You Must Know These Nmap Scans

N3NU
4 min readNov 1, 2022

--

Table of Contents

Introduction

Vulnerability Scanning

Fast Mode

Aggressive Mode

Timing Templates

Scanning All Ports

Introduction

This blog post covers some Nmap scans you need to know if you are a penetration tester, capture-the-flag (CTF) player, or just a cybersecurity enthusiasts. Note that some of these scans can be combined to fine-tune your scan.

Vulnerability Scanning

Nmap scripts are segmented into several categories, one of them being vuln. Vuln scripts check for known vulnerabilities and generally only report results if they are found. We can run all vuln scripts against a target by running the following Nmap scan.

┌──(N3NU㉿kali)-[~]
└─$ nmap <target-ip> --script vuln

Figure 1 below shows the Nmap vuln script scan in action. If we observe the output, we can see that the Windows machine is vulnerable to MS12–020 and MS17–010.

Figure 1: Nmap Vuln Scan on a Windows Target

Fast Mode

When using Nmap in fast mode, Nmap scans the 100 most common ports instead of the default 1,000 most common ports. This is useful when working in a slow network where running a default scan might take too long for your needs. Fast mode can also be used as the first scan you run to pick up some open ports to investigate as you wait for your larger scan to finish running in the background.

┌──(N3NU㉿kali)-[~]
└─$ nmap -F <target-ip>

Figure 2 below shows the output of an Nmap scan ran with fast mode. Notice the speed of the scan at the end of the output.

Figure 2: Running a Fast Mode Nmap Scan

Aggressive Mode

Running Nmap on aggressive mode is a personal favorite of mine. Aggressive mode enables OS detection, version detection, script scanning, and traceroute. This type of scan is great on targets we interact with for the first time and have little to no information on.

┌──(N3NU㉿kali)-[~]
└─$ nmap -A <target-ip>

Figure 3 below displays the wealth of information we get when using aggressive mode.

Figure 3: Nmap Scan Using “-A” Option

Timing Templates

Nmap offers six timing templates which are used to adjust the speed of our scans. Looking at table 1 below, we can see that as the timing template option increases so does the speed of the scan.

Table 1: Timing Template Option, Name, and Description

Keep in mind that as you increase the speed of your scan you sacrifice accuracy and become noisier on the network. The opposite is true as you decrease the speed of your scan.

┌──(N3NU㉿kali)-[~]
└─$ nmap -T5 <target-ip>

An Nmap scan ran with a timing template of insane can be seen below in figure 4. This option should not be ran if you are trying to be evasive or accurate.

Figure 4: Nmap Scan Ran on a level of Insane

Scanning All Ports

One can sometimes forget that nmap does not scan all 65,535 ports by default. Whether you are involved in a capture-the-flag, a real-world assessment, or simply checking your own system exposure, you should know this Nmap option.

┌──(N3NU㉿kali)-[~]
└─$ nmap -p- <target-ip>

Notice how long scanning all of the ports took in figure 5 below. At no surprise, scanning all ports took considerably longer than a default scan which only took about 4.23 seconds.

Figure 5: Scanning All Ports With Nmap

I hope you have enjoyed reading about some awesome Nmap scans. Subscribe for more tools, tips, and tricks to add to your arsenal.

Until next time…

N3NU

Disclaimer: My content is for informational and educational purposes only. You may try out these hacks on your own computer at your own risk.

--

--

N3NU
N3NU

Responses (1)