In this part of the Useful CTF Commands series, we’ll explore one of the most essential tools in CTFs and real-world recon: Nmap.
Nmap (Network Mapper) is a powerful and flexible network scanning tool. It allows you to identify open ports, running services, and even detect the operating system of a target machine. In CTFs, it’s often the very first tool you run when facing a new host, to discover which ports are open and which services are being used.
In this post, we’ll cover:
- Fast TCP scans (useful under time pressure)
- Full TCP scans (all 65,535 ports)
- Custom TCP port range scans
For more, take a look at the Nmap docs: https://nmap.org/docs.html
Fast TCP Port Scan
When you want quick initial results, e.g. during a CTF when time is limited and the organizer asks you to keep the amount of traffic low, scanning only the 1,000 most common ports (which is Nmap’s default behavior) is a good way to go, because most of the time standard ports are being used.
$ nmap -sS -Pn example
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 23:29 CEST
Nmap scan report for example (10.10.10.10)
Host is up (0.023s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
Option Explanation:
-sS TCP SYN scan (stealthy and fast)
-Pn Skip host discovery (treat target as "up")
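The scan report above is easier to work with once it is reduced to a plain port list. The following is an added example, not part of the original post: it parses Nmap's normal output into the comma-separated form that -p accepts and reports open ports that are missing from an expected baseline. The function names and the baseline 22,80,443 are assumptions made for illustration; the sample input is the report shown above.

```shell
# Added example: reduce Nmap's normal output to a port list and compare it
# with an expected baseline. Function names here are hypothetical.

# Constructed sample input: the scan report shown in this post.
sample_scan() {
cat <<'EOF'
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 23:29 CEST
Nmap scan report for example (10.10.10.10)
Host is up (0.023s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
EOF
}

# Read Nmap normal output on stdin and print the open TCP ports as one
# comma-separated line. Closed and filtered ports are ignored.
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
         split($1, f, "/"); printf "%s%s", sep, f[1]; sep = ","
       }
       END { if (sep != "") print "" }'
}

# Read Nmap normal output on stdin and print the open ports that are NOT in
# the comma-separated baseline given as $1 (assumed format, e.g. 22,80,443).
unexpected_ports() {
  allow=",$1,"
  open_ports | tr ',' '\n' | while read -r p; do
    [ -n "$p" ] || continue
    case "$allow" in
      *",$p,"*) ;;                 # port is in the baseline
      *) printf '%s\n' "$p" ;;     # port is open but not expected
    esac
  done | paste -sd, -
}

sample_scan | open_ports                  # every open port in the report
sample_scan | unexpected_ports 22,80,443  # open ports outside the baseline
```
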
Full TCP Port Scan (All 65,535 Ports)
Some CTF services may run on non-standard ports. To find them, a full TCP port scan is necessary:
$ nmap -p- -sS -Pn example
What’s Different?
- -p- tells Nmap to scan all ports from 1 to 65535.
⚠️ Warning: This scan takes significantly longer, especially on slow networks or if the host has many filtered ports.
Scan a Specific TCP Port Range
You can also define a custom port range if you want to focus your scan (e.g., for performance or when you suspect a service is in a certain range).
$ nmap -p 1234,8000-9000 -sS -Pn example