Nmap Cheat Sheet


Target Specification

Switch | Example | Description
(none) | nmap 192.168.1.1 | Scan a single IP
(none) | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs
(none) | nmap 192.168.1.1-254 | Scan a range
(none) | nmap scanme.nmap.org | Scan a domain
(none) | nmap 192.168.1.0/24 | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts

Scan Techniques

Switch | Example | Description
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan

Host Discovery

Switch | Example | Description
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning (host discovery only)
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1-1/24 -PR | ARP discovery on local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution

Port Specification

Switch | Example | Description
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in a range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in a range makes the scan go through to the last port (65535)

Service and Version Detection

Switch | Example | Description
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on the port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

Switch | Example | Description
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

Switch | Example | Description
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0): Intrusion Detection System evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3): the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5): speeds scans; assumes you are on an extraordinarily fast network

Timing and Performance Switches

Switch | Example input | Description
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies the probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust delay between probes
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

www.stationx.net/nmap-cheat-sheet/2

NSE Scripts

Switch | Example | Description
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script banner | Scan with a single script. Example: banner
--script | nmap 192.168.1.1 --script http* | Scan with a wildcard. Example: http
--script | nmap 192.168.1.1 --script http,banner | Scan with two scripts. Example: http and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Scan with the default scripts, but remove intrusive ones
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments

Useful NSE Script Examples

Command | Description
nmap -Pn --script http-sitemap-generator scanme.nmap.org | HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Fast search for random web servers
nmap -Pn --script dns-brute domain.com | Brute forces DNS hostnames, guessing subdomains
nmap -n -Pn -vv -O -sV --script *,smb-vuln*,smbv2* -vv 192.168.1.1 | Safe SMB scripts to run
nmap --script whois* domain.com | Whois query
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross-site scripting vulnerabilities
nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injections

Firewall / IDS Evasion and Spoofing

Switch | Example | Description
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size
-D | nmap -D 1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D 4 remote-host-ip | Above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 192.168.1.1 | Use the given source port number
--proxies | nmap --proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets

Example IDS evasion command: nmap -f -T0 -n -Pn --data-length 200 -D 1.23 192.168.1.1

Output

Switch | Example | Description
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase the debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state; same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan

Helpful Nmap Output Examples

Command | Description
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open | Scan for web servers and grep to show which IPs are running web servers
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt | Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt | Append IPs to the list of live hosts
ndiff scan1.xml scan2.xml | Compare output from two nmap runs using ndiff
xsltproc nmap.xml -o nmap.html | Convert nmap XML files to HTML files
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less | Reverse sorted list of how often ports turn up

Miscellaneous Options

Switch | Example | Description
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen

Other Useful Nmap Commands

Command | Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on ports x, no port scan
nmap 192.168.1.1-1/24 -PR -sn -vv | ARP discovery only on local network, no port scan
nmap -iR 10 -sn --traceroute | Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 | Query the internal DNS for hosts, list targets only
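The grep/sort/uniq pipelines above work on the grepable (-oG) format one line at a time. As an added example that is not part of the cheat sheet or of the Nmap project, the following Python reads the same format into a per-host structure, lists the open ports per host, and produces the reverse-sorted "how often ports turn up" count that the last pipeline computes. The -oG sample is constructed, not captured from a real scan.

```python
import re
from collections import Counter

# Constructed sample of Nmap grepable (-oG) output (not a real scan result).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p22,80,443 -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (0)
Host: 192.168.1.5 (printer.lan)\tStatus: Up
Host: 192.168.1.5 (printer.lan)\tPorts: 80/open/tcp//http//Embedded/, 443/open/tcp//https///
Host: 192.168.1.9 ()\tStatus: Up
Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/
# Nmap done at Mon Jan  1 10:00:42 2024 -- 256 IP addresses (3 hosts up) scanned in 42.00 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated fields such as "Ports: ..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {port: (state, protocol, service, version)}} from -oG text.
    Comment lines and Status-only Host lines carry no port data and are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/protocol/owner/service/rpc info/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                hosts.setdefault(ip, {})[int(port)] = (state, proto, service, version)
    return hosts


def open_ports(hosts):
    """Sorted list of open ports per host (what `--open` would keep)."""
    return {ip: sorted(p for p, (state, *_) in ports.items() if state == "open")
            for ip, ports in hosts.items()}


def port_frequency(hosts):
    """Reverse-sorted (port, count) list, like grep | sort | uniq -c | sort -rn."""
    return Counter(p for ports in open_ports(hosts).values() for p in ports).most_common()
```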

Identifying Open Ports with Nmap

Scan types covered on this page:
- TCP SYN scan (-sS)
- TCP connect() scan (-sT)
- TCP FIN scan (-sF)
- TCP Xmas Tree scan (-sX)
- TCP NULL scan (-sN)
- TCP ping scan (-sP)
- Version detection scan (-sV)
- UDP scan (-sU)
- IP protocol scan (-sO)
- TCP ACK scan (-sA)
- TCP Window scan (-sW)

A version scan identifies open ports with a TCP SYN scan and then queries each port with a customized signature.

Idle Scan (-sI <zombie host>[:probeport])

Step 1: Nmap sends a SYN/ACK to the zombie workstation to induce a RST in return. This RST frame contains the initial IPID that Nmap will remember for later.

Step 2: Nmap sends a SYN frame to the destination address, but spoofs the IP address to make it seem as if the SYN frame was sent from the zombie workstation.

Step 3: Nmap repeats the original SYN/ACK probe of the zombie station. If the IPID has incremented, then the port that was spoofed in the original SYN frame is open on the destination device.

FTP Bounce Attack (-b <ftp relay host>)

A closed port results in the FTP server informing the source station that it can't build the connection. An open port completes the transfer over the specified connection.

NOTE: Be aware that the FTP bounce scan is not workable, since most FTP servers will not perform what is needed for the scan. This is included for information purposes only.
