nmap - Grimoire

Two-pass approach: fast -p- scan to find open ports, then -sV -sC on just those ports to avoid scanning 65535 ports with slow scripts.

# Fast full TCP
nmap -p- --min-rate 5000 -T4 $IP

# Service + scripts
nmap -sV -sC -p <ports> $IP

# UDP top 100
nmap -sU --top-ports 100 $IP

# All formats output
nmap -sV -sC -p <ports> $IP -oA scan

# NSE scripts
nmap --script smb-vuln* $IP
nmap --script http-enum $IP
nmap --script ftp-anon $IP

NetExec (nxc)BloodHound

⌘I