Recon Tooling — Operator Reference.
nmap scan templates by goal, transform-driven entity discovery in Maltego, and the timing-vs-stealth tradeoffs that decide when to use what.
nmap — scan templates by goal
- Breadth (find live hosts in a /24). nmap -sn -PE -PP -PS80,443,22 -PA80,443 10.0.0.0/24. ICMP echo + timestamp + TCP SYN + TCP ACK probes, so a host-level firewall that drops one probe type still answers another.
- Depth (full TCP enumeration on a target). nmap -p- -sS -sV -sC --min-rate=1000 -oN out.txt target. All 65535 ports, SYN scan, version detection, default scripts. Plan for 10–20 min per target.
- Stealth (assume monitored network). nmap -sS -T2 -f --data-length 24 --top-ports 100 target. Slow timing, fragmented packets, padded payload length, top 100 ports only.
- Version-pinning a service. nmap -sV --version-intensity 9 -p 443 target. Forces every probe; useful when default version detection returns "tcpwrapped" or blank.
- NSE for a specific service. nmap --script "smb-vuln*" -p 445 target (or http-*, ssl-*, ldap-*). Filter NSE categories — never run --script all against production.
- UDP, when you must. nmap -sU --top-ports 30 -T4 target. UDP is slow and unreliable; scope to known interesting ports (53, 161, 500, 4500, 5353).
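Added here, not part of the original reference: a small Python detector, written from the monitoring side, that looks for the exact probe mix of the Breadth template (ICMP echo, ICMP timestamp, SYN to 80/443/22, ACK to 80/443) arriving at several hosts from one source within a short window. The flow records and their field layout are constructed assumptions, not any real sensor's export format.

```python
from collections import defaultdict

# Probe kinds emitted by the Breadth template:
#   nmap -sn -PE -PP -PS80,443,22 -PA80,443 10.0.0.0/24
TEMPLATE = {"icmp/8", "icmp/13", "tcp/S/80", "tcp/S/443", "tcp/S/22",
            "tcp/A/80", "tcp/A/443"}

def probe_kind(proto, dport, detail):
    """Map one flow record to a template probe label, or None if it is not one.
    detail is the ICMP type (as a string) for icmp, or the TCP flags for tcp."""
    if proto == "icmp":
        kind = f"icmp/{detail}"
    elif proto == "tcp" and detail in ("S", "A"):
        kind = f"tcp/{detail}/{dport}"
    else:
        return None
    return kind if kind in TEMPLATE else None

def find_discovery_sweeps(flows, window=5.0, min_probes=5, min_hosts=3):
    """Return {src: sorted destinations} for sources that, within one time
    bucket of `window` seconds, sent at least min_probes of the 7 template
    probe kinds to each of at least min_hosts distinct destinations.
    flows: iterable of (ts, src, dst, proto, dport, detail) records (assumed layout)."""
    seen = defaultdict(set)            # (src, dst, bucket) -> probe kinds observed
    for ts, src, dst, proto, dport, detail in flows:
        kind = probe_kind(proto, dport, detail)
        if kind:
            seen[(src, dst, int(ts // window))].add(kind)
    hosts_hit = defaultdict(set)       # src -> dsts that received the probe mix
    for (src, dst, _), kinds in seen.items():
        if len(kinds) >= min_probes:
            hosts_hit[src].add(dst)
    return {src: sorted(d) for src, d in hosts_hit.items() if len(d) >= min_hosts}

def template_probes(ts, src, dst):
    """Constructed flow records for the 7 probes the template sends to one host."""
    return [(ts, src, dst, "icmp", None, "8"), (ts, src, dst, "icmp", None, "13"),
            (ts, src, dst, "tcp", 80, "S"), (ts, src, dst, "tcp", 443, "S"),
            (ts, src, dst, "tcp", 22, "S"), (ts, src, dst, "tcp", 80, "A"),
            (ts, src, dst, "tcp", 443, "A")]

# Constructed sample: one scanner sweeping three hosts, plus a normal client
# that only opens connections to ports 80 and 443 on a single server.
SAMPLE_FLOWS = (template_probes(100.0, "10.0.0.99", "10.0.0.5")
                + template_probes(100.1, "10.0.0.99", "10.0.0.6")
                + template_probes(100.2, "10.0.0.99", "10.0.0.7")
                + [(200.0, "10.0.0.20", "10.0.0.5", "tcp", 443, "S"),
                   (200.5, "10.0.0.20", "10.0.0.5", "tcp", 80, "S")])

if __name__ == "__main__":
    print(find_discovery_sweeps(SAMPLE_FLOWS))  # {'10.0.0.99': ['10.0.0.5', '10.0.0.6', '10.0.0.7']}
```

The default min_probes of 5 tolerates a sensor that never sees the two ICMP probes (a common gap at a TCP-only tap); raise min_hosts on busy networks where a few hosts per window is normal.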
Per-phase nmap recipes
- Initial recon. masscan -p1-65535 --rate 10000 to find open ports across the range, then nmap -sV -sC against the discovered set. Two-stage scan saves hours.
- Authenticated context (post-foothold). nmap -sn 10.0.0.0/8 for adjacent-segment discovery. Run from the pivot host, not from external. ICMP-only to stay quiet.
- Post-exploitation enum. nmap --script smb-enum-shares,smb-enum-users --script-args smbusername=u,smbpassword=p target. Authenticated NSE produces enumeration that anonymous scans miss.
Maltego — transform chains
- People → infrastructure. Domain → DNS A records → IP → ASN → all other domains in that ASN. Surfaces hidden second-brand and acquired-company assets.
- People → social graph. Name → LinkedIn profile → coworkers → emails (via Hunter/Apollo transform) → password-spray candidate list.
- Email → breach data. Email → HaveIBeenPwned breach list → password patterns from public dumps (legal scope only). Critical for password-spray realism.
- Infrastructure → certificate-transparency. Domain → CT log entries → all historical certs → all subdomains ever issued. Catches assets that DNS-bruteforce misses.
Curation discipline
- Triage before report. Maltego graphs grow unbounded; the deliverable is the trimmed subgraph that supports a specific finding, not the raw output.
- Confidence per entity. Mark guessed vs. confirmed in node metadata. Without this, reviewers later can't separate fact from inference.
- Re-run before each engagement phase. Recon outputs go stale fast. CT logs from last week miss this week's new certs.
Rule of thumb
If an nmap scan takes longer than you budgeted, kill it and run with --top-ports first. You can always go deeper after you've seen the top-port output. Long blind full-port scans burn detection time without yielding new information.