Skip to main content

CPT Scan Recipes


These recipes combine multiple Nmap flags to address common operational scenarios encountered during Cyber Protection Team (CPT) missions. Each recipe is designed to balance scan thoroughness, speed, and operational awareness.

Save All Output

Unless conducting in-memory one-liners, always pair scan recipes with -oA <filename> to save results in all formats for deconfliction, documentation, and post-mission reporting.


Initial Network Recon​

Two-Phase Discovery + Enumeration​

A two-phase approach: first identify live hosts, then enumerate services only on those hosts. This avoids wasting time scanning dead IPs on large subnets.

# Phase 1 β€” Identify live hosts
nmap -sn -n 192.168.1.0/24 -oG /tmp/live_hosts.gnmap

# Phase 2 β€” Service scan only live hosts
nmap -sS -sV -sC -n -Pn \
-p 21,22,23,25,53,80,88,135,139,389,443,445,636,1433,3268,3389,5985,8080,8443 \
-iL <(grep "Status: Up" /tmp/live_hosts.gnmap | awk '{print $2}') \
-oA /tmp/service_scan
  • Use Case: Standard initial assessment of an unknown network.
  • Why: Separating discovery from enumeration significantly reduces total scan time and avoids generating excessive noise against dead IPs.

Quick Top-Port Sweep​

nmap -sS -n -T4 --top-ports 100 --open 192.168.1.0/24 -oA /tmp/quick_sweep
  • Use Case: Rapid initial visibility into the most common services before committing to a longer scan.
  • Why: The top 100 ports cover the vast majority of commonly exposed services and complete in a fraction of the time of a full scan.

Full Network Enumeration​

All TCP Ports with Service and Script Detection​

nmap -sS -sV -sC -p- -T4 -n --open 192.168.1.0/24 -oA /tmp/full_enum
  • Use Case: Thorough enumeration when time allows and all services must be identified.
  • Why: -p- scans all 65535 TCP ports; -sV -sC identifies service versions and runs default NSE scripts; --open reduces output noise.
Scan Time

A full -p- scan of a /24 subnet can take hours even at -T4. Consider segmenting the subnet into smaller chunks or running against a live host list from Phase 1.

Top 1000 TCP + Top 100 UDP Combined​

nmap -sS -sU --top-ports 100 -sV -n -T4 192.168.1.0/24 -oA /tmp/tcp_udp_scan
  • Use Case: Balancing TCP and UDP coverage without committing to a full 65535-port sweep.
  • Why: Combining TCP SYN and UDP in a single scan saves time. --top-ports 100 for UDP focuses on the highest-value services (DNS, SNMP, DHCP, TFTP, NTP, etc.).

Windows Host Enumeration​

Find WinRM-Enabled Hosts​

nmap -Pn -n -p 5985,5986 --open 192.168.1.0/24 -oG - | grep "open" | awk '{print $2}'
  • Use Case: Identifying hosts with Windows Remote Management (WinRM) enabled β€” primary targets for remote PowerShell access.
  • Why: -Pn skips host discovery since WinRM hosts may not respond to ping. Targets ports 5985 (HTTP) and 5986 (HTTPS) directly.

Full Windows Service Fingerprint​

nmap -Pn -sV -sC -n \
-p 135,139,445,3389,5985,5986 \
--script=smb-os-discovery,smb2-security-mode \
192.168.1.0/24 -oA /tmp/windows_scan
  • Use Case: Rapidly characterizing Windows hosts for SMB signing status, OS version, RDP availability, and WinRM exposure.
  • Why: smb-os-discovery returns OS version, domain, and workgroup; smb2-security-mode reveals whether SMB signing is required, enabled but not required, or disabled.

Find Domain Controllers​

Domain controllers typically expose LDAP (389), LDAPS (636), Global Catalog (3268/3269), and Kerberos (88).

nmap -Pn -n -p 88,389,636,3268,3269 --open 192.168.1.0/24 -oG - | grep "open" | awk '{print $2}'
  • Use Case: Identifying domain controllers for targeted enumeration or lateral movement planning.
  • Why: The combination of ports 88 and 389 open on a single host is a strong indicator of a domain controller.

Web Infrastructure Discovery​

Find Web Servers and Grab Page Titles​

nmap -Pn -n -p 80,443,8080,8443,8888 -sV \
--script=http-title,http-server-header \
--open 192.168.1.0/24 -oA /tmp/web_scan
  • Use Case: Discovering web services and quickly characterizing their purpose before manual investigation.
  • Why: http-title retrieves the HTML page title; http-server-header grabs the Server: response header β€” together they rapidly identify web applications without manual browsing.

SSL Certificate Enumeration​

nmap -Pn -n -p 443,8443 \
--script=ssl-cert,ssl-enum-ciphers \
192.168.1.0/24 -oA /tmp/ssl_scan
  • Use Case: Enumerating SSL/TLS certificates and assessing cipher suite strength on HTTPS services.
  • Why: ssl-cert extracts certificate details including Common Name, Subject Alternative Names, issuer, and expiry; ssl-enum-ciphers identifies weak ciphers and deprecated protocol versions (SSL 3.0, TLS 1.0/1.1).

Credential and Authentication Exposure​

Find Anonymous FTP / SMB Null Sessions​

nmap -Pn -n -p 21,445 \
--script=ftp-anon,smb-enum-shares \
--open 192.168.1.0/24 -oA /tmp/anon_scan
  • Use Case: Identifying misconfigured services that allow unauthenticated access.
  • Why: ftp-anon tests for anonymous FTP login; smb-enum-shares attempts to enumerate SMB shares including those accessible via null session.

Stealth / Evasion Recipes​

Low-and-Slow Sweep​

nmap -sS -T1 -n -f --data-length 25 --randomize-hosts \
-p 22,80,443,3389,5985 \
192.168.1.0/24 -oA /tmp/stealth_scan
  • Use Case: Minimizing detection footprint when scanning a monitored environment.
  • Why: -T1 slows probe rate; -f fragments packets; --data-length 25 changes packet sizes; --randomize-hosts breaks sequential sweep patterns.

Decoy-Assisted Scan​

nmap -sS -D RND:8 --source-port 53 -n -T2 \
-p 22,80,443,445,3389 \
192.168.1.1 -oA /tmp/decoy_scan
  • Use Case: Obscuring the true scan origin against log-based detection.
  • Why: 8 random decoys combined with source port 53 spoofing make it significantly harder to identify the actual scanning host from raw connection logs.

Output Pipeline Recipes​

Build a Live IP List​

nmap -sn -n 192.168.1.0/24 -oG - | grep "Status: Up" | awk '{print $2}' | tee /tmp/live_hosts.txt

Find All Hosts with a Specific Port Open​

nmap -Pn -n -p 3389 192.168.1.0/24 -oG - | grep "3389/open" | awk '{print $2}' | tee /tmp/rdp_hosts.txt

Multi-Format Output with Timestamp​

nmap -sV -sC -T4 192.168.1.0/24 -oA "/tmp/scan_$(date +%Y%m%d_%H%M%S)"
  • Use Case: Automatically timestamping output files to avoid overwriting previous scan results during iterative scanning.