Protocol Scan

🔐 Authentication & Identity

LDAP (389, 636)

nmap -p 389,636 --script=ldap* <target>
nmap --script "(ldap*) and not brute" -p 389 <target>
nmap -p 636 --script=ldap-search,ldap-rootdse <target>

Kerberos (88)

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" <target>
nmap -p 88 --script=krb5-info <target>

SMB (139, 445)

nmap -p 139,445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb2-capabilities,smb2-security-mode <target>
nmap --script smb-vuln* -p 445 <target>
nmap -p 445 --script=smb-null-session <target>

RDP (3389)

nmap -p 3389 --script=rdp-enum-encryption <target>
nmap -p 3389 --script=rdp-vuln-ms12-020 <target>
nmap -p 3389 --script=rdp-ntlm-info <target>

WinRM (5985, 5986)

nmap -p 5985,5986 --script=http-windows-enum <target>
nmap -p 5985,5986 --script=winrm-enum-users <target>

📱 Network Services

FTP (21)

nmap -p 21 --script=ftp-anon,ftp-bounce,ftp-syst,ftp-vsftpd-backdoor,ftp-proftpd-backdoor,ftp-libopie <target>

SSH (22)

nmap -p 22 --script=ssh-hostkey,ssh-auth-methods,sshv1,ssh2-enum-algos,ssh-brute <target>

Telnet (23)

nmap -p 23 --script=telnet-encryption,telnet-ntlm-info <target>

SMTP (25, 465, 587)

nmap -p 25,465,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay,smtp-ntlm-info <target>

DNS (53)

nmap -p 53 --script=dns-zone-transfer,dns-nsid,dns-service-discovery,dns-recursion,dns-cache-snoop,dns-random-srcport <target>

TFTP (69)

nmap -sU -p 69 --script=tftp-enum <target>

POP3 (110, 995)

nmap -p 110,995 --script=pop3-capabilities,pop3-brute <target>

IMAP (143, 993)

nmap -p 143,993 --script=imap-capabilities,imap-brute <target>

SNMP (161, 162)

nmap -sU -p 161,162 --script=snmp-info,snmp-interfaces,snmp-processes,snmp-win32-services,snmp-brute,snmp-sysdescr <target>

R-Services (512, 513, 514)

nmap -p 512,513,514 --script=rpcinfo <target>

IPMI (623)

nmap -p 623 --script=ipmi-version,ipmi-cipher-zero <target>

RSync (873)

nmap -p 873 --script=rsync-list-modules <target>

MSSQL (1433, 1434, 2433)

nmap -p 1433,1434,2433 --script=ms-sql-info,ms-sql-empty-password,ms-sql-dump-hashes,ms-sql-brute,ms-sql-config <target>

Oracle TNS (1521)

nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute <target>

NFS (2049)

nmap -p 2049 --script=nfs-ls,nfs-statfs,nfs-showmount,nfs-acls <target>

MySQL (3306)

nmap -p 3306 --script=mysql-info,mysql-users,mysql-databases,mysql-empty-password,mysql-query,mysql-brute,mysql-dump-hashes <target>

PostgreSQL (5432)

nmap -p 5432 --script=pgsql-brute,pgsql-databases,pgsql-users <target>
nmap -p 5432 --script=pgsql-enum <target>

PostgreSQL Secure (5433)

nmap -p 5433 --script=pgsql-info <target>

NetBIOS (137, 138)

nmap -p 137,138 --script=nbstat,smb-os-discovery,smb-enum-shares,smb-enum-users <target>

VNC (5900)

nmap -p 5900 --script=vnc-info,vnc-title,vnc-brute <target>

Redis (6379)

nmap -p 6379 --script=redis-info,redis-brute <target>

Elasticsearch (9200)

nmap -p 9200 --script=http-elasticsearch-head,http-title,http-methods,http-headers <target>

Memcached (11211)

nmap -p 11211 --script=memcached-info <target>

RPCBind (111)

nmap -sU -sT -p 111 --script=rpcinfo <target>

SIP (5060)

nmap -sU -p 5060 --script=sip-methods,sip-enum-users <target>

MQTT (1883)

nmap -p 1883 --script=mqtt-subscribe,mqtt-connect <target>

RMI (1099)

nmap -p 1099 --script=rmi-dumpregistry,rmi-vuln-classloader <target>

NTP (123)

nmap -sU -p 123 --script=ntp-info,ntp-monlist <target>

Docker (2375)

nmap -p 2375 --script=docker-version <target>

RabbitMQ (5672)

nmap -p 5672 --script=rabbitmq-info <target>

Jenkins (8080)

nmap -p 8080 --script=http-jenkins-info,http-headers,http-title <target>
# Common Vulnerabilities: Anonymous Access, Script Console Exposure

AJP (Apache JServ Protocol - 8009)

nmap -p 8009 --script=ajp-methods,ajp-headers,ajp-auth <target>
# Common Exploit: Ghostcat CVE-2020-1938 (File Inclusion via AJP)

Kubernetes API Server (6443)

nmap -p 6443 --script=http-kubernetes-info,http-headers,http-title <target>
# Check for: Unauthorized access, misconfigured kubelet, exposed dashboard

CouchDB (5984)

nmap -p 5984 --script=http-couchdb-info,http-title,http-headers <target>
# Common Exploits: CVE-2017-12635 & CVE-2017-12636 (Remote Code Execution)

VMware (902, 903, 443)

nmap -p 902,903,443 --script=vmware-version <target>

TeamViewer (5938)

nmap -p 5938 --script=teamviewer-info <target>

Bacula (9101)

nmap -p 9101 --script=bacula-info <target>

X11 (6000)

nmap -p 6000 --script=x11-access <target>

Web Services (80, 443, 8080, 8443)

nmap -p 80,443,8080,8443 --script=http-title,http-methods,http-enum,http-headers,http-server-header,http-auth-finder,http-vuln* <target>

WebDAV (80, 443, 8080)

nmap -p 80,443,8080 --script=http-webdav-scan <target>

Apache Hadoop (50070)

nmap -p 50070 --script=http-hadoop-info <target>

Tomcat (8080, 8443)

nmap -p 8080,8443 --script=http-tomcat-manager,http-tomcat-users <target>

Zookeeper (2181)

nmap -p 2181 --script=zookeeper-info <target>

Kafka (9092)

nmap -p 9092 --script=kafka-info <target>

Varnish (6081)

nmap -p 6081 --script=http-headers,http-title <target>

🧰 Other Useful Nmap Scripts

Common Nmap Automation & Misc Scripts

nmap --script=default,safe <target>
nmap -p- --min-rate=10000 -T4 <target>  # Fast full port scan
nmap -sV --version-all -p <port> <target>  # Aggressive service detection
nmap -sC -sV <target>  # Default scripts and version detection
nmap -Pn -n -sS -p- -T4 <target>  # Stealth SYN scan without DNS resolution

Brute Force

nmap -p 21,22,23,25,80,110,143,443,3306,5432,6379,8080 --script brute <target>

Vulnerability Detection

nmap --script vuln <target>
nmap -p 80,443 --script=http-vuln* <target>
nmap -p 445 --script=smb-vuln* <target>

Web Technologies & Frameworks

nmap -p 80,443 --script=http-headers,http-title,http-methods,http-enum,http-php-version,http-aspnet-debug,http-wordpress-enum,http-drupal-enum <target>

PreviousNmap Full Flag NextScan-Network-With-Nmap

Last updated 17 days ago

hashtag🔐 Authentication & Identity

hashtagLDAP (389, 636)

hashtagKerberos (88)

hashtagSMB (139, 445)

hashtagRDP (3389)

hashtagWinRM (5985, 5986)

hashtag📱 Network Services

hashtagFTP (21)

hashtagSSH (22)

hashtagTelnet (23)

hashtagSMTP (25, 465, 587)

hashtagDNS (53)

hashtagTFTP (69)

hashtagPOP3 (110, 995)

hashtagIMAP (143, 993)

hashtagSNMP (161, 162)

hashtagR-Services (512, 513, 514)

hashtagIPMI (623)

hashtagRSync (873)

hashtagMSSQL (1433, 1434, 2433)

hashtagOracle TNS (1521)

hashtagNFS (2049)

hashtagMySQL (3306)

hashtagPostgreSQL (5432)

hashtagPostgreSQL Secure (5433)

hashtagNetBIOS (137, 138)

hashtagVNC (5900)

hashtagRedis (6379)

hashtagElasticsearch (9200)

hashtagMemcached (11211)

hashtagRPCBind (111)

hashtagSIP (5060)

hashtagMQTT (1883)

hashtagRMI (1099)

hashtagNTP (123)

hashtagDocker (2375)

hashtagRabbitMQ (5672)

hashtagJenkins (8080)

hashtagAJP (Apache JServ Protocol - 8009)

hashtagKubernetes API Server (6443)

hashtagCouchDB (5984)

hashtagVMware (902, 903, 443)

hashtagTeamViewer (5938)

hashtagBacula (9101)

hashtagX11 (6000)

hashtagWeb Services (80, 443, 8080, 8443)

hashtagWebDAV (80, 443, 8080)

hashtagApache Hadoop (50070)

hashtagTomcat (8080, 8443)

hashtagZookeeper (2181)

hashtagKafka (9092)

hashtagVarnish (6081)

hashtag🧰 Other Useful Nmap Scripts

hashtagCommon Nmap Automation & Misc Scripts

hashtagBrute Force

hashtagVulnerability Detection

hashtagWeb Technologies & Frameworks

🔐 Authentication & Identity

LDAP (389, 636)

Kerberos (88)

SMB (139, 445)

RDP (3389)

WinRM (5985, 5986)

📱 Network Services

FTP (21)

SSH (22)

Telnet (23)

SMTP (25, 465, 587)

DNS (53)

TFTP (69)

POP3 (110, 995)

IMAP (143, 993)

SNMP (161, 162)

R-Services (512, 513, 514)

IPMI (623)

RSync (873)

MSSQL (1433, 1434, 2433)

Oracle TNS (1521)

NFS (2049)

MySQL (3306)

PostgreSQL (5432)

PostgreSQL Secure (5433)

NetBIOS (137, 138)

VNC (5900)

Redis (6379)

Elasticsearch (9200)

Memcached (11211)

RPCBind (111)

SIP (5060)

MQTT (1883)

RMI (1099)

NTP (123)

Docker (2375)

RabbitMQ (5672)

Jenkins (8080)

AJP (Apache JServ Protocol - 8009)

Kubernetes API Server (6443)

CouchDB (5984)

VMware (902, 903, 443)

TeamViewer (5938)

Bacula (9101)

X11 (6000)

Web Services (80, 443, 8080, 8443)

WebDAV (80, 443, 8080)

Apache Hadoop (50070)

Tomcat (8080, 8443)

Zookeeper (2181)

Kafka (9092)

Varnish (6081)

🧰 Other Useful Nmap Scripts

Common Nmap Automation & Misc Scripts

Brute Force

Vulnerability Detection

Web Technologies & Frameworks