🛠️ Nmap
Installation

```bash
sudo apt install nmap
```

Common Commands
Hack The Box / CTFs
This command scans all ports, detects service versions, runs the default scripts and writes the results to files; it is the one I mostly use for HackTheBox machines. (-oA writes normal, XML and grepable output under one basename; -oN and -oX each need their own filename, so they cannot share one.)

```bash
nmap -p- -T4 -sC -sV -oA [outfile] [target_ip]
```

Scanning Phases (maybe a little more practical?)

The above command is quite noisy: it scans all 65,535 ports at -T4 timing (often combined with a high --min-rate). In real-life engagements quieter scans are preferred, and the work is split into several phases to reduce the chance of detection.
1. Host detection: list the targets in the IP range and resolve their hostnames (a list scan sends no probes to the targets themselves).

```bash
nmap -sL 192.162.1.0/24
```

2. Host discovery: some IPs in the range will be dead; this step identifies which hosts are actually up.

```bash
nmap -sn -PS443,80 [target]
```

3. Port enumeration: the main step and the hardest problem. Key things to remember:
- Use slow timing (-T1 or -T2) only.
- Scan only a small number of ports (about 50). Decide which ports matter by looking up the default ports of the services you expect.
- Break packets into small fragments with the -f flag.

```bash
nmap -T1 --top-ports 50 -f [target]
```

4. Obfuscation: this is where evasion techniques come in, such as decoy IP addresses that hide our own address so that it is not simply blocked.

```bash
nmap -D RND:10 [target]
```

The above command mixes our probes with traffic from 10 random decoy sources, so the IDS sees eleven apparent scanners and cannot tell which one is real.
Tips & Tricks
- Scan for known vulnerabilities and misconfigurations (SMB misconfigurations, old SSL versions, etc.) with the vuln category of NSE scripts:

```bash
nmap -sV --script=vuln [target]
```

- Leverage Proxychains to scan ports on a remote internal IP address (TCP connect scan without ping, since only full TCP connections can be relayed through the proxy):

```bash
proxychains nmap -sT -Pn -p 80,445,3389 <target_IP>
```

Troubleshooting
"Host seems down"
Symptom: "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn"
The Cause: Nmap sends an ICMP Echo Request (ping) by default to check if a host is alive before wasting time scanning ports. Windows machines and many firewalls block ICMP by default.
The Fixes:
- Skip ping (assume up): tells nmap to skip host discovery and start scanning the IP directly.

```bash
nmap -Pn <target>
```

- Alternative discovery probes: if -Pn takes too long (because it also port-scans dead IPs), use TCP SYN/ACK or UDP probes instead of ICMP to check whether the host is alive.

```bash
nmap -PS22,80,443 <target>   # TCP SYN ping to common ports
nmap -PU53,161 <target>      # UDP ping to common ports
```

All Ports Return as 'Filtered'
Symptom: All 65535 scanned ports on <target> are in ignored states. OR thousands of ports show as filtered (net-unreach/no-response)
The Cause: Your packets are being dropped by a firewall, WAF, or AWS security group. This often happens if your scan is too aggressive and triggers a rate-limiter, or if you are scanning the wrong protocol (e.g., scanning TCP when the server only accepts UDP/QUIC).
The Fixes:
- Slow down (--max-rate 10 or -T2)
- Spoof the source port (-g 53)
- Send fragmented packets (-f)
- Try UDP scans (-sU)
The Scan Takes Too Long
Symptom: Nmap hangs at a small percentage, and the ETA keeps climbing into hours.
The Cause: Scanning all 65,535 ports against a rate-limited or distant server takes time. Reverse DNS resolution can also bottleneck a scan.
The Fix:
- Stop resolving hostnames (-n)
- Speed up (-T4 or --min-rate 1000)
- Scan top ports only (--top-ports 100)
TCP Wrapped services
Symptom: Port is open, but the service is listed as tcpwrapped.
The Cause: The TCP handshake completed, but an access-control layer (like TCP Wrappers) or the application itself closed the connection without sending any data, so nmap cannot fingerprint the service.
The Fix: There isn't a direct nmap flag to bypass this. You are dealing with an application-layer firewall. You will need to spoof your IP, find whitelisted subnets, or look for other attack vectors.
Unrecognized Service
Symptom: Port is open, but the service is listed as unknown.
The Cause: Nmap knows a port is open, but the banner or response didn’t match anything in its nmap-services database. This often happens with custom CTF services or malware listeners.
The Fixes:
- Aggressive version detection (-sV --version-all): tries every probe in the database against the port, regardless of which ports the probe is normally sent to.
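As an added example (not part of these notes), a small Python triage script for the -oX output mentioned in the HackTheBox command: it separates fingerprinted services from tcpwrapped and unidentified open ports, the two cases covered in the troubleshooting entries above, and counts the ports nmap collapsed as filtered. The XML is a constructed, abridged sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged nmap -oX output (not a real scan): one fingerprinted
# service, one tcpwrapped port, one open port nmap could not identify.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.0.0.5">
 <host><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <extraports state="filtered" count="65532"><extrareasons reason="no-responses" count="65532"/></extraports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
    <service name="tcpwrapped" method="probed" conf="8"/></port>
   <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/></port>
  </ports>
 </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each IPv4 host to its identified, tcpwrapped, unknown and filtered ports."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        summary = {"open": [], "tcpwrapped": [], "unknown": [], "filtered": 0}
        # <extraports> collapses the ports that share one state (here 65532 filtered).
        for extra in host.iterfind("ports/extraports[@state='filtered']"):
            summary["filtered"] += int(extra.get("count", 0))
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            # With -sV, a port that has no <service> or only a table guess
            # (method != "probed") is the "unknown" case from the troubleshooting notes.
            if svc is None or svc.get("method") != "probed":
                summary["unknown"].append(portid)
            elif svc.get("name") == "tcpwrapped":
                summary["tcpwrapped"].append(portid)
            else:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                summary["open"].append((portid, svc.get("name"), version))
        results[addr.get("addr")] = summary
    return results


if __name__ == "__main__":
    for ip, summary in parse_nmap_xml(SAMPLE_XML).items():
        print(ip, summary)
```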
Related Usage
```dataview
TABLE creation_date AS "Created"
FROM "05 - Content"
WHERE contains(tools, this.file.link) AND contains(tags, "🚩")
SORT file.name ASC
```