Nmap — The Recon Essential
Nmap (Network Mapper) is the first tool in any penetration tester's recon phase. Here's a practical reference from basic to advanced.
Basic Scans
# Ping sweep — discover live hosts
nmap -sn 192.168.1.0/24
# Basic port scan (top 1000 ports)
nmap 192.168.1.105
# All 65535 ports
nmap -p- 192.168.1.105
# Specific ports
nmap -p 22,80,443,3306 192.168.1.105
Service & Version Detection
# Version detection
nmap -sV 192.168.1.105
# OS detection (requires root)
sudo nmap -O 192.168.1.105
# Full aggressive scan (-A enables OS detection, so it also needs root)
sudo nmap -A 192.168.1.105
Scan Types
# SYN scan (stealth, default with root)
sudo nmap -sS 192.168.1.105
# TCP connect scan (no root needed)
nmap -sT 192.168.1.105
# UDP scan (slow but important)
sudo nmap -sU -p 53,67,68,161 192.168.1.105
NSE Scripts
# Default safe scripts
nmap -sC 192.168.1.105
# Vulnerability scan
nmap --script vuln 192.168.1.105
# SMB enumeration
nmap --script smb-enum-shares,smb-vuln-ms17-010 192.168.1.105
# HTTP enumeration
nmap --script http-enum,http-title 192.168.1.105
Output Formats
# Save all formats
nmap -oA scan_results 192.168.1.105
# XML (for import into other tools)
nmap -oX scan.xml 192.168.1.105
# Grepable
nmap -oG scan.gnmap 192.168.1.105
Evasion Techniques
# Fragment packets (bypass simple firewalls)
sudo nmap -f 192.168.1.105
# Decoy scan (hide among fake IPs)
sudo nmap -D RND:10 192.168.1.105
# Slow scan (avoid IDS rate limits)
nmap -T1 192.168.1.105
# Spoof source port
sudo nmap --source-port 53 192.168.1.105
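From the defender's side, the reason -T1 matters is that most scan detection is rate based: it counts distinct destination ports per source inside a time window, and a probe every 15 seconds never fills the window. The detector below is an added example, not from the original post; it runs over constructed firewall log lines (the `timestamp src dst dport` layout, the window and the threshold are all assumptions) and shows the fast scan being flagged, the slow scan slipping under a 10-second window, and the same slow scan being caught once the window is widened.

```python
"""Sliding-window port-scan detector over constructed firewall log lines.

Added example, not part of the original post. Log format, window size and
threshold are assumptions; real firewall logs need their own parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET = "192.168.1.105"


def _synth(start: datetime, src: str, ports, step: timedelta):
    """Build constructed log lines: one connection attempt per port, `step` apart."""
    return [f"{(start + i * step).isoformat()} {src} {TARGET} {p}"
            for i, p in enumerate(ports)]


_t0 = datetime(2024, 5, 1, 12, 0, 0)
LOG_LINES = (
    # fast scan: ten ports in under two seconds
    _synth(_t0, "10.0.0.5", [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306], timedelta(milliseconds=200))
    # slow scan: the same ten ports, one probe per minute
    + _synth(_t0 + timedelta(minutes=5), "10.0.0.9", [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306], timedelta(seconds=60))
    # ordinary client: twenty hits on 443 only
    + _synth(_t0 + timedelta(minutes=1), "10.0.0.7", [443] * 20, timedelta(seconds=1))
)


def parse_line(line: str):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(lines, window=timedelta(seconds=10), threshold=8) -> dict:
    """Flag (src, dst) pairs that touch >= threshold distinct ports within `window`.

    Returns the timestamp at which each pair first crossed the threshold.
    """
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port) inside the window
    flagged = {}
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire probes older than the window
        if len({p for _, p in q}) >= threshold and (src, dst) not in flagged:
            flagged[(src, dst)] = ts
    return flagged


def distinct_ports_per_source(lines) -> dict:
    """Window-free view: total distinct ports per (src, dst) over the whole log.

    This is the complementary long-horizon count that catches slow scans at the
    cost of never firing in real time.
    """
    seen = defaultdict(set)
    for _, src, dst, port in map(parse_line, lines):
        seen[(src, dst)].add(port)
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    print("10s window :", sorted(detect_scanners(LOG_LINES)))
    print("30m window :", sorted(detect_scanners(LOG_LINES, window=timedelta(minutes=30))))
    print("totals     :", distinct_ports_per_source(LOG_LINES))
```

The trade-off is visible in the two calls: a short window gives fast alerts and misses the slow scanner, a long window catches it but only minutes later and with more state per source. In practice both run side by side, and the decoy (-D) and fragmentation (-f) options from this section are why the per-source counter should key on the pair that actually completes a handshake rather than on raw packet counts.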
My Go-To Command
For most initial recon on a CTF or authorized pentest:
sudo nmap -sV -sC -p- --open -T4 -oA initial_scan <target>
Breaks down as: version detection + default scripts + all ports + only open ports + aggressive timing + save all formats.
Remember: always have written authorization before scanning any target you don't own.