Cybersecurity · 3 min read
Essential Nmap Commands for CEH, HTB, and TryHackMe

Nmap (Network Mapper) is an essential tool in every security professional’s toolkit. Here’s my personal collection of frequently used Nmap commands, especially useful for CEH certification, HackTheBox, and TryHackMe challenges.
Host Discovery
Before diving into detailed scans, it’s crucial to identify active hosts in your target network:
# Scan for alive hosts (ping sweep, no port scan)
nmap -sn $ip/24

# Faster host scan with no DNS resolution, saved to a file
nmap -sn -n $ip/24 > ip-range.txt

# Scan a specific IP range (-sP is the legacy name for -sn)
nmap -sP 10.0.0.0-100
Tip: Use these commands to identify which hosts are up before diving into detailed port or vulnerability scans.
Basic Scans
These are your bread-and-butter Nmap commands for initial reconnaissance:
# Basic scan of the 1000 most common TCP ports
nmap [target]

# Scan all 65535 TCP ports
nmap -p- [target]

# UDP scan of the most common UDP ports (slow: UDP probes need long timeouts)
nmap -sU [target]

# Default scripts, version & OS detection, all output formats with basename "initial"
nmap -sC -sV -O -oA initial [target]

# Fast scan of the 100 most common ports
nmap -F [target]
Service & Vulnerability Enumeration
Deeper inspection of services and potential vulnerabilities:
# Default script scan & version detection, normal output to scan.txt
nmap -sC -sV -oN scan.txt [target]

# Run the NSE "vuln" script category
nmap --script vuln [target]

# Use multiple script categories
nmap --script vuln,safe,discovery -oN scan.txt [target]
Tip: Running service detection (-sV) and using scripts can give you insights into what versions are running and potential vulnerabilities, helping you prioritize further actions.
Specific Port Scans
Target specific ports or ranges:
# TCP scan of specific ports
nmap -p T:80,443,8080 [target]

# Full connect scan on all ports
nmap -v -p- -sT [target]

# Scan a specific port range with no retries
nmap -p 21-25 [target] --max-retries 0
Aggressive & Full Scans
When you need comprehensive results:
# Aggressive timing template (faster)
nmap -T4 [target]

# Full TCP scan with scripts and version detection
nmap -sC -sV -p- -v -T4 -oN full.txt [target]

# Full UDP scan with OS detection
nmap -sU -O -p- -T4 -oN nmap/udp.txt [target]

# Cap how far Nmap will raise the delay between probes when a host rate-limits
nmap -sC -sV [target] -v --max-scan-delay=10
Tip: Aggressive timing templates like -T4 speed up scans but can be more detectable. Consider using stealthier options if you want to avoid detection.
Advanced Techniques
For more sophisticated scanning needs:
# Deep scanning: all ports with a full connect scan
nmap -v -p- -sT $ip

# TCP SYN scan (half-open, stealthier than a full connect; the default when run as root)
nmap -sS [target]

# TCP ACK scan (maps firewall rules, does not report open ports)
nmap -sA [target]

# Scan the 20 most common ports
nmap --top-ports=20 [target]
Port Knocking
Sometimes services are hidden behind port knock sequences:
# Port knock sequence: one probe per port in order, no retries
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x $ip; done
Useful Automation Tools
Several tools can help automate and enhance your Nmap scans:
AutoRecon: A multi-threaded network reconnaissance tool
- GitHub: AutoRecon
Onetwopunch: Combines unicornscan and Nmap for efficient scanning
- GitHub: onetwopunch
nmapAutomator: Automates the Nmap scanning process
- GitHub: nmapAutomator
Best Practices
- Start Broad, Then Focus: Begin with host discovery and basic scans before diving into detailed port scans
- Consider the Network: Use appropriate timing templates based on network stability
- Save Your Output: Always use output options (-oN, -oX) for later reference
- Be Mindful of Noise: More aggressive scans are noisier and more detectable
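As an added example (not from the original post), the "start broad, then focus" and "save your output" practices combined: a small Python script that parses saved grepable output (-oG) into a table of open ports per host and builds the focused -sC -sV follow-up command for each host. The sample scan output and the nmap/ output directory are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output; not taken from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.2 (files.lab)\tStatus: Up
Host: 10.0.0.2 (files.lab)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Grepable fields are tab-separated: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
PORT_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")

def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, _hostname, ports = m.groups()
        for entry in ports.split(", "):
            # Each entry: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)

def focused_scan_commands(hosts, outdir="nmap"):
    """Build the 'then focus' step: script + version scan limited to the open ports found."""
    cmds = []
    for ip, ports in sorted(hosts.items()):
        plist = ",".join(str(p) for p, *_ in sorted(ports))
        cmds.append(f"nmap -sC -sV -p {plist} -oA {outdir}/{ip} {ip}")
    return cmds

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in found.items():
        for port, proto, svc, ver in ports:
            print(f"{ip:<12} {port:>5}/{proto} {svc:<14} {ver}")
    print("\n".join(focused_scan_commands(found)))
```

Point it at a real -oG file by replacing SAMPLE_GNMAP with open("scan.gnmap").read(); the closed/filtered ports are dropped so the follow-up scan only spends time on what answered.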
Further Reading
For more advanced techniques on evading firewalls with Nmap, check out my detailed blog post on Firewalls Evading Techniques in Nmap.
Remember, with great power comes great responsibility. Always ensure you have proper authorization before scanning any networks or systems.