Nmap Cheat Sheet

Network Mapper (Nmap) also known as the God of Port Scanners used for network discovery and the basis for most security enumeration during the initial stages of a Penetration Testing. Nmap has a multitude of options and when you first start playing with this excellent tool it can be a bit daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most of this powerful tool. Below is Nmap Cheat Sheet and Helpful Tips and Techniques.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

  • Target Specification
  • Host Discovery
  • Port Specification
  • Service Discovery / Version Detection
  • Operating System Version Detection
  • Firewall / IDS Evasion and Spoofing
  • Time and Performance based Scan
  • Output of Scan
  • Vulnerability / Exploit Detection, using Nmap Scripts (NSE)
Target Specification

Scan a single IP

Scan specific IPs

Scan a Range

Scan a Domain / Host

Scan Targets from a File

Exclude the Listed Host from the Target Range

Host Discovery

To List given targets only, no Scan

To Disable Port Scanning, Host Discovery only

To Disable Host Discovery. Port scan only

TCP SYN discovery on given port

TCP ACK discovery on given port

UDP discovery on given port

Port Specification

Scan a given Port (i.e 21 here)

Scan the given Port Range

Scan the multiple TCP and UDP ports

Scan all 65535 ports

Scans the given Service Name

Scans the Top 100 ports

Service Discovery / Version Detection

Detect Version of the Running Services

To set intensity range between 0 to 9. Higher number increases possibility of correctness

To enable the light mode(intensity =2). It is faster but have less possibility of correctness

To enables the intense mode(intensity =9). It is slower but have more possibility of correctness

Operating System Version Detection

Detect the Operating system

Aggressive mode i.e OS, Service Version, Trace route.

Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets. Its harder for packet filters

Used to set our own offset size

Use the Spoofed IP to scan

Scans target.com from example.com (Domain Name Spoofing)

Uses the given port as a source

Appends random data to sent packets

Time and Performance based Scan

Slow scan

Sneaky scan

Timely scan

Default scan

Aggressive scan

Very Aggressive scan

Output of Scan

To scan in the Verbose mode (-vv for greater effect)

Save the scan results to the scan.file

Save the results in xml.file

Save the results in grep.file

Saves the Output in the three major formats at once

To scan in the debug mode (-dd for greater effect)

To see all the packets sent and received

Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with default NSE Scripts

Scan with given NSE Script ( Example: nmap.nse )

Use script with arguments

 

Leave a comment

WhatsApp us