Skip to main content


Exploring Network Terrain: A Comprehensive Guide to Nmap Enumeration
As ethical hackers and penetration testers, the first step in uncovering potential vulnerabilities within a network is thorough enumeration. Nmap, a powerful network scanning tool, offers a plethora of scanning techniques to gather crucial information about target systems. In this article, we'll delve into various Nmap enumeration techniques, showcasing their utility and providing insights into their application.

1. Nmap Stealth Scan

sudo nmap -sS <TARGET IP>

The stealth scan employs TCP SYN packets to quietly explore open ports without completing the full TCP handshake, reducing the likelihood of detection.

2. Nmap Connect Scan

nmap -sT <TARGET IP>

The connect scan establishes a full TCP connection to target ports, offering a more reliable but potentially more detectable method of enumeration.

3. Nmap UDP Scan

sudo nmap -sU <TARGET IP>

Uncover open UDP ports with this scan, crucial for discovering potential entry points often missed by TCP scans.

4. Nmap Combination Scan

sudo nmap -sS -sU <TARGET IP>

Combine the stealth and UDP scans for a comprehensive assessment of the target's network landscape.

5. Nmap Network Sweeping

nmap -sn <TARGET IP RANGE>

Conduct a network sweep to identify live hosts within a specified IP range.

6. Nmap OS Fingerprinting

sudo nmap -O <TARGET IP>

Discover the operating system running on the target system using Nmap's OS fingerprinting capabilities.

7. Nmap Top 20 Port Scan and Output to Greppable Format

nmap -sT -A --top-ports=20 <TARGET IP RANGE> -oG top-port-sweep.txt

Focus on the top 20 ports, combining service version detection and outputting results to a greppable format for further analysis.

8. Nmap Banner Grabbing/Service Enumeration

nmap -sV -sT -A <TARGET IP>

Retrieve detailed information about services running on open ports, aiding in vulnerability assessment.

9. Nmap Scripting Engine (NSE) - SMB OS Discovery

nmap <TARGET IP> --script=smb-os-discovery

Utilize Nmap's Scripting Engine to connect to the SMB service and determine the target system's operating system.

10. Nmap DNS Zone Transferring

nmap --script=dns-zone-transfer -p 53 <TARGET DNS SERVER>

Check for potential DNS zone transfers, a common misconfiguration that can lead to valuable information disclosure.

11. Nmap NSE View Help

nmap --script-help <SCRIPT NAME>
# e.g., nmap --script-help dns-zone-transfer

Access the Nmap Scripting Engine's help to understand the functionalities of specific scripts.

12. Nmap SMB Enumeration

nmap -v -p 139,445 -oG smb.txt <TARGET IP RANGE>

Perform an in-depth enumeration of SMB services on target systems, identifying potential vulnerabilities.

13. Nmap SMB OS Discovery

nmap -v -p 139,445 --script=smb-os-discovery <TARGET IP>

Leverage Nmap's SMB OS Discovery script to determine the operating system of specific SMB services.

14. Nmap SMB Vulnerability Detection (MS08-067)

nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <TARGET IP>

Identify missing critical patches related to the MS08-067 vulnerability in specific SMB services.

15. Nmap Scan for NFS Shares (Portmapper, rpcbind)

nmap -v -p 111 <TARGET IP RANGE>

Scan for Network File System (NFS) shares, potentially exposing sensitive information.

16. Nmap Find Services Registered with rpcbind

nmap -sV -p 111 --script=rpcinfo <TARGET IP RANGE>

Identify services registered with rpcbind, aiding in the discovery of additional attack vectors.

17. Nmap Scan for SNMP

sudo nmap -sU --open -p 161 <TARGET IP RANGE> -oG open-snmp.txt

Conduct a UDP scan to reveal open SNMP ports, a valuable resource for extracting network information.