- #nmap
- #ejpt
- #cybersecurity
- #cheatsheet
The nmap commands I keep forgetting
Five flags I've had to look up more than once. Saving them here so I stop.

I run nmap often enough that I should know every flag cold, and not often enough that I actually do. So I keep looking up the same handful. These are the five I've had to search for more than once. I'm writing them down here so I stop, and so the next person studying for the same exams has them in one place.
Quick honesty note before the commands: I'm still studying for the eJPT and Security+. I have not passed either yet. So treat this as study notes from someone in the trenches with you, not advice from someone on the other side of the cert. Only scan machines you own or have written permission to scan. On the exam that's the lab. Anywhere else, get permission first.
1. -sV for service and version detection
A plain port scan tells you a port is open. It does not tell you what is actually listening there. -sV probes the open ports and tries to figure out the service name and version.
nmap -sV 10.10.10.5
This is usually my first real step after I know something is up. Knowing it's "Apache 2.4.49" instead of just "port 80 open" changes everything about what I look at next. Version numbers are how you start mapping a service to known issues. I forget this flag because the basic scan feels like it already did the job, and then I'm staring at a list of open ports with no idea what they are.
2. -sC for the default scripts (or -A when I want everything)
nmap ships with a scripting engine (NSE), and -sC runs the default set of scripts against whatever it finds. These pull extra detail: HTTP titles, SMB info, anonymous FTP login, cert details, and more.
nmap -sC -sV 10.10.10.5
I almost always run -sC and -sV together because the scripts are more useful when nmap already knows the versions. If I want the kitchen sink, -A turns on service detection, default scripts, OS detection, and traceroute in one flag:
nmap -A 10.10.10.5
The tradeoff is that -A is louder and slower. On a real engagement that noise matters. For learning in a lab, it's a fast way to see a lot at once. I forget the difference between -sC and -A constantly, so to be clear: -A includes -sC and -sV, plus OS detection and traceroute on top.
3. -p- to scan all 65535 ports
By default nmap only scans the top 1000 most common ports. That is fine most of the time, but services hide on weird high ports, and the box you're working on may have put SSH on 2222 or a web app on 8080 just to mess with you. -p- scans every port from 1 to 65535.
nmap -p- 10.10.10.5
This is slower, so a common pattern is to run -p- to find every open port, then run a deeper scan only on the ports that came back open:
nmap -p 22,80,2222,8080 -sV -sC 10.10.10.5
The reason I keep forgetting this one is muscle memory. The default scan finds something interesting fast, I get pulled into it, and I never go back to confirm I didn't miss a port. Missing a hidden port has burned me in labs more than once. If you only take one habit from this post, make it "run -p- early."
4. -Pn when ping is blocked
Before scanning ports, nmap tries to check if the host is even up, usually with something like an ICMP ping. If a firewall blocks that, nmap can decide the host is down and skip it entirely, even though it's sitting right there. -Pn tells nmap to skip the host discovery step and just scan, assuming the host is up.
nmap -Pn 10.10.10.5
This one trips me up because the symptom is confusing. nmap says "Host seems down. If it is really up, but blocking our ping probes, try -Pn." It literally tells you the fix, and I still forget until I read that line. If you're certain something is there but nmap insists it's down, -Pn is almost always the answer.
5. -oA (and -oN) to actually save output
This is the one I forget the most, and it's the one I regret forgetting the most. You run a long scan, get a great result, close the terminal, and it's gone. -oN saves human-readable output to a file. -oA saves in all three major formats at once: normal, XML, and grepable.
nmap -sC -sV -oA scans/initial 10.10.10.5
That writes scans/initial.nmap, scans/initial.xml, and scans/initial.gnmap. If I just want the plain text, -oN:
nmap -sC -sV -oN scans/initial.txt 10.10.10.5
The grepable output (.gnmap) is handy when you want to pull "all hosts with port 445 open" out of a big scan later. On a real assessment, saved output is also your evidence and the raw material for the report. Future me always wishes past me had used -oA.
Putting it together
Here's roughly the flow these five flags give me, in order:
# 1. Find every open port, save it
nmap -p- -oA scans/allports 10.10.10.5
# 2. Go deep on what's open, with scripts and versions, save again
nmap -p 22,80,8080 -sC -sV -oA scans/deep 10.10.10.5
# 3. If nmap claims the host is down but you know it's up
nmap -Pn -p- 10.10.10.5
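Two of the flags above only pay off if you actually read the saved output back: step 2 of the flow wants the open ports that step 1's -p- scan found, and section 5 mentions pulling "all hosts with port 445 open" out of the grepable file. The script below is an added example, not part of the original post, that does both with plain awk over a .gnmap file. The file it parses is a constructed sample written to a temp path in the same layout nmap -oA produces (Host line, tab-separated fields, a "Ports:" field with comma-separated port/state/proto/... entries); the hosts, ports and services in it are made up. The follow-up nmap command is printed rather than run so the example works with no target and no nmap installed.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (.gnmap) output, as nmap -p- -oA would
# write it. Hosts, ports and services are invented for this example.
SAMPLE="${TMPDIR:-/tmp}/example-allports.gnmap"
{
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oA scans/allports 10.10.10.0/24\n'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n'
  printf 'Host: 10.10.10.7 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)\n'
  printf 'Host: 10.10.10.9 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.9 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65534)\n'
  printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned in 12.34 seconds\n'
} > "$SAMPLE"

# Print the open TCP ports of HOST as a comma list ready for "nmap -p".
# Only entries whose state is "open" count; filtered/closed ports are skipped.
# usage: open_ports_for_host HOST FILE
open_ports_for_host() {
  awk -F '\t' -v want="$1" '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      if (host != want) next
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")           # f[1]=port f[2]=state f[3]=proto
          if (f[2] == "open" && f[3] == "tcp")
            out = (out == "" ? f[1] : out "," f[1])
        }
      }
    }
    END { print out }' "$2"
}

# Print every host on which PORT is open, one per line (the .gnmap use case
# from section 5: "all hosts with port 445 open").
# usage: hosts_with_port PORT FILE
hosts_with_port() {
  awk -F '\t' -v port="$1" '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[1] == port && f[2] == "open") { print host; break }
        }
      }
    }' "$2"
}

# Step 2 of the flow, built from step 1's saved output. Printed, not executed,
# so this runs without nmap or a target.
PORTS=$(open_ports_for_host 10.10.10.5 "$SAMPLE")
echo "nmap -p $PORTS -sC -sV -oA scans/deep 10.10.10.5"
echo "hosts with 445 open:"
hosts_with_port 445 "$SAMPLE"
```

Note that 10.10.10.9 shows 445 as filtered, not open, so it is correctly left out of both results; that distinction is exactly what a plain grep for "445" on the file would get wrong.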
That's it. Five flags I should have memorized a while ago. Writing them down like this is partly for you and mostly so I stop opening a new tab to look them up mid-scan.
If you're doing this on a phone the way I started, my free Termux Pocket Code notes cover getting a usable Linux setup running on Android, which is where I practiced a lot of this before I had a proper lab: aldowebsitellc.xyz/shop/termux-pocket-code. No pressure, it's free. Now go scan something you're allowed to scan.