Real pentesters don't.

They think with Nmap.

Every flag, every option, every result answers one simple question:

"What is the target telling me — and what is it trying to hide?"

This blog explains Nmap usage the way a real pentester uses it — from the first network check to the point where enumeration begins.

Before You Scan: How a Pentester Thinks

Before touching Nmap, a pentester never starts with ports.

They start with context.

Three questions come first:

  1. Who am I on this network?
  2. Who is the target?
  3. Is the target reachable — or just silent?

The First Move: Knowing Yourself and the Target

Who Am I on This Network?

The very first step is identifying my own IP address:

ifconfig

Why this matters:

  • Confirms correct network connection
  • Helps avoid scanning the wrong subnet
  • Important later for callbacks and pivoting

A pentester never scans blindly.

Finding the Target Behind the Name

Targets often come as domains, not IPs.

In labs and internal environments, domains are mapped manually in:

/etc/hosts

This allows:

  • Correct domain resolution
  • Proper virtual host testing
  • Accurate web enumeration

Knocking on the Door: Is Anyone Home?

Naturally, we try:

ping <target>

But here's the reality:

Many servers block ICMP.

So remember:

  • No ping response ≠ dead target
  • Ping response ≠ all ports open

This is where Nmap host discovery becomes critical.

Is the Target Alive — Or Just Silent?

Looking Without Touching: Silent Host Discovery

nmap -sn <target>
  • Discovers live hosts only
  • No port scanning
  • Useful for large networks

Speed Over Names: Skipping DNS for Efficiency

nmap -n <target>
  • Skips DNS resolution
  • Faster scans
  • Less noise

When the Target Plays Dead

nmap -Pn <target>

🔥 One of the most important flags in real pentesting.

Used when:

  • ICMP is blocked
  • Firewalls filter pings
  • You assume the host is alive

"I don't need permission to scan — I'll find out myself."

How Do You Knock on the Door?

Not all scans knock the same way.

The Stealth Knock: TCP SYN Scan

nmap -sS <target>
  • Half-open scan
  • Fast and stealthy
  • Default choice for pentesters
  • Requires root privileges

The Obvious Knock: TCP Connect Scan

nmap -sT <target>
  • Full TCP handshake
  • No root needed
  • Easier to detect

Reading Firewalls, Not Ports

nmap -sA <target>
  • Used to understand firewall rules
  • Doesn't tell if ports are open
  • Helps map filtering behavior

The Forgotten Roads: UDP Scanning

nmap -sU <target>
  • Scans UDP services (DNS, SNMP, NTP)
  • Slow but powerful
  • Often ignored — often rewarding

Where Should We Look First?

Targeted Curiosity: Scanning What Matters

nmap -p 22,80,443 <target>

Useful when:

  • Time is limited
  • You know what you're hunting

Nothing Left Behind: Scanning Every Door

nmap -p- <target>

A pentester's habit.

Because:

  • Services hide on non-standard ports
  • "Nothing found" often means "not scanned enough"

Fast, Not Thorough

nmap -F <target>
  • Scans common ports
  • Quick overview
  • Not enough for real pentests

Now Tell Me Who You Really Are

Finding open ports is not enough.

Now we enumerate.

Version Numbers That Open Doors

nmap -sV <target>

Reveals:

  • Service versions
  • Application banners
  • Potential vulnerabilities

Most exploits begin here.

Letting Nmap Ask the First Questions

nmap -sC <target>

Runs default scripts:

  • Service checks
  • Misconfigurations
  • Authentication hints

Fingerprinting the Operating System

nmap -O <target>
  • Identifies OS behavior
  • Helps choose attack paths
  • Improves exploit accuracy

Turning Everything On (Loud but Revealing)

nmap -A <target>

Includes:

  • OS detection
  • Version detection
  • Script scanning
  • Traceroute

Powerful, but noisy.

If You Didn't Save It, You Didn't Scan It

A pentest without logs is guesswork.

  • -oN → normal output
  • -oX → XML output
  • -oG → greppable output
  • -oA → all formats at once (normal, XML and greppable)

Example:

nmap -oA scan_results <target>

Reports need evidence — always.
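The "scan every door" habit and the output formats above fit together as one repeatable workflow. As an added example that is not part of the original post: a sh script that runs a full-port SYN scan saved with -oA, pulls the open ports out of the greppable file, and feeds only those ports to a -sV -sC pass. It assumes nmap is installed (root for -sS); the parser is exercised on a constructed greppable file so that part runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): a two-pass Nmap workflow.
# Pass 1 scans every TCP port with host discovery skipped and keeps all
# output formats (-oA). Pass 2 runs version and default-script detection
# only against the ports pass 1 found. Assumes nmap is installed and the
# target is reachable; the parser is demonstrated on constructed output.

# Print the open TCP ports from an Nmap greppable (-oG) file as "22,80,8080".
open_ports_from_gnmap() {
    # A -oG port line: Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    # Each entry is port/state/proto/owner/service/rpcinfo/version/
    grep '^Host:.*Ports:' "$1" \
        | sed 's/.*Ports: //' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep '/open/tcp/' \
        | cut -d/ -f1 \
        | sort -un \
        | paste -sd, -
}

two_pass_scan() {
    target=$1
    prefix=${2:-scan_results}
    # Pass 1: -Pn (no ping), -n (no DNS), -sS (SYN, needs root), -p- (all ports)
    nmap -Pn -n -sS -p- -oA "$prefix" "$target" >/dev/null || return 1
    ports=$(open_ports_from_gnmap "$prefix.gnmap")
    [ -n "$ports" ] || { echo "no open TCP ports found in $prefix.gnmap"; return 1; }
    # Pass 2: enumerate only what pass 1 found, saved under a second prefix
    nmap -Pn -n -sV -sC -p "$ports" -oA "${prefix}_enum" "$target"
}

# Constructed sample greppable output (not a real scan) to exercise the parser.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap scan initiated as: nmap -Pn -n -sS -p- -oG - 10.0.0.5
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///  Ignored State: filtered (65531)
# Nmap done
EOF

echo "ports to enumerate: $(open_ports_from_gnmap "$SAMPLE_GNMAP")"   # 22,80,8080
```

Run two_pass_scan <target> [prefix] against a live host; the closed port 443 in the sample is dropped, so only 22, 80 and 8080 reach the second pass.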

When You Don't Want to Be Seen

Detection evasion helps avoid simple filters:

  • -f → Fragment packets
  • -D → Decoy IPs
  • -sI → Idle (zombie) scan
  • --source-port → Send from a source port that filters may trust
  • -T0 to -T5 → Timing templates, slowest to fastest

Slower scans often mean better results.

When Nmap Starts Thinking for You

Nmap scripts live in:

/usr/share/nmap/scripts

Common useful scripts:

  • smb-enum-users
  • smb-os-discovery
  • http-enum
  • http-title
  • banner
  • vuln (a script category, not a single script)

Run scripts using (-sC is shorthand for --script default):

nmap -sC <target>
nmap --script vuln <target>

From Scanning to Exploitation: Passing the Baton

Nmap integrates perfectly with Metasploit.

nmap -oX result.xml <target>
service postgresql start
msfconsole

Then, inside msfconsole:

db_import result.xml
hosts

This bridges:

Scanning → Enumeration → Exploitation

Scanning Is Done. Enumeration Begins.

Once you know:

  • Open ports
  • Services
  • Versions
  • OS

👉 Information Gathering is complete