nmap_odd_numbner

The Nmap Cheat Sheet provides a comprehensive overview of various Nmap commands for target specification, scan techniques, host discovery, port specification, NSE scripts, and firewall evasion. It includes examples and descriptions for each command, helping users effectively utilize Nmap for network scanning and security assessments. Key features include different scanning methods, port scanning options, and useful NSE scripts for specific tasks.

Uploaded by

nikic65223

Nmap Cheat Sheet

Target Specification

Switch Example Description
nmap 192.168.1.1 Scan a single IP
nmap 192.168.1.1 192.168.2.1 Scan specific IPs
nmap 192.168.1.1-254 Scan a range
nmap scanme.nmap.org Scan a domain
nmap 192.168.1.0/24 Scan using CIDR notation
-iL nmap -iL targets.txt Scan targets from a file
-iR nmap -iR 100 Scan 100 random hosts
--exclude nmap --exclude 192.168.1.1 Exclude listed hosts

Scan Techniques

Switch Example Description
-sS nmap 192.168.1.1 -sS TCP SYN port scan (default when run as root; needs raw sockets)
-sT nmap 192.168.1.1 -sT TCP connect port scan (default without root privilege; completes the handshake, so it is logged by the target application)
-sU nmap 192.168.1.1 -sU UDP port scan (slow; open|filtered is common because closed ports answer with ICMP and open ones often stay silent)
-sA nmap 192.168.1.1 -sA TCP ACK port scan (maps firewall rules as filtered/unfiltered; never reports open ports)
-sW nmap 192.168.1.1 -sW TCP Window port scan
-sM nmap 192.168.1.1 -sM TCP Maimon port scan

Host Discovery
Switch Example Description
-sL nmap 192.168.1.1-3 -sL No scan. List targets only (still does reverse DNS; add -n to send nothing at all)
-sn nmap 192.168.1.1/24 -sn Disable port scanning. Host discovery only
-Pn nmap 192.168.1.1-5 -Pn Disable host discovery. Treat every target as up and port scan it
-PS nmap 192.168.1.1-5 -PS22-25,80 TCP SYN discovery on port x. Port 80 by default
-PA nmap 192.168.1.1-5 -PA22-25,80 TCP ACK discovery on port x. Port 80 by default
-PU nmap 192.168.1.1-5 -PU53 UDP discovery on port x. Port 40125 by default
-PR nmap 192.168.1.1/24 -PR ARP discovery on the local network (used automatically for targets on the local Ethernet segment)
-n nmap 192.168.1.1 -n Never do DNS resolution

Port Specification
Switch Example Description
-p nmap 192.168.1.1 -p 21 Port scan for port x
-p nmap 192.168.1.1 -p 21-100 Port range
-p nmap 192.168.1.1 -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports
-p- nmap 192.168.1.1 -p- Port scan all ports
-p nmap 192.168.1.1 -p http,https Port scan from service name
-F nmap 192.168.1.1 -F Fast port scan (the 100 most common ports instead of the default 1000)
--top-ports nmap 192.168.1.1 --top-ports 2000 Port scan the top x ports
-p-65535 nmap 192.168.1.1 -p-65535 Leaving off initial port in range makes the scan start at port 1
-p0- nmap 192.168.1.1 -p0- Leaving off end port in range makes the scan go through to port 65535
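The -p grammar in the table above is easy to get wrong in a hurry: a stray U: prefix silently moves every later port to UDP, and "-p-" versus "-p0-" differ by one port. The Python below is an added example, not Nmap's own code; it expands a -p string the way the table describes so a spec can be checked before a long scan is launched. FALLBACK_SERVICES is a constructed stand-in used only when the host has no /etc/services; the S: (SCTP) and P: (IP protocol) prefixes that Nmap also accepts are not handled here.

```python
import socket

# Constructed fallback for hosts without /etc/services. Nmap itself resolves
# service names from its own nmap-services file, not from this table.
FALLBACK_SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "dns": 53,
                     "http": 80, "https": 443}


def _resolve_port(token, proto):
    """Turn one port token (a number or a service name) into an integer port."""
    token = token.strip()
    if token.isdigit():
        port = int(token)
        if port > 65535:
            raise ValueError(f"port out of range: {port}")
        return port
    try:
        return socket.getservbyname(token, proto)   # reads /etc/services
    except OSError:
        if token in FALLBACK_SERVICES:
            return FALLBACK_SERVICES[token]
        raise ValueError(f"unknown service name: {token!r}")


def expand_port_spec(spec, default_proto="tcp"):
    """
    Expand an Nmap -p argument into {"tcp": set_of_ports, "udp": set_of_ports}.

    Rules mirrored from the cheat sheet table and nmap(1):
      - items are comma separated; "a-b" is an inclusive range
      - "-b" starts at 1, "a-" ends at 65535, "-" alone means 1-65535
      - a "T:" or "U:" prefix switches protocol for every following item
        until the next prefix, so "U:53,T:21-25,80" puts 80 in TCP
    Unprefixed ports go to default_proto (Nmap applies them to whichever
    scan types were requested; TCP is assumed here).
    """
    ports = {"tcp": set(), "udp": set()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        if not item:
            continue  # "T:" on its own only switches protocol
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo_p = 1 if lo == "" else _resolve_port(lo, proto)
            hi_p = 65535 if hi == "" else _resolve_port(hi, proto)
            if lo_p > hi_p:
                raise ValueError(f"bad range: {item}")
            ports[proto].update(range(lo_p, hi_p + 1))
        else:
            ports[proto].add(_resolve_port(item, proto))
    return ports


def describe(spec):
    """One-line summary for sanity-checking a spec before scanning."""
    p = expand_port_spec(spec)
    return f"{spec!r}: {len(p['tcp'])} TCP, {len(p['udp'])} UDP ports"


if __name__ == "__main__":
    for s in ("21", "21-100", "U:53,T:21-25,80", "-", "http,https", "-65535", "0-"):
        print(describe(s))
```

Run it with the specs from the table to see, for instance, that "-" covers 65535 ports while "0-" covers 65536, and that "U:53,T:21-25,80" is six TCP ports plus one UDP port.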
www.stationx.net/nmap-cheat-sheet/
NSE Scripts
Switch Example Description
-sC nmap 192.168.1.1 -sC Scan with default NSE scripts. Considered useful for discovery and safe
--script default nmap 192.168.1.1 --script default Scan with default NSE scripts. Considered useful for discovery and safe
--script nmap 192.168.1.1 --script=banner Scan with a single script. Example banner
--script nmap 192.168.1.1 --script=http* Scan with a wildcard. Example http
--script nmap 192.168.1.1 --script=http,banner Scan with two scripts. Example http and banner
--script nmap 192.168.1.1 --script "not intrusive" Run every script outside the intrusive category (use "default and not intrusive" to keep only the default set minus intrusive ones)
--script-args nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 NSE script with arguments

Useful NSE Script Examples


Command Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org HTTP site map generator (crawls the site)
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 Fast search for random web servers
nmap -Pn --script=dns-brute domain.com Brute forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1 SMB enumeration and vulnerability scripts. Not all are safe: the smb-vuln* scripts are in the intrusive category and can crash unpatched SMB services, so drop them on production hosts
nmap --script whois* domain.com Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org Finds parameters reflected into responses without escaping (candidate cross site scripting points, not confirmed exploits)
nmap -p80 --script http-sql-injection scanme.nmap.org Checks crawled forms and links for error-based SQL injection

Firewall / IDS Evasion and Spoofing


Switch Example Description
-f nmap 192.168.1.1 -f Send the requested scan (including ping probes) in tiny fragmented IP packets, harder for simple packet filters to inspect
--mtu nmap 192.168.1.1 --mtu 32 Set your own fragment size (must be a multiple of 8)
-D nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 Send scans from spoofed decoy IPs alongside your own
-D nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip Above example explained (ME can stand in for your-own-ip to fix its position, and RND:n adds n random decoys)
-S nmap -S www.microsoft.com www.facebook.com Scan Facebook with a spoofed source address of Microsoft (-e eth0 -Pn may be required). Replies go to the spoofed address, so results are only visible if you can sniff them
-g nmap -g 53 192.168.1.1 Use given source port number (some filters trust traffic from DNS or DHCP source ports)
--proxies nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 Relay connections through a chain of HTTP/SOCKS4 proxies (experimental; affects only NSE scripts and version detection, not the port scan itself)
--data-length nmap --data-length 200 192.168.1.1 Append random data to sent packets so they do not match the default Nmap probe sizes

Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1

-T0 is the paranoid timing template (one probe at a time, long waits between them); combined with fragmentation, padding and decoys it trades a very slow scan for a lower chance of correlation by an IDS.

Identifying Open Ports with Nmap (figure on the original sheet; scan types listed)

TCP SYN scan (-sS)
TCP connect() scan (-sT)
TCP FIN scan (-sF)
TCP Xmas Tree scan (-sX)
TCP NULL scan (-sN)
TCP ping scan (-sP; the old name for -sn, host discovery only)
Version detection scan (-sV): identifies open ports with a TCP SYN scan (or whichever port scan is in effect), then queries each port with service probes and matches the response against its signature database
UDP scan (-sU)
IP protocol scan (-sO)
TCP ACK scan (-sA)
TCP Window scan (-sW)
