Nmap
- Date
- 2026-05-17
With no port options specified, Nmap scans only the 1,000 most common ports.
By default, Nmap performs a TCP scan unless specifically requested to perform a UDP scan.
A “filtered” port STATE tells us that a firewall is only allowing access to the port from specific addresses.
By default, Nmap only shows the service name that is typically mapped to the specific port number. It won’t tell us what is actually listening on that port - unless specifically instructed, Nmap won’t interact with the service to attempt to tease out identifying information.
Port 3389 is the default port for RDS (Remote Desktop Services), an excellent indication that the device is a Windows machine.
Port 22 has to be configured manually on Windows machines, so an open port 22 is a good indication of a Linux machine.
The -sC parameter specifies that Nmap scripts should be used to retrieve more information.
While -sC runs many useful default scripts against a target, the --script option selects a specific script to run.
The -sV parameter specifies a version scan from Nmap, fingerprinting services on the target system and identifying the service protocol, application name and version.
The version scan has a comprehensive database of over 1000 service signatures.
-p- specifies that all 65,535 TCP ports should be scanned.
A quick web search on the application versions can also help reveal the target OS version. However, such cross-referencing is not entirely reliable, as installing a more recent package on an older OS is always possible.
The script scan flag -sC causes Nmap to report the server header (http-server-header) and the page title (http-title) for any web page hosted on the web server.
A PHPInfo file is often created manually to confirm that PHP has been installed successfully, and it includes the PHP version, which is worth noting if it is vulnerable.
I guess the “-p21” option will only scan port 21 of the IP address?
.nse files are Nmap scripts!
nmap -A does an overall scan of a lot of things.
--open only returns open ports.
-oA NAME…
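
An added example, not part of the original notes: when reading a saved scan report, this separates service names that Nmap only looked up from the port number from those it confirmed with a version probe (-sV), and applies the port 3389 / port 22 OS hints from above. It assumes the report was saved in Nmap's XML format; the sample XML, the address 192.0.2.10 and the helper name `summarize` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's XML output (not from a real scan).
SAMPLE_XML = """<nmaprun>
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22">
    <state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
   </port>
   <port protocol="tcp" portid="80">
    <state state="open"/>
    <service name="http" method="table" conf="3"/>
   </port>
   <port protocol="tcp" portid="3389">
    <state state="filtered"/>
    <service name="ms-wbt-server" method="table" conf="3"/>
   </port>
  </ports>
 </host>
</nmaprun>"""

# Heuristics from the notes above; hints only, never proof of the OS.
OS_HINTS = {3389: "Windows (RDS default port)", 22: "Linux (SSH is manual setup on Windows)"}

def summarize(xml_text):
    """Return (rows, os_hints) for every host in an Nmap XML report."""
    rows, hints = [], set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            num = int(port.get("portid"))
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            # method="table": name guessed from the port number; "probed": answered a -sV probe.
            confirmed = svc is not None and svc.get("method") == "probed"
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if confirmed else ""
            rows.append((addr, num, state, name, confirmed, banner))
            if state == "open" and num in OS_HINTS:  # a filtered port is not evidence
                hints.add(OS_HINTS[num])
    return rows, sorted(hints)

if __name__ == "__main__":
    rows, hints = summarize(SAMPLE_XML)
    for addr, num, state, name, confirmed, banner in rows:
        print(f"{addr}:{num}/tcp {state:9} {name:14} {banner if confirmed else 'unverified (port-table guess)'}")
    print("OS hints:", hints or "none")
```

In the sample, port 80 is labelled http only because of its number, and the filtered 3389 entry does not count towards the Windows hint.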