Hakluke’s Guide to Nmap — Port Scanning is Just The Beginning

Luke Stephens (@hakluke)
5 min read · Aug 26, 2020

A while back, I posted a Twitter thread that described the Nmap features that I actually use. It really blew up! Nearly 80,000 people saw that thread, so I thought it would be good to put it into a blog post that can be searched and referred to over the long term. The original tweet is here: https://twitter.com/hakluke/status/1263821957163741185

The thing is, Nmap is one of those OG hacking tools that has been around forever, and it’s incredible. But, similar to amass, Nmap is a tool that is synonymous with hacking and extremely well known, yet most people don’t know how to use it to full advantage. Many people rarely do more than this:

$ nmap host

If you’re doing this, you’re not even scanning all the ports, and you’re definitely not extracting all of the information that Nmap is capable of finding! Nmap is a port scanner at heart, but it does so much more than just tell you which ports are open. You can use Nmap for service/OS detection and even vulnerability scanning. In this blog post, I’m going to outline how I use Nmap. I hope that by reading this, you will be able to use Nmap more effectively, and find more bugs!

The Basic Scan

By default, Nmap does a standard TCP SYN scan on the top 1000 ports of the host. I never…
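The point above is that a default scan tells you far less than Nmap can find once you ask for service and OS detection. The block below is an added example (not code from the original post) that reads the XML report Nmap writes with `-oX` and turns it into a per-host summary of open ports, service/version strings and the best OS match, which is what you would feed into an asset inventory or a diff against the previous scan. The XML embedded in it is a constructed sample shaped like the output of `nmap -sV -O -oX scan.xml <host>` against a documentation address; it is not a real scan result, and the `parse_nmap_xml` and `format_report` helpers are my own names.

```python
"""Summarise an Nmap XML (-oX) report: open ports, service details, OS guess.

Added example, not part of the original post. The sample XML below is
constructed to mirror Nmap's -oX layout; swap it for a real file written by
`nmap -sV -O -oX scan.xml <host>` to use the parser on actual output.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one host, two open ports, one filtered port, one OS match.
# RFC 5737 documentation address, so it points at nothing real.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10" version="7.91">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.0 - 5.4" accuracy="95"/></os>
  </host>
</nmaprun>
"""


@dataclass
class PortInfo:
    port: int
    protocol: str
    state: str          # open / closed / filtered ...
    service: str        # service name (may come from the port table, not a probe)
    product: str        # only filled when -sV actually fingerprinted the service
    version: str


@dataclass
class HostReport:
    address: str
    hostname: str
    os_guess: str
    ports: list[PortInfo] = field(default_factory=list)

    def open_ports(self) -> list[PortInfo]:
        return [p for p in self.ports if p.state == "open"]


def parse_nmap_xml(xml_text: str) -> list[HostReport]:
    """Parse an -oX document into one HostReport per host that was up."""
    root = ET.fromstring(xml_text)
    reports: list[HostReport] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry no useful port data
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")  # Nmap lists matches best-first
        report = HostReport(
            address=addr_el.get("addr", "") if addr_el is not None else "",
            hostname=name_el.get("name", "") if name_el is not None else "",
            os_guess=os_el.get("name", "") if os_el is not None else "",
        )
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            report.ports.append(PortInfo(
                port=int(port.get("portid", "0")),
                protocol=port.get("protocol", ""),
                state=state.get("state", "") if state is not None else "",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        reports.append(report)
    return reports


def format_report(report: HostReport) -> list[str]:
    """One header line per host, then one line per open port with its service info."""
    lines = [f"{report.address} ({report.hostname or 'no PTR'}) os={report.os_guess or 'unknown'}"]
    for p in report.open_ports():
        svc = " ".join(x for x in (p.service, p.product, p.version) if x)
        lines.append(f"  {p.port}/{p.protocol} {p.state} {svc}")
    return lines


if __name__ == "__main__":
    for host_report in parse_nmap_xml(SAMPLE_XML):
        print("\n".join(format_report(host_report)))
```

Only ports whose state is `open` make it into the summary; the filtered 443/tcp in the sample is kept in `HostReport.ports` so a later scan can be compared against it, but it is not reported as a finding. The parser uses the standard-library `xml.etree`, which is appropriate for reports you generated yourself; if you ever ingest XML from a source you do not control, parse it with a hardened library instead.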
