Useful Nmap Scan Combinations
Port Discovery
High-Speed Port Scan
nmap -p- --min-rate 5000 -T5 --open -Pn TARGET_IP
Stealth Scan
nmap -sS -p- --open -Pn TARGET_IP
Service Detection
Service-Version + Default Script + OS detection
nmap -p PORT_LIST -sCV -O -Pn TARGET_IP
UDP Scan
nmap -sU TARGET_IP
Automating Port Reconnaissance
If we are auditing a network, and not a single host, we can proceed as follows once we have the list of targets in a file named, for example, targets.txt:
Step 1: Initial Port Discovery
nmap -sS --min-rate MIN_RATE -p- --open -iL targets.txt -oN tcp_scan.txt
# For Labs/Certs => MIN_RATE = ~5000
# For real networks => MIN_RATE = ~100
To be even more considerate, we can add the following options on real networks:
--max-retries 2: caps probe retransmissions at 2 per port (the default without a timing template is 10), so lost packets generate less follow-up traffic; on a lossy link this can also cause open ports to be missed, so re-scan anything suspicious.
--max-scan-delay 20ms: caps at 20 ms the delay Nmap grows between probes when it detects rate limiting. This bounds total scan time rather than adding politeness; the option that enforces a fixed wait between every probe is --scan-delay.
nmap -sS --min-rate 100 -p- --open --max-retries 2 --max-scan-delay 20ms -iL targets.txt -oN tcp_scan.txt
Step 2: Extracting Port List
Extract the list of ports from the tcp_scan.txt file using commands to filter, format, and prepare them as a comma-separated list (PORT_LIST).
grep '^[0-9]' tcp_scan.txt | cut -d '/' -f1 | sort -un | xargs | tr ' ' ','
Step 3: Targeted Port Scan
Conduct an Nmap scan (nmap) targeting the hosts listed in targets.txt (-iL targets.txt) on the ports collected in PORT_LIST. The scan reports only open ports (--open), runs the default NSE script set (-sC), performs service/version detection (-sV), and skips host discovery (-Pn). Results are saved in tcp_scan_full.txt.
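Steps 1 to 3 as one runnable shell script, added here as an example and not part of the original page. Instead of running a live scan it constructs a tcp_scan.txt in the format nmap -oN writes, with invented hosts and ports, extracts the open-port list the way Step 2 does (the grep is anchored on "/tcp" and "open" so stray lines that start with a digit cannot slip into PORT_LIST), and prints the Step 3 command rather than executing it. The host addresses, port numbers and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. All scan output below is
# CONSTRUCTED sample data shaped like nmap -oN output, not a real result.

# Write a sample tcp_scan.txt for two hosts, as Step 1 would produce.
make_sample_scan() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS --min-rate 100 -p- --open -iL targets.txt -oN tcp_scan.txt
Nmap scan report for 10.10.10.5
Host is up (0.012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

Nmap scan report for 10.10.10.6
Host is up (0.015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

# Nmap done at Mon Jan  1 00:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
EOF
}

# Step 2: every open TCP port seen on any host, numerically sorted,
# de-duplicated, joined with commas (no trailing comma or newline).
extract_ports() {
  grep -E '^[0-9]+/tcp +open' "$1" | cut -d '/' -f1 | sort -un | paste -sd ',' -
}

# Step 3: compose the targeted scan command. It is only printed here so the
# script runs without a target; pipe the output to sh to actually run it.
build_full_scan_cmd() {
  ports=$(extract_ports "$1")
  printf 'nmap -p%s --open -sC -sV -iL %s -Pn -oN tcp_scan_full.txt\n' "$ports" "$2"
}

scan=$(mktemp)
make_sample_scan "$scan"
extract_ports "$scan"                    # 22,80,443,8080
build_full_scan_cmd "$scan" targets.txt
rm -f "$scan"
```

On a real engagement the port list is the union across all hosts, so the Step 3 scan probes every host on every port any host had open; that is the intended trade-off (one pass, simple to script) and why --open is kept on the second scan.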
nmap -p<PORT_LIST> --open -sC -sV -iL targets.txt -Pn -oN tcp_scan_full.txt
Port Enum
21/tcp - FTP
22/tcp - SSH
