Nmap and not missing ports (Irked)

So I used nmap today on irked and probably spent 30 minutes checking for exploits before realising there might be more ports and set nmap -p- to run whilst I was searching for exploits. Obviously it came back with one I missed and this ended up being the way into the box.

Is it a good idea to always run nmap as per normal and then, whilst I'm enumerating the output from that, to run a more thorough scan on all ports to see if there are any uncommon ports open? Or maybe run Sparta in the background?

How does everyone else do it to make sure that they don’t miss a port?

TIA

I usually do two nmap scans:

  1. Just a normal nmap scan for regular services (as you described)
  2. All ports

I tend to do method 1) and enumerate findings of that particular scan while having method 2) in the background to not waste time.
Neat trick you can use:

nmap -sS -T4 --max-retries 0 -p- machine.htb

will scan all the ports in roughly 1 minute (VIP connection). You can then re-run your scan with -A or other options on the specific open ports. Saves a loooot of time :).
Note: Using --max-retries might produce unreliable results if used for UDP scanning. Be cautious.
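A small helper that chains the two steps described above (fast full-port sweep first, then a targeted scan of only the ports found open) so nothing gets missed. This is an added example, not code from the thread or from nmap; it assumes nmap is on PATH, that you run it as root (needed for -sS), and that the target is your own lab box (`machine.htb` is the placeholder from the post). The grepable (-oG) sample output embedded below is constructed so the port parser can be exercised without running a scan.

```shell
#!/bin/sh
# Added example: two-phase nmap workflow (fast sweep, then targeted scan).
# Assumptions: nmap installed, running as root for -sS, target is your own lab machine.

# Constructed sample of nmap's grepable (-oG) output format; host and ports are made up
# except 65534, which is the port mentioned in the thread. Built with printf so the
# tab separators of the real format are present.
SAMPLE_GNMAP=$(printf '# Nmap 7.91 scan initiated (constructed sample)\nHost: 10.0.0.5 ()\tStatus: Up\nHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 65534/open/tcp//unknown///\tIgnored State: closed (65532)\n# Nmap done (constructed sample)\n')

# open_ports_from_gnmap GNMAP_TEXT
# Parses the "Ports:" field of grepable nmap output and prints the open TCP ports as a
# comma-separated, ascending list (the form nmap accepts after -p). Only entries whose
# state is exactly "open" are kept, so "open|filtered" or "closed" ports are ignored.
open_ports_from_gnmap() {
    printf '%s\n' "$1" | awk '
        /Ports:/ {
            sub(/.*Ports: /, "")            # drop the "Host: ... Ports: " prefix
            n = split($0, entry, ", ")      # one entry per port
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")     # port/state/proto/owner/service/...
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }' | sort -n | uniq | paste -s -d ',' -
}

# two_phase_scan TARGET
# Phase 1 is the sweep from the post (-sS -T4 --max-retries 0 -p-): fast, TCP only, and
# as the post notes, --max-retries 0 trades reliability for speed. Phase 2 re-scans just
# the open ports with version detection (-sV) and default scripts (-sC), so the slow
# part of the scan is spent only where it matters.
two_phase_scan() {
    target="$1"
    tmp=$(mktemp) || return 1
    nmap -sS -T4 --max-retries 0 -p- -oG "$tmp" "$target" >/dev/null
    ports=$(open_ports_from_gnmap "$(cat "$tmp")")
    rm -f "$tmp"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found; consider re-running without --max-retries 0" >&2
        return 1
    fi
    echo "open TCP ports: $ports" >&2
    nmap -sV -sC -p "$ports" "$target"
}

# Usage: ./two_phase.sh machine.htb
if [ -n "${1:-}" ]; then
    two_phase_scan "$1"
fi
```

Because the parser reads nmap's own -oG output rather than the human-readable table, it is not thrown off by an "unknown" service name: a port like 65534 still ends up in the phase-2 list and gets probed by -sV, which is where nmap has the best chance of identifying the service.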

Awesome, thanks guys, I'll start implementing this!

I have another problem related to this:

PORT STATE SERVICE VERSION
65534/tcp open unknown

I’m running nmap 7.91. Not sure why it does not identify such port as IRC. Unable to continue without such information.

@partizan said:

I have another problem related to this:

PORT STATE SERVICE VERSION
65534/tcp open unknown

I’m running nmap 7.91. Not sure why it does not identify such port as IRC. Unable to continue without such information.

Either that port isn’t normally open on IRKED or it doesn’t matter for progress.

There are lots of reasons why nmap might not be able to identify a service. It doesn’t always matter.