Nmap Cheat Sheet
CHEAT-SHEET 13 Dec 2014 Arr0way
Nmap (network mapper), the god of port scanners, is used for network discovery and is the basis for most security enumeration during the initial stages of a penetration test. The tool was written and is maintained by Fyodor AKA Gordon Lyon.

Nmap displays exposed services on a target machine along with other useful information such as the service version and OS detection.

Nmap has made twelve movie appearances, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Table of Contents

Nmap Examples
  Nmap scan from file
  Nmap output formats
  Nmap Netbios Examples
  Nmap Nikto Scan
Nmap Cheatsheet
  Target Specification
  Host Discovery
  Scan Techniques
  Port Specification and Scan Order
  Service Version Detection
  Script Scan
  OS Detection
  Timing and Performance
  Firewalls IDS Evasion and Spoofing
  Nmap Output Options
  Misc Nmap Options
Nmap Enumeration Examples
  Enumerating Netbios

Nmap in a nutshell

Host discovery
Port discovery / enumeration
Service discovery
Operating system version detection
Hardware (MAC) address detection
Service version detection
Vulnerability / exploit detection, using Nmap scripts (NSE)

Nmap Examples

Basic Nmap scanning examples, often used at the first stage of enumeration.
COMMAND                                      DESCRIPTION

nmap -sP 10.0.0.0/24                         Ping scans the network, listing machines that respond to ping. (-sP is the legacy spelling of -sn. Run as root the default discovery is not a plain ICMP ping: Nmap sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request, or ARP requests on the local segment, so hosts that drop ICMP can still show up.)

nmap -p 1-65535 -sV -sS -T4 target           Full TCP port scan with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick".

nmap -v -sS -A -T4 target                    Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + traceroute and scripts against target services.

nmap -v -sS -A -T5 target                    Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + traceroute and scripts against target services.

nmap -v -sV -O -sS -T5 target                Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection.

nmap -v -p 1-65535 -sV -O -sS -T4 target     Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + full port range scan.

nmap -v -p 1-65535 -sV -O -sS -T5 target     Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + full port range scan.

ⓘ Aggressive scan timings are faster, but could yield inaccurate results!
T5 uses very aggressive scan timings and could lead to missed ports; T4 is a better compromise if you need fast results.

Nmap scan from file

COMMAND                         DESCRIPTION

nmap -iL ip-addresses.txt       Scans a list of IP addresses (one host or network per line); you can add options before / after.

Nmap output formats

COMMAND                                                                      DESCRIPTION

nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24                          Outputs "grepable" output to a file, in this example Netbios servers. E.g. the output file could be grepped for "open" (port states in -oG output are lower case, as in 445/open/tcp//netbios-ssn//...).

nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -   Export nmap output to HTML report. --webxml points the XML at the stylesheet hosted on nmap.org, so xsltproc needs to fetch it; use --stylesheet with a local copy of nmap.xsl when working offline.
Nmap Netbios Examples

COMMAND                                                                  DESCRIPTION

nmap -sV -v -p 139,445 10.0.0.1/24                                       Find all Netbios servers on subnet

nmap -sU --script nbstat.nse -p 137 target                               Nmap display Netbios name

nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target   Nmap check if Netbios servers are vulnerable to MS08-067

‼ --script-args=unsafe=1 has the potential to crash servers / services. Be careful when running this command.

Note: smb-check-vulns.nse is the Nmap 6.x script; later Nmap releases split it into separate smb-vuln-* scripts (for example smb-vuln-ms08-067.nse), which take the same unsafe=1 argument.

Nmap Nikto Scan

COMMAND                                             DESCRIPTION

nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -         Scans for http servers on port 80 and pipes into Nikto for scanning.

nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h -     Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning.

Nmap Cheatsheet

Target Specification

Nmap allows hostnames, IP addresses, subnets.

Example: blah.highon.coffee, nmap.org/24, 192.168.0.1, 10.0.0-255.1-254

COMMAND                                    DESCRIPTION

-iL inputfilename                          Input from list of hosts/networks
-iR num hosts                              Choose random targets
--exclude host1[,host2][,host3],...        Exclude hosts/networks
--excludefile exclude_file                 Exclude list from file
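A specification like 10.0.0-255.1-254 is easy to misjudge (it is 65,024 hosts, not a /16), so it is worth expanding a target spec before pointing a scanner at it. The following is an added example, not code from the cheat sheet or from Nmap itself: it expands Nmap-style IPv4 target specs (plain addresses, CIDR, and per-octet ranges and lists) into individual addresses. It assumes IPv4 only and does not resolve hostnames, so blah.highon.coffee and nmap.org/24 from the list above are rejected rather than looked up.

```python
# Added example (not from the original cheat sheet): expand Nmap-style IPv4
# target specifications into individual addresses so you can see exactly
# which hosts a spec such as 10.0.0-255.1-254 covers before scanning it.
# Assumptions: IPv4 only; hostnames are not resolved (no DNS here), and a
# CIDR suffix is applied to a literal address, not to a name like nmap.org/24.
import ipaddress
import itertools


def _octet_values(part: str) -> list[int]:
    """Expand one octet field: '7', '1-254', '-' or '*' (both 0-255), or a comma list '1,3,5-7'."""
    values: set[int] = set()
    for piece in part.split(","):
        if piece in ("-", "*"):
            lo, hi = 0, 255
        elif "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # '-20' means 0-20, like Nmap
            hi = int(hi_s) if hi_s else 255    # '200-' means 200-255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {piece!r} in {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec: str) -> list[str]:
    """Return every IPv4 address covered by one Nmap target spec.

    Supports plain addresses (192.168.0.1), CIDR (10.0.1.0/24, which like
    Nmap includes the network and broadcast addresses) and octet ranges
    (10.0.0-255.1-254). Hostnames are rejected rather than resolved.
    """
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        if not base.replace(".", "").isdigit():
            raise ValueError(f"hostname targets are not resolved here: {spec!r}")
        net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        return [str(ip) for ip in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    if spec.replace(".", "").isdigit():
        return [spec]
    combos = itertools.product(*(_octet_values(o) for o in octets))
    return [".".join(map(str, c)) for c in combos]


def count_targets(specs: list[str]) -> int:
    """Total hosts across several specs, e.g. what 'nmap -iL targets.txt' would attempt."""
    return sum(len(expand_target(s)) for s in specs)


if __name__ == "__main__":
    for s in ("192.168.0.1", "10.0.1.0/24", "10.0.0-255.1-254"):
        print(f"{s:22} -> {len(expand_target(s))} addresses")
```

Nmap's `-sL` gives the same answer from the tool itself (it lists targets without sending probes) and also shows how --exclude and --excludefile trim the list; the Python version is useful when the scan is being planned somewhere Nmap is not installed.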

Host Discovery

COMMAND                      DESCRIPTION

-sL                          List Scan - simply list targets to scan
-sn                          Ping Scan - disable port scan
-Pn                          Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]       TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM                    ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]           IP Protocol Ping
-n/-R                        Never do DNS resolution/Always resolve [default: sometimes]

Scan Techniques

COMMAND                           DESCRIPTION

-sS                               TCP SYN scan
-sT                               Connect scan
-sA                               ACK scan
-sW                               Window scan
-sM                               Maimon scan
-sU                               UDP Scan
-sN                               TCP Null scan
-sF                               FIN scan
-sX                               Xmas scan
--scanflags                       Customize TCP scan flags
-sI zombie host[:probeport]       Idle scan
-sY                               SCTP INIT scan
-sZ                               COOKIE-ECHO scan
-sO                               IP protocol scan
-b "FTP relay host"               FTP bounce scan

Port Specification and Scan Order

COMMAND                     DESCRIPTION

-p                          Specify ports, e.g. -p80,443 or -p1-65535
-p U:PORT                   Scan UDP ports with Nmap, e.g. -p U:53 (needs -sU as well; protocols can be mixed, e.g. -sS -sU -p U:53,T:80,443)
-F                          Fast mode, scans fewer ports than the default scan (the 100 most common instead of the default 1000)
-r                          Scan ports consecutively - don't randomize
--top-ports "number"        Scan "number" most common ports
--port-ratio "ratio"        Scan ports more common than "ratio" (a frequency between 0 and 1, taken from the nmap-services file)
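--top-ports and --port-ratio both select ports by the open-frequency column in Nmap's nmap-services file (lines of the form `name  port/proto  frequency  # comment`). The following added example, which is not from the cheat sheet or from Nmap, reimplements that selection over a constructed excerpt so the two options can be compared: --top-ports N keeps the N highest frequencies per protocol, --port-ratio R keeps every port whose frequency is strictly greater than R. The frequencies in the sample are invented; read the real nmap-services shipped with your install for actual numbers.

```python
# Added example (not from the original cheat sheet): how --top-ports N and
# --port-ratio R choose ports. Both read the frequency column of Nmap's
# nmap-services file (format: "name  port/proto  frequency  # comment") and
# pick ports by that open-frequency. The lines below are constructed, with
# made-up frequencies, purely to show the selection logic; use the real
# nmap-services shipped with your Nmap install for real numbers.
SAMPLE_NMAP_SERVICES = """\
# Constructed excerpt in nmap-services format (frequencies are invented)
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
microsoft-ds\t445/tcp\t0.056944\t# SMB directly over IP
netbios-ssn\t139/tcp\t0.050809\t# NETBIOS Session Service
netbios-ns\t137/udp\t0.365163\t# NETBIOS Name Service
domain\t53/udp\t0.213496\t# Domain Name Server
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
"""


def parse_services(text: str) -> list[tuple[str, int, str, float]]:
    """Return (name, port, proto, frequency) for each non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        rows.append((name, int(port), proto, float(freq)))
    return rows


def top_ports(text: str, n: int, proto: str = "tcp") -> list[int]:
    """Ports --top-ports N would scan for one protocol: the N highest frequencies."""
    rows = [r for r in parse_services(text) if r[2] == proto]
    rows.sort(key=lambda r: r[3], reverse=True)
    return sorted(port for _, port, _, _ in rows[:n])


def ports_above_ratio(text: str, ratio: float, proto: str = "tcp") -> list[int]:
    """Ports --port-ratio R would scan: every port whose frequency is greater than R."""
    return sorted(port for _, port, p, freq in parse_services(text) if p == proto and freq > ratio)


if __name__ == "__main__":
    print("--top-ports 3   ->", top_ports(SAMPLE_NMAP_SERVICES, 3))
    print("--port-ratio 0.2 ->", ports_above_ratio(SAMPLE_NMAP_SERVICES, 0.2))
```

The practical point: 139 and 445 sit low in the frequency table, so a -F or small --top-ports scan can miss SMB hosts entirely; when SMB is what you are after, name the ports explicitly as the Netbios examples do.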

Service Version Detection

COMMAND                          DESCRIPTION

-sV                              Probe open ports to determine service/version info
--version-intensity "level"      Set from 0 (light) to 9 (try all probes)
--version-light                  Limit to most likely probes (intensity 2)
--version-all                    Try every single probe (intensity 9)
--version-trace                  Show detailed version scan activity (for debugging)

Script Scan

COMMAND                             DESCRIPTION

-sC                                 equivalent to --script=default
--script="Lua scripts"              "Lua scripts" is a comma separated list of directories, script-files or script-categories
--script-args=n1=v1,[n2=v2,...]     provide arguments to scripts
--script-args-file=filename         provide NSE script args in a file
--script-trace                      Show all data sent and received
--script-updatedb                   Update script database
--script-help="Lua scripts"         Show help about scripts

OS Detection

COMMAND                 DESCRIPTION

-O                      Enable OS Detection
--osscan-limit          Limit OS detection to promising targets
--osscan-guess          Guess OS more aggressively

Timing and Performance

Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

COMMAND                                                         DESCRIPTION

-T<0-5>                                                         Set timing template - higher is faster (less accurate)
--min-hostgroup/--max-hostgroup SIZE                            Parallel host scan group sizes
--min-parallelism/--max-parallelism NUMPROBES                   Probe parallelization
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout TIME  Specifies probe round trip time
--max-retries TRIES                                             Caps number of port scan probe retransmissions
--host-timeout TIME                                             Give up on target after this long
--scan-delay/--max-scan-delay TIME                              Adjust delay between probes
--min-rate NUMBER                                               Send packets no slower than NUMBER per second
--max-rate NUMBER                                               Send packets no faster than NUMBER per second

Firewalls IDS Evasion and Spoofing

COMMAND                               DESCRIPTION

-f; --mtu VALUE                       Fragment packets (optionally w/given MTU)
-D decoy1,decoy2,ME                   Cloak a scan with decoys
-S IP-ADDRESS                         Spoof source address (replies go to the spoofed address, so Nmap only sees results if you can sniff that traffic; usually paired with -e and -Pn)
-e IFACE                              Use specified interface
-g/--source-port PORTNUM              Use given port number
--proxies url1,[url2],...             Relay connections through HTTP / SOCKS4 proxies (only version detection and NSE go through the proxy; host discovery and raw packet port scans do not)
--data-length NUM                     Append random data to sent packets
--ip-options OPTIONS                  Send packets with specified ip options
--ttl VALUE                           Set IP time to live field
--spoof-mac ADDR/PREFIX/VENDOR        Spoof NMAP MAC address
--badsum                              Send packets with a bogus TCP/UDP/SCTP checksum
Nmap Output Options

COMMAND                    DESCRIPTION

-oN                        Output Normal
-oX                        Output to XML
-oS                        Script Kiddie / 1337 speak... sigh
-oG                        Output greppable - easy to grep nmap output
-oA BASENAME               Output in the three major formats at once
-v                         Increase verbosity level, use -vv or more for greater effect
-d                         Increase debugging level, use -dd or more for greater effect
--reason                   Display the reason a port is in a particular state
--open                     Only show open or possibly open ports
--packet-trace             Show all packets sent / received
--iflist                   Print host interfaces and routes for debugging
--log-errors               Log errors/warnings to the normal-format output file
--append-output            Append to rather than clobber specified output files
--resume FILENAME          Resume an aborted scan
--stylesheet PATH/URL      XSL stylesheet to transform XML output to HTML
--webxml                   Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet            Prevent associating of XSL stylesheet w/XML output
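The reason to keep -oX (or -oA) output from every scan is that the XML is stable and machine-readable, so a later scan of the same hosts can be compared against it. The following is an added example, not code from the cheat sheet or from Nmap: it reads two -oX documents and reports, per host, which ports became open and which stopped being open. The two XML documents are constructed to match the nmaprun > host > address / ports > port > state structure Nmap emits; they are not real captures.

```python
# Added example (not from the original cheat sheet): parse two -oX scans of
# the same target and report ports that opened or closed between them. The
# two documents below are constructed to match the -oX structure (nmaprun >
# host > address / ports > port > state) and are not real captures.
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.0.1.12" start="1418333160" version="6.47">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.12" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.0.1.12" start="1418419560" version="6.47">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="6.7p1"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text: str) -> dict[str, set[tuple[str, int]]]:
    """Map each up host's IPv4 address to its set of (protocol, port) in state open."""
    result: dict[str, set[tuple[str, int]]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that were down have no ports worth comparing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        opened = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                opened.add((port.get("protocol"), int(port.get("portid"))))
        result[addr.get("addr")] = opened
    return result


def diff_scans(baseline_xml: str, current_xml: str) -> dict[str, dict[str, set[tuple[str, int]]]]:
    """Per host, ports newly open in current and ports no longer open since baseline."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    changes = {}
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, set()), after.get(ip, set())
        if a - b or b - a:
            changes[ip] = {"new_open": a - b, "no_longer_open": b - a}
    return changes


if __name__ == "__main__":
    for ip, ch in diff_scans(BASELINE_XML, CURRENT_XML).items():
        print(ip, "new:", sorted(ch["new_open"]), "gone:", sorted(ch["no_longer_open"]))
```

A port moving from open to filtered, as 445 does here, shows up as "no longer open"; whether that is a firewall change or a host that was busy during the second scan is exactly the kind of question the --reason column and a re-scan with a slower timing template settle.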

Misc Nmap Options

COMMAND                    DESCRIPTION

-6                         Enable IPv6 scanning
-A                         Enable OS detection, version detection, script scanning, and traceroute
--datadir DIRNAME          Specify custom Nmap data file location
--send-eth/--send-ip       Send using raw ethernet frames or IP packets
--privileged               Assume that the user is fully privileged
--unprivileged             Assume the user lacks raw socket privileges
-V                         Show nmap version number
-h                         Show nmap help screen

Nmap Enumeration Examples

The following are real world examples of Nmap enumeration.

Enumerating Netbios

The following example enumerates Netbios on the target networks; the same process can be applied to other services by modifying ports / NSE scripts.

Detect all exposed Netbios servers on the subnet.

Nmap find exposed Netbios servers

root:~# nmap -sV -v -p 139,445 10.0.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds

Find the Netbios name of the host.

Nmap find Netbios name

root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).

PORT    STATE SERVICE VERSION
137/udp open  netbios-ns

Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)

Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds

Check if Netbios servers are vulnerable to MS08-067

Nmap check MS08-067

root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.1.1

Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.00026s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds

The information gathered during the enumeration indicates the target is likely vulnerable to MS08-067. The NSE result is a remote check, not proof; exploitation (or checking the patch level on the host) is what confirms whether it is actually vulnerable to MS08-067.

The contents of this website are © 2018 HighOn.Coffee