Nmap Commands Cheat Sheet 2023

What is Nmap?

Imagine you’re a detective investigating a mysterious house. You want to know how many doors and windows there are, which ones are open, and maybe even what’s happening inside. In the world of computers, Nmap is your detective tool for investigating and understanding what is happening on a computer network.

Nmap, short for Network Mapper, is a powerful open-source tool for network exploration and security auditing, written in C, C++, Python and Lua. It is widely used by network administrators, security professionals, and ethical hackers to discover hosts, services, and vulnerabilities within a network. Nmap provides a comprehensive set of features for network scanning, ranging from simple host discovery to detailed port and service enumeration. Nmap helps identify the ways a target could be attacked, so that they can be closed off.

Nmap Use Cases

Nmap is a versatile and powerful tool with various use cases in the realm of cybersecurity, network administration, and system analysis. Here are some common scenarios and use cases where Nmap can be employed:

  • Network discovery: Find all the devices (hosts) available on the network.
  • Port scanning: Find which ports are open on a device.
  • Service version detection: Determine the specific version of a service running on a port.
  • OS detection: Identify the operating system (and OS version) of a host.
  • Firewall testing: Check firewall and IDS settings and configurations.
  • Penetration testing: Identify vulnerabilities during ethical hacking engagements so they can be fixed.
  • Vulnerability assessment: Identify potential weaknesses in a system.
  • Security auditing: Help organizations improve their security posture by identifying potential vulnerabilities.
  • Network mapping: Help visualize the network layout.
  • Incident response: Quickly gather information about affected systems.
  • Scripting engine: Run custom scripts to automate specific tasks.

Nmap Options Summary

You can see this option summary by running ‘nmap’ with no arguments, ‘man nmap’ or ‘nmap --help’. It does not cover the more advanced usage shown in the cheat sheet further below.

Nmap 7.94 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Nmap Commands Cheat Sheet

Here’s a cheat sheet of basic to advanced Nmap commands to help you with network scanning and discovery. In the tables below, [target] stands for an IP address or hostname.

Target Specification:

Command                    | Description
nmap [target]              | Scan a single target.
nmap [target1 target2 ...] | Scan multiple targets.
nmap 10.129.2.0/24         | Scan a network range (CIDR notation).
nmap 10.129.2.0-254        | Scan a network range (octet range notation).
nmap -iL [host.lst]        | Scan a list of IP addresses read from a file.

Note: Host discovery only works if the hosts’ firewalls allow the probes. Hosts may drop the default ICMP echo requests because of their firewall configuration; when Nmap receives no response, it marks those hosts as down.

Host Discovery:

Option                            | Description
nmap -sn [target]                 | Ping scan only; no port scan.
nmap -PR [target]                 | ARP scan (local network).
nmap -Pn [target]                 | No ping: skip host discovery (no ICMP echo request) and treat all hosts as online.
nmap -PE [target]                 | Ping scan using ICMP echo requests.
nmap --disable-arp-ping [target]  | Disable ARP pings.

Note: Both ARP requests and ICMP echo requests are used to determine whether a host is alive.

Example (ICMP echo discovery, showing every packet and the reason for the result, with ARP ping disabled):

nmap [target] -PE --packet-trace --reason --disable-arp-ping

Port Scanning Basics:

A scanned port can be in one of six states:

State           | Description
open            | A connection to the scanned port can be established; the connection can be TCP, UDP or SCTP.
closed          | The port is accessible but no application is listening on it.
filtered        | Nmap can’t tell whether the port is open or closed, because there was no response from the target or the target returned an error code.
unfiltered      | Only occurs in the TCP ACK scan: the port is accessible, but Nmap cannot determine whether it is open or closed.
open|filtered   | Nmap cannot tell whether the port is open or filtered by a firewall because of an unusual response; also reported when a UDP port does not respond.
closed|filtered | Occurs in the IP ID idle scan: Nmap cannot determine whether the port is closed or filtered.

Port Scanning Techniques:

Option                       | Description
nmap -sT [target]            | TCP connect scan (full three-way handshake). Default scan type when Nmap runs without raw-socket privileges.
nmap -sS [target]            | TCP SYN scan (stealth or half-open scan).
nmap -sA [target]            | TCP ACK scan (firewall rule detection).
nmap -sU [target]            | UDP scan.
nmap --top-ports=10 [target] | Scan the 10 most frequently used ports.
nmap -sN [target]            | Null scan: TCP packet sent with no flags set.
nmap -sF [target]            | FIN scan: TCP packet sent with only the FIN flag (normally used to close an active connection).
nmap -sX [target]            | Xmas scan: TCP packet sent with an abnormal flag combination (PSH, URG and FIN).

Note:

  • By default, Nmap scans the top 1000 TCP ports.
  • The Nmap TCP connect scan (-sT) uses the TCP three-way handshake to determine whether a specific port on a target host is open or closed. Nmap sends a SYN packet to the target; the port is considered open if the target responds with a SYN-ACK packet and closed if it responds with an RST packet (RFC 9293).
  • Null, FIN and Xmas scans are generally used for firewall evasion. Microsoft Windows responds with RST (reported as closed) to these scans.

Port Specification and Scan Order:

Option                  | Description
nmap -p 80 [target]     | Scan a single port.
nmap -p 80,443 [target] | Scan multiple ports.
nmap -p 1-100 [target]  | Scan a range of ports.
nmap -p- [target]       | Scan all ports.
nmap -F [target]        | Fast scan: only the 100 most common ports.
nmap -r [target]        | Do not randomize port order; scan ports sequentially from lowest to highest.

Service Version Detection:

Option            | Description
nmap -sV [target] | Detect service versions.
nmap -A [target]  | Aggressive scan; enables version detection among other things (OS detection, script scanning, traceroute).

Operating System Detection:

Option           | Description
nmap -O [target] | Detect the operating system.

Nmap Scripting Engine (NSE):

NSE script category | Description
safe                | Won’t affect the target.
intrusive           | May affect the target; not safe.
vuln                | Scan for vulnerabilities.
exploit             | Attempt to exploit a vulnerability.
auth                | Attempt to bypass authentication on a running service.
brute               | Attempt to brute-force credentials for running services.
discovery           | Query running services for more information about the network.

Option | Description
nmap -sC [target] | Run the default NSE scripts.
nmap --script [script_category] [target] | Run every script in a category.
nmap --script [script_name] [target] | Run a specific script; separate multiple scripts with commas.
nmap --script [script_name] --script-args [script_name].[argument]=[value] [target] | Pass arguments to scripts that require them.

Note:

  • NSE scripts are written in the Lua language.
  • Browse the NSE scripts online in the Nmap script documentation, or locally under /usr/share/nmap/scripts on Linux.
  • To get new NSE scripts, update the Nmap package (sudo apt update && sudo apt install nmap) or download a script file into the scripts directory: sudo wget -O /usr/share/nmap/scripts/<script-name>.nse <script-url>
  • Update the script.db index afterwards: nmap --script-updatedb

Timing and Performance:

Option                         | Description
nmap -T4 [target]              | Set the timing template (0-5; higher is faster).
nmap --stats-every=5s [target] | Print scan progress every 5 seconds.

Firewall/IDS Evasion and Spoofing:

Option                           | Description
nmap -f [target]                 | Fragment packets into smaller pieces.
nmap -D decoy1,decoy2 [target]   | Use decoy addresses.
nmap --mtu <number> [target]     | Set the maximum transmission unit of the packets sent (must be a multiple of 8).
nmap --scan-delay <time> [target] | Wait <time> (e.g. 1s or 500ms) between the packets sent.
nmap --badsum [target]           | Send packets with a bogus checksum; used to determine the presence of a firewall.
nmap --data-length <num> [target] | Append <num> bytes of random data to the end of the packets sent.

Note: A Windows host’s firewall can block all ICMP packets.

Output Options:

Option                       | Description
nmap -oN [filename] [target] | Save results in normal format to the file ‘filename’ (the .nmap extension is the convention for this format).
nmap -oA [filename] [target] | Save results in all three major formats at once (normal, XML and grepable).
nmap -oX [filename] [target] | Save results in XML format (.xml extension).
nmap -oG [filename] [target] | Save results in grepable format (.gnmap extension).
nmap --packet-trace [target] | Show all packets sent and received.
nmap --reason [target]       | Display the reason a port is reported in a particular state.
nmap -v [target]             | Increase verbosity; displays more detailed information.
nmap -vv [target]            | Verbosity level two; displays even more detail.

  • xsltproc target.xml -o target.html converts an XML report into an HTML report using the XSL stylesheet referenced in the XML.
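As an added example (not part of the original cheat sheet), the POSIX shell script below reads a constructed -oG grepable report, lists every open port per host, and flags any open port that is missing from a baseline of expected services, which is how a defender turns a scan into an inventory check. The sample hosts, the baseline contents and the temporary file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build an open-port inventory from nmap -oG (grepable) output and
# diff it against a baseline of expected services. The scan data below is constructed.

# Write a constructed grepable report to the file named in $1. Fields are tab-separated:
# "Host: <ip> (<name>)<TAB>Ports: <port/state/proto/owner/service/rpc/version/>, ..."
write_sample_gnmap() {
  {
    printf '# Nmap 7.94 scan initiated as: nmap -oG inv.gnmap 10.129.2.0/24\n'
    printf 'Host: 10.129.2.49 ()\tStatus: Up\n'
    printf 'Host: 10.129.2.49 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///\tIgnored State: closed (997)\n'
    printf 'Host: 10.129.2.50 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
  } > "$1"
}

# open_ports FILE: print "host port/proto service" for every port whose state is exactly "open".
# open|filtered ports are deliberately skipped; they need a follow-up scan before being trusted.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }' "$1"
}

# unexpected_ports FILE BASELINE: open ports not listed in BASELINE (one "host port/proto" per line).
# The baseline is read in BEGIN so that an empty baseline correctly reports every open port.
unexpected_ports() {
  open_ports "$1" | awk -v base="$2" '
    BEGIN { while ((getline line < base) > 0) { split(line, b, " "); ok[b[1] " " b[2]] = 1 } }
    !(($1 " " $2) in ok)'
}

tmp=${TMPDIR:-/tmp}/nmap_example.$$
write_sample_gnmap "$tmp.gnmap"
printf '10.129.2.49 22/tcp\n10.129.2.49 80/tcp\n10.129.2.50 22/tcp\n' > "$tmp.baseline"
echo "Open ports:";      open_ports "$tmp.gnmap"
echo "Not in baseline:"; unexpected_ports "$tmp.gnmap" "$tmp.baseline"   # expect 31337/tcp on .49
rm -f "$tmp.gnmap" "$tmp.baseline"
```

Run it against a real report by calling unexpected_ports on the .gnmap file written with -oG and a baseline file maintained from your asset inventory.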

Nmap Other Options:

Option           | Description
nmap -6 [target] | Scan an IPv6 target.

Other Useful Commands:

Command                  | Description
nc -nv 10.129.2.49 31337 | Manually connect to the SMTP server (here listening on port 31337) with netcat.

source: https://nmap.org/book/man.html

Discover more from Aman Aadi
