Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Nmap Basics - The Security Practitioner's Swiss Army Knife SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Nmap Basics - The Security Practitioner's Swiss Army Knife

To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to go back to basics on nmap and demonstrate why nmap really is a security practitioner’s swiss army knife and should be in each of our testing toolkits.
If you just run the basic nmap command you are taking advantage of Fyodor’s team excellent work to make nmap more than just a basic port scanner. For example: 

$ nmap -sT <scan_target>

On the surface this is just a simple TCP portscan.  But even this takes advantage of work that was done as part of building nmap.  Nmap -sT, by default, does not scan every TCP port.  By default nmap scans the top 1000 ports that are commonly open on the Internet.  So rather than taking a whole lot of time scanning all 65,536 TCP ports nmap focuses the scan to the 93% of ports that are most likely to be open, thus reducing the time required for the scan.  If 93% is not good enough this value can be adjusted using the --top-ports option.  For example:

nmap -sT--top-ports=5000 <scan_target>

will scan greater than 99% of the most common ports.  If you are curious about the top open ports more details can be found on the nmap most popular ports page  and for the incurably curious the open frequency for each port is in the nmap-services file in each nmap installation.

This basic scan looks a lot like a port scan:

$ nmap -sT <scan_target>
Starting Nmap 7.60 ( ) at 2020-05-09 18:45 UTC
Nmap scan report for <scan_target> (<IP>)
Host is up (0.067s latency).
rDNS record for <IP>: <DNS lookup>
Not shown: 997 filtered ports
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 5.85 seconds


But adding a few parameters can get you a whole lot more information for very little work.

Bojan referred to -sV in his diary.  -sV enables version detection; which interrogates the port to see if nmap can determine what application is running on the port.  This can be taken a lot further with one more flag -A. -A, is sort of the catch all flag.  It enables a number of features, service detection (-sV), OS detection (-O), script scanning (-sC) and traceroute (--traceroute).  This scan will take longer, and will generate more network traffic, but will give you a whole lot more information about the target.

OS Detection (-O) uses operating system fingerprinting on the target to try and determine which operating system and version are running on the target. 
Script scanning (-sC) will run the most common NSE scripts, based on the detected open ports, to attempt to learn more about the port.
Traceroute (--traceroute) executes a traceroute from your scanning machine to the target.

$ nmap -sT -A <scan_target>
Starting Nmap 7.60 ( ) at 2020-05-09 19:09 UTC
Nmap scan report for <scan_target> (<IP>)
Host is up (0.064s latency).
rDNS record for <IP>: <DNS Lookup>
Not shown: 997 filtered ports
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 7e:9f:44:b9:38:55:65:4a:17:49:ce:2a:70:1d:75:5e (RSA)
|   256 da:30:3c:2d:9c:42:95:28:1f:b0:95:da:0d:d4:79:87 (ECDSA)
|_  256 a2:4e:02:e1:39:f7:55:b2:45:8a:a3:1f:8c:19:69:07 (EdDSA)
80/tcp  open   http    Apache httpd 2.2.34
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=<redacted>
|_http-server-header: Apache/2.2.34 (<redacted>)
|_http-title: 401 Authorization Required
443/tcp closed https
Aggressive OS guesses: Vodavi XTS-IP PBX (92%), Android 5.0 - 5.1 (91%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 4.8 (91%), Linux 3.10 (90%), Linux 4.2 (90%), Linux 3.13 (90%), Linux 4.4 (89%), Linux 2.6.32 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: <scan_target>

TRACEROUTE (using proto 1/icmp)
<traceroute removed for brevity>

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 30.06 seconds

I have set up several periodic scans like this as part of what my group calls automated red team, but what is really just automated data gathering for our red team.  In addition to the command above we write the results out to a file as XML, and use the ndiff command to compare this week’s scan with last week’s scan and email the result to our response team for investigation. -oA <filename> will store the scan results in all three of nmaps output formats, normal (.nmap), XML (.xml), and grepable (.gnmap).  All of these formats have their advantages (and disadvantages).  The two format I find I use the most are XML, which is what ndiff takes, and grepable, which I find is the easiest to use for adhoc searches.

To avoid the risk of being too verbose, I am going to end this diary here.  If you have any questions about this material, feel free to email me at rwanner(at) and I will endeavor to help you out.  I would also be curious to hear of any creative ways you utilze nmap to make your day to job as a security practitioner easier.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)


307 Posts
ISC Handler
May 9th 2020
Awesome write-up! I appreciate the breakdown of scans included in -A.
Thanks for sharing!

Sign Up for Free or Log In to start participating in the conversation!