Network Reconnaissance with Nmap: Advanced Scanning Techniques for Penetration Testers

Advanced Nmap Scanning Techniques

Nmap remains the industry-standard tool for network discovery and security auditing. This report covers advanced scanning techniques that go beyond basic port scanning.

Target Discovery

# ARP scan for local network discovery
nmap -sn -PR 10.10.10.0/24

# TCP SYN discovery on common ports
nmap -sn -PS22,80,443,445,3389 10.10.10.0/24

# Combined discovery scan (ICMP echo, ICMP timestamp, TCP SYN, TCP ACK and UDP probes)
nmap -sn -PE -PP -PS80,443 -PA3389 -PU40125 10.10.10.0/24 -oA discovery

Service Enumeration

Detailed service version detection reveals the attack surface:

# Aggressive service scan with OS detection (-A already implies -sV, -O, -sC and --traceroute)
nmap -sS -sV -O -A --version-intensity 9 -p- 10.10.10.50 -oA full_scan

# UDP scan on common services (-sV is required for --version-intensity to have any effect)
nmap -sU -sV --top-ports 100 --version-intensity 5 10.10.10.50

NSE Vulnerability Scanning

# SMB vulnerability checks (quote the wildcard so the shell does not expand it)
nmap --script "smb-vuln*" -p445 10.10.10.50

# HTTP enumeration
nmap --script http-enum,http-title,http-methods,http-headers -p80,443,8080 10.10.10.50

# Full vulnerability scan (runs every script in the "vuln" category)
nmap --script vuln -sV -p- 10.10.10.50 -oA vuln_scan

Firewall Evasion

# Fragment packets (--mtu must be a positive multiple of 8)
nmap -f --mtu 24 -p80,443 10.10.10.50

# Decoy scan (ten random decoy addresses alongside the real source)
nmap -D RND:10 -sS -p80 10.10.10.50

# Source port manipulation
nmap --source-port 53 -sS -p- 10.10.10.50
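Each of the evasion techniques above leaves a pattern in firewall logs that a defender can look for. The script below is an added example, not from the original post, that runs two such checks over constructed log lines modelled on the key=value style of iptables LOG messages: TCP SYNs from source port 53 to many different destination ports (what --source-port 53 produces; legitimate DNS replies are UDP to one client port) and many distinct sources hitting the same destination port within the same second (the footprint of -D RND:10). The addresses, timestamps and thresholds are all made up.

```python
"""Detection checks for source-port-53 sweeps and decoy scans, run over
constructed firewall log lines.  Added example; the log entries are invented
and only loosely follow iptables LOG formatting."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic): six SYNs from port 53 to six
# ports, one genuine DNS reply, then five "sources" SYN-ing port 80 at once.
SAMPLE_LOG = """\
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=135 SYN
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=139 SYN
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=445 SYN
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=3389 SYN
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=8080 SYN
Apr 03 10:15:01 fw kernel: DROP IN=eth0 SRC=10.10.10.7 DST=10.10.10.50 PROTO=TCP SPT=53 DPT=8443 SYN
Apr 03 10:15:01 fw kernel: ACCEPT IN=eth0 SRC=10.10.10.2 DST=10.10.10.20 PROTO=UDP SPT=53 DPT=51234
Apr 03 10:15:02 fw kernel: DROP IN=eth0 SRC=10.10.10.11 DST=10.10.10.50 PROTO=TCP SPT=41001 DPT=80 SYN
Apr 03 10:15:02 fw kernel: DROP IN=eth0 SRC=10.10.10.12 DST=10.10.10.50 PROTO=TCP SPT=41002 DPT=80 SYN
Apr 03 10:15:02 fw kernel: DROP IN=eth0 SRC=10.10.10.13 DST=10.10.10.50 PROTO=TCP SPT=41003 DPT=80 SYN
Apr 03 10:15:02 fw kernel: DROP IN=eth0 SRC=10.10.10.14 DST=10.10.10.50 PROTO=TCP SPT=41004 DPT=80 SYN
Apr 03 10:15:02 fw kernel: DROP IN=eth0 SRC=10.10.10.15 DST=10.10.10.50 PROTO=TCP SPT=41005 DPT=80 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["spt"] = int(e["spt"])
        e["dpt"] = int(e["dpt"])
        e["syn"] = "SYN" in e["flags"]
        events.append(e)
    return events


def source_port_53_sweeps(events, min_ports=5):
    """TCP SYNs from source port 53 to many distinct ports are not DNS traffic.

    Returns {src: sorted list of destination ports} for every source that
    touched at least min_ports different ports this way."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["spt"] == 53 and e["syn"]:
            ports[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def decoy_candidates(events, min_sources=5):
    """Many distinct sources SYN-ing the same dst:port in the same second.

    Returns {(timestamp, dst, dport): sorted list of sources}.  The real sender is
    one of those sources, but this log alone cannot say which; correlate with
    ARP/switch tables or NetFlow from the sending side."""
    srcs = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["syn"]:
            srcs[(e["ts"], e["dst"], e["dpt"])].add(e["src"])
    return {k: sorted(v) for k, v in srcs.items() if len(v) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("source-port-53 sweeps:", source_port_53_sweeps(evs))
    print("decoy candidates:", decoy_candidates(evs))
```

The thresholds (five ports, five sources) are deliberately low so the constructed sample trips them; on a real perimeter they should be tuned against a baseline, and the decoy check is only meaningful when the firewall logs the first SYN of each connection rather than sampling.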