
Nmap Enumeration
Scans, Scripts, Stealth

0x74shelby · Reconnaissance · Beginner

01 Understanding Scan Types

The SYN scan (-sS) is Nmap's default when running as root and the one you'll use most often. It sends a SYN packet, waits for the response, and determines port state without completing the TCP handshake. Open ports respond with SYN-ACK. Closed ports respond with RST. Filtered ports don't respond or send ICMP unreachable. Because the connection never completes, it's faster and less likely to be logged by the target application than a full connect scan.

The connect scan (-sT) completes the full three-way handshake. It's used when you don't have raw packet privileges. UDP scanning (-sU) is slow but important — DNS on 53, SNMP on 161, and DHCP on 67/68 are UDP-only and missed by TCP-only scans.

standard scan sequence
sudo nmap -sS -p- --min-rate 5000 TARGET_IP -oN all_ports.txt

sudo nmap -sV -sC -p 22,80,443,445 TARGET_IP -oN targeted.txt

sudo nmap -sU --top-ports 20 TARGET_IP -oN udp.txt
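Feeding the first scan's result into the second, as an added example that is not part of the original page: the parser below reads Nmap's -oN normal output, keeps only ports whose state is exactly "open" (so "filtered" and UDP's "open|filtered" are left out rather than re-scanned blindly), and builds the targeted -sV -sC command. The two reports and TARGET_IP are constructed placeholders; nothing is scanned.

```shell
#!/bin/sh
# Parse an Nmap -oN report and emit the confirmed-open ports for one
# protocol as a comma-separated list ready for the -p option.
# Only state "open" counts: "filtered" and "open|filtered" (typical for
# UDP) are unconfirmed and are deliberately excluded.
open_ports() {
    file="$1"; proto="${2:-tcp}"
    awk -v proto="$proto" '
        $1 ~ ("^[0-9]+/" proto "$") && $2 == "open" {
            sub("/" proto, "", $1)
            printf "%s%s", sep, $1; sep = ","
        }
        END { print "" }' "$file"
}

# Build (but do not run) the follow-up version/script scan for those ports.
targeted_scan_cmd() {
    ports="$(open_ports "$1" tcp)"
    [ -n "$ports" ] || return 1   # nothing confirmed open: no second scan
    printf 'sudo nmap -sV -sC -p %s %s -oN targeted.txt\n' "$ports" "$2"
}

# Constructed sample reports (not real scan output); TARGET_IP is a placeholder.
TCP_REPORT="$(mktemp)"
cat >"$TCP_REPORT" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -p- --min-rate 5000 -oN all_ports.txt TARGET_IP
Nmap scan report for TARGET_IP
Host is up (0.0010s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
445/tcp  open     microsoft-ds
8080/tcp filtered http-proxy
EOF
UDP_REPORT="$(mktemp)"
cat >"$UDP_REPORT" <<'EOF'
PORT    STATE         SERVICE
53/udp  open          domain
161/udp open|filtered snmp
EOF
trap 'rm -f "$TCP_REPORT" "$UDP_REPORT"' EXIT

targeted_scan_cmd "$TCP_REPORT" TARGET_IP
echo "confirmed-open udp: $(open_ports "$UDP_REPORT" udp)"
```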

02 Version Detection and OS Fingerprinting

Service version detection (-sV) goes beyond knowing a port is open. It probes each open port with protocol-specific payloads and reads the banner or response to determine what's running and what version. This information drives your vulnerability lookup. SSH 7.2 on Ubuntu 16.04 tells you exactly which CVEs to check.

OS fingerprinting (-O) analyses the TCP/IP stack behaviour. Different operating systems implement TCP in slightly different ways. The TTL value, window size, and TCP options in responses follow patterns that Nmap has catalogued. The result is a best-guess at the target OS, which helps you tailor exploits and privilege escalation approaches.

03 NSE Scripts

The Nmap Scripting Engine is where Nmap goes from a port scanner to an active reconnaissance platform. Scripts are categorised by purpose, including auth, broadcast, brute, discovery, exploit, fuzzer, intrusive, safe and vuln. The default script set (-sC, the same as --script=default) runs the scripts in the default category, which are selected to be fast and generally safe to run.

useful nse examples
nmap --script smb-enum-shares TARGET_IP
nmap --script smb-vuln-ms17-010 TARGET_IP
nmap --script http-enum TARGET_IP -p 80,443
nmap --script ssh-hostkey TARGET_IP -p 22
nmap --script vuln TARGET_IP         # run all vuln scripts

Timing Tradeoffs

Nmap's timing templates go from T0 (paranoid, slowest) to T5 (insane, fastest). T4 is fine for CTFs. On real engagements, T2 or T3 reduces the chance of triggering IDS rate-limit alerts. Speed matters less than visibility — one noisy scan that gets you blocked is worse than a slow scan that completes.