Nmap
Nmap Cheatsheet for Reconnaissance.

Command Options

<Nmap>
-sV: Probe open ports to determine service/version info
-oA <basename>: Output in the three major formats at once (<basename>.nmap, .xml and .gnmap)
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively, to the given filename
-p <port ranges>: Set destination port(s), e.g. -p 22,80,443 or -p U:53,T:21-25 (the U: part is only scanned when -sU is also given)
-sn: Ping scan - host discovery only, port scan disabled
-sS: TCP SYN (half-open) scan; the default when running as root
-sA: TCP ACK scan; maps firewall rules and reports ports as filtered/unfiltered, never open
-sT: TCP connect() scan; the default without raw-socket privileges, noisier because it completes the handshake
-sU: UDP scan
-sN/-sF/-sX: TCP Null, FIN, and Xmas scans
-O: Enable OS detection
-A: Enable OS detection, version detection, script scanning, and traceroute
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS
-v: Increment verbosity level by one (-vv for more)
-p1-65535 / -p-: Scan all 65535 ports instead of the default top 1000
--top-ports <number>: Scan the <number> most common ports
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
-F: Fast mode - scan the 100 most common ports instead of the default 1000
-iL <inputfilename>: Input from list of hosts/networks, one per line

<NSE Script>
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories; boolean expressions such as "vuln and safe" are also accepted
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-help=<Lua scripts>: show what the given scripts or categories do

<DB_nmap>
# db_nmap MSF wrapper: takes the same arguments as nmap and stores the results in the Metasploit database
msf > db_nmap -sS -Pn -A 10.11.1.217

# search the Metasploit database for machines with specific open ports
msf > services -p 443

Port Status

  • Open: An application is actively accepting connections (TCP) or datagrams (UDP) on this port. These are the ports worth enumerating further.
  • Closed: The port is reachable (the host answered the probe, e.g. with a TCP RST) but no application is listening on it. Closed ports still prove the host is up and help OS fingerprinting.
  • Filtered: Nmap cannot tell whether the port is open because packet filtering (a firewall, router ACL or host-based filter) is blocking the probes. The probe is usually dropped silently, sometimes answered with an ICMP unreachable error, so filtered ports slow the scan down considerably.
  • Unfiltered: The port is reachable but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) reports this state; follow up with a SYN, FIN or Window scan to classify the port.
  • Open|Filtered: Nmap cannot tell whether the port is open or filtered. This happens with scan types where an open port gives no response at all (UDP, IP protocol, FIN, Null and Xmas scans).
  • Closed|Filtered: Nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) reports this state.
Add --reason to see which probe response (or lack of one) led Nmap to each state.

Timing Template

Timing is controlled with the -T option. Nmap already adapts its timing to the network speed and the target's response times, so most scans need no manual tuning; the timing templates are the simple way to trade speed against accuracy and stealth. Specify a template with -T and its number (0-5) or its name:
  • T0: paranoid
  • T1: sneaky
  • T2: polite
  • T3: normal
  • T4: aggressive
  • T5: insane
T3 is the default. T4 is the usual choice on a fast, reliable network. T5 sacrifices accuracy: it caps probe retries and round-trip timeouts, so ports can be reported as filtered or missed entirely when the target or the network is slow. T0 and T1 are meant for IDS evasion and can take hours per host. For finer control, the individual options (--max-retries, --max-rtt-timeout, --host-timeout, --min-rate, --scan-delay) override whatever the template sets.

General Scan

# Scan ip with default scripts and service version detection.
nmap -sC -sV -oA bastard 10.10.10.9

# Scan full ports with timing template -T5 "insane" (fast, but may miss ports on slow links; re-check with -T4 if the results look thin)
nmap -p- -T5 -oA allports 10.10.10.51

# Scan full ports and show only open ports
nmap -p1-65535 192.168.1.127 --open

# Scan specific TCP and UDP ports in one run (-sU is required for the U: ports to be scanned; no spaces inside the -p list)
nmap -sS -sU -p U:53,137,T:21-25,80,443 193.19.20.5

# Ping sweep (host discovery only), grepable output for later parsing
nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt

# Banner grabbing/service enumeration
nmap -sV -sT 10.0.0.19

# OS fingerprinting (needs raw sockets, so run as root)
nmap -O 10.0.0.19

# Scan for top 20 TCP ports
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt

# Scan for open SNMP ports (UDP 161)
nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt

# Speed the scan up with the aggressive timing template (-T4 changes timing only; -A is what enables the extra detection features)
nmap -T4 192.168.1.127

# Fast scan (100 most common ports) of an ip range, excluding 192.168.1.114
nmap -F 192.168.1.110-255 --exclude 192.168.1.114

# Scan ips listed in a text file, one host/network per line
nmap -iL /root/Desktop/scan.txt
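The ping sweep above writes grepable output (-oG) precisely so it can be fed into the next scan. As an added example (not part of the original cheatsheet), the shell script below parses constructed -oG output: it extracts the hosts whose Status is Up into an -iL target list, and then pulls "ip port/proto service" triples for every open or open|filtered port out of the follow-up port scan's output. The sample output, host addresses and service strings are constructed for the demo; on a real engagement replace the sample_* functions with cat of the real .gnmap files.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: turn grepable (-oG) output
# into the next scan's input. Workflow: ping sweep -> extract live hosts ->
# port scan with -iL -> pull the open ports back out.
# The sample_* functions emit constructed -oG output so this runs offline.

# Constructed output of: nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
# (-v makes -oG list Down hosts as well; fields are tab separated)
sample_sweep() {
  printf '# Nmap 7.94 scan initiated as: nmap -v -sn -oG ping-sweep.txt 10.11.1.1-254\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.8 (printer.lab)\tStatus: Up\n'
  printf 'Host: 10.11.1.9 ()\tStatus: Down\n'
  printf '# Nmap done -- 254 IP addresses (2 hosts up) scanned\n'
}

# Constructed output of: nmap -sS -sU -sV -p T:1-65535,U:161 -iL targets.txt -oG allports.txt
# Every Ports: entry has the shape port/state/proto/owner/service/rpc/version/
sample_ports() {
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -p T:1-65535,U:161 -iL targets.txt -oG allports.txt\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (65533)\n'
  printf 'Host: 10.11.1.8 (printer.lab)\tStatus: Up\n'
  printf 'Host: 10.11.1.8 (printer.lab)\tPorts: 161/open|filtered/udp//snmp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (65534)\n'
}

# Hosts whose Status is Up, one IP per line: this is the -iL target list.
up_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# "ip port/proto service" for every port in state open or open|filtered.
# Closed ports are dropped; a missing service name is printed as "-".
open_ports() {
  awk -F '\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" || f[2] == "open|filtered")
            print ip, f[1] "/" f[3], (f[5] == "" ? "-" : f[5])
        }
      }
    }'
}

# Stand-alone demo: build the target list, then list the open ports.
targets=$(mktemp)
sample_sweep | up_hosts > "$targets"
echo "targets for -iL:"; cat "$targets"
# next step on a real engagement:
#   nmap -sS -sU -sV -p T:1-65535,U:161 -iL "$targets" -oG allports.txt
echo "open ports:"
sample_ports | open_ports
rm -f "$targets"
```

The parser keys on the tab-separated field layout of grepable output rather than on column positions, so it survives the extra fields (OS:, Seq Index:) that -A adds to a Host line; if a version string ever contains a slash, Nmap writes it as | in -oG output, so the split on / stays stable.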

List NSE (Nmap Scripting Engine ) Scripts

# Path to nse scripts
ls /usr/share/nmap/scripts/

# List nse scripts in "vuln" category (locate depends on the updatedb index; run updatedb first if it is stale).
locate -r '\.nse$' | xargs grep categories | grep vuln

# List nse scripts related to "smb" with categories.
locate -r '\.nse$' | xargs grep categories | grep smb
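As an added example (not from the original page), the shell script below lists NSE scripts by category by reading the categories line of each .nse file straight from the scripts directory, which works even when the locate database is stale or absent. The .nse stubs it creates under mktemp are constructed for the demo; on a real system call scripts_in_category with /usr/share/nmap/scripts. Nmap's own way to get the same list together with descriptions is nmap --script-help vuln.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: list NSE scripts by category
# by parsing the "categories = {...}" header each .nse file declares, instead of
# depending on a locate database. make_demo_scripts builds a throwaway
# directory of constructed .nse stubs so this runs offline.

# Print the name of every .nse script in directory $1 whose categories include $2.
scripts_in_category() {
  dir=$1
  cat=$2
  for f in "$dir"/*.nse; do
    [ -f "$f" ] || continue
    # The header looks like: categories = {"vuln", "safe"}  (quote style and spacing vary)
    # Requiring the quotes around the name keeps "vuln" from matching e.g. "vulners".
    if grep -E '^categories[[:space:]]*=' "$f" | grep -qE "[\"']${cat}[\"']"; then
      basename "$f" .nse
    fi
  done
}

# Constructed stub scripts: only the header fields matter for this demo.
make_demo_scripts() {
  d=$(mktemp -d)
  printf 'description = [[demo]]\ncategories = {"vuln", "safe"}\n' > "$d/demo-vuln-safe.nse"
  printf 'description = [[demo]]\ncategories = {"discovery", "intrusive"}\n' > "$d/demo-discovery.nse"
  printf "description = [[demo]]\ncategories = {'vuln','exploit'}\n" > "$d/demo-exploit.nse"
  echo "$d"
}

# Stand-alone demo
demo=$(make_demo_scripts)
echo "vuln scripts:"; scripts_in_category "$demo" vuln
echo "safe scripts:"; scripts_in_category "$demo" safe
rm -rf "$demo"
```

Scripts in the vuln category are not automatically safe; intersect the two lists (or use --script "vuln and safe" directly) before running them against production systems.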

Scan with NSE Scripts

# Scan ip with scripts in "vuln" category.
nmap --script vuln -oA vulnscan 10.10.10.79

# Scan specific ports with scripts in "vuln" category.
nmap -p 110,119,22,25,4555,80 -sC -sV -oA vulnscan --script vuln 10.10.10.51

# Scan ip with scripts that are in both the "vuln" and "safe" categories (boolean script selection).
nmap --script "vuln and safe" -Pn -n -p 445 <target ip>

# What does a script do?
nmap --script-help ftp-anon

# Scan FTP (21) with a script "ftp-anon.nse"
nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254

# Scan with SMB-related scripts to find vulnerabilities (quote the wildcard so the shell does not expand it)
nmap --script "smb-vuln*" -p 139,445 <target ip>

# Scan with all SMB-related scripts
nmap --script "smb*" -p 139,445 <target ip>

# Scan SMB (139,445) with a script "smb-os-discovery" (no spaces inside the -p list)
nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227

# Scan SMB (139,445) with a script "smb-vuln-ms08-067" (unsafe=1 enables the actual check, which can crash the target service)
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201

# Scan SMB (139,445) with a script "smb-security-mode"
nmap -v -p 139,445 --script=smb-security-mode 10.11.1.236

# Scan HTTP (80) with a script "http-shellshock"
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56

# Scan HTTP (80) with a script "http-vuln-cve2010-2861"
nmap -v -p 80 --script=http-vuln-cve2010-2861 10.11.1.210

# Scan DNS (53) with a script "dns-zone-transfer" (the target must be an authoritative name server for the zone)
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com