Port Discovery & Initial Scanning
A fast, asynchronous scan to identify open ports on a target.
sudo nmap --min-rate 10000 -p- {{target_ip}} -oA nmap/Port-Scan

Service & Version Detection
Comprehensive scan for service versions, default scripts, and OS detection.
sudo nmap -T4 -A -p {{ports}} {{target_ip}} -oA nmap/Service-Scan

Domain Controller Discovery
Identify systems running Kerberos (port 88), usually indicating a Domain Controller.
nmap -p 88 --open {{ip_range}}

LDAP Enumeration (NSE)
Use Nmap scripts to enumerate LDAP information without brute-forcing.
nmap -n -sV --script "ldap* and not brute" -p 389 {{dc_ip}}

Standard Full Scan
A thorough scan with service detection and default scripts across all ports.
nmap -Pn -sC -sV -p- -oA full_scan {{target_ip}}

Auxiliary: Network Discovery
Quickly discover live hosts on the network using ARP or Netdiscover.
sudo netdiscover -r {{ip_range}}
sudo arp-scan -l

Description
Nmap is a versatile network scanner used for host discovery, port scanning, service version detection, and vulnerability research via the Nmap Scripting Engine (NSE). In PNPT, Nmap is foundational for initial reconnaissance, helping to map the attack surface and identify potential entry points like SMB, HTTP, or Domain Services.
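
The {{ports}} value in the Service & Version Detection command can be taken from the grepable file that -oA writes during port discovery (nmap/Port-Scan.gnmap). This is an added example, not part of the original page; the function name open_ports, the optional host filter, and the sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# open_ports FILE [HOST]
# Prints the open TCP ports found in an Nmap grepable (.gnmap) file as a
# sorted, de-duplicated, comma-separated list. With HOST given, only that
# host's lines are used. Returns 1 if nothing is open.
open_ports() {
    found=$(awk -F'\t' -v host="${2:-}" '
        $1 !~ /^Host: / { next }            # skip "# Nmap ..." comment lines
        {
            split($1, h, " ")               # h[2] is the IP address
            if (host != "" && h[2] != host) next
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                # entries look like: 445/open/tcp//microsoft-ds///
                n = split(substr($i, 8), entries, /, */)
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp") print (f[1] + 0)
                }
            }
        }' "$1" | sort -n -u | paste -sd, -)
    [ -n "$found" ] || { echo "no open TCP ports in $1" >&2; return 1; }
    printf '%s\n' "$found"
}

# Constructed sample of nmap/Port-Scan.gnmap (fields are tab-separated).
sample=$(mktemp)
printf '# Nmap scan initiated (constructed sample)\n' > "$sample"
printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$sample"
printf 'Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 88/open/tcp//kerberos-sec///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65532)\n' >> "$sample"

# Build the follow-up command with the discovered ports filled in.
port_list=$(open_ports "$sample" 10.0.0.5)
echo "sudo nmap -T4 -A -p $port_list 10.0.0.5 -oA nmap/Service-Scan"
rm -f "$sample"
```

Closed and filtered entries and UDP results are dropped, so only confirmed open TCP ports reach the slower -A scan.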