Basic Nmap Enumeration for OSCP: A Two-Step Process That Just Works

When preparing for the OSCP exam, fast and accurate enumeration is crucial: a single missed port can cost you valuable time and points. Here is a simple but effective two-step Nmap technique that helped me pass the OSCP exam: a fast sweep of every TCP port first, then deep enumeration of only the ports that sweep found open.

Step 1: Quick Scan for Live Hosts and Open Ports

nmap -Pn -n -sS --min-rate 5000 --max-retries 1 -T4 -p- -oA quick_scan <target_IP>

-Pn: Skip host discovery (treat the host as online). Lab targets often drop ICMP, so without this Nmap may report the host as down and scan nothing.
-n: Disable reverse DNS resolution (faster scans).
-sS: TCP SYN (half-open) scan. It needs root/raw-socket privileges; it is "stealthy" only in that the handshake is never completed, so application-level logging is avoided, while an IDS still sees every SYN.
--min-rate 5000: Send at least 5000 packets per second.
--max-retries 1: Retransmit an unanswered probe at most once. Together with --min-rate this is what makes the sweep fast, but on a lossy link or a rate-limiting target it is also how ports get missed: if the result looks thinner than expected, rerun with the default retries before trusting it.
-T4: Aggressive timing template.
-p-: Scan all 65,535 TCP ports (1-65535).
-oA quick_scan: Output results in all three formats (normal .nmap, XML .xml, grepable .gnmap). The .gnmap file is the easiest one to pull the open port list from for Step 2.

Step 2: Deep Service Enumeration on Discovered Ports

nmap -Pn -n -sV -sC -O --script vuln -p <open_ports> -oA full_scan <target_IP>

-sV: Service version detection.
-sC: Run the default NSE (Nmap Scripting Engine) script set; it is shorthand for --script default.
-O: OS detection (needs root, like -sS).
--script vuln: Run the vuln category of NSE scripts, which check the detected services against known issues. They are slow and noisy and do produce false positives, so treat hits as leads to verify, not findings. To be certain both the default and vuln categories run, spell them out as --script "default,vuln" instead of combining -sC with --script vuln.
<open_ports>: the comma-separated list of ports Step 1 reported as open (for example 22,80,445), so the expensive probes only touch ports that actually answer.
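The two steps above as one script, added here as an example and not code from the original article. It runs the Step 1 sweep with -oA, parses the open TCP ports out of the resulting .gnmap file, and feeds them to Step 2 as the -p list. It assumes nmap is installed and the script is run as root (for -sS and -O), and that grep supports -o (GNU and BSD grep both do). The deep scan spells out --script "default,vuln" rather than combining -sC with --script vuln, so both categories are guaranteed to run. The sample .gnmap content in write_sample_gnmap is constructed for offline testing of the parser and is not real scan output.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the two-step Nmap workflow
# as a script. Step 1 sweeps all TCP ports with -oA, the open ports are parsed
# out of the .gnmap file, and Step 2 enumerates only those ports.
set -e

# Extract the open TCP ports from a grepable (.gnmap) file as "22,80,443".
# A .gnmap host line looks like (assumed format, matching Nmap's output):
#   Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# Only entries in state "open" are taken; "filtered" and "closed" are ignored.
open_ports_from_gnmap() {
    grep -o '[0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -n -u | paste -s -d , -
}

# Step 1: fast sweep of all 65535 TCP ports (needs root for -sS).
quick_scan() {
    target=$1; prefix=$2
    nmap -Pn -n -sS --min-rate 5000 --max-retries 1 -T4 -p- -oA "${prefix}_quick" "$target"
}

# Step 2: version, OS and script enumeration restricted to the open ports.
# "default,vuln" is written out so both script categories run.
deep_scan() {
    target=$1; prefix=$2; ports=$3
    nmap -Pn -n -sV -O --script "default,vuln" -p "$ports" -oA "${prefix}_full" "$target"
}

main() {
    target=$1; prefix=${2:-scan}
    quick_scan "$target" "$prefix"
    ports=$(open_ports_from_gnmap "${prefix}_quick.gnmap")
    if [ -z "$ports" ]; then
        # With --max-retries 1 an empty result may be packet loss, not a quiet host.
        echo "no open TCP ports found; rerun Step 1 with default retries before giving up" >&2
        exit 1
    fi
    echo "open ports: $ports"
    deep_scan "$target" "$prefix" "$ports"
}

# Writes a constructed sample .gnmap file (not real scan output) to $1 so the
# parser can be exercised without touching a network.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -n -sS -p- -oA quick_scan 10.10.10.5
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///  Ignored State: filtered (65530)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds
EOF
}

# Only run the scans when a target was given on the command line,
# e.g.:  sudo ./two_step.sh 10.10.10.5 scans/target
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The parser keys on the "/open/tcp" state string, so a port Nmap reports as open|filtered or filtered is deliberately left out of Step 2; on the rare lab box where every port comes back filtered, rerun Step 1 without --max-retries 1 rather than assuming the host is empty.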

You Should Know:

  • Aggressive vs. Stealthy Scans: Use `-T4` for speed, but switch to `-T2` (polite) if you suspect an IDS/IPS. Expect the scan to take far longer, and remember that slowing down only helps against simple rate-based detection.
  • Common NSE Scripts:
    --script=http-enum,ftp-anon,smb-enum-shares
    
  • Firewalls and Logging: `-f` fragments probes, which can slip past some simple packet filters. Decoys (`-D RND:10`) mix your real address among ten random ones so the target's logs cannot tell who scanned it, but they do not bypass a firewall; they only obscure the source.
  • Saving and Comparing Scans:
    ndiff scan1.xml scan2.xml
    

What Undercode Says

Nmap remains the Swiss Army knife of network reconnaissance. Mastering it is non-negotiable for penetration testers. Here are additional commands to enhance your skills:

  • Scanning Specific Port Ranges:
    nmap -p 1-1000,3389,8080 <target_IP>
    
  • UDP Port Scanning (slow and needs root, so limit it to ports that matter, such as DNS 53, SNMP 161 and NTP 123; add `-sV` so that open|filtered results are probed with service payloads):
    nmap -sU -sV -p 53,161,123 <target_IP>
    
  • Saving Output for Reporting:
    nmap -oN report.txt -oX report.xml <target_IP>
    
  • Probing for Middleboxes: `--data-length 50` pads each probe with random bytes so packets do not look like default Nmap probes. `--badsum` sends probes with invalid TCP/UDP checksums; a real host silently drops these, so any reply means a firewall or IDS answered on the host's behalf. Use it to detect such devices, not to get past them.
    nmap --data-length 50 --badsum <target_IP>
    
  • HTTP Enumeration:
    nmap --script=http-title,http-headers <target_IP>
    

For Windows-based testing, where Nmap may not be available, the built-in cmdlet checks a single TCP port:

Test-NetConnection -ComputerName <target_IP> -Port 80

Expected Output:

Two sets of result files, quick_scan.* with the full list of open TCP ports and full_scan.* with service versions, OS guess, default script output and any vuln script hits for those ports: the material you need to pick an exploitation path.

Original source: Basic Nmap Enumeration for OSCP
