Enrich and speed up your port scan recon by using masscan first to identify open ports. Then run service scans with nmap.
$ sudo masscan -p 1-65535,U:1-65535 ${IP} --rate 10000 -oL recon/masscan-${IP}
$ tcp=$(grep -F 'open tcp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ udp=$(grep -F 'open udp' recon/masscan-${IP} | awk '{print $3}' | tr '\n' ',' | sed "s/,$//")
$ [ -n "${tcp}" ] && sudo nmap -n -A -p ${tcp} ${IP} -oA recon/tcp-${IP} &
$ [ -n "${udp}" ] && sudo nmap -n -sU -A -p ${udp} ${IP} -oA recon/udp-${IP} &
Depending on the service, you can sometimes get additional context with a separate scan using nmap --script safe. Add -e tun0 to the initial masscan run if you're doing this on HTB.
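Added example, not part of the original tip: a small POSIX sh function that turns masscan's -oL list output into the comma-separated port list nmap -p expects, skipping comment lines, de-duplicating ports and returning an empty string (rather than a stray `[ -n ]` that always tests true) when nothing is open. The function name masscan_ports and the sample records are assumptions; the sample is constructed, not a real scan.

```shell
#!/bin/sh
# masscan_ports PROTO  -- reads masscan -oL (list format) output on stdin and
# prints the open ports for PROTO (tcp|udp) as "22,80,443". List-format records
# look like:   open tcp 22 10.10.10.10 1700000000   ($1 state, $2 proto, $3 port)
# Lines starting with '#' are masscan's own comments and never match "open".
masscan_ports() {
    awk -v p="$1" '$1 == "open" && $2 == p { print $3 }' \
        | sort -n -u \
        | paste -sd, -
}

# Constructed sample of masscan -oL output (labelled: not a real scan result).
# Port 80 appears twice to show that repeated records collapse to one entry.
sample='#masscan
open tcp 80 10.10.10.10 1700000000
open tcp 22 10.10.10.10 1700000000
open udp 161 10.10.10.10 1700000001
open tcp 80 10.10.10.10 1700000002
# end'

tcp=$(printf '%s\n' "$sample" | masscan_ports tcp)   # 22,80
udp=$(printf '%s\n' "$sample" | masscan_ports udp)   # 161

# Always quote the variable: with an empty list, unquoted [ -n $tcp ] becomes
# [ -n ], which is true, and nmap would be started with no -p value.
[ -n "$tcp" ] && echo "TCP ports for nmap -p: $tcp"
[ -n "$udp" ] && echo "UDP ports for nmap -sU -p: $udp"
```

In the workflow above the same function reads the real file: `tcp=$(masscan_ports tcp < recon/masscan-${IP})`.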