Nmap CTF Quick Reference
Common Nmap commands optimized for speed and typical CTF scenarios.
Essential Options
- -p-: Scan all 65535 TCP ports.
- -p <ports>: Scan specific ports (e.g., -p 21,22,80,443 or, mixing protocols, -p U:53,T:80).
- -T4: Aggressive timing (faster, good for CTFs). Drop back to -T3 (the default) if -T4 gives unreliable results.
- -Pn: Skip host discovery (assume the host is online). Crucial if ping is blocked; without it Nmap reports the host as down and scans nothing.
- -v / -vv: Verbosity (show progress/details).
- -oA <basename>: Save output in all formats (.nmap, .gnmap, .xml). Recommended!
- sudo: Required for SYN scans (-sS, which is the default only when running as root; unprivileged runs fall back to the slower -sT connect scan), UDP scans (-sU) and OS detection (-O).
1. Initial Fast TCP Scan
Goal: Quickly find ALL open TCP ports.

```bash
sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial_scan <target_IP>
```

--min-rate=1000: Send at least 1000 packets per second. Faster, but on a lossy link or against a rate-limiting target it can silently miss ports; if the result looks too empty, re-run without it (or with a lower value) before trusting it.
2. Service Scan + Default Scripts (TCP)
Goal: Identify service versions & run default scripts on specific/all ports. Most common CTF scan.

```bash
# Scan specific TCP ports (e.g., found from initial scan)
sudo nmap -p 22,80,445 -sV -sC -T4 -Pn -v -oA service_scan <target_IP>

# Scan ALL TCP ports (combines step 1 & 2; slower than scanning only the known-open ports)
sudo nmap -p- -sV -sC -T4 -Pn -v -oA full_tcp_scan <target_IP>
```

- -sV: Detect service/version info.
- -sC: Run the default script set (same as --script=default). These are chosen to be fast and reliable and are very useful, but a few are mildly intrusive, so "default" is not the same as the safe category.
3. Aggressive Scan
Goal: Shortcut for OS detection, version detection, default scripts and traceroute.

```bash
# Aggressive scan on default top 1000 TCP ports
sudo nmap -A -T4 -Pn -v -oA aggressive_default <target_IP>

# Aggressive scan on ALL TCP ports
sudo nmap -A -p- -T4 -Pn -v -oA aggressive_all_tcp <target_IP>
```

-A: Enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). It is noisier than -sV -sC alone, and OS detection needs root and works best when at least one open and one closed TCP port were found.
4. UDP Scan
Goal: Find open UDP services (DNS, SNMP, TFTP, NFS, etc.). Warning: Slow!

```bash
# Scan Top 100 UDP ports (faster) + service detection
sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top100 <target_IP>

# Scan specific common UDP ports
sudo nmap -sU -sV -p U:53,69,123,161 -T4 -Pn -v -oA udp_specific <target_IP>
```

- -sU: UDP scan (needs root). Ports that never answer are reported as open|filtered; -sV sends protocol-specific probes and often resolves those to open, which is why it is worth the extra time here.
- --top-ports <number>: Limits the scan to the most common ports (much faster than -p- for UDP).
5. NSE Script Scans
Goal: Run specific Nmap Scripting Engine scripts.

```bash
# Run vulnerability detection scripts on specific ports
sudo nmap --script vuln -p 80,443 -Pn -v -oA vuln_scan <target_IP>

# Run specific script(s) (e.g., HTTP enumeration)
sudo nmap -p 80 --script http-enum,http-title -Pn -v -oA http_enum <target_IP>

# Run SMB enumeration scripts
sudo nmap -p 139,445 --script smb-enum-shares,smb-os-discovery -Pn -v -oA smb_enum <target_IP>
```

--script <category|scriptname>: Specify a comma-separated list of scripts or categories to run (e.g., vuln, discovery, http-enum). Many vuln scripts are intrusive and some can crash a fragile service, so check the rules before using the vuln or exploit categories.
Common CTF Workflow
- Fast full TCP scan:

  ```bash
  sudo nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial <target_IP>
  ```

- Identify open TCP ports from the output (e.g., grep open initial.gnmap).
- Detailed TCP scan on the open ports:

  ```bash
  sudo nmap -p <open_ports> -sV -sC -T4 -Pn -v -oA details <target_IP>
  ```

- Quick UDP scan:

  ```bash
  sudo nmap -sU -sV --top-ports 100 -T4 -Pn -v -oA udp_top <target_IP>
  ```

- Targeted NSE scans based on findings (e.g., --script http-enum on port 80).
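The workflow above is usually typed by hand, with the open-port list copied out of the .gnmap file. The script below is an added example (not part of the original cheat sheet) that chains the first three steps: it parses the grepable output that -oA writes into a comma-separated list ready for -p, and only then runs the -sV -sC scan on those ports. It assumes nmap is on PATH, that it runs as root (for -sS), that the target is passed in the hypothetical TARGET environment variable, and that the basenames initial and details are free in the current directory; the .gnmap sample embedded in it is constructed to match Nmap's grepable format, not taken from a real scan.

```bash
#!/bin/sh
# Added example: drive the "fast full TCP scan -> targeted service scan"
# workflow and parse the .gnmap file instead of eyeballing `grep open`.
# Assumptions: nmap on PATH, running as root, target in $TARGET.

# Print the open ports of one protocol (tcp|udp) from a .gnmap file as a
# sorted, comma-separated list usable directly with -p, e.g. "22,80,445".
# Only "/open/" entries are taken: "open|filtered" UDP results are left out,
# so feed them to a separate -sU -sV scan if you want them resolved.
open_ports_from_gnmap() {
    file="$1"; proto="${2:-tcp}"
    grep -o "[0-9]*/open/$proto/" "$file" \
        | cut -d/ -f1 \
        | sort -nu \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Full workflow: all-ports TCP scan, then -sV -sC only on what was open.
# Returns 1 (and says so) when nothing was open, which with --min-rate is
# more often a sign of dropped packets than of a silent host.
run_tcp_workflow() {
    target="$1"
    nmap -p- -T4 -Pn --min-rate=1000 -v -oA initial "$target" >/dev/null
    ports="$(open_ports_from_gnmap initial.gnmap tcp)"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found; re-run without --min-rate before trusting this" >&2
        return 1
    fi
    echo "open TCP ports: $ports"
    nmap -p "$ports" -sV -sC -T4 -Pn -v -oA details "$target"
}

# Constructed sample in Nmap's grepable format (not output of a real scan);
# it mixes TCP and UDP entries the way a combined -sS -sU run would.
sample="${TMPDIR:-/tmp}/sample_initial.gnmap"
cat > "$sample" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -p T:-,U:53,161 -T4 -Pn -oA initial 10.10.10.5
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 445/open/tcp//microsoft-ds///, 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///, 161/open|filtered/udp//snmp///, 53/open/udp//domain///	Ignored State: filtered (65530)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
EOF

echo "sample TCP: $(open_ports_from_gnmap "$sample" tcp)"   # 22,80,445
echo "sample UDP: $(open_ports_from_gnmap "$sample" udp)"   # 53 (161 is open|filtered, so skipped)

# Only touch the network when a target was supplied, e.g.
#   sudo TARGET=10.10.10.5 sh nmap_workflow.sh
if [ -n "${TARGET:-}" ]; then
    run_tcp_workflow "$TARGET"
fi
```

The parser keys on the literal /open/<proto>/ field, which is why a port reported as open|filtered does not make it into the list; that is deliberate, since passing every open|filtered UDP port to -sV -sC would bring back the slowness the top-ports scan was meant to avoid.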
Quick Tips
- Always use -oA to save results.
- Use -Pn if hosts don't respond to ping.
- Don't forget UDP, but scan specific/top ports first due to speed.
- Review /usr/share/nmap/scripts/ or use nmap --script-help <script|category> (e.g., nmap --script-help vuln) to find scripts and read what they do before running them.
- Check CTF rules regarding scan intensity (-T5) or intrusive scripts (vuln, exploit).