Quick Nmap Commands For CEH / HTB / TryHackMe

Basic Nmap Commands for CEH practical

My Personal Favorite

nmap -A -p- -T4 -v 192.168.1.0

Host Discovery

  • Scan for alive hosts (no port scan): nmap -sn $ip/24
  • Faster host scan (-n skips reverse DNS), saving the result to a file: nmap -sn -n $ip/24 > ip-range.txt
  • Scan specific IP range (-sP is the legacy spelling of -sn): nmap -sP 10.0.0.0-100

Tip: Use these commands to identify which hosts are up before diving into detailed port or vulnerability scans.

Basic Scans

  • Basic scan of 1000 common ports: nmap [target]
  • Scan all TCP ports (65535): nmap -p- [target]
  • Quick UDP scan: nmap -sU [target]
  • Version & OS detection: nmap -sC -sV -O -oA initial [target]
  • Fast scan of 100 common ports: nmap -F [target]

Service & Vulnerability Enumeration

  • Default script scan & version detection: nmap -sC -sV -oN scan.txt [target]
  • Scan for vulnerabilities: nmap --script vuln [target]
  • Use script categories: nmap --script vuln,safe,discovery -oN scan.txt [target]

Tip: Running service detection (-sV) and using scripts can give you insights into what versions are running and potential vulnerabilities, helping you prioritize further actions.

Specific Port Scans

  • TCP scan of specific ports (80, 443, 8080): nmap -p T:80,443,8080 [target]
  • Full connect scan on all ports: nmap -v -p- -sT [target]
  • Scan specific port range: nmap -p 21-25 [target] --max-retries 0

Aggressive & Full Scans

  • Aggressive scan (faster): nmap -T4 [target]
  • Full TCP scan: nmap -sC -sV -p- -v -T4 -oN full.txt [target]
  • Full UDP scan: nmap -sU -O -p- -T4 -oN nmap/udp.txt [target]
  • Max scan delay: nmap -sC -sV [target] -v --max-scan-delay=10

Tip: Aggressive timing templates like -T4 speed up scans but can be more detectable. Consider using stealthier options if you want to avoid detection.

Automation

Advanced Nmap Commands

Deep Scanning

  • Scan all 65535 ports with full connect: nmap -v -p- -sT $ip
  • No probe retransmissions (fast but may miss ports on lossy links): nmap --max-retries 0 -p $port $ip

Output Options

  • Normal output format: nmap -oN output.txt [target]
  • XML output format: nmap -oX output.xml [target]

Advanced Techniques

  • TCP SYN scan (stealthy): nmap -sS [target]
  • TCP ACK scan: nmap -sA [target]
  • Top ports scan: nmap --top-ports=20 [target]

Port Knocking

  • Port knock with retries:
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $ip; done

Tip: Port knocking applies where a service is only exposed after a specific sequence of ports has been contacted. The loop above sends a single probe to each port in order, after which the service behind the knock sequence can be scanned normally.

Onetwopunch.sh

  • Run the script to scan an IP range: ./onetwopunch.sh -t ip-range.txt -p tcp

Tip: Onetwopunch uses unicornscan to scan all ports, then hands off open ports to Nmap for detailed analysis. This can be a time-saver when doing large scans.
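The same two-stage idea as Onetwopunch, built only from the Basic Scans and Service & Vulnerability Enumeration commands above, as an added example that is not part of the original cheat sheet or of the Onetwopunch project: stage 1 sweeps all TCP ports with greppable output, a parser pulls out the open ports, and stage 2 runs -sC -sV on just those. The function names, the ./nmap output directory and the sample greppable file are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): two-stage TCP
# enumeration. Stage 1 sweeps all 65535 ports and writes -oA output;
# stage 2 runs -sC -sV only on the ports stage 1 found open.
set -u

# Print the open TCP ports from an Nmap greppable (-oG / -oA .gnmap) file
# as a comma-separated list suitable for -p, e.g. "22,80,8080".
open_ports_from_gnmap() {
    local gnmap="$1"
    # Fields on a "Host:" line are tab-separated; keep only the "Ports:" field,
    # then keep entries whose state is "open" and protocol is "tcp".
    awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++)
                            if ($i ~ /^Ports: /) print substr($i, 8) }' "$gnmap" \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ +/, "", $1); print $1 }' \
    | sort -n -u \
    | paste -sd, -
}

# Stage 1 -> parse -> stage 2. Output files land in ./nmap/ (my own layout).
two_stage_scan() {
    local target="$1" ports
    mkdir -p nmap
    nmap -p- -T4 --max-retries 1 -oA "nmap/ports_${target}" "$target" >/dev/null
    ports=$(open_ports_from_gnmap "nmap/ports_${target}.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -sC -sV -p "$ports" -oA "nmap/services_${target}" "$target"
}

# Constructed sample of stage-1 output so the parser can be exercised offline.
write_sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n' >> "$1"
}

if [ "$#" -gt 0 ]; then
    two_stage_scan "$1"      # usage: ./two_stage.sh 10.10.10.5
fi
```

Filtered and closed entries are dropped, so a host that answers with nothing open makes stage 2 skip rather than run -sV against an empty port list.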


Firewall Evading with Nmap

Here is a good blog post on this topic.

Blog - Firewalls Evading Techniques in Nmap

Some Useful Links

https://github.com/superkojiman/onetwopunch.git

https://github.com/Tib3rius/AutoRecon

https://github.com/21y4d/nmapAutomator

Neeraj ♥️ Cyber
