Quick Guide on “nmap : Cheat Sheet”

Information gathering needs a handful of basic commands, but a single tool can have a great many of them. Anyone who has played video games on PC or a PlayStation (PS2, PS3, PS4) knows that nearly every game has a cheat sheet; GTA on PC, for example, has cheats such as leavemealone and seaways. In the same way, our main information gathering tools have cheat sheets.

Also Read: Information Gathering Online Tools

Here we look at the well-known tool nmap.

Everyone surely knows a few of these commands, but that is maybe 2 out of 10; below is a much more complete reference of nmap commands, grouped by what they do.

Before proceeding, please read the warning below.

Warning: Scanning any website, web app or organization without the owner's permission is illegal, and depending on the country it may be a crime. This is for educational purposes only; #TeamKnowledgeSuttra neither encourages nor advises you to do so. Do this at your own risk.

Target Specification

nmap 192.168.1.1
  Scan a single IP
nmap 192.168.1.1 192.168.2.1
  Scan specific IPs
nmap 192.168.1.1-254
  Scan a range
nmap scanme.nmap.org
  Scan a domain
nmap 192.168.1.0/24
  Scan using CIDR notation
nmap -iL targets.txt
  Scan targets from a file (one host, range or network per line)
nmap -iR 100
  Scan 100 random hosts
nmap --exclude 192.168.1.1
  Exclude the listed hosts from the scan

Scan Techniques

nmap 192.168.1.1 -sS
  TCP SYN port scan (the default when running as root; needs raw-socket privileges)
nmap 192.168.1.1 -sT
  TCP connect port scan (the default for unprivileged users; completes the handshake, so the service sees and may log the connection)
nmap 192.168.1.1 -sU
  UDP port scan
nmap 192.168.1.1 -sA
  TCP ACK port scan (maps firewall rules, does not tell open from closed)
nmap 192.168.1.1 -sW
  TCP Window port scan
nmap 192.168.1.1 -sM
  TCP Maimon port scan

Host Discovery

nmap 192.168.1.1-3 -sL
  No scan. List targets only (still does reverse DNS unless -n is given)
nmap 192.168.1.1/24 -sn
  Disable port scanning. Host discovery (ping sweep) only
nmap 192.168.1.1-5 -Pn
  Disable host discovery. Port scan only, every target treated as up
nmap 192.168.1.1-5 -PS22-25,80
  TCP SYN discovery on the given ports. Port 80 by default
nmap 192.168.1.1-5 -PA22-25,80
  TCP ACK discovery on the given ports. Port 80 by default
nmap 192.168.1.1-5 -PU53
  UDP discovery on the given ports. Port 40125 by default
nmap 192.168.1.0/24 -PR
  ARP discovery on the local network (used automatically for targets on the local Ethernet segment)
nmap 192.168.1.1 -n
  Never do DNS resolution

Port Specification

nmap 192.168.1.1 -p 21
  Port scan for a single port
nmap 192.168.1.1 -p 21-100
  Port range
nmap 192.168.1.1 -p U:53,T:21-25,80
  Port scan multiple TCP and UDP ports (add -sU alongside a TCP scan type so both protocols are actually scanned)
nmap 192.168.1.1 -p-
  Port scan all 65535 ports
nmap 192.168.1.1 -p http,https
  Port scan by service name (looked up in nmap-services)
nmap 192.168.1.1 -F
  Fast port scan (the 100 most common ports)
nmap 192.168.1.1 --top-ports 2000
  Port scan the top x most common ports
nmap 192.168.1.1 -p-65535
  Leaving off the initial port in a range makes the scan start at port 1
nmap 192.168.1.1 -p0-
  Leaving off the end port in a range makes the scan go through to port 65535

Service and Version Detection

nmap 192.168.1.1 -sV
  Attempts to determine the version of the service running on each open port
nmap 192.168.1.1 -sV --version-intensity 8
  Intensity level 0 to 9 (default 7). Higher numbers send more probes: more likely correct, slower
nmap 192.168.1.1 -sV --version-light
  Light mode (intensity 2). Lower possibility of correctness. Faster
nmap 192.168.1.1 -sV --version-all
  Intensity level 9. Higher possibility of correctness. Slower
nmap 192.168.1.1 -A
  Enables OS detection, version detection, script scanning, and traceroute (aggressive; noisy and easy to detect)
nmap 192.168.1.1 -O
  Remote OS detection using TCP/IP stack fingerprinting (needs raw-socket privileges)
nmap 192.168.1.1 -O --osscan-limit
  Only attempt OS detection against hosts that have at least one open and one closed TCP port
nmap 192.168.1.1 -O --osscan-guess
  Makes Nmap guess more aggressively when there is no perfect match
nmap 192.168.1.1 -O --max-os-tries 1
  Set the maximum number of OS detection tries against a target (default 5)

Timing and Performance

nmap 192.168.1.1 -T0
  Paranoid (0): one probe at a time with 5 minutes between probes. IDS evasion, extremely slow
nmap 192.168.1.1 -T1
  Sneaky (1): 15 seconds between probes. IDS evasion
nmap 192.168.1.1 -T2
  Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
nmap 192.168.1.1 -T3
  Normal (3): the default
nmap 192.168.1.1 -T4
  Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
nmap 192.168.1.1 -T5
  Insane (5): speeds scans further; assumes an extraordinarily fast network and trades away some accuracy

NSE Scripts

nmap 192.168.1.1 -sC
  Scan with the default NSE scripts. Considered useful for discovery and safe
nmap 192.168.1.1 --script default
  Same as -sC
nmap 192.168.1.1 --script=banner
  Scan with a single script. Example: banner
nmap 192.168.1.1 --script "http*"
  Scan with a wildcard. Example: every script whose name starts with http (quote it so the shell does not expand the *)
nmap 192.168.1.1 --script=http-title,banner
  Scan with two scripts. Example: http-title and banner
nmap 192.168.1.1 --script "default and not intrusive"
  Scan with the default scripts minus those in the intrusive category ("not intrusive" on its own would select every non-intrusive script, far more than the default set)
nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1
  NSE script with arguments

Firewall / IDS Evasion and Spoofing

nmap 192.168.1.1 -f
  Send the requested scans (including ping scans) as tiny fragmented IP packets (8-byte fragments). Harder for some packet filters to inspect
nmap 192.168.1.1 --mtu 32
  Set your own fragment size (must be a multiple of 8)
nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
  Cloak the scan with decoys: probes also appear to come from the listed spoofed IPs (not usable with -sT or version detection)
nmap -D decoy-ip1,decoy-ip2,ME,decoy-ip3,decoy-ip4 remote-host-ip
  Above example explained; ME stands for your own address, RND for a randomly generated decoy
nmap -S 192.168.1.200 -e eth0 -Pn 192.168.1.1
  Spoof the source address. -e (interface) and -Pn are usually required; replies go to the spoofed address, so you will not see results unless you can sniff them
nmap -g 53 192.168.1.1
  Use the given source port number (same as --source-port)
nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1
  Relay connections through a comma-separated chain of HTTP/SOCKS4 proxies (experimental; only connect-style scans such as -sT and NSE go through the proxy)
nmap --data-length 200 192.168.1.1
  Appends 200 bytes of random data to sent packets

Output 

nmap 192.168.1.1 -oN normal.file
  Normal output to the file normal.file
nmap 192.168.1.1 -oX xml.file
  XML output to the file xml.file (the format to use for tooling)
nmap 192.168.1.1 -oG grep.file
  Grepable output to the file grep.file (deprecated in favour of XML, but still produced)
nmap 192.168.1.1 -oA results
  Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
nmap 192.168.1.1 -oG -
  Grepable output to the screen. -oN - and -oX - also usable
nmap 192.168.1.1 -oN file.file --append-output
  Append a scan to a previous scan file
nmap 192.168.1.1 -v
  Increase the verbosity level (use -vv or more for greater effect)
nmap 192.168.1.1 -d
  Increase the debugging level (use -dd or more for greater effect)
nmap 192.168.1.1 --reason
  Display the reason a port is in a particular state (enabled automatically by -d)
nmap 192.168.1.1 --open
  Only show open (or possibly open) ports
nmap 192.168.1.1 -T4 --packet-trace
  Show all packets sent and received
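
The entries above give the flags; what a practitioner actually does with them is chain a ping sweep (-sn, from Host Discovery) into a port scan through a target file (-iL, from Target Specification) and then reduce the grepable output (-oG) to the lines that matter. The script below is an added example, not part of the original cheat sheet and not Nmap's own code. It contains no real scan data: the two *_sample functions emit constructed text in the -oG format (the addresses, hostnames and version strings are made up), so it runs offline with only sh and awk.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): post-process nmap
# grepable (-oG) output with POSIX sh + awk, so a ping sweep can feed a
# port scan via -iL and the port-scan results can be reduced to open ports.
# The two *_sample functions emit CONSTRUCTED output in the -oG format as
# stand-ins for real scans, so this runs offline without nmap installed.

# Constructed stand-in for: nmap -sn -oG - 192.168.1.0/24
sweep_sample() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24'
  printf 'Host: %s\tStatus: %s\n' \
    '192.168.1.1 (gw.lab)' Up \
    '192.168.1.10 ()'      Up \
    '192.168.1.20 ()'      Down
  printf '%s\n' '# Nmap done: 256 IP addresses (2 hosts up) scanned in 2.50 seconds'
}

# Constructed stand-in for: nmap -sS -sU -sV -iL live.txt -oG -
scan_sample() {
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -iL live.txt -oG -'
  printf 'Host: %s\tStatus: Up\n' '192.168.1.1 (gw.lab)'
  printf 'Host: %s\tPorts: %s\tIgnored State: closed (1999)\n' \
    '192.168.1.1 (gw.lab)' '53/open/udp//domain///'
  printf 'Host: %s\tStatus: Up\n' '192.168.1.10 ()'
  printf 'Host: %s\tPorts: %s\tIgnored State: closed (1997)\n' \
    '192.168.1.10 ()' \
    '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///'
  printf '%s\n' '# Nmap done: 2 IP addresses (2 hosts up) scanned in 12.30 seconds'
}

# up_hosts: read -oG output on stdin, print one IP per line for hosts marked Up.
# Grepable lines are tab-separated fields and "Host: <ip> (<name>)" is always first.
up_hosts() {
  awk 'BEGIN { FS = "\t" }
       /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports: read -oG output on stdin, print "ip port/proto service (version)"
# for every open port. The Ports field holds "port/state/proto/owner/service/rpc/version/"
# entries separated by ", "; version strings may contain spaces, so split on
# tabs first and only then on ", " and "/".
open_ports() {
  awk 'BEGIN { FS = "\t" }
       /^Host:/ {
         split($1, h, " "); ip = h[2]
         for (i = 2; i <= NF; i++) {
           if (index($i, "Ports: ") != 1) continue
           n = split(substr($i, 8), e, ", ")
           for (j = 1; j <= n; j++) {
             split(e[j], f, "/")
             if (f[2] != "open") continue
             printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "" : " (" f[7] ")")
           }
         }
       }'
}

# Stand-alone demo on the constructed samples.
echo "Live hosts from the sweep:"
sweep_sample | up_hosts
echo "Open ports from the scan:"
scan_sample | open_ports

# Real use (not executed here): chain discovery into the port scan with -iL.
#   nmap -sn -oG - 192.168.1.0/24 | up_hosts > live.txt
#   nmap -sS -sV -iL live.txt -oG scan.gnmap
#   open_ports < scan.gnmap
```

The same two functions run unchanged on a real file, as the commented lines at the end show. Two caveats: the Nmap documentation marks grepable output as deprecated in favour of XML (-oX), which is the format to build durable tooling on, and if all you want is the list of open ports, --open on the nmap command line already drops closed and filtered ports from every output format.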

Miscellaneous Options

nmap --iflist
  Show the host interfaces and routes
nmap --resume results.file
  Resume an aborted scan from its normal or grepable output file
nmap -6 2607:f0d0:1002:51::4
  Enable IPv6 scanning
nmap -h
  nmap help screen
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
  Discovery only on the given ports, no port scan
nmap 192.168.1.0/24 -PR -sn -vv
  ARP discovery only on the local network, no port scan
nmap -iR 10 -sn --traceroute
  Traceroute to random targets, no port scan
nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1
  Query the internal DNS for hosts, list targets only