Nmap cheat sheet – We covered Nmap scanning in the previous post; if you have not read it yet, read that post first. In this post, I divide all the commands you can use in Nmap into sections so they are easy to understand.
What is Nmap?
Nmap stands for Network Mapper. With Nmap you can learn the complete details of a network and also assess the security of that network. Simply put, Nmap is an information-gathering tool.
How to use Nmap?
Nmap can be used in a variety of ways depending on the user’s level of technical expertise.
Beginner – Zenmap the graphical user interface for Nmap
Intermediate – Command Line
Advanced – Python scripting with the Python-Nmap package
Nmap cheat sheet
Basic Scanning Techniques
The -s switch determines the type of scan to perform.
-sA – ACK scan
-sF – FIN scan
-sI – IDLE scan
-sL – DNS scan (a.k.a. list scan)
-sN – NULL scan
-sO – Protocol scan
-sP – Ping scan
-sR – RPC scan
-sS – SYN scan
-sT – TCP connect scan
-sW – Window scan (TCP window scan)
-sX – XMAS scan
Scan a Single Target >> nmap [target]
Scan Multiple Targets >> nmap [target1 target2 ...]
Scan a List of Targets >> nmap -iL [list.txt]
Scan a Range of Hosts >> nmap [range of IP addresses]
Scan an Entire Subnet >> nmap [ip address/cidr]
Scan Random Hosts >> nmap -iR [number]
Exclude Targets From a Scan >> nmap [targets] --exclude [targets]
Exclude Targets Using a List >> nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan >> nmap -A [target]
Scan an IPv6 Target >> nmap -6 [target]
Port Scanning Options
Nmap scans ports as part of every scan, but by default it only scans the most common TCP ports. If you want to scan other ports you have to specify them manually. All port scanning commands are given below.
Perform a Fast Scan >> nmap -F [target]
Scan Specific Ports >> nmap -p [port(s)] [target]
Scan Ports by Name >> nmap -p [port name(s)] [target]
Scan Ports by Protocol >> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports >> nmap -p 1-65535 [target]
Scan Top Ports >> nmap --top-ports [number] [target]
Perform a Sequential Port Scan >> nmap -r [target]
Attempt to Guess an Unknown OS >> nmap -O --osscan-guess [target]
Service Version Detection >> nmap -sV [target]
Troubleshoot Version Scan >> nmap -sV --version-trace [target]
Perform a RPC Scan >> nmap -sR [target]
Discovery options
Host Discovery
The -P switch determines the type of ping to perform.
-PI – ICMP ping
-P0 – No ping
-PS – SYN ping
-PT – TCP ping
Description | Command |
---|---|
Perform a Ping Only Scan | nmap -sn [target] |
Do Not Ping | nmap -Pn [target] |
TCP SYN Ping | nmap -PS [target] |
TCP ACK Ping | nmap -PA [target] |
UDP Ping | nmap -PU [target] |
SCTP INIT Ping | nmap -PY [target] |
ICMP Echo Ping | nmap -PE [target] |
ICMP Timestamp Ping | nmap -PP [target] |
ICMP Address Mask Ping | nmap -PM [target] |
IP Protocol Ping | nmap -PO [target] |
ARP Ping | nmap -PR [target] |
Traceroute | nmap --traceroute [target] |
Force Reverse DNS Resolution | nmap -R [target] |
Disable Reverse DNS Resolution | nmap -n [target] |
Alternative DNS Lookup | nmap --system-dns [target] |
Manually Specify DNS Server | nmap --dns-servers [servers] [target] |
Create a Host List | nmap -sL [targets] |
Timing and Performance
Switch | Example | Description |
---|---|---|
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion |
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion |
-T2 | nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and use less target machine resources |
-T3 | nmap 192.168.1.1 -T3 | Normal (3) which is default speed |
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network |
-T5 | nmap 192.168.1.1 -T5 | Insane (5) speeds scan; assumes you are on an extraordinarily fast network |
Switch | Example input | Description |
---|---|---|
--host-timeout <time> | 1s; 4m; 2h | Give up on target after this long |
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time |
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjust delay between probes |
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions |
--min-rate <number> | 100 | Send packets no slower than <number> per second |
--max-rate <number> | 100 | Send packets no faster than <number> per second |
OS Detection
Switch | Example | Description |
---|---|---|
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against host |
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Output
Switch | Example | Description |
---|---|---|
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file |
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file |
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file |
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once |
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable |
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file |
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect) |
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect) |
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv |
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports |
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received |
--iflist | nmap --iflist | Shows the host interfaces and routes |
--resume | nmap --resume results.file | Resume a scan |
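The XML output from -oX is the format you want when a scan result has to be processed by a script rather than read by eye. The following is an added example, not part of this post: it parses a constructed sample of Nmap XML with Python's standard library, skips hosts that are down, and applies the same filter as the --open switch (open or possibly-open ports only) to each host's port list.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -oX" output (not a real scan): one host up with
# four ports in different states, one host down. Field names follow Nmap's DTD.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX xml.file 192.168.1.0/30">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames><hostname name="router.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
<service name="telnet"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
<service name="domain"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.2" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text, open_only=True):
    """Return {ip: {"hostname": ..., "ports": [...]}} for every host that is up.

    open_only mirrors --open: keep ports whose state is 'open' or a possibly-open
    combination such as 'open|filtered'; closed and filtered ports are dropped.
    """
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts Nmap reported as down
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if open_only and not state.get("state").startswith("open"):
                continue
            svc = port.find("service")
            # Combine product and version the way -sV prints them (e.g. "OpenSSH 8.9p1").
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            ports.append({"proto": port.get("protocol"), "port": int(port.get("portid")),
                          "state": state.get("state"), "reason": state.get("reason"),
                          "service": svc.get("name") if svc is not None else None,
                          "product": product})
        results[addr.get("addr")] = {"hostname": hostname.get("name") if hostname is not None else None,
                                     "ports": ports}
    return results
```

Point the same function at a real xml.file produced by -oX and the "reason" field carries what --reason shows on screen.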
Conclusion
I hope I have covered all kinds of Nmap commands in this post. Let me know through the comment section if you know of any commands that are missing.
I hope you find this Nmap cheat sheet useful. Please also share this post with your friends.