Nmap

Nmap Cheatsheet for Reconnaissance.

Command Options

<Nmap>
-sV: Probe open ports to determine service/version info
-oA <basename>: Output in the three major formats at once
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
-p <port ranges>: Set destination port(s).
-sn: Ping Scan - disable port scan
-sS: TCP SYN
-sA: ACK Scan
-sT: Connect() Scan (TCP)
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-O: Enable OS detection
-A: Enable OS detection, version detection, script scanning, and traceroute
-Pn: Treat all hosts as online -- skip host discovery
-n: Do not resolve hostnames via DNS
-v: Increment verbosity level by one.
-p1-65535/-p-: Scan for full ports 1-65535
--top-ports <number>: Scan <number> most common ports
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
-F: Fast mode - Scan fewer ports than the default scan
-iL <inputfilename>: Input from list of hosts/networks
<NSE Script>
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
<DB_nmap>
# db_nmap MSF wrapper
msf > db_nmap -sS -Pn -A 10.11.1.217
# search the Metasploit database for machines with specific open ports
msf > services -p 443

Port Status

  • Open: This indicates that an application is listening for connections on this port.

  • Closed: This indicates that the probes were received but there is no application listening on this port.

  • Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.

  • Unfiltered: This indicates that the probes were received but a state could not be established.

  • Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.

  • Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.

Timing Template

The main timing option is set through the -T parameter if you may want more control over the timing in order get the scan over and done with quicker. However, Nmap adjusts its timings automatically depending on network speed and response times of the victim. Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name as shown below:

  • T0: paranoid

  • T1: sneaky

  • T2: polite

  • T3: normal

  • T4: aggressive

  • T5: insane

General Scan

# Scan ip with default scripts and service version detection.
nmap -sC -sV -oA bastard 10.10.10.9
# Scan full ports with time option -T5 "insane"
nmap -p- -T5 -oA allports 10.10.10.51
# Scan full ports and show only open ports
nmap -p1-65535 192.168.1.127 --open
# Scan specific Both TCP and UDP at the same time
nmap -p U:53,137, T:21-25,80,443 193.19.20.5
# Ping Sweep
nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
# Banner Grabbing/Service Enumeration
nmap -sV -sT 10.0.0.19
# OS Fingerprinting
nmap -O 10.0.0.19
# Scan for top 20 TCP ports
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt
# Scan for open SNMP ports
nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt
# Perform aggressive scan and reduce scanning timing
nmap –T4 192.168.1.127
# perform fast specific ip range excluding 192.168.1.114
nmap -F 192.168.1.110-255 --exclude 192.168.1.114
# Scan ip in a text file
nmap -iL /root/Desktop/scan.txt

List NSE (Nmap Scripting Engine ) Scripts

# Path to nse scripts
ls /usr/share/nmap/scripts/
# List nse scripts in "vuln" category.
locate -r '\.nse$' | xargs grep categories | grep vuln
# List nse scripts related to "smb" with categories.
locate -r '\.nse$'| xargs grep categories | grep smb

Scan with NSE Scripts

# Scan ip with scripts in "vuln" category.
nmap --script vuln -oA vulnscan 10.10.10.79
# Scan specific ports with scripts in "vuln" category.
nmap -p 110,119,22,25,4555,80 -sC -sV -oA vulnscan --script vuln 10.10.10.51
# Scan ip with scripts in "vuln" and "safe" categories.
nmap --script "vuln and safe" -Pn -n -p 445 <target ip>
# What does a script do?
nmap --script-help ftp-anon
# Scan FTP (21) with a script "ftp-anon.nse"
nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254
# Scan with SMB-related scripts to find vulnerabilites
nmap --script smb-vuln* -p 139,445 <target ip>
# Scan with SMB-related scripts
nmap --script smb* -p 139,445 <target ip>
# scan SMB (139,445) with a script "smb-os-discovery"
nmap -v -p 139, 445 --script=smb-os-discovery 10.11.1.227
# Scan SMB (139,445) with a script "smb-vuln-ms08-067"
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201
# Scan SMB (139,445) with a script "smb-vuln-ms08-067"
nmap -v -p 139, 445 --script=smb-security-mode 10.11.1.236
# Scan HTTP (80) with a script "http-shellshock"
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
# Scan HTTP (80) with a script "http-vuln-cve2010-2861"
nmap -v -p 80 --script=http-vuln-cve2010-2861 10.11.1.210
# Scan DNS (53) with a script "dns-zone-transfer"
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com