0/24 -oG - | awk '/Up/{print $2}' | sudo nmap -sS --top-ports 100 -sV -iL - -oA /tmp/inventory
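The XML output format above exists to be consumed by tools. As an added example (not part of the original cheat sheet), this Python script parses an -oX file into a per-host port map and checks a switch management interface against the baseline stated in the Infrastructure Patterns section (SSH and SNMP up, HTTP down); the sample XML and the baseline set are constructed here, not taken from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements this parser reads: one switch management interface, TCP + UDP.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,80,443,U:161 10.50.1.10">
  <host>
    <status state="up"/>
    <address addr="10.50.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Expected exposure for a switch management interface: SSH and SNMP up,
# HTTP down. Any other open port is reported as unexpected.
SWITCH_BASELINE = {("tcp", 22), ("udp", 161)}

def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): (state, service)}} for every host in an -oX file."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for p in host.iter("port"):
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                p.find("state").get("state"),
                svc.get("name") if svc is not None else "",
            )
        hosts[addr.get("addr")] = ports
    return hosts

def compare_to_baseline(ports, baseline):
    """Split observed ports into (unexpected_open, expected_but_not_open).
    UDP open|filtered counts as open because nmap cannot tell the two apart."""
    open_ports = {k for k, (state, _) in ports.items() if state.startswith("open")}
    return sorted(open_ports - baseline), sorted(baseline - open_ports)

if __name__ == "__main__":
    for ip, ports in parse_nmap_xml(SAMPLE_XML).items():
        unexpected, missing = compare_to_baseline(ports, SWITCH_BASELINE)
        print(ip, "unexpected:", unexpected, "missing:", missing)
```

Point parse_nmap_xml at the contents of /tmp/scan-results.xml from the Output Formats section to run it against a real scan.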