Nmap: Difference between revisions

From Brunnerne
Created page with "== Nmap CTF Quick Reference == Common Nmap commands optimized for speed and typical CTF scenarios. === Essential Options === * <code>-p-</code> : Scan all 65535 TCP ports. * <code>-p <ports></code> : Scan specific ports (e.g., <code>-p 21,22,80,443</code>, <code>-p U:53,T:80</code>). * <code>-T4</code> : Aggressive timing (faster, good for CTFs). Use <code>-T3</code> (default) if <code>-T4</code> causes issues. * <code>-Pn</code> : Skip host discovery (Assume host..."
Latest revision as of 09:14, 4 August 2025

Nmap CTF Quick Reference

Common Nmap commands optimized for speed and typical CTF scenarios.

Essential Options

  • -p- : Scan all 65535 TCP ports.
  • -p <ports> : Scan specific ports (e.g., -p 21,22,80,443, -p U:53,T:80).
  • -T4 : Aggressive timing (faster, good for CTFs). Use -T3 (default) if -T4 causes issues.
  • -Pn : Skip host discovery (Assume host is online). Crucial if ping is blocked.
  • -v / -vv : Verbosity (show progress/details).
  • -oA <basename> : Save output in All formats (.nmap, .gnmap, .xml). Recommended!
  • -O : OS detection.
  • sudo : Often required for SYN scans (-sS, the default scan type when running as root) and OS detection (-O).

1. Initial Fast TCP Scan

Goal: Quickly find ALL open TCP ports.

sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial_scan <target_IP>
  • --min-rate=1000 : Sends at least 1000 packets per second regardless of the timing template; lower it if ports go missing or the network drops packets.

2. Service Scan + Default Scripts (TCP)

Goal: Identify service versions & run safe scripts on specific/all ports. Most common CTF scan.

# Scan specific TCP ports (e.g., found from initial scan)
sudo nmap -p 22,80,445 -sV -sC -T4 -Pn -v -oA service_scan <target_IP>

# Scan ALL TCP ports (combines step 1 & 2)
sudo nmap -p- -sV -sC -T4 -Pn -v -oA full_tcp_scan <target_IP>
  • -sV : Detect Service/Version info.
  • -sC : Run Default Scripts (safe & very useful).

3. Aggressive Scan

Goal: Shortcut for OS detection, Version detection, Default scripts, Traceroute.

# Aggressive scan on default top 1000 TCP ports
sudo nmap -A -T4 -Pn -v -oA aggressive_default <target_IP>

# Aggressive scan on ALL TCP ports
sudo nmap -A -p- -T4 -Pn -v -oA aggressive_all_tcp <target_IP>
  • -A : Enables OS detection (-O), Version detection (-sV), Script scanning (-sC), and Traceroute (--traceroute).

4. UDP Scan

Goal: Find open UDP services (SNMP, NFS, TFTP, etc.). Warning: Slow!

# Scan Top 100 UDP ports (faster) + Service Detection
sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top100 <target_IP>

# Scan specific common UDP ports
sudo nmap -sU -sV -p U:53,69,123,161 -T4 -Pn -v -oA udp_specific <target_IP>
  • -sU : UDP scan.
  • --top-ports <number> : Limits scan to the most common ports (much faster than -p- for UDP).

5. NSE Script Scans

Goal: Run specific Nmap Scripting Engine scripts.

# Run vulnerability detection scripts on specific ports
sudo nmap --script vuln -p 80,443 -Pn -v -oA vuln_scan <target_IP>

# Run specific script(s) (e.g., HTTP enumeration)
sudo nmap -p 80 --script http-enum,http-title -Pn -v -oA http_enum <target_IP>

# Run SMB enumeration scripts
sudo nmap -p 139,445 --script smb-enum-shares,smb-os-discovery -Pn -v -oA smb_enum <target_IP>
  • --script <category|scriptname> : Specify scripts to run (e.g., vuln, discovery, http-enum). Check rules before using exploit scripts.
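
The last bullet says to check the rules before running exploit scripts. A practical way to do that is to look up a script's categories in Nmap's script.db before adding it to --script. The helper below is an added example, not code from the wiki page: it assumes script.db lives at /usr/share/nmap/scripts/script.db (the path used by common Linux packages, overridable via SCRIPT_DB), and the embedded excerpt is a constructed sample rather than a copy of the real file.

```shell
#!/bin/sh
# Added example (not from the original page). Looks up NSE script categories
# in script.db so that scripts tagged "intrusive"/"exploit" (or any other
# category the CTF rules forbid) can be spotted before they are run.
# Assumption: script.db path below; override with SCRIPT_DB=... if needed.
SCRIPT_DB="${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}"

# Print the categories of one script (by name, without .nse), one per line.
# Reads script.db from stdin. Lines in script.db look like:
#   Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
script_categories() {
    name="$1"
    grep -F "filename = \"${name}.nse\"" |
    sed -n 's/.*categories = {\([^}]*\)}.*/\1/p' |   # keep only the { ... } body
    tr -d '" ' | tr ',' '\n' | sed '/^$/d'           # one bare category per line
}

# Print the names of every script whose category list contains "$1".
# Reads script.db from stdin. Only the categories block is inspected, so a
# script named e.g. "smb-vuln-*" is not mistaken for a member of "vuln".
scripts_in_category() {
    awk -v cat="$1" '
        match($0, /filename = "[^"]*\.nse"/) && index($0, "categories = {") {
            # 12 = length of  filename = "   and 5 = length of  .nse"
            fname = substr($0, RSTART + 12, RLENGTH - 17)
            cats = $0
            sub(/.*categories = \{/, "", cats)
            sub(/\}.*/, "", cats)
            if (index(cats, "\"" cat "\"")) print fname
        }'
}

# Return 0 if the script carries none of the denied categories.
# Default deny list (assumption, adjust to the event rules): intrusive exploit dos brute
script_is_safe() {
    name="$1"; shift
    denied="${*:-intrusive exploit dos brute}"
    for c in $(script_categories "$name"); do
        for d in $denied; do
            [ "$c" = "$d" ] && return 1
        done
    done
    return 0
}

# Constructed excerpt of script.db (not a copy of the real file) so the helpers
# can be exercised without Nmap installed.
SAMPLE_DB='Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }'

# Usage: sh nse_categories.sh <script-name>   (reads the real script.db)
if [ "$#" -ge 1 ]; then
    if script_is_safe "$1" < "$SCRIPT_DB"; then
        echo "$1: no denied categories"
    else
        echo "$1: carries a denied category:" $(script_categories "$1" < "$SCRIPT_DB")
    fi
fi
```

With the real script.db, `printf '%s\n' "$(cat /usr/share/nmap/scripts/script.db)" | scripts_in_category vuln` lists everything --script vuln would run, which is the quickest way to see how intrusive that category is on a given Nmap build.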

Common CTF Workflow

  1. Fast full TCP scan: sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial <target_IP>
  2. Identify open TCP ports from output (e.g., grep open initial.gnmap).
  3. Detailed TCP scan on open ports: sudo nmap -p <open_ports> -sV -sC -T4 -Pn -v -oA details <target_IP>
  4. Quick UDP scan: sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top <target_IP>
  5. Targeted NSE scans based on findings (e.g., --script http-enum on port 80).
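
Steps 1 to 3 of the workflow hinge on turning the .gnmap file from the fast scan into the -p list for the detailed scan; "grep open initial.gnmap" shows the ports but still leaves the comma list to be typed by hand. The script below is an added example, not part of the wiki page: it parses the greppable output that -oA writes, builds the step 3 command from it, and only scans anything when given a target on the command line. The embedded .gnmap text is a constructed sample, and the basenames "initial", "details" and "udp_top" are taken from the workflow above.

```shell
#!/bin/sh
# Added example (not from the original page): glue for workflow steps 1-4.
# Assumptions: nmap is installed, the target given on the command line is one
# you are authorised to scan, and the -oA basenames match the workflow above.

# Extract open TCP ports from .gnmap text on stdin as a sorted, de-duplicated
# comma list such as "22,80,445". Each port entry in .gnmap has the form
#   port/state/protocol/owner/service/rpc_info/version/
# so only entries whose state is exactly "open" and protocol "tcp" are kept
# (UDP "open|filtered" and TCP "filtered" entries are ignored).
open_tcp_ports() {
    grep 'Ports:' |
    tr ',' '\n' |
    sed -n 's#.*[[:space:]]\([0-9][0-9]*\)/open/tcp/.*#\1#p' |
    sort -n -u |
    paste -s -d ',' -
}

# Build (but do not run) the step 3 command for a given port list and target,
# so it can be reviewed before execution.
detail_scan_cmd() {
    ports="$1"; target="$2"
    printf 'sudo nmap -p %s -sV -sC -T4 -Pn -v -oA details %s\n' "$ports" "$target"
}

# Run steps 1-4 against a real host. Stops if the fast scan found nothing.
run_workflow() {
    target="$1"
    sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial "$target"
    ports=$(open_tcp_ports < initial.gnmap)
    if [ -z "$ports" ]; then
        echo "no open TCP ports recorded in initial.gnmap" >&2
        return 1
    fi
    echo "open TCP ports: $ports"
    sudo nmap -p "$ports" -sV -sC -T4 -Pn -v -oA details "$target"
    sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top "$target"
}

# Constructed .gnmap sample (not real scan output) for exercising the parser.
# Note the out-of-order ports and the filtered entry that must be dropped.
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample) as: nmap -p- -T4 -Pn -oA initial 10.0.0.5
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.5 ()   Ports: 445/open/tcp//microsoft-ds///, 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///   Ignored State: closed (65531)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned'

# Usage: sh ctf_scan.sh <target_IP>
if [ "$#" -eq 1 ]; then
    run_workflow "$1"
fi
```

Running the file with no arguments defines the functions only; `printf '%s\n' "$SAMPLE_GNMAP" | open_tcp_ports` prints 22,80,445 from the sample, and the same pipeline applied to a real initial.gnmap gives the list that step 3 expects.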

Quick Tips

  • Always use -oA to save results.
  • Use -Pn if hosts don't respond to ping.
  • Don't forget UDP, but scan specific/top ports first due to speed.
  • Review /usr/share/nmap/scripts/ or use nmap --script-help <script> (e.g., nmap --script-help http-enum) to see what a script does before running it.
  • Check CTF rules regarding scan intensity (-T5) or intrusive scripts (vuln, exploit).