A bunch of nmap flags because I often forget.

Detection Link to heading

  • -A - All the host detection stuff
  • -sV - Attempts to fingerprint services on ports
  • -sn - No port scanning, only discover hosts. Example command to discover hosts on the network:
nmap -sn ip_block/subnet

Ports Link to heading

  • -p- - Scan all ports
  • -p80,443 - Scan port 80 and 443
  • -p1-100 - Scan ports 1 to 100
  • F - Scan the top 100 most popular ports (Nmap defaults to 1000)

Timing templates Link to heading

A flag to set underlying timeouts for stuff based on the network


Defaults to -T3, -T4 is often nice on a ~decent~ network and may result in some speed ups if it is.

Example network scan Link to heading

Get internal address


Scan for hosts

nmap -sn ip_block/subnet

Then scan hosts with either of the following

nmap -sV -p- ip
nmap -A -T4 -p- ip

Also can easily check for things like exposed internal panels by curling it

curl http://ip