
NMAP Cheatsheet

Nmap Targeting

Scan a single IP nmap 192.168.1.1
Scan a hostname nmap www.domain.com
Scan an IP range nmap 192.168.1.1-100
Scan a subnet nmap 192.168.1.0/24
Scan from a predefined list nmap -iL list.txt

Ports

Scan a single port nmap -p 22 192.168.1.1
Scan a range of ports nmap -p 1-20 192.168.1.1
Scan multiple ports nmap -p 22,80,443 192.168.1.1
Scan Mixed TCP/UDP ports nmap -p U:53,T:22 192.168.1.1
Scan 100 common ports nmap -F 192.168.1.1
Scan the N most common ports nmap --top-ports 300 192.168.1.1
Scan ports linearly nmap -r -p 1-1000 192.168.1.1
Scan all ports nmap -p- 192.168.1.1

Scan types

TCP Connect Scan nmap -sT 192.168.1.1
TCP SYN scan (half-open; default when run as root) nmap -sS 192.168.1.1
UDP scan nmap -sU -p 137,139 192.168.1.1
Skip host discovery, treat every host as up nmap -Pn 192.168.1.1
Host Discovery (no ports) nmap -sn 192.168.1.1
Version Scan nmap -sV 192.168.1.1
OS Detection (capital O; requires root) nmap -O 192.168.1.1

OS and Service Discovery

OS detection, version detection, default scripts and traceroute nmap -A 192.168.1.1
Standard service discovery nmap -sV 192.168.1.1
Aggressive service discovery (intensity 0-9, default 7) nmap -sV --version-intensity 9 192.168.1.1
Light banner grabbing nmap -sV --version-intensity 0 192.168.1.1

Aggregate Timing

Paranoid: Very slow (IDS evasion) nmap -T0 192.168.1.1
Sneaky: Quite slow nmap -T1 192.168.1.1
Polite: Slows down to use less bandwidth nmap -T2 192.168.1.1
Normal: Default nmap -T3 192.168.1.1
Aggressive: Fast, assumes a reliable network nmap -T4 192.168.1.1
Insane: Fastest, may miss results nmap -T5 192.168.1.1

Output Formats

Standard Nmap output nmap -oN output.txt 192.168.1.1
XML format nmap -oX output.xml 192.168.1.1
Greppable format nmap -oG output.gnmap 192.168.1.1
All formats at once (basename, writes output.nmap, output.xml, output.gnmap) nmap -oA output 192.168.1.1
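The greppable (-oG) format is the one most often piped into a follow-up scan: run a fast port sweep first, then rerun version detection and default scripts only against the ports that came back open. The script below is an added example (not part of the original cheatsheet) that parses a .gnmap file and builds those targeted commands. The scan output it reads is constructed inline for demonstration; the function names and the svc_<host> output basename are my own choices, not nmap conventions.

```shell
#!/usr/bin/env sh
# Parse nmap greppable output (-oG) and build a targeted follow-up scan.
# Added example; not from the original cheatsheet. Sample data is constructed.
set -eu

# Constructed sample of what "nmap -sS -sU -p- -oG scan.gnmap 192.168.1.0/24"
# writes. Real files separate fields with tabs; the parser tolerates spaces too.
write_sample_gnmap() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -p- -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.10 ()	Ports: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///	Ignored State: filtered (131066)
Host: 192.168.1.20 ()	Status: Up
Host: 192.168.1.20 ()	Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///	Ignored State: closed (131068)
Host: 192.168.1.30 ()	Status: Down
# Nmap done at Mon Jan  1 00:00:10 2024 -- 256 IP addresses (2 hosts up) scanned in 10.00 seconds
EOF
}

# Emit one "ip port proto service" line per open port found in a .gnmap file.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version.
open_ports_from_gnmap() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            line = $0
            sub(/.*Ports: /, "", line)               # keep only the port list
            sub(/[ \t]*Ignored State.*/, "", line)   # drop the trailing summary
            n = split(line, ports, /, */)
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")
                if (f[2] == "open") print ip, f[1], f[3], f[5]
            }
        }' "$1"
}

# Build one "nmap -sV -sC" command per host, restricted to its open ports.
# TCP ports get the T: prefix, UDP the U: prefix; a host with open UDP ports
# also needs -sS -sU, otherwise nmap will not probe the U: ports at all.
pivot_commands() {
    open_ports_from_gnmap "$1" | awk '
        {
            h = $1
            if (!(h in list)) { hosts[++nh] = h; list[h] = "" }
            p = ($3 == "udp") ? ("U:" $2) : ("T:" $2)
            list[h] = (list[h] == "") ? p : (list[h] "," p)
            if ($3 == "udp") udp[h] = 1
        }
        END {
            for (i = 1; i <= nh; i++) {
                h = hosts[i]
                flags = (h in udp) ? " -sS -sU" : ""
                print "nmap -sV -sC" flags " -p " list[h] " -oA svc_" h " " h
            }
        }'
}

# Usage: ./gnmap_pivot.sh scan.gnmap   (no argument: run on the constructed sample)
if [ $# -gt 0 ]; then
    pivot_commands "$1"
else
    sample=$(mktemp)
    write_sample_gnmap > "$sample"
    pivot_commands "$sample"
    rm -f "$sample"
fi
```

Review the generated commands before running them: the pivot deliberately re-uses the -p U:/T: syntax and -oA basename from this cheatsheet so the service-scan results land next to the port sweep.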

NSE Scripts

Default scripts nmap -sV -sC 192.168.1.1
Script help nmap --script-help=<scriptname> (e.g. nmap --script-help=ssl-heartbleed)
NSE script scan nmap -sV --script=ssl-heartbleed -p 443 192.168.1.1
Scan with a script set (quote the glob so the shell does not expand it) nmap -sV --script "smb-*" 192.168.1.1

HTTP Service Discovery

Get page title nmap --script=http-title 192.168.1.0/24
Get HTTP headers nmap --script=http-headers 192.168.1.0/24
Find web apps nmap --script=http-enum 192.168.1.0/24

Fine-Grained Timing

Parallel host scan group sizes --min-hostgroup/--max-hostgroup <size>
Probe parallelization --min-parallelism/--max-parallelism <numprobes>
Probe round trip time bounds --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>
Cap the number of port scan probe retransmissions --max-retries <tries>
Give up on a target after this long --host-timeout <time>
Adjust delay between probes --scan-delay/--max-scan-delay <time>
Send packets no slower than this rate --min-rate <number>
Send packets no faster than this rate --max-rate <number>