A clean, practical nmap reference guide for CTF players and security professionals.
Bookmark it, star it, share it. Take a look around for noobs, students, CTF players, and pros. Click the arrows, scroll.
Part of the SudoCode Pentesting Methodology Guide — by SudoChef.
nmap (Network Mapper) is a free, open-source tool used to discover hosts and services on a network. Think of it like knocking on every door in a building to see who answers — and then noting what kind of door each one has.
It is one of the first tools you will run on any target during a penetration test (authorized security assessment) or CTF (Capture the Flag) challenge.
Official documentation: https://nmap.org/docs.html
🍽️ Scan Menu
These are the most useful named scan combinations. Pick the one that fits your situation.
| Scan Name |
Command |
Use Case |
| 🔍 The Standard |
nmap -sV -sC -oN scan.txt <target> |
Default starting scan for most targets |
| 👻 The Ghost |
nmap -sS -T2 -f --data-length 200 <target> |
Slow, fragmented — evade basic detection |
| 🔬 The Deep Dive |
nmap -sV -sC -p- -oN full.txt <target> |
All 65535 ports, full version + scripts |
| 🌐 The Full Sweep |
nmap -sn 192.168.1.0/24 |
Host discovery across a subnet |
| 🕸️ The Web Check |
nmap -sV -p 80,443,8080,8443 --script http-enum <target> |
Web service fingerprinting |
| 📡 The UDP Pass |
nmap -sU --top-ports 20 <target> |
Top 20 UDP ports |
| 🛡️ The Vuln Sweep |
nmap --script vuln <target> |
Check for known vulnerabilities |
🎯 Target Specification
| Flag |
What it does |
<target> |
Single IP or hostname |
192.168.1.0/24 |
Entire subnet |
-iL targets.txt |
Read targets from a file |
--exclude <IP> |
Skip a specific host |
⚡ Scan Techniques
🟢 Quiet | 🟡 Medium | 🟠 Loud | 🔴 Noisy
| Flag |
What it does |
Noise Level |
-sS |
SYN scan — half-open, fast, stealthy |
🟡 Medium |
-sT |
TCP connect scan — full connection |
🔴 Noisy |
-sU |
UDP scan |
🟡 Medium |
-sn |
Ping sweep — no port scan, just host discovery |
🟢 Quiet |
-sV |
Version detection — what software is running |
🟡 Medium |
-sC |
Default scripts — runs common nmap scripts |
🟡 Medium |
-A |
Aggressive — OS detection, version, scripts, traceroute |
🔴 Noisy |
-v |
Verbose — shows results as ports are found |
🟢 Quiet |
-vv |
More verbose — more detail during the scan |
🟢 Quiet |
-vvv |
Maximum verbosity — everything nmap is doing in real time (most references skip this one) |
🟢 Quiet |
🕐 Timing & Speed
Nmap has 6 timing templates. T0 is the slowest and stealthiest. T5 is the fastest and loudest.
| Flag |
Name |
When to use |
-T0 |
Paranoid |
IDS evasion — extremely slow |
-T1 |
Sneaky |
Slow evasion |
-T2 |
Polite |
Reduces bandwidth usage |
-T3 |
Normal |
Default |
-T4 |
Aggressive |
CTF and lab environments |
-T5 |
Insane |
Fast — unreliable on slow networks |
🔒 Port Specification
| Flag |
What it does |
-p 80 |
Scan a single port |
-p 80,443,8080 |
Scan specific ports |
-p 1-1000 |
Scan a port range |
-p- |
Scan all 65535 ports |
--top-ports 20 |
Scan the 20 most common ports |
💾 Output Formats
Always save your output. You will need it later.
| Flag |
What it does |
-oN scan.txt |
Normal output — human readable |
-oX scan.xml |
XML output — for tools like Metasploit |
-oG scan.gnmap |
Grepable output |
-oA scan |
All three formats at once |
⚔️ CTF vs Professional Use
| Situation |
CTF |
Professional Engagement |
| Speed |
Fast is fine — T4 |
Slow and deliberate — T2 or T3 |
| Noise |
Doesn't matter |
Matters — stay under IDS radar |
| Full port scan |
Always |
Only if scoped and approved |
| Aggressive scan (-A) |
Go for it |
Avoid — too loud |
| Save output |
Good habit |
Required — goes in your report |
| Scripts (--script) |
Use freely |
Check scope first |
View common ports and what to do when you find them
| Port |
Service |
What to do |
| 21 |
FTP |
Try anonymous login: ftp <target> |
| 22 |
SSH |
Check version, try creds if you have them |
| 23 |
Telnet |
Unencrypted — try connecting |
| 25 |
SMTP |
Email server — check for user enumeration |
| 53 |
DNS |
Try zone transfer: dig axfr @<target> |
| 80 |
HTTP |
Open in browser, run Nikto, gobuster |
| 110 |
POP3 |
Email — try default creds |
| 139/445 |
SMB |
Run enum4linux (legacy — prefer enum4linux-ng or netexec), check for EternalBlue |
| 443 |
HTTPS |
Same as 80 — check cert for info |
| 3306 |
MySQL |
Try mysql -u root -h <target> |
| 3389 |
RDP |
Remote Desktop — check for BlueKeep |
| 5432 |
PostgreSQL |
Try default creds |
| 6379 |
Redis |
Often unauthenticated — high value |
| 8080 |
HTTP-alt |
Another web server — check it |
| 27017 |
MongoDB |
Often unauthenticated |
These tools work alongside nmap to give you a fuller picture.
| Tool |
What it does |
Best for |
| RustScan |
Fast port scanner — finds open ports then hands off to nmap |
CTF speed runs |
| Masscan |
Fastest port scanner available — scans the entire internet |
Large networks |
| Nikto |
Web server scanner — finds misconfigs and vulnerabilities |
Web targets |
| Netcat |
Network swiss army knife — connect, listen, transfer |
Everything |
📋 Beginners Cheat Sheet (Intermediate and Advanced see below ⬇️
# Quick start — standard scan
nmap -sV -sC -oN scan.txt <target>
# Full port scan
nmap -sV -sC -p- -oN full.txt <target>
# Host discovery only
nmap -sn 192.168.1.0/24
# Stealth scan
nmap -sS -T2 <target>
# Vulnerability scripts
nmap --script vuln <target>
# UDP top ports
nmap -sU --top-ports 20 <target>
# Web enumeration
nmap -sV -p 80,443,8080 --script http-enum <target>
# Verbosity — add to any scan
nmap -sV -sC -v <target> # see results as they come in
nmap -sV -sC -vv <target> # more detail
nmap -sV -sC -vvv <target> # maximum — nothing hidden
📁 Advanced Reference Index
| File |
What's inside |
| Named Scans |
The Standard, The Ghost, The Deep Dive, The Full Sweep, and more |
| Field Scans |
Real scans used in CTF, school labs, research, and professional engagements |
| Advanced Techniques |
Pivot scanning, OS fingerprinting, decoys, firewall evasion, internal recon |
| What To Do With Your Results |
Post-scan workflow, service research, documentation habits |
| File |
What's inside |
| Common Ports Reference |
25 common ports, what they are, and exactly what to do when you find them open |
| File |
What's inside |
| Complementary Tools |
RustScan, Masscan, Nikto, Netcat — with Mac, Linux, and Windows install instructions |
by SudoChef · Part of the SudoCode Pentesting Methodology Guide