Nmap you’re doing it wrong

I’m a long time fan of Nmap as I’m sure we all are and have spent hours on end scanning and building boxes specifically for scanning. Recon is one of my favorite topics and connectivity is what originally sparked my passion for computers. I love the versatility and stability of Nmap and I use it daily. So it’s easy to understand why I get annoyed when people run it default like this:

Nmap your doing it wrong default

With the long list of features in this long standing and amazingly awesome tool if you fire it off like above I’m sorry but you’re doing it wrong. Taking the time to get to know Nmap can help you speed up your scans significantly as well as make them more informative and useful. Let me walk you through the right way to use Nmap on a typical assessment.

Host scans

The first thing your going to want to do on any assessment is take the list of addresses that are in scope( I like to put all of my verified in scope addresses/ranges into a text file so that I don’t accidentally fat finger the keys and scan something out of scope) and discover which ip addresses’s have hosts that are up. This is also sometimes referred to as a ping scan. This will save you time because when you begin port scanning you can fire it off specifically on host that Nmap has identified as up. Nmap won’t port scan hosts that don’t respond to some sort of probe request but it’s still better to quickly form this list.

Here are some of the switches I use in my host scans to get faster results:

  • -iL This allows you to specify an input list(Like I said to avoid scanning out of scope hosts)
  • --exclude or --exclude-file This allows to specify addresses not to scan
  • -sn This will disable port scanning
  • -n Never do dns resolution(unless you have a good reason)
  • -oA Output in all formats
  • -T<0-5> Timing templates(This can speed up your scan but use with caution)


root@kali:~/Doingitwrong# nmap -sn -n -T3 -iL scope.txt -oA hosts.txt

Nmap your doing it wrong Host scan

You can see that to scan 254 hosts it took 35 seconds which is much faster than it would have been if we included port scanning. Now that you have your list of up hosts you create a new list and start running more thorough port scanning, service fingerprinting, and OS detection

Working with output

So you may have noticed that we output our data to all output types with the -oA command. This is so we can take the data and create our new list of host that are up. In our case we could have technically just used the -oG switch instead to just get greppable output. In many cases you may be looking for something very specific such as hosts that have port 80 open and are up. I found quite a bit of information about working with the greppable format here for scenarios like this. In our scenario we will take the hosts that Nmap has identified as up and turn it into a new ip address list.

root@kali:~/Doingitwrong# grep -v ^# hosts.txt.gnmap | awk '{print $2}' > portscan

Nmap your doing it wrong output

off course there are tons of ways you can get to the same result so do your research so that you are familiar with awk, cut, & grep. The point is that you want to chisel your list down before entering into the information gathering stage.

Gathering more info

After getting your new list of hosts that Nmap has identified as up you can start creating a scan to get more information about each host. This can be done by port scanning, service/version detection, and OS detection. This is a stage where understanding more than just the use of Nmap can go a long way. Understanding the 3 way handshake and some fundamental details about networking can be important.

Here are some of the switches I use for gathering info:

  • -sS Send a TCP SYN and waits for a syn/ack to determine if port is open
  • -sV Determine service version of the service running on a port
  • -O Determine the operating system of the host
  • -p Specify what ports to scan(Important ports 21,22,23,80,443,445,1433,3306,3389,5432)
  • --reason Helps determine why Nmap says a port is closed or filtered


root@kali:~/Doingitwrong# nmap -sS -sV -O -p 21,22,23,80,443,445,1433,3306,3389,5432 --reason -T4 -iL portscan.txt

Nmap your doing it wrong infogather

Now you have some nice information to dig through to identify vulnerable services and map the network. What to do after this goes outside of the scope of this article. Off course I could talk about Nmap scans all day and with all the features it’s possible but I simply wanted to make a point that getting to know Nmap can really assist you in having much better scanning techniques

Other notable features

There are a few other features I want to note:

  • --open only list ports that are open. You may only want to see open ports. You can also grep this out later
  • --sT TCP Connect scan. If you think your not getting accurate service version info use this(slows down scans)
  • --sU Scan for UDP ports that would otherwise be missed


References and More Resources

Post navigation