Initial Enumeration Tool (noisy as heck) | Performs NMAP Intense scan, runs tools based on results


My usual nmap starter scan for CTF, when stealth isn’t a requirement

nmap -v -A -oA intense <target>

A few other nmap scans

Full TCP port scan with service version detection.

nmap -p 1-65535 -sV -T4 <target> -v

More about service discovery

nmap -p <port> -sV --version-intensity <level> -oN <filename> <target> -v

Set the level from 0 (light) to 9 (try all probes). Higher levels send more probes and are correspondingly noisier.



Quickly scan a range of IPs

nmap -v -T4 <ip-range>

(nmap accepts a last-octet range such as 192.168.1.1-254)

Scan a subnet

nmap -v <subnet>

(CIDR notation, e.g. 10.0.0.0/24)

Scan targets from a text file

nmap -iL list-of-ips.txt -v

NSE Scripts

Get help for a script

nmap --script-help=ssl-heartbleed -v

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse -v <target>

Scan with a set of scripts

nmap -sV --script=smb* -v <target>

Show script options


To get an easy list of the installed scripts try

locate nse | grep script
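Because `locate` only lists file names, a list filtered by NSE category is more useful when noise matters. The POSIX shell function below is an added example, not from this page or from Nmap: it reads entries in the format of Nmap's own `script.db` (installed next to the scripts, typically /usr/share/nmap/scripts/script.db) and prints the scripts in a requested category that are not also tagged `intrusive`, ready to join into a `--script=` list. The four entries are a constructed excerpt; the function name `quiet_scripts` is mine.

```shell
#!/bin/sh
# Added example: filter nmap's script.db by category, skipping "intrusive" scripts.
# Not part of the original page or of Nmap.

# Constructed excerpt in the format nmap uses for script.db
# (normally /usr/share/nmap/scripts/script.db); real entries look the same.
SAMPLE_SCRIPT_DB='Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }'

# quiet_scripts <category> < script.db
# Prints the names (without .nse) of scripts tagged with <category>
# that are NOT also tagged "intrusive", one per line, sorted.
quiet_scripts() {
  want="$1"
  awk -v want="$want" '
    /^Entry/ {
      # filename = "xxx.nse" -> xxx
      match($0, /filename = "[^"]+"/)
      name = substr($0, RSTART + 12, RLENGTH - 13)
      sub(/\.nse$/, "", name)
      # keep only entries carrying the wanted category and lacking "intrusive"
      if ($0 ~ ("\"" want "\"") && $0 !~ /"intrusive"/) print name
    }' | sort
}

# Build a --script= list of non-intrusive discovery scripts from the sample.
# To use the real database: quiet_scripts discovery < /usr/share/nmap/scripts/script.db
printf '%s\n' "$SAMPLE_SCRIPT_DB" | quiet_scripts discovery | paste -sd, -
```

The output of the last line is the comma-separated value to pass as `--script=`; http-enum is dropped because it is tagged intrusive, which matches the noise warning further down this page.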

HTTP Service Information

Gather page titles from HTTP services

nmap --script=http-title -v <target>

Get HTTP headers of web services

nmap --script=http-headers -v <target>

Find web apps from known paths

nmap --script=http-enum -v <target>

There are many HTTP information gathering scripts; these are a few simple ones that help when examining larger networks, because they quickly identify what HTTP service is running on an open port. Note that the http-enum script is particularly noisy. It is similar to Nikto in that it attempts to enumerate known paths of web applications and scripts, which inevitably generates hundreds of 404 responses in the web server's access and error logs.

SMB vulnerability checks (the smb-vuln* scripts target the SMB ports, 139 and 445)

nmap -v -p 139,445 --script=smb-vuln* <target>

IP Address information

Find Information about IP address

nmap --script=asn-query,whois,ip-geolocation-maxmind -v <target>

Gathers information about the IP address and the owner of its netblock using ASN, whois and GeoIP lookups. See the IP Tools for more information and similar IP address and DNS lookups.


SNMP enumeration with snmpwalk (SNMPv1, community string "public")

The entire MIB tree

snmpwalk -c public -v1 <target>

Windows Users:

snmpwalk -c public -v1 <target> 1.3.6.1.4.1.77.1.2.25

Running Windows Processes:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.25.4.2.1.2

Open TCP Ports:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.6.13.1.3

Installed Software:

snmpwalk -c public -v1 <target> 1.3.6.1.2.1.25.6.3.1.2
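The title of this page describes a tool that runs follow-ups based on scan results. As an added example, not the original tool's code, the POSIX shell function below reads nmap grepable output (`-oG`) and, for each open port, prints the follow-up command from this page that matches the service: the HTTP scripts for web ports, the smb-vuln* scripts for SMB, an snmpwalk of the TCP connection table for SNMP, and a deeper version probe for anything else. The host line is a constructed sample and the function name `plan_followups` is mine; the function only prints the plan, so nothing is launched until you pipe its output into a shell yourself.

```shell
#!/bin/sh
# Added example: turn an nmap -oG host line into a list of follow-up commands.
# Not part of the original page's tool. Prints the plan; executes nothing.

# Constructed sample of one "Host:" line as nmap writes it with -oG.
# Fields are tab-separated; each port is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG=$(printf 'Host: 10.10.10.5 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 161/open/udp//snmp//SNMPv1 server/\tIgnored State: closed (996)')

# plan_followups <target> < grepable_output
# Reads -oG text on stdin and prints one follow-up command per open port
# whose service has a playbook entry (duplicates, e.g. 139 and 445, collapse).
plan_followups() {
  target="$1"
  # Keep only the "Ports:" field of Host lines (up to the next tab).
  awk -F'Ports: ' '/^Host:/ && NF > 1 { split($2, a, "\t"); print a[1] }' \
  | tr ',' '\n' \
  | sed 's/^[[:space:]]*//' \
  | while IFS='/' read -r port state proto _ service _; do
      [ "$state" = "open" ] || continue
      case "$service" in
        http|https|http-alt|http-proxy)
          echo "nmap -v -p $port --script=http-title,http-headers,http-enum $target" ;;
        netbios-ssn|microsoft-ds)
          # one SMB check covers both ports; deduplicated below
          echo "nmap -v -p 139,445 --script=smb-vuln* $target" ;;
        snmp)
          # tcpConnLocalPort: listening TCP ports as seen by the agent
          echo "snmpwalk -c public -v1 $target 1.3.6.1.2.1.6.13.1.3" ;;
        *)
          # unknown service: ask nmap to try every version probe on that port
          echo "nmap -p $port -sV --version-intensity 9 $target" ;;
      esac
    done \
  | awk '!seen[$0]++'
}

# Dry run on the constructed sample: prints the plan, executes nothing.
# Against a real scan: plan_followups <target> < intense.gnmap
printf '%s\n' "$SAMPLE_OG" | plan_followups 10.10.10.5
```

Keeping the plan as text before running it is the check that separates a targeted follow-up from the "noisy as heck" everything-at-once approach: you can drop the http-enum line, or the whole SMB line, before anything touches the host.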