A Better Way To Use Nmap

There is a reason that Neo uses Nmap at the beginning of The Matrix: Nmap is awesome. I first learned about Nmap while reading Ethical Hacking, and my mind was blown. Nearly all of the information I wanted to learn about a target was a few keystrokes away, which is why Nmap is a staple in Red Teaming. Because I wanted as much information as possible, I would use every flag I found useful right away. My typical scan would look something like this:

sudo nmap -sV -A -oN my_scan.txt 10.10.10.10

The -sV flag identifies the service and version running on each open port. The -A flag enables detection of the operating system and its version. Lastly, the -oN flag writes the scan results to a text file. Knowing the OS version as well as all of the services running on open ports is very useful. So, why would a scan like this be a problem?

Well, I'd be bombarding the host with packets whose signatures are known to most intrusion detection systems (IDS), and I'd draw unwanted attention to the frontline server. Another problem with running a scan like this is that even against one host it takes a lot of time. It's inefficient to wait even a couple of minutes for a scan to complete, and when scanning multiple hosts it takes even longer.

I've changed my tactics regarding active enumeration. First I run a fast scan on a system to see which ports are open. Then I run one scan that tries to identify services and versions on only those open ports, selected with the -p flag. Lastly, I run one last scan with the -A flag to identify the OS version. Additionally, I tune the speed of each scan with the -T flag. Here is the new series of scans I conduct:

# scan one: find open ports
nmap 10.10.10.10
# Suppose this comes back with 22,80,443,3000 open
# -T<0-5> sets the timing template; higher is faster
nmap -sV -p 22,80,443,3000 -T4 10.10.10.10
# one last scan; OS detection inside -A needs raw sockets, hence sudo
sudo nmap -A -p 22,80,443,3000 -T4 10.10.10.10
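The "suppose this comes back with 22,80,443,3000" step is the one worth automating, because the list of open ports is what the two follow-up scans depend on. The POSIX shell helper below is an added example and is not code from the original post: it parses Nmap's grepable output (which the real -oG option produces, and -oG - sends to stdout), keeps only ports reported as open TCP, and builds the two targeted commands from the post. The function names open_ports_from_gnmap and followup_scans, and the sample grepable output in SAMPLE_GNMAP, are constructed for this example; the 10.10.10.10 target is the one used in the post.

```shell
#!/bin/sh
# Constructed sample of Nmap grepable (-oG) output for a single host.
# Real output separates the fields with tabs; the parser below accepts
# tabs or spaces. Note the filtered port 25, which must be ignored.
SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -oG - 10.10.10.10   (constructed sample)
Host: 10.10.10.10 ()    Status: Up
Host: 10.10.10.10 ()    Ports: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 3000/open/tcp//ppp///    Ignored State: closed (995)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
)

# Read grepable output on stdin; print the open TCP ports as a
# comma-separated, numerically sorted list (empty if none are open).
open_ports_from_gnmap() {
    grep '^Host:' | grep 'Ports:' \
      | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -n -u \
      | awk '{ list = list (NR > 1 ? "," : "") $1 } END { print list }'
}

# $1 = target, $2 = comma-separated open ports.
# Print the two follow-up scans from the post; fail if nothing was open,
# so the noisier -sV/-A probes are never sent without a port list.
followup_scans() {
    target=$1
    ports=$2
    if [ -z "$ports" ]; then
        echo "no open TCP ports found for $target; skipping follow-up scans" >&2
        return 1
    fi
    printf 'nmap -sV -p %s -T4 %s\n' "$ports" "$target"
    printf 'sudo nmap -A -p %s -T4 %s\n' "$ports" "$target"
}

# Demonstration on the constructed sample (no network activity).
# Against a live host the first line would instead be:
#   ports=$(nmap -oG - 10.10.10.10 | open_ports_from_gnmap)
ports=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)
echo "open ports: $ports"
followup_scans 10.10.10.10 "$ports"
```

The helper only prints the follow-up commands rather than running them, so the port list can be eyeballed first. One caveat that the post's split does not remove: the initial nmap run still probes Nmap's default top 1000 TCP ports, so that sweep is the part an IDS will still see; the gain is that the -sV and -A probes are sent only to ports already confirmed open.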