Nmap Cheat Sheet: The Scans Pros Actually Use

Most Nmap guides reproduce the man page. This one covers the flags that appear in real engagement notes and CTF writeups, with the reasoning behind each choice.

Quick-Reference Table

Goal                                              Command
------------------------------------------------  ----------------------------------------
Fast TCP scan (top 1000 ports)                    nmap -T4 <target>
All 65535 TCP ports                               nmap -p- -T4 <target>
Service + version detection                       nmap -sV <target>
OS detection                                      nmap -O <target>
Aggressive (OS + version + scripts + traceroute)  nmap -A <target>
Stealth SYN scan                                  nmap -sS <target>
UDP scan (top 100 ports)                          nmap -sU --top-ports 100 <target>
Default NSE scripts                               nmap -sC <target>
Output all formats                                nmap -oA scan_results <target>

The Go-To Recon One-Liner

nmap -sV -sC -p- -T4 --min-rate 5000 -oA full_scan <target>
  • -sV detects service versions.
  • -sC runs the default safe script category.
  • -p- covers all 65535 ports.
  • --min-rate 5000 sets a floor on packet throughput, useful when you need results fast on non-production targets.
  • -oA writes .nmap, .gnmap, and .xml simultaneously, which matters when you want to post-process with other tools.

Useful NSE Scripts

# Enumerate SMB shares and check for EternalBlue
nmap -p 445 --script smb-enum-shares,smb-vuln-ms17-010 <target>

# HTTP title grab across a subnet
nmap -p 80,443,8080 --script http-title 192.168.1.0/24

# Check for anonymous FTP login
nmap -p 21 --script ftp-anon <target>

Firewall and IDS Evasion

# Fragment packets to bypass naive stateless packet filters
nmap -f <target>

# Spoof source port to 53: firewalls frequently allow traffic from source port 53 as a shortcut for DNS replies
nmap --source-port 53 <target>

# Randomise host scan order when scanning a list to avoid sequential-port signatures
nmap --randomize-hosts -iL targets.txt

On -f: packet fragmentation splits the TCP header across multiple IP fragments. Stateless packet filters that inspect individual fragments will miss the port number entirely. Stateful firewalls and modern IDS reassemble fragments before inspection, so this only works against legacy or misconfigured infrastructure.

On --source-port 53: many firewalls have rules permitting inbound traffic on source port 53 as a shortcut for allowing DNS responses. Spoofing this fools the rule without touching DNS at all.

Where to Go From Here

The logical progression from here is service-specific enumeration against whatever Nmap surfaces. An open port 445 means running enum4linux-ng or crackmapexec smb. An open 8080 with http-title returning a Tomcat default page means checking for CVE-2020-1938 (Ghostcat) via nmap --script ajp-headers. The version strings from -sV are your roadmap: feed them to searchsploit --nmap and cross-reference against vulners.com for recent CVEs that Exploit-DB doesn’t index yet.

For CTF work specifically: always run -sU --top-ports 100 alongside your TCP scan. UDP is slow and easy to skip, which is exactly why CTF authors hide services there. SNMP on UDP 161 and TFTP on UDP 69 are reliable hiding spots.

The blue team detection surface: -sS SYN scans leave half-open connections in firewall state tables and generate RST responses visible in netflow. -T4 with --min-rate produces a connection-rate spike that any decent SIEM will flag. If detection avoidance matters, drop to -T2, remove --min-rate, and add --scan-delay 500ms. The scan takes longer but stays below most threshold-based alerting.
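To make the threshold point concrete from the blue-team side, here is an added example (not from the original post) of the kind of rate-based port-sweep rule a SIEM applies: it counts distinct destination ports per source/destination pair inside a sliding window over constructed flow records. The 10-second window and 50-port threshold are assumed tuning values; the two record sets mimic a -T4 --min-rate burst and a --scan-delay 500ms scan of the same 1000 ports.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0      # sliding window length in seconds (assumed tuning value)
PORT_THRESHOLD = 50  # distinct destination ports per pair inside the window before alerting


def build_records(src, dst, n_ports, interval_s, start=0.0):
    """Construct synthetic flow records (ts, src, dst, dport), one probe per port.

    interval_s models the gap between probes: ~0.001 s for a -T4 --min-rate burst,
    0.5 s for --scan-delay 500ms. Records are constructed sample data, not real telemetry.
    """
    return [(start + i * interval_s, src, dst, 1 + i) for i in range(n_ports)]


def detect_port_sweeps(records, window_s=WINDOW_S, threshold=PORT_THRESHOLD):
    """Return one alert (src, dst, alert_ts) per source/destination pair that touches
    more than `threshold` distinct destination ports within any `window_s` period."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(records):
        key = (src, dst)
        window = recent[key]
        window.append((ts, dport))
        # Drop probes that have aged out of the sliding window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        distinct_ports = {port for _, port in window}
        if len(distinct_ports) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, ts))
    return alerts


if __name__ == "__main__":
    fast = build_records("10.0.0.5", "10.0.0.20", 1000, 0.001)  # burst: trips the rule
    slow = build_records("10.0.0.6", "10.0.0.20", 1000, 0.5)    # 2 probes/s: stays under it
    for src, dst, ts in detect_port_sweeps(fast + slow):
        print(f"ALERT port sweep {src} -> {dst} at t={ts:.3f}s")
```

The slow scan never has more than 21 probes inside any 10-second window, so it is invisible to this rule; catching it needs a longer window or a count of cumulative distinct ports per source, at the cost of more false positives.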