Last updated: April 26, 2026
Nmap is the universal port scanner. Every pentester runs it. Most run nmap -sV -sC target and accept whatever it reports. Senior practitioners use Nmap as a programmable engine — NSE scripts for vulnerability detection, custom scan timing for stealth or speed, output formats for downstream automation. This article covers the Nmap workflow that produces actionable intelligence in 2026.
The default trap
nmap -sV -sC target runs SYN scan, version detection, default scripts. It works but leaves intelligence on the table. The senior workflow:
```bash
# Phase 1: Fast discovery — confirm hosts up, find common ports
nmap -sn -PE -PS80,443,22,3389 10.0.0.0/24 -oA discovery
# Phase 2: Full TCP port sweep — slower but thorough (-iL reads the host list; a bare filename would be resolved as a hostname)
nmap -p- -sS -T4 --min-rate 1000 -oA full-tcp -iL targets.txt
# Phase 3: Service detection on open ports
nmap -sV -sC --version-intensity 7 -p <ports> -oA services -iL targets.txt
# Phase 4: Vulnerability scripts on identified services
nmap --script vuln,exploit -p <ports> -oA vulns -iL targets.txt
# Phase 5: UDP top 100 (slow, but often skipped)
nmap -sU --top-ports 100 -oA udp -iL targets.txt
```
Each phase feeds the next. Output to all formats (-oA writes .nmap, .gnmap, .xml) for processing.
NSE scripts that actually find bugs
- --script "smb-vuln*" — SMB vulnerability detection (EternalBlue, MS17-010); quote the glob so the shell does not expand it
- --script http-enum,http-headers,http-methods — web enumeration
- --script ssl-enum-ciphers,ssl-cert — TLS posture
- --script ssh-auth-methods,ssh2-enum-algos — SSH posture
- --script vulners — cross-references service version against CVE database
- --script discovery — domain enumeration via various protocols
The vulners script is the highest-leverage NSE script for pentest reporting — it returns CVE IDs and CVSS scores per service, ready for the report. Its matches are driven by the reported version string, so confirm each finding against the actual patch level before it goes in the report: distributions that backport fixes without bumping the version produce false positives.
Stealth scanning
- -T2 or -T1 — slower timing, evades simple IDS
- --max-rate 100 — explicit packet rate limit
- --randomize-hosts — non-sequential targets
- --data-length <n> — pad packets to hide common scan signatures
- -D RND:10 — decoy IPs (less effective today; modern firewalls track patterns)
- --source-port 53 — outbound from DNS port (some firewalls allow)
- Through proxychains + Tor for anonymisation (only TCP connect scans, -sT, traverse a SOCKS proxy; raw-packet scans such as -sS bypass it and leave from the real source address)
Output processing
Nmap XML output is structured; pipe into other tools:
```bash
# Find open HTTP services for further enumeration
# (the host address lives in <host><address addr=...>, not as an attribute of <host>)
xmlstarlet sel -t -m "//port[state/@state='open' and (service/@name='http' or service/@name='https')]" \
  -v "concat(../../address/@addr, ':', @portid)" -n services.xml | sort -u
# Or use python-libnmap for richer parsing
python -c "from libnmap.parser import NmapParser; r = NmapParser.parse_fromfile('full-tcp.xml'); print([h.address for h in r.hosts])"
```
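Parsing the same XML with only the standard library, as an added example that is not from the article: it pulls open ports from a constructed nmaprun sample (Nmap's real element names, trimmed), builds the web-target list for http enumeration, and emits the -p argument that the phase 3 command in the workflow above consumes. The sample addresses and the targets.txt name are assumptions.

```python
"""Parse Nmap XML (-oX / -oA *.xml) with the standard library and derive
the inputs for the next scan phase.  Added example, not from the original
article; the XML below is a constructed sample in Nmap's real schema."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of what `nmap -p- -sS -oA full-tcp -iL targets.txt` emits
# (trimmed to the elements the parser needs).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sS -oX full-tcp.xml 10.0.0.5 10.0.0.9">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return [(ip, port, service, is_tls)] for every open port on every live host."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        # First IP address (skip the MAC entry Nmap adds on local segments)
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tls = svc is not None and svc.get("tunnel") == "ssl"
            results.append((ip, int(port.get("portid")), name, tls))
    return results


def http_targets(xml_text):
    """URLs for web enumeration; https when Nmap saw a TLS tunnel or named it https."""
    urls = []
    for ip, port, name, tls in open_ports(xml_text):
        if name not in ("http", "https"):
            continue
        scheme = "https" if (tls or name == "https") else "http"
        urls.append(f"{scheme}://{ip}:{port}")
    return sorted(urls)


def phase3_port_arg(xml_text):
    """Comma-separated -p value covering every open port across all hosts."""
    ports = sorted({p for _, p, _, _ in open_ports(xml_text)})
    return ",".join(str(p) for p in ports)


def per_host_port_args(xml_text):
    """{ip: '22,80,443'} so each host is rescanned only on its own open ports."""
    by_host = defaultdict(set)
    for ip, port, _, _ in open_ports(xml_text):
        by_host[ip].add(port)
    return {ip: ",".join(str(p) for p in sorted(ps)) for ip, ps in by_host.items()}


if __name__ == "__main__":
    print("phase 3:", f"nmap -sV -sC -p {phase3_port_arg(SAMPLE_XML)} -iL targets.txt")
    for url in http_targets(SAMPLE_XML):
        print("web:", url)
```

Filtering on state='open' matters with -p- output: filtered ports are listed individually in the XML alongside open ones, and feeding them into phase 3 wastes version-detection time. The per-host variant is the one to use when open-port sets differ widely between hosts.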
The 2026 specific tricks
- IPv6 scanning — -6 flag; many networks have weaker IPv6 controls than IPv4. Test both.
- HTTP/2 and HTTP/3 detection — modern --script http2-info identifies HTTP/2 services for downstream API testing.
- Cloud-aware scanning — for cloud workloads, nmap alone is inefficient. Pair with cloud-native enumeration tools (CloudMapper, ScoutSuite) that read APIs directly.
Defender perspective
- Network IDS (Snort, Suricata) detects most Nmap scans by default.
- Cloud workloads should not have public ports beyond what’s necessary; security groups enforce this.
- VPC Flow Logs / firewall logs identify scanning sources and patterns.
- Honeypots (Canary tokens, custom services) detect internal scanning specifically.
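An added example (not from the article) of the flow-log detection named above: a standard-library Python sliding-window check over constructed VPC-Flow-Log-style records that flags a source touching many distinct host:port targets within a short span with mostly REJECT verdicts, and labels the pattern vertical (one host, many ports) or horizontal (one port, many hosts). The addresses, the record generator and the thresholds are assumptions to tune per environment.

```python
"""Flag port-scan behaviour in VPC-Flow-Log-style records.  Added example,
not from the original article; the log lines are constructed, and the
thresholds are assumptions to tune per environment."""
from collections import defaultdict


def _rec(src, dst, sport, dport, action, t):
    # Constructed record in the AWS VPC Flow Logs v2 default field order:
    # version account-id interface-id srcaddr dstaddr srcport dstport protocol
    # packets bytes start end action log-status
    return f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 1 44 {t} {t + 1} {action} OK"


SAMPLE_LOG = "\n".join(
    # vertical scan: one source probing 12 ports on one host in 12 seconds, mostly rejected
    [_rec("10.0.0.50", "10.0.0.5", 40000 + i, p, "ACCEPT" if p in (22, 80) else "REJECT", 1700000000 + i)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # horizontal scan: one source probing port 445 on 12 hosts
    + [_rec("10.0.0.60", f"10.0.0.{h}", 41000 + h, 445, "REJECT", 1700000100 + h) for h in range(10, 22)]
    # benign: a client holding a few connections to one web server
    + [_rec("10.0.0.77", "10.0.0.5", 51000 + i, 443, "ACCEPT", 1700000200 + i * 10) for i in range(4)]
)


def parse(log_text):
    """Keep only the fields the detector needs from each v2 record."""
    recs = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        recs.append({"src": f[3], "dst": f[4], "dport": int(f[6]),
                     "start": int(f[10]), "action": f[12]})
    return recs


def detect_scanners(records, window=60, min_targets=10, min_reject_ratio=0.5):
    """Return {src: {'distinct_targets': n, 'reject_ratio': r, 'kind': ...}} for
    sources touching >= min_targets distinct (dst, dport) pairs within any
    `window`-second span, with enough REJECTs to look like probing."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["start"])
        lo, best = 0, None
        # Slide a time window over the source's records and keep the busiest span
        for hi in range(len(recs)):
            while recs[hi]["start"] - recs[lo]["start"] > window:
                lo += 1
            span = recs[lo:hi + 1]
            targets = {(r["dst"], r["dport"]) for r in span}
            if best is None or len(targets) > best[0]:
                rejects = sum(r["action"] == "REJECT" for r in span)
                best = (len(targets), rejects / len(span), span)
        n, ratio, span = best
        if n >= min_targets and ratio >= min_reject_ratio:
            hosts = {r["dst"] for r in span}
            ports = {r["dport"] for r in span}
            kind = "vertical" if len(hosts) == 1 else ("horizontal" if len(ports) == 1 else "mixed")
            alerts[src] = {"distinct_targets": n, "reject_ratio": round(ratio, 2), "kind": kind}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(parse(SAMPLE_LOG)).items():
        print(src, info)
```

The REJECT ratio is what separates a sweep from a busy but legitimate client: a -sS sweep against a tightly scoped security group produces mostly rejected flows, while an application host talking to many peers is accepted. Keep the window short; slow-timing scans (-T1, --max-rate) are designed to fall below per-minute counts, so complement this with a longer daily aggregate of distinct targets per source.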
The takeaway
Nmap is more programmable than its reputation suggests. The default scan is the start, not the end, of an engagement. NSE scripts, output processing, and phased workflow turn Nmap into the engine that drives the rest of the pentest. Senior practitioners spend 10x less time on enumeration with this discipline.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.