CPT Scan Recipes
These recipes combine multiple Nmap flags to address common operational scenarios encountered during Cyber Protection Team (CPT) missions. Each recipe is designed to balance scan thoroughness, speed, and operational awareness.
Unless conducting in-memory one-liners, always pair scan recipes with -oA <filename> to save results in all formats for deconfliction, documentation, and post-mission reporting.
Initial Network Reconβ
Two-Phase Discovery + Enumerationβ
A two-phase approach: first identify live hosts, then enumerate services only on those hosts. This avoids wasting time scanning dead IPs on large subnets.
# Phase 1 β Identify live hosts
nmap -sn -n 192.168.1.0/24 -oG /tmp/live_hosts.gnmap
# Phase 2 β Service scan only live hosts
nmap -sS -sV -sC -n -Pn \
-p 21,22,23,25,53,80,88,135,139,389,443,445,636,1433,3268,3389,5985,8080,8443 \
-iL <(grep "Status: Up" /tmp/live_hosts.gnmap | awk '{print $2}') \
-oA /tmp/service_scan
- Use Case: Standard initial assessment of an unknown network.
- Why: Separating discovery from enumeration significantly reduces total scan time and avoids generating excessive noise against dead IPs.
Quick Top-Port Sweepβ
nmap -sS -n -T4 --top-ports 100 --open 192.168.1.0/24 -oA /tmp/quick_sweep
- Use Case: Rapid initial visibility into the most common services before committing to a longer scan.
- Why: The top 100 ports cover the vast majority of commonly exposed services and complete in a fraction of the time of a full scan.
Full Network Enumerationβ
All TCP Ports with Service and Script Detectionβ
nmap -sS -sV -sC -p- -T4 -n --open 192.168.1.0/24 -oA /tmp/full_enum
- Use Case: Thorough enumeration when time allows and all services must be identified.
- Why:
-p-scans all 65535 TCP ports;-sV -sCidentifies service versions and runs default NSE scripts;--openreduces output noise.
A full -p- scan of a /24 subnet can take hours even at -T4. Consider segmenting the subnet into smaller chunks or running against a live host list from Phase 1.
Top 1000 TCP + Top 100 UDP Combinedβ
nmap -sS -sU --top-ports 100 -sV -n -T4 192.168.1.0/24 -oA /tmp/tcp_udp_scan
- Use Case: Balancing TCP and UDP coverage without committing to a full 65535-port sweep.
- Why: Combining TCP SYN and UDP in a single scan saves time.
--top-ports 100for UDP focuses on the highest-value services (DNS, SNMP, DHCP, TFTP, NTP, etc.).
Windows Host Enumerationβ
Find WinRM-Enabled Hostsβ
nmap -Pn -n -p 5985,5986 --open 192.168.1.0/24 -oG - | grep "open" | awk '{print $2}'
- Use Case: Identifying hosts with Windows Remote Management (WinRM) enabled β primary targets for remote PowerShell access.
- Why:
-Pnskips host discovery since WinRM hosts may not respond to ping. Targets ports 5985 (HTTP) and 5986 (HTTPS) directly.
Full Windows Service Fingerprintβ
nmap -Pn -sV -sC -n \
-p 135,139,445,3389,5985,5986 \
--script=smb-os-discovery,smb2-security-mode \
192.168.1.0/24 -oA /tmp/windows_scan
- Use Case: Rapidly characterizing Windows hosts for SMB signing status, OS version, RDP availability, and WinRM exposure.
- Why:
smb-os-discoveryreturns OS version, domain, and workgroup;smb2-security-modereveals whether SMB signing is required, enabled but not required, or disabled.
Find Domain Controllersβ
Domain controllers typically expose LDAP (389), LDAPS (636), Global Catalog (3268/3269), and Kerberos (88).
nmap -Pn -n -p 88,389,636,3268,3269 --open 192.168.1.0/24 -oG - | grep "open" | awk '{print $2}'
- Use Case: Identifying domain controllers for targeted enumeration or lateral movement planning.
- Why: The combination of ports 88 and 389 open on a single host is a strong indicator of a domain controller.
Web Infrastructure Discoveryβ
Find Web Servers and Grab Page Titlesβ
nmap -Pn -n -p 80,443,8080,8443,8888 -sV \
--script=http-title,http-server-header \
--open 192.168.1.0/24 -oA /tmp/web_scan
- Use Case: Discovering web services and quickly characterizing their purpose before manual investigation.
- Why:
http-titleretrieves the HTML page title;http-server-headergrabs theServer:response header β together they rapidly identify web applications without manual browsing.
SSL Certificate Enumerationβ
nmap -Pn -n -p 443,8443 \
--script=ssl-cert,ssl-enum-ciphers \
192.168.1.0/24 -oA /tmp/ssl_scan
- Use Case: Enumerating SSL/TLS certificates and assessing cipher suite strength on HTTPS services.
- Why:
ssl-certextracts certificate details including Common Name, Subject Alternative Names, issuer, and expiry;ssl-enum-ciphersidentifies weak ciphers and deprecated protocol versions (SSL 3.0, TLS 1.0/1.1).
Credential and Authentication Exposureβ
Find Anonymous FTP / SMB Null Sessionsβ
nmap -Pn -n -p 21,445 \
--script=ftp-anon,smb-enum-shares \
--open 192.168.1.0/24 -oA /tmp/anon_scan
- Use Case: Identifying misconfigured services that allow unauthenticated access.
- Why:
ftp-anontests for anonymous FTP login;smb-enum-sharesattempts to enumerate SMB shares including those accessible via null session.
Stealth / Evasion Recipesβ
Low-and-Slow Sweepβ
nmap -sS -T1 -n -f --data-length 25 --randomize-hosts \
-p 22,80,443,3389,5985 \
192.168.1.0/24 -oA /tmp/stealth_scan
- Use Case: Minimizing detection footprint when scanning a monitored environment.
- Why:
-T1slows probe rate;-ffragments packets;--data-length 25changes packet sizes;--randomize-hostsbreaks sequential sweep patterns.
Decoy-Assisted Scanβ
nmap -sS -D RND:8 --source-port 53 -n -T2 \
-p 22,80,443,445,3389 \
192.168.1.1 -oA /tmp/decoy_scan
- Use Case: Obscuring the true scan origin against log-based detection.
- Why: 8 random decoys combined with source port 53 spoofing make it significantly harder to identify the actual scanning host from raw connection logs.
Output Pipeline Recipesβ
Build a Live IP Listβ
nmap -sn -n 192.168.1.0/24 -oG - | grep "Status: Up" | awk '{print $2}' | tee /tmp/live_hosts.txt
Find All Hosts with a Specific Port Openβ
nmap -Pn -n -p 3389 192.168.1.0/24 -oG - | grep "3389/open" | awk '{print $2}' | tee /tmp/rdp_hosts.txt
Multi-Format Output with Timestampβ
nmap -sV -sC -T4 192.168.1.0/24 -oA "/tmp/scan_$(date +%Y%m%d_%H%M%S)"
- Use Case: Automatically timestamping output files to avoid overwriting previous scan results during iterative scanning.