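# Two-stage TCP scan of a single host: a fast sweep of every port, then
# service/version detection and default scripts against only the open ports.
#
# Both stages must target the same host: the port list is only meaningful for
# the host it was discovered on. The original mixed two hostnames
# (doctor.htb / worker.htb); set the one in scope here.
target=doctor.htb

# Stage 1: all 65535 TCP ports, no host discovery (-Pn), no DNS (-n).
# --min-rate=1000 trades accuracy for speed and is loud in firewall/IDS logs;
# treat a short or empty result on a lossy link as inconclusive.
nmap -Pn -n -p- --min-rate=1000 "$target" | tee port_scan.txt

# Keep only real port-table rows such as "22/tcp open ssh"; a bare grep for
# "open" would also match unrelated lines that merely contain the word.
# paste joins the port numbers with commas and leaves no trailing comma.
ports=$(grep -E '^[0-9]+/[a-z]+[[:space:]]+open([[:space:]]|$)' port_scan.txt \
  | cut -d '/' -f 1 \
  | paste -sd, -)

# Stage 2: run only when stage 1 found something. With an empty list,
# `-p $ports` would swallow the hostname as the port specification.
if [ -n "$ports" ]; then
  nmap -sC -sV -p "$ports" -oA version_scan "$target"
else
  printf 'no open ports found in port_scan.txt; skipping version scan\n' >&2
fi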
# SYN scan with version detection over every host listed in scope.txt,
# reporting open ports only. -sS needs raw-socket (root) privileges.
# NOTE(review): no -p is given, so nmap uses its default port selection;
# "1024" is only the -oA output basename, not a port range.
nmap -sS -sV -Pn -n -vvv -T4 --open \
  -iL scope.txt \
  -oA 1024

# Full-range (-p-) TCP connect scan of the same scope, with version detection
# and OS fingerprinting (-O); results are written as full.nmap/.gnmap/.xml.
nmap -sT -sV -O -Pn -n -vvv -T4 --open -p- \
  -iL scope.txt \
  -oA full

# Report the SMB security mode (including message-signing status) on port 445.
# Hosts that do not require signing are the ones to remediate by enforcing
# SMB signing.
nmap -p445 --script smb-security-mode.nse \
  -iL scope.txt \
  -oA smb-signing
- Check for the MS17-010 vulnerability (SMB, port 445):
# Run the smb-vuln-ms17-010 detection script against port 445 on every host in
# scope.txt. Hosts reported as vulnerable should be confirmed against their
# patch level and remediated with the MS17-010 update.
nmap --script smb-vuln-ms17-010 -p445 \
  -iL scope.txt \
  -oA ms17-010
nmap cheat sheet