nmap

Used for enumeration and red team recon.




How I used it


Category: Service Enumeration
  What I run:   Grab banners on the top ports, run the default NSE scripts, and fingerprint the OS.
  Why I run it: Banners and default script output give a starting point to continue the attack.

Category: All Ports
  What I run:   SYN ("stealth") scan of all 65,535 TCP ports.
  Why I run it: Identify services running on unusual ports that the default top-1000 scan misses.

Category: Vulnerability Scanning
  What I run:   The vuln category of NSE scripts.
  Why I run it: Identify low-hanging-fruit vulnerabilities for an easy win.

Category: UDP Scanning
  What I run:   A UDP scan, since UDP is the other half of the picture that a TCP scan never shows.
  Why I run it: Identify services listening on UDP (SNMP, DNS, TFTP and the like).


Proof


Commands I Use Every Box


Banner Grabbing, Top Scripts, and Operating System Fingerprinting

Banner Grab

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -A -O -oN nmap <IP>

Note: -A already turns on -sC, -sV, -O and --traceroute, so the explicit -sC -sV -O are redundant. OS detection needs raw packets, so run this with sudo; nmap refuses to run the -O part as a normal user. Without -p it only covers the default top 1000 TCP ports.


Stealth scan, all ports

All Ports

┌──(kali㉿kali)-[~]
└─$ nmap -sS -p- -oN nmapfull <IP>

Note: -p- means ports 1-65535. -sS is a SYN (half-open) scan, which needs raw sockets, so run it with sudo. Nothing here does version detection: take the open ports it finds and point -sC -sV at exactly those.


All Vulnerability Scripts

Vulnerability Scan

┌──(kali㉿kali)-[~]
└─$ nmap --script vuln -oN vulnchk <IP>

Note: vuln is an NSE category, so this runs every script tagged vuln against whatever ports the scan covers (the default top 1000 unless -p is given). Pair it with -sV so scripts whose port rules key off the detected service still fire on non-standard ports. These scripts send real probes and are noisy, and their output is a lead to verify by hand, not a finding.


UDP Scanning

UDP Scan

┌──(kali㉿kali)-[~]
└─$ nmap -sU -oN nmapudp <IP>

Note: -sU needs root too. With no port selection it scans the top 1000 UDP ports, and because an unanswered UDP probe is reported as open|filtered only after timing out, this is slow. --top-ports 20 (or -p 53,69,123,161,500) is the quick first pass; adding -sV sends protocol-specific payloads that turn many open|filtered results into a definite open.


What I Learned


-A is loud
Runs OS detection, version detection, script scanning, and traceroute. Great for CTFs. Terrible for real pentests (triggers every IDS). Use targeted scans instead.
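The two-stage version of the workflow above, added here as an example (this is not from the original notes): a SYN sweep of every port is saved as grepable output with -oG, a small parser pulls out the open TCP ports, and the -sC -sV follow-up is aimed at only those ports instead of running -A against everything. The grepable output below is a constructed sample, not a real scan: 192.0.2.10 is a reserved documentation address, nmap writes tabs where the sample has spaces (the parser accepts either), and the function and file names (open_ports, targeted_scan_cmd, full.gnmap, nmap-targeted) are my own choices.

```shell
#!/bin/sh
# Added example: two-stage scan instead of -A against everything.
# Stage 1 (real use):  sudo nmap -sS -p- -oG full.gnmap <IP>
# Stage 2 (real use):  sudo nmap -sC -sV -p "$(open_ports < full.gnmap)" -oN nmap-targeted <IP>
# Below, stage-1 output is replaced by a constructed sample so this runs offline.

# Constructed sample of `nmap -sS -p- -oG -` output (not a real scan;
# 192.0.2.10 is a documentation address; nmap separates the fields with
# tabs, the parser accepts any whitespace).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///, 8443/open/tcp//https-alt///  Ignored State: closed (65531)
# Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports: read grepable (-oG) output on stdin and print the open TCP
# ports as a comma-separated list suitable for nmap -p. Every port entry
# has the form port/state/proto/owner/service/rpc/version, so each
# whitespace-separated token is split on "/" and kept only when the first
# field is a number, the state is "open" and the protocol is "tcp".
# Filtered/closed ports and free-text version strings never match.
open_ports() {
  awk '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        n = split($i, f, "/")
        if (n >= 3 && f[1] ~ /^[0-9]+$/ && f[2] == "open" && f[3] == "tcp")
          ports = (ports == "" ? f[1] : ports "," f[1])
      }
    }
    END { print ports }'
}

# targeted_scan_cmd TARGET: build (but do not run) the stage-2 command for
# the open ports found on stdin. Returns 1 when nothing is open, so a
# follow-up is never launched against an empty port list.
targeted_scan_cmd() {
  found=$(open_ports)
  if [ -z "$found" ]; then
    echo "no open TCP ports in stage-1 output; nothing to scan" >&2
    return 1
  fi
  printf 'sudo nmap -sC -sV -p %s -oN nmap-targeted %s\n' "$found" "$1"
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | targeted_scan_cmd 192.0.2.10
# prints: sudo nmap -sC -sV -p 22,80,8443 -oN nmap-targeted 192.0.2.10
```

In real use replace the sample with `open_ports < full.gnmap`; the same parser works on -sV output, because version strings are extra tokens that never look like a port entry. Filtered ports (3306 above) are deliberately left out of the follow-up.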


UDP scanning takes forever
Seriously. Don’t scan all 65535 UDP ports unless you enjoy watching paint dry. Top 20 ports catches 90% of interesting services.


NSE scripts are hit-or-miss
--script vuln finds easy wins (MS17-010, EternalBlue) but also throws tons of false positives. Always manually verify.


When Nmap Let Me Down

HTB Love - Service was on a weird high port that didn’t show up in top 1000. Had to run full -p- scan. Lesson: if you’re stuck, scan everything.

THM Billing - SNMP was running on UDP. Missed it completely until I ran UDP scan. Lesson: don’t forget UDP exists. Also, SNMP is always interesting when you find it.