Nmap 5 Cheat Sheet

Target specification
IP addresses, hostnames, networks, etc.
Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL file  input from list
-iR n  choose random targets, 0 never ending
--exclude, --excludefile file  exclude host or list from file

Host discovery
-PS n  tcp syn ping
-PA n  tcp ack ping
-PU n  udp ping
-PM  netmask request
-PP  timestamp request
-PE  echo request
-sL  list scan
-PO  protocol ping
-PN  no ping
-n  no DNS
-R  DNS resolution for all targets
--traceroute  trace path to host (for topology map)
-sP  ping scan, same as -PP -PM -PS443 -PA80

Port scanning techniques
-sS  tcp syn scan
-sT  tcp connect scan
-sU  udp scan
-sY  sctp init scan
-sZ  sctp cookie echo scan
-sO  ip protocol scan
-sW  tcp window scan
-sN, -sF, -sX  null, fin, xmas scans
-sA  tcp ack scan

Port specification and scan order
-p n-m  range
-p-  all ports
-p n,m,z  individual ports
-p U:n-m,z T:n,m  U for udp, T for tcp
-F  fast, 100 most common ports
--top-ports n  scan the n highest-ratio ports
-r  don't randomize port order

Timing and performance
-T0  paranoid
-T1  sneaky
-T2  polite
-T3  normal
-T4  aggressive
-T5  insane
--min-hostgroup, --max-hostgroup
--min-rate, --max-rate
--min-parallelism, --max-parallelism
--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout
--max-retries
--host-timeout
--scan-delay

Service and version detection
-sV  version detection
--all-ports  don't exclude ports
--version-all  try every single probe
--version-trace  trace version scan activity
-O  enable OS detection
--fuzzy  guess OS detection
--max-os-tries  set the maximum number of tries against a target

Firewall/IDS evasion
-f  fragment packets
-D d1,d2  cloak scan with decoys
-S ip  spoof source address
-g source  spoof source port
--randomize-hosts  randomize host order
--spoof-mac mac  change the source mac

Verbosity and debugging options
-v  increase verbosity level
--reason  show the reason for each host and port state
-d (1-9)  set debugging level
--packet-trace  trace packets

Interactive options
v/V  increase/decrease verbosity level
d/D  increase/decrease debugging level
p/P  turn on/off packet tracing

Miscellaneous options
--resume file  resume aborted scan (from oN or oG output)
-6  enable ipv6 scanning
-A  aggressive, same as -O -sV -sC --traceroute

Scripts
-sC  perform scan with default scripts
--script file  run script (or all)
--script-args n=v  provide arguments
--script-trace  print incoming and outgoing communication

Output
-oN  normal
-oX  xml
-oG  grepable
-oA  all outputs

Examples
Quick scan:
nmap -T4 -F
Fast scan (port 80):
nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80
Ping scan:
nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
Slow comprehensive:
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
Quick traceroute:
nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute