# Information Gathering & Enumeration

## Port Scanning with Nmap
Port scanning is the foundation of every penetration test. Nmap is the industry-standard tool for network reconnaissance and is essential for OSCP.
## Why Enumeration is Critical
The OSCP exam tests your methodology as much as your exploitation skills. A thorough enumeration phase typically reveals:
```
Enumeration Reveals:
├── Open ports and services
├── Software versions (for exploit matching)
├── Operating system hints
├── Misconfigurations
└── Attack surface for exploitation
```
OSCP Truth: "Enumerate harder" is more important than "Try harder." 80% of pentesting is enumeration.
## Nmap Fundamentals

### Basic Scan Types

```bash
# TCP SYN scan (default, fast, requires root)
sudo nmap -sS <target>

# TCP Connect scan (no root needed, but slower)
nmap -sT <target>

# UDP scan (slow but necessary)
sudo nmap -sU <target>

# Combined TCP + UDP
sudo nmap -sS -sU <target>
```
### Understanding Scan Output

```
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  closed   https
139/tcp  filtered netbios-ssn
```

```
States explained:
├── open       = Service accepting connections
├── closed     = Port accessible but no service
├── filtered   = Firewall blocking probes
└── unfiltered = Port accessible, state unknown
```
## OSCP-Recommended Scan Methodology

### Phase 1: Quick Initial Scan

Start with the most common ports to get quick wins:

```bash
# Top 1000 ports (nmap's default), default scripts and version detection
nmap -sC -sV -oN initial.txt <target>
```

| Flag | Purpose |
|---|---|
| `-sC` | Run default scripts |
| `-sV` | Detect service versions |
| `-oN` | Output to normal file |
### Phase 2: Full TCP Scan

While working on initial findings, run a comprehensive scan:

```bash
# All 65535 TCP ports
sudo nmap -sS -p- -oN alltcp.txt <target>

# Or with timing optimization
sudo nmap -sS -p- --min-rate=1000 -oN alltcp.txt <target>
```
### Phase 3: Targeted Service Scan

Once you find open ports, get detailed info:

```bash
# Detailed scan on discovered ports
sudo nmap -sC -sV -p 22,80,445,8080 -oN targeted.txt <target>
```
### Phase 4: UDP Scan

Don't skip UDP: many exploitable services run here.

```bash
# Top 20 UDP ports (faster)
sudo nmap -sU --top-ports=20 -oN udp.txt <target>

# Common exploitable UDP services
sudo nmap -sU -p 53,67,68,69,123,161,162,500 <target>
```
## Essential Nmap Options

### Timing Templates

```bash
-T0  # Paranoid (IDS evasion, very slow)
-T1  # Sneaky
-T2  # Polite
-T3  # Normal (default)
-T4  # Aggressive (recommended for OSCP labs)
-T5  # Insane (may miss ports)
```
### Output Formats

Always save your scans:

```bash
-oN scan.txt    # Normal output (human readable)
-oG scan.gnmap  # Grepable output
-oX scan.xml    # XML output (for tools)
-oA scan        # All formats at once
```
### Script Categories

The Nmap Scripting Engine (NSE) is powerful:

```bash
# Run all default scripts
nmap -sC <target>

# Run a specific category
nmap --script=vuln <target>

# Common useful categories:
--script=default    # Safe, general info
--script=discovery  # Additional enumeration
--script=vuln       # Vulnerability detection
--script=safe       # Non-intrusive scripts
```
## Practical Scanning Workflow

For each target in the OSCP exam, follow this pattern:

```bash
# Step 1: Quick scan for immediate work
nmap -sC -sV -oN nmap/initial $IP

# Step 2: Full port scan (run in background)
sudo nmap -sS -p- --min-rate=1000 -oN nmap/alltcp $IP &

# Step 3: Check results of full scan
grep open nmap/alltcp

# Step 4: Deep scan on new ports found
sudo nmap -sC -sV -p <new,ports> -oN nmap/targeted $IP

# Step 5: UDP scan
sudo nmap -sU --top-ports=20 -oN nmap/udp $IP
```
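Steps 3 and 4 are usually done by eye; the helper below is an added example (not part of the original guide) that parses `-oN` output into a comma-separated list ready for `-p`, and reports which ports the full `-p-` scan found that the initial top-1000 scan did not. The scan text is a constructed sample, not real output.

```bash
# Constructed sample of nmap -oN output (not from a real scan).
SAMPLE_SCAN=$(cat <<'EOF'
Nmap scan report for 10.10.10.10
Host is up (0.020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
445/tcp   open     microsoft-ds
8080/tcp  open     http-proxy
EOF
)

# extract_open_ports: read nmap -oN text on stdin and print the ports in
# state "open" as a comma-separated list ready for "nmap -p".
# Unlike a plain "grep open", this skips header lines and the
# "open|filtered" state that UDP scans report.
extract_open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
             split($1, parts, "/")
             ports = ports (ports ? "," : "") parts[1]
         }
         END { print ports }'
}

# new_ports INITIAL FULL: given two comma-separated port lists, print the
# ports that appear only in FULL (what the -p- scan found that the
# top-1000 initial scan missed), preserving FULL's order.
new_ports() {
    awk -v initial="$1" -v full="$2" 'BEGIN {
        n = split(initial, seen_list, ",")
        for (i = 1; i <= n; i++) seen[seen_list[i]] = 1
        m = split(full, full_list, ",")
        for (i = 1; i <= m; i++)
            if (!(full_list[i] in seen))
                out = out (out ? "," : "") full_list[i]
        print out
    }'
}

# Stand-alone usage: assume the initial scan saw only 22, 80 and 445, then
# work out which ports from the full scan still need a targeted -sC -sV scan.
INITIAL_PORTS="22,80,445"
FULL_PORTS=$(printf '%s\n' "$SAMPLE_SCAN" | extract_open_ports)
echo "Full scan open ports:        $FULL_PORTS"
echo "Ports needing targeted scan: $(new_ports "$INITIAL_PORTS" "$FULL_PORTS")"
```

In the real workflow, feed `nmap/initial` and `nmap/alltcp` through `extract_open_ports` instead of the sample and pass the result of `new_ports` to `-p` in Step 4.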
## Common Mistakes to Avoid

| Mistake | Why It's Bad | Solution |
|---|---|---|
| Skipping full port scan | Miss services on non-standard ports | Always do `-p-` |
| Forgetting UDP | Miss SNMP, TFTP, DNS | Scan top UDP ports |
| Not saving output | Lose valuable information | Always use `-oA` |
| Using `-T5` timing | Unreliable results | Stick to `-T4` |
| Scanning before target is up | Wasted time | Ping check first |
## Nmap Cheat Sheet

```bash
# OSCP exam quick reference
sudo nmap -sC -sV -oA nmap/initial $IP                  # Initial
sudo nmap -sS -p- --min-rate=1000 -oA nmap/full $IP     # Full TCP
sudo nmap -sU --top-ports=20 -oA nmap/udp $IP           # UDP

# Version-specific scripts (quote wildcards so the shell does not expand them)
nmap --script=http-enum $IP          # Web enumeration
nmap --script='smb-enum*' $IP        # SMB enumeration
nmap --script=ftp-anon $IP           # FTP anonymous check

# Vulnerability scanning
nmap --script=vuln -p 445 $IP        # SMB vulnerabilities
nmap --script='http-vuln*' -p 80 $IP # Web vulnerabilities
```

Next, we'll dive deep into service-specific enumeration techniques.