Nmap

From Brunnerne

Nmap CTF Quick Reference

Common Nmap commands optimized for speed and typical CTF scenarios.

Essential Options

  • -p- : Scan all 65535 TCP ports.
  • -p <ports> : Scan specific ports (e.g., -p 21,22,80,443 or -p U:53,T:80).
  • -T4 : Aggressive timing (faster, good for CTFs). Use -T3 (default) if -T4 causes issues.
  • -Pn : Skip host discovery (assume the host is online). Crucial if ping is blocked.
  • -v / -vv : Verbosity (show progress/details).
  • -oA <basename> : Save output in all formats (.nmap, .gnmap, .xml). Recommended!
  • -O : OS detection.
  • sudo : Often required for SYN scans (-sS, the default when run as root) and OS detection (-O).

1. Initial Fast TCP Scan

Goal: Quickly find ALL open TCP ports.

sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial_scan <target_IP>
  • --min-rate=1000 : Tries to send packets quickly; adjust if needed.

2. Service Scan + Default Scripts (TCP)

Goal: Identify service versions & run safe scripts on specific/all ports. Most common CTF scan.

# Scan specific TCP ports (e.g., found from initial scan)
sudo nmap -p 22,80,445 -sV -sC -T4 -Pn -v -oA service_scan <target_IP>

# Scan ALL TCP ports (combines step 1 & 2)
sudo nmap -p- -sV -sC -T4 -Pn -v -oA full_tcp_scan <target_IP>
  • -sV : Detect Service/Version info.
  • -sC : Run Default Scripts (safe & very useful).

3. Aggressive Scan

Goal: Shortcut for OS detection, Version detection, Default scripts, Traceroute.

# Aggressive scan on default top 1000 TCP ports
sudo nmap -A -T4 -Pn -v -oA aggressive_default <target_IP>

# Aggressive scan on ALL TCP ports
sudo nmap -A -p- -T4 -Pn -v -oA aggressive_all_tcp <target_IP>
  • -A : Enables OS detection (-O), Version detection (-sV), Script scanning (-sC), and Traceroute (--traceroute).

4. UDP Scan

Goal: Find open UDP services (SNMP, NFS, TFTP, etc.). Warning: Slow!

# Scan Top 100 UDP ports (faster) + Service Detection
sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top100 <target_IP>

# Scan specific common UDP ports
sudo nmap -sU -sV -p U:53,69,123,161 -T4 -Pn -v -oA udp_specific <target_IP>
  • -sU : UDP scan.
  • --top-ports <number> : Limits scan to the most common ports (much faster than -p- for UDP).

5. NSE Script Scans

Goal: Run specific Nmap Scripting Engine scripts.

# Run vulnerability detection scripts on specific ports
sudo nmap --script vuln -p 80,443 -Pn -v -oA vuln_scan <target_IP>

# Run specific script(s) (e.g., HTTP enumeration)
sudo nmap -p 80 --script http-enum,http-title -Pn -v -oA http_enum <target_IP>

# Run SMB enumeration scripts
sudo nmap -p 139,445 --script smb-enum-shares,smb-os-discovery -Pn -v -oA smb_enum <target_IP>
  • --script <category|scriptname> : Specify scripts to run (e.g., vuln, discovery, http-enum). Check rules before using exploit scripts.

Common CTF Workflow

  1. Fast full TCP scan: sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial <target_IP>
  2. Identify open TCP ports from output (e.g., grep open initial.gnmap).
  3. Detailed TCP scan on open ports: sudo nmap -p <open_ports> -sV -sC -T4 -Pn -v -oA details <target_IP>
  4. Quick UDP scan: sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top <target_IP>
  5. Targeted NSE scans based on findings (e.g., --script http-enum on port 80).
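Step 2 of the workflow above (grep open initial.gnmap) still leaves you hand-editing the matches into a port list for step 3. The script below, added here as a worked example and not part of this wiki page, parses the grepable (.gnmap) file written by -oA and prints a ready-made -p argument per host. The .gnmap excerpt embedded in it is constructed sample data, and the function and file names are this example's own, not Nmap's.

```python
"""Parse Nmap grepable output (.gnmap) and print the open ports per host as an
Nmap -p argument.  Added example for the CTF workflow above; not wiki code.
Run as:  python3 gnmap_ports.py initial.gnmap   (no argument = embedded sample)
"""
import re
import sys
from collections import defaultdict

# Constructed sample of what `nmap -oA initial` writes to initial.gnmap.
# Port entries are "port/state/proto/owner/service/rpc/version/" separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -T4 -Pn -oA initial 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/closed/tcp//https///, "
    "8080/open|filtered/tcp//http-proxy///\tIgnored State: filtered (65531)\n"
    "Host: 10.10.10.6 ()\tStatus: Up\n"
    "Host: 10.10.10.6 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (98)\n"
    "# Nmap done at Mon Jan  1 00:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)

# A Ports line: "Host: <ip> (<hostname>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
PORTS_LINE_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)")
# Split on ", " only where the next entry starts with a port number, so that a
# version string containing ", " does not break the entry apart.
ENTRY_SPLIT_RE = re.compile(r", (?=\d+/)")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} for every
    port entry in the grepable output.  Comment and Status-only lines are skipped."""
    results = defaultdict(list)
    for line in text.splitlines():
        match = PORTS_LINE_RE.match(line)
        if not match:
            continue
        host, ports_field = match.groups()
        for entry in ENTRY_SPLIT_RE.split(ports_field):
            fields = entry.split("/", 6)  # 7 fields; the last keeps its trailing "/"
            if len(fields) != 7 or not fields[0].isdigit():
                continue  # malformed entry: skip it rather than abort the whole parse
            port, state, proto, _owner, service, _rpc, version = fields
            results[host].append((int(port), state, proto, service, version.rstrip("/")))
    return dict(results)


def open_ports(text, proto="tcp", include_ambiguous=False):
    """Return {host: sorted list of open ports} for one protocol.
    'open|filtered' (typical for UDP ports that never answered) is only
    included when include_ambiguous=True, so the default list stays trustworthy."""
    wanted = {"open", "open|filtered"} if include_ambiguous else {"open"}
    out = {}
    for host, entries in parse_gnmap(text).items():
        ports = sorted(p for p, state, pr, _svc, _ver in entries
                       if pr == proto and state in wanted)
        if ports:
            out[host] = ports
    return out


def ports_arg(ports):
    """Format a port list the way -p expects it, e.g. [22, 80] -> "22,80"."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_GNMAP
    for proto in ("tcp", "udp"):
        for host, ports in open_ports(data, proto=proto).items():
            print(f"{host} ({proto}): -p {ports_arg(ports)}")
```

The split on ", " is anchored to the next port number on purpose: a plain grep or a naive split would cut a version string such as "foo, bar" in half and produce bogus ports. Keeping open|filtered out of the default list matters most for the UDP scan, where that state usually means "no reply", not "open".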

Quick Tips

  • Always use -oA to save results.
  • Use -Pn if hosts don't respond to ping.
  • Don't forget UDP, but scan specific/top ports first due to speed.
  • Review /usr/share/nmap/scripts/ or use nmap --script-help <script|category> (e.g., nmap --script-help vuln) to find and read about scripts.
  • Check CTF rules regarding scan intensity (-T5) or intrusive scripts (vuln, exploit).