The three Nmap scans I actually run
Most engagements only need three scans. Here's the rotation I settled on after too many over-scripted one-liners.
Over time my Nmap usage has collapsed into three scans. They overlap, but each one answers a different question.
1. The fast triage
nmap -sS -T4 --min-rate 1000 -p- -oN nmap/full.txt $TARGET
Answers: which ports are open? Nothing else. No version detection, no scripts. Just the map. I want this back in under two minutes so I can start thinking.
2. The slow deep dive
nmap -sV -sC -p <open-ports-from-scan-1> -oN nmap/deep.txt $TARGET
Answers: what’s behind those ports? Run this only against the open ports from scan #1. It’s the expensive one. Run it once, come back later.
3. The UDP glance
nmap -sU --top-ports 50 -oN nmap/udp.txt $TARGET
Answers: is there something obvious on UDP? I don’t bother with -p- on UDP — it takes forever and usually yields nothing. Top 50 is enough to catch SNMP, DNS, NTP, TFTP, and the occasional surprise.
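Added here as a worked example (not part of the original post): a small POSIX shell script for the hand-off from scan #1 to scan #2, which parses the open TCP ports out of nmap/full.txt and emits the deep-scan command line; the sample scan output, the target 192.0.2.10 and its ports are constructed for the demo.

```shell
#!/bin/sh
# Glue between scan #1 and scan #2: pull the open TCP ports out of the
# -oN file the triage scan wrote and turn them into the -p list for the
# deep scan. Plain shell + awk, nothing else needed.

# Print the open TCP ports from an nmap -oN file as "22,80,443".
# Only STATE == open counts; filtered ports are not worth -sV/-sC time.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, f, "/"); ports = ports (ports ? "," : "") f[1]
         }
         END { print ports }' "$1"
}

# Build the scan #2 command line for TARGET ($1) from the scan #1 file ($2).
# Fails loudly if scan #1 found nothing, instead of emitting "-p ".
deep_scan_cmd() {
    ports=$(open_ports "$2")
    [ -n "$ports" ] || { echo "no open TCP ports in $2" >&2; return 1; }
    printf 'nmap -sV -sC -p %s -oN nmap/deep.txt %s\n' "$ports" "$1"
}

# Constructed stand-in for nmap/full.txt (not real scan output) so the
# script can be exercised offline; host and ports are made up.
sample_scan1() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample)
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy
# Nmap done (constructed sample)
EOF
}

# Demo run against the constructed file; on a real engagement pass
# nmap/full.txt from scan #1 instead.
main() {
    tmp=$(mktemp)
    sample_scan1 > "$tmp"
    deep_scan_cmd 192.0.2.10 "$tmp"
    rm -f "$tmp"
}
main
```

Both -sS and -sU need raw-socket privileges, so the real scans run under sudo; the script only builds the command line and never scans anything itself.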
Why not one big command?
Because:
- If scan #1 is slow I want to cancel early, not wait on version detection running against ports I haven’t confirmed yet.
- Splitting the output into three files keeps the notes readable months later.
- UDP is almost always a throwaway — keeping it separate means I don’t forget to run it but can also skip it when I’m sure I don’t need it.
Simple beats clever on the clock.