
7 Absolutely Essential Nmap Commands for Pen Testing

Updated on January 21, 2026

Kali is a beast. The Linux pentesting distro is preloaded with hundreds of tools for exploration, enumeration, and exploitation—and learning all of them can feel overwhelming. Fortunately, there’s a small core you’ll use again and again. We covered these top tools in a previous post, and you can find them throughout these cybersecurity courses. Today, we're going to deep dive into the tippy top of that list: the pentester's Swiss Army knife, Nmap.

This open-source network scanner does it all, from host discovery to port scanning to OS detection. It’s also fully extensible through the Nmap Scripting Engine, making it easy to automate scans—like hunting for Windows servers running unpatched SMB. One command, a short list of vulnerable hosts, and suddenly you’re holding the lowest-hanging fruit in the environment.

And yes, Nmap even made it into Hollywood. Trinity used it in this scene to spot a system with SSH open on port 22. The follow-up “sshnuke” exploit is pure movie magic, but the methodology is real: enumerate services, identify versions, and research vulnerabilities. SSHv1 exploits like that are long patched and obsolete today, but the workflow hasn’t changed.

You probably won’t be taking down power plants anytime soon—but let’s look at how you will use Nmap in everyday pentesting.

Using Kali and Stapler to Enumerate Targets with Nmap

To explore Nmap usage, we'll work with a boot-to-root image called Stapler. Boot-to-root images are virtual machines preconfigured with system services and other software, ready to run as a real-world server. They are intentionally vulnerable to hacking in some way; the machine serves as an exercise for your pentest skills in a safe, legal, controlled environment.

For this article and Stapler, download the image and run it in your favorite virtualization platform alongside Kali to follow along. Follow the same flow as the last article to find Stapler's IP on your virtual network with (surprise surprise) Nmap and the -sn flag to ping the entire subnet for live hosts.

Stapler has many open ports, so there are plenty of services to enumerate with Nmap. In any pentest engagement or exercise, enumeration is key. You cannot simply start pounding on the first interesting-looking service you come across; many hours have been wasted due to insufficient enumeration.

You must explore every open port first, understanding the services running on each before forming a plan of attack.

Quick note: Stapler works well for demonstrating enumeration concepts, but many learners prefer newer platforms such as VulnHub, Hack The Box, or TryHackMe, which provide actively maintained targets and guided labs. Regardless of the platform, the enumeration workflow shown here remains the same.

1. Basic Nmap Scan

The basic Nmap scan is just running it with no flags at all, only the IP of the machine you are testing:

root@Kali:~# nmap 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 17:11 EST
Nmap scan report for 10.211.55.6
Host is up (0.00030s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql

This scans the target on a set of around 1,000 of the most common TCP ports, determines whether any are open, and lists them. Nothing fancy: no determining what the application is, nothing interesting about the host, just a quick check for open ports.

Note: The output shown uses an older Nmap version, but the flags and behavior remain consistent across newer releases.

2. OS Enumeration

Add an -O flag on the end to tell Nmap to try to figure out the server's operating system:

root@Kali:~# nmap 10.211.55.6 -O
…
Device type: general purpose
Running: Linux 5.X|6.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:6
OS details: Linux 5.4 – 6.x

By the way, some output is trimmed from these examples to save space; the trimmed sections are indicated by ellipses.

It found a Linux machine but couldn't really narrow down the kernel version. Nmap does this with TCP/IP stack fingerprinting: it sends a series of crafted probes and compares details of the responses (TCP options, window sizes, initial TTL, IP ID behavior, and so on) against its database of known OS fingerprints.

Other machines might return something more specific, like Windows 2008 R2 or Sun Solaris 11.1, but for Stapler, we don't learn much beyond that it's a Linux box.

3. Scan all TCP Ports

The -p flag is typically used to define a range of ports to scan (for example, -p 100-200 would scan ports 100 through 200). The -p- shorthand, however, scans all 65535 TCP ports, which is helpful for finding services listening on weird, high ports like 12380 in this case.

root@Kali:~# nmap 10.211.55.6 -p-
…
12380/tcp open   unknown

It might be nothing, or it might be a sysadmin thinking he's clever by hiding something on an odd port.

4. Default Scripts

This is where the power of Nmap really starts to show. The Nmap Scripting Engine (NSE) allows anyone to add functionality to Nmap by means of scripts, which can supercharge Nmap to identify specific applications listening on ports, scan for known exploits against those applications, scan for common misconfigurations of services, and much more.

The -sC flag runs a set list of default scripts against your target. This can be a gold mine for a poorly configured server:

root@Kali:~# nmap 10.211.55.6 -sC
…
21/tcp   open   ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.211.55.4
|      Logged in as ftp
…
|      vsFTPd 3.0.3 – secure, fast, stable
|_End of status
22/tcp   open   ssh
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain
| dns-nsid:
|   id.server: ATL
|_  bind.version: dnsmasq-2.75
80/tcp   open   http
|_http-title: 404 Not Found
…
3306/tcp open   mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
…

The complete output from Stapler is much longer; we just wanted to highlight a few juicy things it found. For example, the FTP server allows anonymous logins, meaning you can connect without any real credentials. Definitely make a note of that as something to check out later. There's also the FTP server application's name and version (vsFTPd 3.0.3); note those so you can check for known exploits.

SSH is open, and we get its host key fingerprints; nothing too useful yet, but maybe we'll find some credentials later or get desperate and try to brute-force a login. Dnsmasq and its version are worth checking for exploits. There's a web server running; note this so we can perform further file and directory enumeration with Gobuster. Finally, we have a MySQL instance (5.7.12). Put that in your notes; finding a credential could lead to later exfiltrating some interesting data.

That was a ton of information from just a single Nmap flag! Again, good enumeration means you are in it for the long game; don't just immediately connect to FTP and see what files are in there. There's no better time waster than going down rabbit holes.

Speaking of enumeration, a pro tip is to use -oN <file> (or -oA <basename>, which writes normal, XML, and grepable output at once) to save your scan results to a file; it's handy for having something to reference later without waiting for scans to rerun.

5. The All Flag

Now, what if you could combine those three flags into one all-powerful flag? Well, that's as simple as using the -A flag. The -A flag enables OS detection, version detection, default NSE scripts, and traceroute in a single command:

root@Kali:~# nmap 10.211.55.6 -A

This makes -A a convenient option when you want a broad overview of a target without running multiple separate scans.

One important note: -A does not automatically scan all 65,535 TCP ports. By default, it still scans Nmap’s top ports unless you explicitly include -p-. If you want both aggressive detection and a full port sweep, combine the flags:

root@Kali:~# nmap 10.211.55.6 -A -p-

That combination gives you deep visibility—but it’s also noisier and slower, so use it intentionally. 

6. More Scripts

The default scripts are great, but what if you wanted to attack the machine a little more brazenly? Along with default, there's a whole set of script categories you can throw against a machine with the --script flag, for example: --script default,discovery,exploit,vuln.

It won't reveal much on Stapler as there aren't any vulnerabilities on the exposed services, but keep this flag in the back of your head.

7. UDP Scans

If you remember your Net+ training, you'll know that, along with TCP, some network services also run on UDP. It's not nearly as common, but thorough enumeration always includes a check on that protocol as well.

UDP scanning is a lot slower than TCP, so it's recommended you use a flag like this, which will only scan the 250 most common UDP ports:

root@Kali:~# nmap 10.211.55.6 -sU --top-ports 250
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 18:00 EST
…
PORT    STATE         SERVICE
53/udp  open|filtered domain
68/udp  open|filtered dhcpc
69/udp  open|filtered tftp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm

In this case, scanning UDP revealed a potentially interesting TFTP server. Spoiler alert: Connecting to the TFTP server gets you write access into the same directory as the root of the web server. Upload a PHP reverse shell file, set up a listener on Kali, connect to the file on the website, and *BOOM* instant shell on the server as an unprivileged user. Good thing you scanned UDP ports, right?

Enumeration is super important in pentesting, and Nmap is always the first tool to use. A simple port scan gives you the most basic information when pentesting any machine. Think about it, without knowing what ports are open, how else could you start poking and prying at a server?
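To make the note-taking from the -sC and -sU sections concrete, here is an added example (not code from the article): a small Python parser for Nmap's normal output that attaches each NSE script's lines to its port, pulls out version strings and the anonymous-FTP finding, and flags open|filtered UDP ports that still need confirmation. The sample report is constructed from the TCP and UDP fragments shown above; on your own scans, feed it a file saved with -oN.

```python
import re
# Constructed sample (added example, not the article's own output): the -sC TCP and -sU UDP
# fragments above, stitched into one Stapler report in the layout Nmap writes with -oN.
SAMPLE = """\
21/tcp   open          ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|      Connected to 10.211.55.4
|_     vsFTPd 3.0.3 - secure, fast, stable
53/tcp   open          domain
| dns-nsid:
|_  bind.version: dnsmasq-2.75
3306/tcp open          mysql
| mysql-info:
|_  Version: 5.7.12-0ubuntu1
69/udp   open|filtered tftp
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered|unfiltered)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_? ?([a-z0-9-]+):\s*(.*)$")  # matches only a top-level NSE script line
VERSION_RE = re.compile(r"(?:[A-Za-z][\w-]*[ -])?\d+\.\d+[\w.-]*")  # "vsFTPd 3.0.3", "dnsmasq-2.75"
def parse_nmap_normal(text):
    """One dict per port line; NSE script output is attached to the port it follows."""
    entries, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m[1]), "proto": m[2], "state": m[3], "service": m[4], "scripts": {}}
            entries.append(current)
        elif current and line.startswith("|"):
            s = SCRIPT_RE.match(line)
            if s:                        # start of a new script block, e.g. "| ftp-anon: ..."
                script = s[1]
                current["scripts"][script] = [s[2]] if s[2] else []
            elif script:                 # indented continuation of the current script
                current["scripts"][script].append(line.lstrip("|_ "))
    return entries
def enumeration_notes(entries):
    """Findings worth writing down: version strings, anonymous FTP, and still-ambiguous UDP ports."""
    notes = []
    for e in entries:
        key = f"{e['port']}/{e['proto']} {e['service']}"
        if e["state"] == "open|filtered":   # no UDP reply is not proof that the port is open
            notes.append(f"{key}: ambiguous UDP state, confirm with -sV or a protocol-specific probe")
        for line in (l for lines in e["scripts"].values() for l in lines):
            for v in VERSION_RE.findall(line):
                if not re.search(r"\d+\.\d+\.\d+\.\d+", v):  # an IPv4 address is not a version
                    notes.append(f"{key}: version {v}")
        if any("login allowed" in l for l in e["scripts"].get("ftp-anon", [])):
            notes.append(f"{key}: anonymous FTP login allowed")
    return notes
```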

Final Thoughts

There are many more ways to use Nmap, both powerful and nuanced, but these basics you'll come back to again and again. Get practicing on machines in Vulnhub or HackTheBox and don't ever forget: ENUMERATE, ENUMERATE, ENUMERATE!

