If we are auditing a network, and not a single host, we can proceed as follows once we have the list of targets in a file named, for example, targets.txt:
Step 1: Initial Port Discovery
To be even more considerate, we can add the following options on real networks:
--max-retries 2: Limits retries per probe to 2, reducing additional network traffic from lost packets.
--max-scan-delay 20ms: Adds a 20ms delay between probes, decreasing scan aggressiveness and network load.
Step 2: Extracting Port List
Extract the list of ports from the tcp_scan.txt file using commands to filter, format, and prepare them as a comma-separated list (PORT_LIST).
Step 3: Targeted Port Scan
Conduct an Nmap scan (nmap) targeting hosts listed in targets.txt (-iL targets.txt) using the ports listed in PORT_LIST. This scan focuses on open ports (--open), and includes checks for service scripts (-sC), service/version detection (-sV), and excludes host discovery (-Pn). Results are saved in tcp_scan_full.txt
