Nmap Cheat Sheet PDF
March 1, 2023 | Author: Anonymous | Category: N/A
Nmap Cheat Sheet

Target Specification
Switch | Example | Description
(none) | nmap 192.168.1.1 | Scan a single IP
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs
(none) | nmap 192.168.1.1-254 | Scan a range (any octet may carry a range or a comma list, e.g. 192.168.0-1.1,5)
(none) | nmap scanme.nmap.org | Scan a hostname
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation (all 256 addresses of a /24, including .0 and .255)
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts
Scan Techniques
Switch | Example | Description
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default when run with root privilege)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan (maps firewall rules as filtered/unfiltered; never reports open ports)
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan
Host Discovery
Switch | Example | Description
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only (reverse DNS lookups still happen unless -n is given)
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.0/24 -PR | ARP discovery on local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution

Port Specification
Switch | Example | Description
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports (a T: or U: prefix applies to every following element until the next prefix, so 80 here is TCP)
-p- | nmap 192.168.1.1 -p- | Port scan all ports (1-65535)
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 most common ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in a range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in a range makes the scan go through to port 65535
www.stationx.net/nmap-cheat-sheet/
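As an added example (not code from the StationX sheet or from the Nmap project): a Python re-implementation of the target grammar from the Target Specification table and the -p grammar from the Port Specification table, so the exact set of addresses and ports a command line will touch can be previewed before any packet is sent. The --exclude handling and the lookup of service names through the OS services database are assumptions standing in for Nmap's own nmap-services file; everything else follows the rules the two tables describe.

```python
"""Preview which addresses and ports an Nmap command line will touch.

Added example, not code from the StationX cheat sheet or from Nmap itself:
a re-implementation of Nmap's target grammar (single IP, per-octet ranges
and comma lists, CIDR, --exclude) and of the -p port grammar (T:/U:
prefixes, open-ended ranges, service names). Nmap does this parsing
internally; running it up front shows the scope before scanning a /16.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set


def _expand_octet(part: str) -> List[int]:
    """'1-3,7' -> [1, 2, 3, 7]; a bare '-' means 0-255, as in Nmap."""
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo, _, hi = piece.partition("-")
            lo_i, hi_i = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo_i = hi_i = int(piece)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target token into address strings.

    Handles '192.168.1.1', '192.168.1.1-254', '10.0.0-1.1,5' and
    '192.168.1.0/24' (all 256 addresses, including .0 and .255, which Nmap
    scans too). Anything else is returned unchanged as a hostname; resolving
    it is Nmap's job at scan time.
    """
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4 or not all(p and set(p) <= set("0123456789-,") for p in parts):
        return [spec]
    octets = [_expand_octet(p) for p in parts]
    return [f"{a}.{b}.{c}.{d}"
            for a in octets[0] for b in octets[1] for c in octets[2] for d in octets[3]]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every token on the command line, then drop --exclude addresses (assumed semantics)."""
    excluded: Set[str] = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen: Set[str] = set()
    result: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


def parse_ports(spec: str) -> Dict[str, Set[int]]:
    """Parse a -p argument into {'tcp': {...}, 'udp': {...}}.

    Nmap rules: elements are comma separated; 'T:' or 'U:' applies to every
    following element until another prefix appears; an unprefixed element
    applies to both protocols; '-' alone is 1-65535, '-N' is 1-N, 'N-' is
    N-65535 (so '-p0-' is 0-65535). Service names are looked up in the OS
    services database here (an assumption; Nmap uses its own nmap-services).
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    protos = ["tcp", "udp"]
    for element in spec.split(","):
        element = element.strip()
        if element[:2].upper() in ("T:", "U:"):
            protos = ["tcp"] if element[0].upper() == "T" else ["udp"]
            element = element[2:]
        if not element:
            raise ValueError("empty port element in -p specification")
        if element == "-" or element.replace("-", "", 1).isdigit():
            lo, sep, hi = element.partition("-")
            lo_i = int(lo) if lo else 1
            hi_i = int(hi) if hi else 65535
            if not sep:
                hi_i = lo_i
            if not 0 <= lo_i <= hi_i <= 65535:
                raise ValueError(f"bad port range: {element!r}")
            for proto in protos:
                ports[proto].update(range(lo_i, hi_i + 1))
        else:
            for proto in protos:
                try:
                    ports[proto].add(socket.getservbyname(element, proto))
                except OSError as exc:
                    raise ValueError(f"unknown service {element!r}/{proto}") from exc
    return ports


if __name__ == "__main__":
    # Preview for: nmap 192.168.1.0/24 --exclude 192.168.1.1 -p U:53,T:21-25,80
    targets = expand_targets(["192.168.1.0/24"], exclude=["192.168.1.1"])
    ports = parse_ports("U:53,T:21-25,80")
    print(f"{len(targets)} targets, first {targets[0]}, last {targets[-1]}")
    print({proto: sorted(p) for proto, p in ports.items()})
```

Running the module prints 255 targets for the /24 (256 minus the excluded gateway) and confirms that 80 lands in the TCP set because the earlier T: prefix still applies; that is the sort of surprise the preview catches before a scan is launched.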
Service and Version Detection
Switch | Example | Description
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on the port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode (intensity 2). Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute
OS Detection
Switch | Example | Description
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against the host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance
Switch | Example | Description
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3) which is the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Switch | Example input | Description
--host-timeout | 1s; 4m; 2h | Give up on target after this long
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/max-hostgroup | 50; 1024 | Parallel host scan group sizes
--min-parallelism/max-parallelism | 10; 1 | Probe parallelization
--scan-delay/--max-scan-delay | 20ms; 2s; 4m; 5h | Adjust delay between probes
--max-retries | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate | 100 | Send packets no slower than <number> per second
--max-rate | 100 | Send packets no faster than <number> per second
NSE Scripts
Switch | Example | Description
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example banner
--script | nmap 192.168.1.1 --script "http*" | Scan with a wildcard. Example http (quote it so the shell does not expand the wildcard against local files)
--script | nmap 192.168.1.1 --script=http-title,banner | Scan with two scripts. Example http-title and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Run every script outside the intrusive category (use "default and not intrusive" to keep only the default set minus intrusive scripts)
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments
Useful NSE Script Examples
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
    http site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
    Fast search for random web servers
nmap -Pn --script=dns-brute domain.com
    Brute forces DNS hostnames guessing subdomains
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smb2-*" -vv 192.168.1.1
    SMB enumeration and vulnerability scripts (quote the wildcards for the shell; the smb-vuln* scripts are not all in the safe category, so check each one before running it against production hosts)
nmap --script "whois*" domain.com
    Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
    Detect cross site scripting vulnerabilities
nmap -p80 --script http-sql-injection scanme.nmap.org
    Check for SQL injections
Firewall / IDS Evasion and Spoofing
Switch | Example | Description
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own fragment size (must be a multiple of 8)
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained (the keyword ME in the list controls where your real address appears; decoys must be up or the target may see only one live source)
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required; replies go to the spoofed address, so you normally see no results yourself)
-g | nmap -g 53 192.168.1.1 | Use given source port number
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies (experimental; only version detection and NSE traffic go through the chain, raw port scans and pings still leave from your own address)
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets

Example IDS Evasion command
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
Output
Switch | Example | Description
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume an aborted scan from its -oN or -oG output file
Helpful Nmap Output examples
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
    Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
    Generate a list of the IPs of live hosts (the grep reads the "Nmap scan report for" lines on stdout while the XML goes to out.xml; grep "scan report" is tighter, since "Starting Nmap" and "Nmap done" lines also match "Nmap")
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt
    Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml
    Compare the output of two Nmap XML files using ndiff
xsltproc nmap.xml -o nmap.html
    Convert Nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
    Reverse sorted list of how often ports turn up
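As an added example (not from the StationX sheet or from the Nmap and ndiff projects): a Python reader for the -oX format that answers the same questions as the grep pipelines above, but from the XML rather than from screen-scraped normal output: which hosts have a given port open, how often each open port turns up, and what changed between two scans. SCAN_1 and SCAN_2 are constructed samples written in Nmap's XML schema, not real scan results; the address and port numbers in them are made up.

```python
"""Read, tally and diff Nmap XML (-oX) output.

Added example, not from the StationX cheat sheet or from the Nmap/ndiff
projects: a parser for Nmap's XML format that pulls live hosts and their
port states, answers "which hosts have port 80 open" (the -oG/grep
pipeline), counts how often each open port turns up (the grep/sort/uniq -c
pipeline) and reports what changed between two scans (what ndiff does).
SCAN_1 and SCAN_2 are constructed samples in Nmap's schema, not real scans.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, protocol)
Scan = Dict[str, Dict[Port, Dict[str, str]]]

SCAN_1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan1.xml 192.168.1.0/24" version="7.94">
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.1" addrtype="ipv4"/>
  <hostnames><hostname name="gw.lan" type="PTR"/></hostnames><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
  <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port></ports></host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
  <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port></ports></host>
 <host><status state="down" reason="no-response"/><address addr="192.168.1.2" addrtype="ipv4"/></host>
 <runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>"""

SCAN_2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan2.xml 192.168.1.0/24" version="7.94">
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port></ports></host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
  <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port></ports></host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.1.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port></ports></host>
 <runstats><hosts up="3" down="0" total="3"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> Scan:
    """Return {ip: {(port, proto): {state, reason, service, product}}} for hosts that are up.

    ElementTree does not fetch external entities, but it does expand internal
    entity bombs; parse XML you did not generate yourself with defusedxml.
    """
    root = ET.fromstring(xml_text)
    scan: Scan = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        ports: Dict[Port, Dict[str, str]] = {}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            ports[(int(port.get("portid")), port.get("protocol"))] = {
                "state": state.get("state", "unknown") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            }
        scan[addr.get("addr")] = ports
    return scan


def open_ports(scan: Scan) -> Dict[str, Set[Port]]:
    """Confirmed open ports per host; 'open|filtered' (typical for UDP) is not counted."""
    return {ip: {p for p, info in ports.items() if info["state"] == "open"}
            for ip, ports in scan.items()}


def hosts_with_open(scan: Scan, port: int, proto: str = "tcp") -> List[str]:
    """XML equivalent of: nmap -p80 -oG - --open ... | grep open"""
    return sorted(ip for ip, ports in open_ports(scan).items() if (port, proto) in ports)


def port_frequency(scan: Scan) -> Counter:
    """How often each open port turns up across hosts (grep ' open ' | sort | uniq -c)."""
    freq: Counter = Counter()
    for ports in open_ports(scan).values():
        freq.update(ports)
    return freq


def diff_scans(old: Scan, new: Scan) -> Dict[str, set]:
    """What ndiff reports: hosts that came up or went down, ports newly open or no longer open."""
    old_open, new_open = open_ports(old), open_ports(new)
    return {
        "hosts_up": set(new_open) - set(old_open),
        "hosts_down": set(old_open) - set(new_open),
        "ports_opened": {(ip, p) for ip in new_open for p in new_open[ip] - old_open.get(ip, set())},
        "ports_closed": {(ip, p) for ip in old_open for p in old_open[ip] - new_open.get(ip, set())},
    }


if __name__ == "__main__":
    first, second = parse_nmap_xml(SCAN_1), parse_nmap_xml(SCAN_2)
    print("web servers:", hosts_with_open(first, 80))
    print("port frequency:", port_frequency(first).most_common())
    for key, value in diff_scans(first, second).items():
        print(f"{key}: {sorted(value)}")
```

Note that the UDP port reported as open|filtered is deliberately left out of the open set: the grep pipeline above would match it, which is why "possibly open" UDP results inflate grep-based counts.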
Miscellaneous Options
Switch | Example | Description
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen
Other Useful Nmap Commands
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
    Discovery only on ports x, no port scan
nmap 192.168.1.0/24 -PR -sn -vv
    ARP discovery only on local network, no port scan
nmap -iR 10 -sn --traceroute
    Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1
    Query the internal DNS for hosts, list targets only