Nmap Notes for eJPT Certification
Network device discovery
nmap -sn <IP range>
nmap -sn <IP range> | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort
The -sn option runs a ping scan: it only checks which hosts are up, without scanning any ports. "Ping" here does not mean ICMP only: as root, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; as a normal user it falls back to TCP connect attempts on ports 80 and 443. The grep/sort pipeline above just extracts the responding IPs into a clean, sorted list for the next phase.
OS detection from IP
nmap -O <IP>
The -O option enables OS detection by sending multiple probes and analysing the responses to guess the target's operating system. It needs raw-socket privileges (root), and the fingerprint is only reliable when Nmap can find at least one open and one closed TCP port on the target (otherwise it warns that the result may be unreliable). It is quite aggressive, generates noticeable traffic, and can trigger IDS/firewalls or upset fragile devices, so it is best avoided unless OS fingerprinting is strictly necessary.
Open ports scanning
nmap -p- --open -sS --min-rate 5000 -vvv <IP> -n -Pn
The -p- option scans all 65535 TCP ports instead of the default top 1000, --open only reports ports found open, and -vvv raises verbosity so open ports are printed as they are found rather than only at the end.
The -sS option performs a fast, relatively stealthy TCP SYN "half-open" scan that determines port state without completing the TCP handshake. It requires root (raw sockets); without it Nmap silently falls back to a full connect scan (-sT), which is logged by the target application.
The --min-rate 5000 option forces Nmap to send at least 5000 packets per second, which speeds up the scan but makes it noisier and easier to detect, and on a lossy or rate-limited link can cause probes to be dropped so that open ports are missed. Re-run the interesting ports without --min-rate if the results look incomplete.
The -n option disables reverse DNS resolution, improving scan speed and avoiding extra DNS traffic.
The -Pn option skips host discovery and treats every target as up, which is useful when pings are filtered; the trade-off is that a full port scan is wasted on addresses that are actually down.
Stealth port scan (IDS evasion)
nmap -p<port list> <IP> -f
The -f option splits each probe into 8-byte IP fragments, so the TCP header is spread across several packets (-ff uses 16-byte fragments, --mtu <multiple of 8> sets a custom size). Filters and IDS sensors that inspect packets individually without reassembling fragments may miss the scan, while the target host reassembles them normally and still answers. It only applies to raw-packet scans such as -sS, not to connect scans or version detection, and most modern firewalls and IDSs reassemble fragments before inspection.
nmap -p<port list> -D <decoy IPs list> <target IP>
The -D option enables decoy scanning: Nmap also sends the same probes with the listed IPs spoofed as source, so an IDS sees several hosts apparently probing the target and cannot tell which one is the real scanner. Your real IP is still among them (use the ME keyword in the list to control its position, e.g. -D 10.0.0.5,ME,10.0.0.9), and decoy addresses should belong to hosts that are actually up, otherwise the target may see it as a SYN flood. Decoys only hide raw-packet scans; -sV, -O and connect scans open real TCP connections from your own address.
nmap --source-port <spoofing port> -Pn <IP>
The --source-port option (short form -g) lets you force the TCP or UDP source port that your scan packets appear to come from. This can bypass naive firewalls or ACLs that filter only on ports, for example rules that allow anything from port 53 (DNS) or 20 (FTP data) inbound. It only affects raw-packet scans; connect scans, version detection and OS detection use normal sockets whose source port is chosen by the OS.
nmap --data-length <bytes> <IP>
The --data-length option appends the given number of random bytes to most probe packets. Nmap's default probes carry no payload, so their fixed sizes are an easy fingerprint; adding data makes them look more like ordinary traffic and can slip past simplistic "small packet" filters, at the cost of a slower scan.
Service discovery on open ports
nmap -p<port list> -sV <IP>
The -sV option enables service/version detection, probing open ports to identify which service is running on them (e.g., HTTP, SSH) and, where possible, the exact product and version. It completes full TCP connections and sends protocol-specific probes, so it is not stealthy; --version-intensity 0-9 controls how many probes are tried (default 7). Restricting -sV to the ports already found open, as above, keeps it quick.
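The notes above describe one workflow in three phases: find live hosts with -sn, find their open ports with -p- --open -sS, then run -sV only on those ports. The following shell script, an added example and not part of the original notes, wires the phases together by parsing Nmap's grepable output (-oG -) between steps. The two parsers are exercised on constructed sample output, so they run without nmap or root; scan_range, the function name, the sample IPs and the 10.10.10.0/29 range are assumptions for illustration.

```shell
#!/bin/sh
# Added example: chain discovery -> full port scan -> service scan.
# The parsers work on nmap's grepable (-oG) format and are tested below
# against constructed sample text, so no network access is needed.

# Constructed sample of `nmap -sn -oG - 10.10.10.0/29` (fields are tab separated).
SAMPLE_SN=$(printf 'Host: 10.10.10.1 ()\tStatus: Up\nHost: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.6 ()\tStatus: Down\n')

# Constructed sample of `nmap -p- -sS -oG - 10.10.10.5` (one filtered port kept
# to show that only open TCP ports are selected).
SAMPLE_PORTS=$(printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///, 443/open/tcp//https///\tIgnored State: closed (65531)\n')

# live_hosts: read grepable -sn output on stdin, print one IP per line for hosts
# whose status is Up.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_ports: read grepable port-scan output on stdin, print the open TCP ports
# as a comma-separated list suitable for nmap -p (e.g. 22,80,443).
open_ports() {
    awk 'BEGIN { FS = "\t" }
         /^Host:/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                 sub(/^Ports: /, "", $i)
                 n = split($i, ent, ", *")          # "22/open/tcp//ssh///", ...
                 for (j = 1; j <= n; j++) {
                     split(ent[j], f, "/")           # f[1]=port f[2]=state f[3]=proto
                     if (f[2] == "open" && f[3] == "tcp")
                         list = list (list == "" ? "" : ",") f[1]
                 }
             }
         }
         END { print list }'
}

# scan_range: the real chain. Requires nmap and root (for -sS).
# Usage: scan_range 10.10.10.0/24
scan_range() {
    range=$1
    nmap -sn -oG - "$range" | live_hosts | while read -r ip; do
        ports=$(nmap -p- --open -sS --min-rate 5000 -n -Pn -oG - "$ip" | open_ports)
        [ -n "$ports" ] || continue                 # nothing open, skip -sV
        printf '%s open tcp ports: %s\n' "$ip" "$ports"
        nmap -p"$ports" -sV -n -Pn "$ip"            # version-detect only what is open
    done
}

# Dry run of the parsers on the constructed samples (no nmap involved).
echo "live hosts:"
printf '%s\n' "$SAMPLE_SN" | live_hosts
echo "open ports on 10.10.10.5: $(printf '%s\n' "$SAMPLE_PORTS" | open_ports)"
```

Using -oG - instead of screen-scraping the normal output keeps the parsers stable across Nmap versions, and feeding -sV the exact -p list avoids re-probing 65535 ports a second time with a much noisier scan.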