Wednesday 8 January 2014
0 comments

NMAP (Network Mapping) Cheat Sheet


Nmap (Network Mapping) Cheat Sheet. 

It is a very famous port scanner available for free. It is not just only a port scanner, it also do various jobs like banner grabbing, OS fingerprinting, Nmap script scanning, evading firewalls, etc. So we are gonna show you some important commands of Nmap.

Step 1: Open up the console and type nmap
It will give you the whole commands of Nmap. But we are here to understanding the commands so we should go ahead.

Here is the cheatsheet of NMAP.

BASIC SCANNING TECHNIQUES

GoalCommandExample
Scan a Single Targetnmap [target]nmap 192.168.0.1
Scan Multiple Targetsnmap [target1, target2, etc]nmap 192.168.0.1 192.168.0.2
Scan a List of Targetsnmap -iL [list.txt]nmap -iL targets.txt
Scan a Range of Hostsnmap [range of ip addresses]nmap 192.168.0.1-10
Scan an Entire Subnetnmap [ip address/cdir]nmap 192.168.0.1/24
Scan Random Hostsnmap -iR [number]nmap -iR 0
Excluding Targets from a Scannmap [targets] --exclude [targets]nmap 192.168.0.1/24 --exclude 192.168.0.100, 192.168.0.200
Excluding Targets Using a Listnmap [targets] --excludefile [list.txt]nmap 192.168.0.1/24 --excludefile notargets.txt
Perform an Aggressive Scannmap -A [target]nmap -A 192.168.0.1
Scan an IPv6 Targetnmap -6 [target]nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe


DISCOVERY OPTIONS
GoalCommandExample
Perform a Ping Only Scannmap -sP [target]nmap -sP 192.168.0.1
Don’t Pingnmap -PN [target]nmap -PN 192.168.0.1
TCP SYN Pingnmap -PS [target]nmap -PS 192.168.0.1
TCP ACK Pingnmap -PA [target]nmap -PA 192.168.0.1
UDP Pingnmap -PU [target]nmap -PU 192.168.0.1
SCTP INIT Pingnmap -PY [target]nmap -PY 192.168.0.1
ICMP Echo Pingnmap -PE [target]nmap -PE 192.168.0.1
ICMP Timestamp Pingnmap -PP [target]nmap -PP 192.168.0.1
ICMP Address Mask Pingnmap -PM [target]nmap -PM 192.168.0.1
IP Protocol Pingnmap -PO [target]nmap -PO 192.168.0.1
ARP Pingnmap -PR [target]nmap -PR 192.168.0.1
Traceroutenmap --traceroute [target]nmap --traceroute 192.168.0.1
Force Reverse DNS Resolutionnmap -R [target]nmap -R 192.168.0.1
Disable Reverse DNS Resolutionnmap -n [target]nmap -n 192.168.0.1
Alternative DNS Lookupnmap --system-dns [target]nmap --system-dns 192.168.0.1
Manually Specify DNS Server(s)nmap --dns-servers [servers] [target]nmap --dns-servers 201.56.212.54 192.168.0.1
Create a Host Listnmap -sL [targets]nmap -sL 192.168.0.1/24


ADVANCED SCANNING OPTIONS

GoalCommandExample
TCP SYN Scannmap -sS [target]nmap -sS 192.168.0.1
TCP Connect Scannmap -sT [target]nmap -sT 192.168.0.1
UDP Scannmap -sU [target]nmap -sU 192.168.0.1
TCP NULL Scannmap -sN [target]nmap -sN 192.168.0.1
TCP FIN Scannmap -sF [target]nmap -sF 192.168.0.1
Xmas Scannmap -sX [target]nmap -sX 192.168.0.1
TCP ACK Scannmap -sA [target]nmap -sA 192.168.0.1
Custom TCP Scannmap --scanflags [flags] [target]nmap --scanflags SYNFIN 192.168.0.1
IP Protocol Scannmap -sO [target]nmap -sO 192.168.0.1
Send Raw Ethernet Packetsnmap --send-eth [target]nmap --send-eth 192.168.0.1
Send IP Packetsnmap --send-ip [target]nmap --send-ip 192.168.0.1


PORT SCANNING OPTIONS

GoalCommandExample
Perform a Fast Scannmap -F [target]nmap -F 192.168.0.1
Scan Specific Portsnmap -p [port(s)] [target]nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Namenmap -p [port name(s)] [target]nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocolnmap -sU -sT -p U:[ports],T:[ports] [target]nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1
Scan All Portsnmap -p '*' [target]nmap -p '*' 192.168.0.1
Scan Top Portsnmap --top-ports [number] [target]nmap --top-ports 10 192.168.0.1
Perform a Sequential Port Scannmap -r [target]nmap -r 192.168.0.1


VERSION DETECTION

GoalCommandExample
Operating System Detectionnmap -O [target]nmap -O 192.168.0.1
Submit TCP/IP Fingerprintswww.nmap.org/submit/
Attempt to Guess an Unknown OSnmap -O --osscan-guess [target]nmap -O --osscan-guess 192.168.0.1
Service Version Detectionnmap -sV [target]nmap -sV 192.168.0.1
Troubleshooting Version Scansnmap -sV --version-trace [target]nmap -sV --version-trace 192.168.0.1
Perform a RPC Scannmap -sR [target]nmap -sR 192.168.0.1


TIMING OPTIONS

GoalCommandExample
Timing Templatesnmap -T[0-5] [target]nmap -T3 192.168.0.1
Set the Packet TTLnmap --ttl [time] [target]nmap --ttl 64 192.168.0.1
Minimum # of Parallel Operationsnmap --min-parallelism [number] [target]nmap --min-parallelism 10 192.168.0.1
Maximum # of Parallel Operationsnmap --max-parallelism [number] [target]nmap --max-parallelism 1 192.168.0.1
Minimum Host Group Sizenmap --min-hostgroup [number] [targets]nmap --min-hostgroup 50 192.168.0.1
Maximum Host Group Sizenmap --max-hostgroup [number] [targets]nmap --max-hostgroup 1 192.168.0.1
Maximum RTT Timeoutnmap --initial-rtt-timeout [time] [target]nmap --initial-rtt-timeout 100ms 192.168.0.1
Initial RTT Timeoutnmap --max-rtt-timeout [TTL] [target]nmap --max-rtt-timeout 100ms 192.168.0.1
Maximum Retriesnmap --max-retries [number] [target]nmap --max-retries 10 192.168.0.1
Host Timeoutnmap --host-timeout [time] [target]nmap --host-timeout 30m 192.168.0.1
Minimum Scan Delaynmap --scan-delay [time] [target]nmap --scan-delay 1s 192.168.0.1
Maximum Scan Delaynmap --max-scan-delay [time] [target]nmap --max-scan-delay 10s 192.168.0.1
Minimum Packet Ratenmap --min-rate [number] [target]nmap --min-rate 50 192.168.0.1
Maximum Packet Ratenmap --max-rate [number] [target]nmap --max-rate 100 192.168.0.1
Defeat Reset Rate Limitsnmap --defeat-rst-ratelimit [target]nmap --defeat-rst-ratelimit 192.168.0.1


FIREWALL EVASION TECHNIQUES

GoalCommandExample
Fragment Packetsnmap -f [target]nmap -f 192.168.0.1
Specify a Specific MTUnmap --mtu [MTU] [target]nmap --mtu 32 192.168.0.1
Use a Decoynmap -D RND:[number] [target]nmap -D RND:10 192.168.0.1
Idle Zombie Scannmap -sI [zombie] [target]nmap -sI 192.168.0.38 192.168.0.1
Manually Specify a Source Portnmap --source-port [port] [target]nmap --source-port 1025 192.168.0.1
Append Random Datanmap --data-length [size] [target]nmap --data-length 20 192.168.0.1
Randomize Target Scan Ordernmap --randomize-hosts [target]nmap --randomize-hosts 192.168.0.1-20
Spoof MAC Addressnmap --spoof-mac [MAC|0|vendor] [target]nmap --spoof-mac Cisco 192.168.0.1
Send Bad Checksumsnmap --badsum [target]nmap --badsum 192.168.0.1


OUTPUT OPTIONS

GoalCommandExample
Save Output to a Text Filenmap -oN [scan.txt] [target]nmap -oN scan.txt 192.168.0.1
Save Output to a XML Filenmap -oX [scan.xml] [target]nmap -oX scan.xml 192.168.0.1
Grepable Outputnmap -oG [scan.txt] [targets]nmap -oG scan.txt 192.168.0.1
Output All Supported File Typesnmap -oA [path/filename] [target]nmap -oA ./scan 192.168.0.1
Periodically Display Statisticsnmap --stats-every [time] [target]nmap --stats-every 10s 192.168.0.1
133t Outputnmap -oS [scan.txt] [target]nmap -oS scan.txt 192.168.0.1


TROUBLESHOOTING AND DEBUGGING

GoalCommandExample
Getting Helpnmap -hnmap -h
Display Nmap Versionnmap -Vnmap -V
Verbose Outputnmap -v [target]nmap -v 192.168.0.1
Debuggingnmap -d [target]nmap -d 192.168.0.1
Display Port State Reasonnmap --reason [target]nmap --reason 192.168.0.1
Only Display Open Portsnmap --open [target]nmap --open 192.168.0.1
Trace Packetsnmap --packet-trace [target]nmap --packet-trace 192.168.0.1
Display Host Networkingnmap --iflistnmap --iflist
Specify a Network Interfacenmap -e [interface] [target]nmap -e eth0 192.168.0.1


NMAP SCRIPTING ENGINE

GoalCommandExample
Execute Individual Scriptsnmap --script [script.nse] [target]nmap --script banner.nse 192.168.0.1
Execute Multiple Scriptsnmap --script [expression] [target]nmap --script 'http-*' 192.168.0.1
Script Categoriesall, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Categorynmap --script [category] [target]nmap --script 'not intrusive' 192.168.0.1
Execute Multiple Script Categoriesnmap --script [category1,category2,etc]nmap --script 'default or safe' 192.168.0.1
Troubleshoot Scriptsnmap --script [script] --script-trace [target]nmap --script banner.nse --script-trace 192.168.0.1
Update the Script Databasenmap --script-updatedbnmap --script-updatedb

Download NMap

About the Author: 
Kislay Bhardwaj, He is a security researcher and specialized in Penetrating Testing, Cyber forensic, Linux security and other Security Assessments and Training.

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top