Port Scanning & Service Enumeration

Comprehensive port scanning and service discovery reference.


Nmap Basics

Host Discovery

BASH
nmap -sn 192.168.1.0/24           # Ping scan
nmap -sn -PS22,80 192.168.1.0/24  # TCP SYN ping
nmap -sn -PA80,443 10.0.0.0/8     # TCP ACK ping
nmap -sn -PU53 192.168.1.0/24     # UDP ping

Port Scanning

BASH
nmap -sS 10.10.10.10              # TCP SYN (half-open); needs root, default when root
nmap -sT 10.10.10.10              # TCP connect; default (and only option) unprivileged
nmap -sU 10.10.10.10              # UDP scan (slow; combine with --top-ports or -p)
nmap -sA 10.10.10.10              # ACK scan: maps firewall filtering, does not find open ports

Port Specification

BASH
nmap -p 80 10.10.10.10            # Single port
nmap -p 80,443,8080 10.10.10.10   # Multiple ports
nmap -p 1-1000 10.10.10.10        # Range
nmap -p- 10.10.10.10              # All 65535 ports
nmap --top-ports 100 10.10.10.10  # Top 100 common

Service Detection

BASH
nmap -sV 10.10.10.10                        # Version detection
nmap -sV --version-intensity 9 10.10.10.10  # Try every probe (0-9, default 7; 5 is lighter than default)
nmap -sC 10.10.10.10                        # Default scripts (same as --script=default)
nmap -A 10.10.10.10                         # OS detection + version + default scripts + traceroute

Speed Optimization

BASH
nmap -T4 10.10.10.10              # Aggressive timing
nmap -T5 10.10.10.10              # Insane (may miss ports)
nmap --min-rate 1000 10.10.10.10  # Send at least 1000 packets/sec
nmap --max-retries 1 10.10.10.10  # Fewer retries (faster, may miss ports on lossy links)
nmap -n 10.10.10.10               # No DNS resolution

Nmap Scripts

BASH
# Categories (vuln and exploit include intrusive scripts; check --script-help first)
nmap --script=vuln 10.10.10.10
nmap --script=safe 10.10.10.10
nmap --script=exploit 10.10.10.10

# Specific scripts (quote wildcards so the shell does not expand them)
nmap --script=http-enum 10.10.10.10
nmap --script="smb-vuln*" 10.10.10.10
nmap --script=ssl-heartbleed 10.10.10.10

# All HTTP scripts against port 80
nmap --script "http-*" -p 80 10.10.10.10

Useful Scripts

BASH
http-enum              # Probes for common web app paths (discovery/intrusive, not a full brute force)
http-headers           # HTTP response headers
http-methods           # Allowed methods (OPTIONS); flags risky ones such as PUT/TRACE
smb-enum-shares        # SMB shares
smb-vuln-ms17-010      # EternalBlue check
ftp-anon               # Anonymous FTP login
ssh-brute              # SSH password bruteforce (noisy; can lock accounts)

Masscan (Fast Scanning)

BASH
# Scan all ports fast (needs root; high rates can saturate links and trip IDS, tune --rate to the network)
masscan -p1-65535 10.10.10.0/24 --rate=10000

# Specific ports across a large range
masscan -p80,443,8080 10.0.0.0/8 --rate=100000

# List output, one "open tcp 22 10.10.10.10 <timestamp>" line per port; pull the port column into nmap -p for -sC -sV
masscan -p1-65535 10.10.10.10 -oL masscan.txt
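
The usual way to combine the flags above is a two-stage scan: sweep every TCP port quickly with no probes, then run `-sC -sV` only on the ports that came back open, with masscan's `-oL` list as an alternative first stage. The script below is an added example, not code from the original page or from the nmap or masscan projects. It assumes nmap is on PATH and that you are authorised to scan the target passed as the first argument; the `-oG` and `-oL` files it parses when run without arguments are constructed samples, not real scan results.

```sh
#!/bin/sh
# Added example (not from the original page): two-stage nmap workflow plus the
# glue that turns nmap -oG or masscan -oL output into an nmap -p port list.
#   stage 1: every TCP port, fast, no probes (-p- --min-rate 1000 -n -Pn -oG)
#   stage 2: -sC -sV only on the ports stage 1 reported open

# Ports an nmap grepable (-oG) file reports as open, as "22,80,443".
# UDP "open|filtered" results are deliberately excluded: they are unconfirmed.
ports_from_gnmap() {          # $1 = .gnmap file
  grep -o '[0-9][0-9]*/open/' "$1" | cut -d/ -f1 | sort -nu | paste -s -d, -
}

# Same for a masscan list file (-oL). Record lines look like:
#   open tcp 443 10.10.10.10 1700000000
ports_from_masscan_list() {   # $1 = masscan -oL file
  awk '$1 == "open" { print $3 }' "$1" | sort -nu | paste -s -d, -
}

# Two-stage scan of one target. Writes scan_<target>_all.gnmap and
# scan_<target>_detail.{nmap,xml,gnmap}.
staged_scan() {               # $1 = target (IP or hostname)
  target=$1
  prefix="scan_$target"
  nmap -p- --min-rate 1000 -n -Pn -oG "${prefix}_all.gnmap" "$target" >/dev/null
  ports=$(ports_from_gnmap "${prefix}_all.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  echo "open ports on $target: $ports"
  nmap -sC -sV -p "$ports" -oA "${prefix}_detail" "$target"
}

# Constructed sample output (not real scan results) so the parsers run offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/all.gnmap" <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -p- -oG all.gnmap 10.10.10.10
Host: 10.10.10.10 ()    Status: Up
Host: 10.10.10.10 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///, 161/open|filtered/udp//snmp///    Ignored State: filtered (65530)
# Nmap done (constructed sample)
EOF
cat > "$SAMPLE_DIR/masscan.txt" <<'EOF'
#masscan
open tcp 443 10.10.10.10 1700000000
open tcp 22 10.10.10.10 1700000001
open tcp 8443 10.10.10.10 1700000002
# end
EOF

if [ $# -gt 0 ]; then
  staged_scan "$1"
else
  echo "nmap -oG sample    -> $(ports_from_gnmap "$SAMPLE_DIR/all.gnmap")"
  echo "masscan -oL sample -> $(ports_from_masscan_list "$SAMPLE_DIR/masscan.txt")"
fi
```

Run it as `sh staged.sh 10.10.10.10` to scan; without arguments it only exercises the parsers on the embedded samples. Stage 1 runs unprivileged as a connect scan and as a SYN scan under root, matching the `-sS`/`-sT` behaviour described above.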

RustScan (Speed + Nmap)

BASH
# Fast port discovery, then nmap on the open ports (everything after -- is passed to nmap)
rustscan -a 10.10.10.10 -- -sC -sV

# Custom port range
rustscan -a 10.10.10.10 -r 1-65535

# Multiple targets
rustscan -a 10.10.10.10,10.10.10.11

Service-Specific Enumeration

HTTP/HTTPS (80/443)

BASH
whatweb http://target.com             # Technology fingerprint
nikto -h http://target.com            # Web server misconfiguration and vuln checks (noisy)
# Wappalyzer (browser extension) fingerprints the stack from the browser

SMB (445)

BASH
smbclient -L //10.10.10.10 -N                         # List shares over a null session
enum4linux -a 10.10.10.10                             # Users, shares, groups, password policy
crackmapexec smb 10.10.10.10 -u '' -p '' --shares     # Shares via null session (substitute creds if you have them)

DNS (53)

BASH
dig axfr domain.com @10.10.10.10      # Zone transfer; try each server listed by: dig NS domain.com
dnsrecon -d domain.com -t axfr        # Tries AXFR against every NS of the domain
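
A zone transfer that succeeds hands you the hostnames and addresses of the whole zone, which is exactly the target list the port-scanning steps above need. The script below is an added example, not code from the original page or from the dig/dnsrecon projects: it tries AXFR against every authoritative nameserver of a domain and extracts A/AAAA records from the answer into "name address" pairs. It assumes dig is installed and that you are authorised to query the domain; `domain.com` and the transfer output embedded in the script are constructed sample data, and the live `try_axfr` path only runs when a domain is passed as the first argument.

```sh
#!/bin/sh
# Added example (not from the original page): AXFR against every NS of a
# domain, and A/AAAA extraction from the answer. The sample zone is constructed.

# Hostnames and addresses from A/AAAA records in dig AXFR output,
# printed as "name address", one per line, duplicates removed.
hosts_from_axfr() {   # $1 = file holding "dig +noall +answer axfr" output
  awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { sub(/\.$/, "", $1); print $1, $5 }' "$1" | sort -u
}

# Unique addresses only, ready for: nmap -iL targets.txt
addrs_from_axfr() {   # $1 = file holding dig axfr output
  hosts_from_axfr "$1" | awk '{ print $2 }' | sort -u
}

# Ask each authoritative server for the zone; the first one that answers with
# records wins. A refused transfer yields no "IN" lines, so it is skipped.
try_axfr() {          # $1 = domain
  domain=$1
  out="axfr_${domain}.txt"
  for ns in $(dig +short NS "$domain"); do
    if dig +noall +answer "@$ns" "$domain" axfr > "$out" 2>/dev/null \
       && grep -q '[[:space:]]IN[[:space:]]' "$out"; then
      echo "zone transfer allowed by $ns" >&2
      hosts_from_axfr "$out"
      return 0
    fi
  done
  echo "no nameserver of $domain allowed AXFR" >&2
  return 1
}

# Constructed sample of what "dig +noall +answer axfr" prints on success.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
domain.com.          3600    IN    SOA    ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 86400
domain.com.          3600    IN    NS     ns1.domain.com.
domain.com.          3600    IN    MX     10 mail.domain.com.
ns1.domain.com.      3600    IN    A      10.10.10.2
www.domain.com.      3600    IN    A      10.10.10.20
mail.domain.com.     3600    IN    A      10.10.10.25
vpn.domain.com.      3600    IN    A      10.10.10.30
www.domain.com.      3600    IN    AAAA   2001:db8::20
domain.com.          3600    IN    SOA    ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 86400
EOF

if [ $# -gt 0 ]; then
  try_axfr "$1"
else
  hosts_from_axfr "$SAMPLE"
fi
```

Pipe `addrs_from_axfr` into a file and hand it to `nmap -iL`; the hostnames are worth keeping too, since names like `vpn` tell you what to enumerate first.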

SNMP (161)

BASH
snmpwalk -c public -v1 10.10.10.10    # Walk the MIB with the default community (try -v2c as well)
onesixtyone 10.10.10.10 public        # Test one community string; -c wordlist.txt tries a list

LDAP (389)

BASH
ldapsearch -x -H ldap://10.10.10.10 -s base -b ''     # Anonymous rootDSE query; namingContexts gives the base DN for further searches

Output Formats

BASH
nmap -oN output.txt 10.10.10.10   # Normal
nmap -oX output.xml 10.10.10.10   # XML
nmap -oG output.gnmap 10.10.10.10 # Grepable
nmap -oA output 10.10.10.10       # All three (output.nmap, output.xml, output.gnmap)