2026-03-15
Nmap Quick Reference
Common Nmap flags and scan types I use in CTFs and recon.
Basic Scans
```bash
# Default scan (top 1000 ports, SYN scan if root)
nmap <target>
# Scan all 65535 ports
nmap -p- <target>
# Aggressive scan (OS detect, version detect, script scan, traceroute)
nmap -A <target>
```
Port Specification
```bash
nmap -p 22,80,443 <target>   # specific ports
nmap -p 1-1000 <target>      # port range
nmap -p- <target>            # all ports
```
Scan Types
| Flag | Type |
|------|------|
| -sS | SYN scan (stealth, requires root) |
| -sT | TCP connect scan |
| -sU | UDP scan |
| -sV | Version detection |
| -sC | Default scripts |
| -O | OS detection |
Output
```bash
nmap -oN output.txt <target>     # normal output
nmap -oX output.xml <target>     # XML output
nmap -oG output.gnmap <target>   # grepable output
nmap -oA output <target>         # all formats
```
Useful Combos
```bash
# Quick recon
nmap -sC -sV -oN scan.txt <target>
# Full port scan then targeted
nmap -p- --min-rate 5000 <target>
nmap -sC -sV -p <found-ports> <target>
```
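One way to fill in `<found-ports>` for the second step, as an added example that is not part of the original post: it assumes the full port scan was saved with `-oG`, and the helper names `open_ports` and `sample_gnmap` and the sample scan line are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn grepable (-oG) results from the full port scan into the
# comma-separated list that the targeted scan takes after -p.

# Constructed sample of -oG output (TEST-NET address, not a real host).
sample_gnmap() {
    printf '# constructed sample of nmap -oG output\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 8080/open/tcp//http-proxy///, 22/open/tcp//ssh///, 443/closed/tcp//https///, 80/open/tcp//http///\tIgnored State: filtered (65531)\n'
}

# open_ports (hypothetical helper): read -oG text on stdin, print open TCP
# ports as a sorted, de-duplicated, comma-separated list.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                # Entries look like port/state/protocol/owner/service/...
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp") print f[1]
                }
            }
        }' | sort -nu | paste -sd, -
}

# Build the follow-up command from the sample; closed ports are dropped.
ports=$(sample_gnmap | open_ports)
echo "nmap -sC -sV -p $ports <target>"
```

With a real results file the call is `open_ports < all.gnmap`, where `all.gnmap` is a placeholder for whatever name was passed to `-oG`.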
These are the flags I reach for most in CTFs. Add -v or -vv for verbosity if you want to watch results live.