Port Scanning
The goal is the complete set of open ports on each host. The pattern that balances speed and completeness is two passes: a fast full-range sweep to find which ports are open, then a detailed scan of only those ports (covered in Service Enumeration).
Pass 1: fast full-range TCP sweep
Scan all 65,535 TCP ports quickly to find what’s open. I reach for one of two tools here.
nmap (the classic)
host=203.0.113.10
mkdir -p "hosts/$host/recon"
sudo nmap -p- --open -Pn -n \
--min-rate 1500 --max-retries 1 \
-T4 \
"$host" \
-oA "hosts/$host/recon/nmap-quick-tcp"
# Pull the open ports into a comma list for pass 2. Use the normal-output .nmap file,
# where each port is its own "22/tcp open ssh" line (the .gnmap file puts every port
# on one Host: line, so a per-line awk does not work there).
ports=$(awk -F/ '$2 ~ /^tcp +open/{print $1}' "hosts/$host/recon/nmap-quick-tcp.nmap" \
| tr '\n' ',' | sed 's/,$//')
-p- — all 65,535 ports.
--open — only report open ports.
-Pn — skip host discovery (you already know it’s up).
-n — no DNS resolution (faster, quieter).
--min-rate / --max-retries — speed knobs; raise min-rate on robust networks, lower it on fragile ones.
naabu (faster for many hosts)
naabu uses a SYN scan and is noticeably quicker across large host lists. Pipe its results straight into nmap for versioning:
naabu -host "$host" -p - -silent -o "hosts/$host/recon/naabu-tcp.txt"
ports=$(cut -d: -f2 "hosts/$host/recon/naabu-tcp.txt" | paste -sd,)
masscan is an option for very large IP ranges (it can scan the internet in minutes), but it trades accuracy for speed and needs careful rate limiting. For typical engagement-sized scope, nmap --min-rate or naabu is plenty.
Incremental / batched scanning for large scope
When you have many hosts, scanning every port on every host serially takes forever. Arsenic batches this: scan the most popular ports across all hosts first (you get fast, high-value coverage), then work through the remaining port ranges in batches. The idea is to surface the interesting services early instead of waiting for a full sweep of one host before starting the next.
A simple version — popular ports across everything first:
# Rank nmap-services by its frequency column (3rd field) numerically, keep tcp entries only
TOP_PORTS=$(sort -rn -k3 /usr/share/nmap/nmap-services | awk '/\/tcp/{print $2}' \
| cut -d/ -f1 | head -n 1000 | paste -sd,)
sudo nmap -sS -p"$TOP_PORTS" --open -Pn -n -T4 \
--min-hostgroup 255 --max-retries 1 \
-iL recon/ips/alive.txt \
-oA recon/nmap-popular-tcp
Then schedule the full -p- sweep per host as time allows.
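The shell one-liners above assume a single host. Once pass 1 runs batched across many hosts, the per-host open-port sets have to come out of one multi-host result file, and UDP results arrive as open|filtered rather than open. The following parser for nmap's greppable (.gnmap) output, which -oA also writes, is an added example and not part of the original page; the sample .gnmap lines it reads are constructed, and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of nmap greppable (.gnmap) output for two hosts.
# Real -oA output uses the same "Host: <ip> ()\tPorts: ..." layout.
SAMPLE_GNMAP = """\
# Nmap scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- --open -oA x 203.0.113.0/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65533)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 8 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_gnmap(text, include_open_filtered=False):
    """Return {host: {proto: sorted [ports]}} for ports nmap reported as open.

    'open|filtered' (the usual UDP verdict) is excluded unless requested, so the
    pass-2 list does not fill up with ports that merely did not answer.
    """
    result = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        # Skip comment lines and the "Status: Up" lines, which carry no ports.
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open" or (include_open_filtered and state == "open|filtered"):
                result[host][proto].add(int(port))
    return {h: {p: sorted(v) for p, v in protos.items()} for h, protos in result.items()}


def port_list(ports):
    """Comma-joined list in the form nmap -p accepts for the pass-2 scan."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for host, protos in parse_gnmap(SAMPLE_GNMAP, include_open_filtered=True).items():
        for proto, ports in protos.items():
            print(f"{host} {proto}: {port_list(ports)}")
```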
UDP — don’t skip it entirely
UDP scanning is slow, but skipping it misses SNMP, DNS, SChannel, IKE, TFTP, NetBIOS and other juicy services. Scan the top UDP ports rather than all of them:
sudo nmap -sU --top-ports 100 --open -Pn -n -T4 \
"$host" -oA "hosts/$host/recon/nmap-udp"
With the open-port list in hand, move to Service Enumeration to find out what’s actually listening.