Beruflich Dokumente
Kultur Dokumente
https://highon.coffee/blog/nmap-cheat-sheet/
HOME
BLOG
All Blog
Cheat Sheets
Techniques
CHEAT-SHEET
13 Dec 2014
Arr0way
Tools
Security
Nmap (network
mapper), the god of
port scanners used
for network
discovery and the
basis for most
Hardening
WalkThroughs
CHEAT SHEETS
Reverse Shell
Cheat Sheet
Target Specification
nbtscan Cheat
Host Discovery
Sheet
Scan Techniques
enum4linux Cheat
Sheet
Nmap Cheat
penetration
Script Scan
Sheet
OS Detection
maintained by
Fyodor AKA
security
enumeration
during the initial
stages of
Gordon Lyon.
Nmap displays
1 of 18
Table of Contents
Nmap Examples
Nmap scan from file
Linux Commands
Cheat Sheet
More
WALKTHROUGHS
Tr0ll 2
Walkthrough
exposed services
Tr0ll 1
Walkthrough
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
More
TECHNIQUES
SSH &
Meterpreter
Pivoting
Techniques
More
TOOLS
Linux Local
Enumeration
Nmap in a nutshell
Host discovery
Script
More
SECURITY
HARDENING
Security Harden
More
/DEV/URANDOM
CentOS 7
MacBook - Post
Install Config +
Apps
More
Nmap Examples
OTHER BLOG
MacBook - Post
Install Config +
Apps
2 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
Ping scans the
network,
listing
machines that
respond to
HowTo Install
Quassel on
Ubuntu
HowTo Install
KeepNote on OSX
Mavericks
ping.
Full TCP port
scan using
with service
version
detection nmap -p 1-65535 -sV -sS -T4 target
usually my
first scan, I
find T4 more
accurate than
T5 and still
"pretty quick".
Prints
verbose
output, runs
stealth syn
scan, T4
timing, OS
and version
detection +
traceroute
and scripts
against target
services.
Prints
3 of 18
verbose
output, runs
stealth syn
scan, T5
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
timing, OS
and version
detection +
traceroute
and scripts
against target
services.
Prints
verbose
output, runs
stealth syn
scan, T5
timing, OS
and version
detection.
Prints
verbose
output, runs
stealth syn
scan, T4
timing, OS
and version
detection +
full port range
scan.
Prints
verbose
output, runs
stealth syn
scan, T5
timing, OS
and version
detection +
full port range
4 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
scan.
DESCRIPTION
Scans a list of IP
DESCRIPTION
Outputs
"grepable"
output to a
file, in this
example
Netbios
servers.
E.g, The
output file
could be
grepped for
"Open".
5 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
Export nmap
output to
nmap -sS -sV -T5 10.0.1.99 --webxml -oX | xsltproc --output file.html -
HTML report.
DESCRIPTION
Find all
Netbios
servers on
subnet
Nmap display
Netbios name
Nmap check if
Netbios
servers are
vulnerable to
MS08-067
6 of 18
DESCRIPTION
Scans for http
servers on
port 80 and
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
pipes into
Nikto for
scanning.
Scans for
http/https
servers on
Nmap Cheatsheet
Target Specification
Nmap allows hostnames, IP addresses, subnets.
Example blah.highon.coffee, nmap.org/24,
192.168.0.1; 10.0.0-255.1-254
COMMAND
DESCRIPTION
-iL
-iR
--exclude
--excludefile
host1[,host2][,host3],... : Exclude
hosts/networks
exclude_file: Exclude list from file
Host Discovery
7 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
-sL
-sn
-Pn
-PS/PA/PU/PY[portlist]
-PE/PP/PM
-PO[protocol list]
IP Protocol Ping
-n/-R
Never do DNS
resolution/Always resolve
[default: sometimes]
Scan Techniques
COMMAND
-sS
8 of 18
DESCRIPTION
-sT
-sA
ACK scan
-sW
-sM
Window scan
Maimon scan
-sU
UDP Scan
-sN
-sF
FIN scan
-sX
Xmas scan
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
--scanflags
Idle scan
-sY
-sZ
COOKIE-ECHO scan
-sO
IP protocol scan
FTP bounce scan
DESCRIPTION
Specify ports, e.g. -p80,443 or
-p1-65535
-p
-p U:PORT
-F
-r
--top-ports "number"
--port-ratio "ratio"
9 of 18
DESCRIPTION
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
Probe open ports to
determine
-sV
service/version info
--version-intensity "level"
--version-light
--version-all
--version-trace
Script Scan
COMMAND
-sC
DESCRIPTION
equivalent to
--script=default
"Lua scripts" is a
--script="Lua scripts"
comma separated
list of directories,
script-files or
script-categories
provide
--script-args=n1=v1,[n2=v2,...]
arguments to
scripts
-script-args-file=filename
10 of 18
provide NSE
script args in a file
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
Show all data sent
and received
--script-trace
Update script
--script-updatedb
database
Show help about
--script-help="Lua scripts"
scripts
OS Detection
COMMAND
DESCRIPTION
Enable OS Detection
-O
--osscan-limit
--osscan-guess
-T 0-5
DESCRIPTION
Set timing template higher is faster (less
accurate)
11 of 18
--min-hostgroup SIZE
--max-hostgroup SIZE
group sizes
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
--min-parallelism NUMPROBES
--max-parallelism NUMPROBES
--min-rtt-timeout TIME
--max-rtt-timeout TIME
--initial-rtt-timeout TIME
DESCRIPTION
Probe parallelization
--host-timeout TIME
--scan-delay TIME
--max-scan-delay TIME
scan probe
retransmissions
Give up on target
after this long
Adjust delay between
probes
Send packets no
--min-rate NUMBER
slower than
NUMBER per second
Send packets no
--max-rate NUMBER
DESCRIPTION
Fragment packets
(optionally w/given
MTU)
-D decoy1,decoy2,ME
-S IP-ADDRESS
12 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
DESCRIPTION
address
Use specified
interface
-e IFACE
-g PORTNUM
--source-port PORTNUM
Relay connections
through HTTP /
SOCKS4 proxies
--proxies url1,[url2],...
Append random
data to sent
--data-length NUM
packets
Send packets with
specified ip options
--ip-options OPTIONS
--ttl VALUE
field
--spoof-mac ADDR/PREFIX/VENDOR
--badsum
13 of 18
DESCRIPTION
-oN
Output Normal
-oX
Output to XML
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
-oS
-oG
-oA BASENAME
-v
-d
--reason
--open
--packet-trace
--iflist
--log-errors
--append-output
--resume FILENAME
--stylesheet PATH/URL
14 of 18
DESCRIPTION
Script Kiddie / 1337 speak...
sigh
Output greppable - easy to
grep nmap output
Output in the three major
formats at once
Increase verbosity level use
-vv or more for greater effect
Increase debugging level use
-dd or more for greater effect
Display the reason a port is in
a particular state
Only show open or possibly
open ports
Show all packets sent /
received
Print host interfaces and
routes for debugging
Log errors/warnings to the
normal-format output file
Append to rather than clobber
specified output files
Resume an aborted scan
XSL stylesheet to transform
XML output to HTML
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
COMMAND
--webxml
DESCRIPTION
Reference stylesheet from
Nmap.Org for more portable
XML
--no-stylesheet
DESCRIPTION
Enable IPv6 scanning
Enable OS detection, version
-A
--datedir DIRNAME
--send-eth
--send-ip
--privileged
--unprivileged
-V
-h
15 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
Enumerating Netbios
The following example enumerates Netbios on the
target networks, the same process can be applied to
other services by modifying ports / NSE scripts.
Detect all exposed Netbios servers on the subnet.
Nmap find exposed Netbios servers
root:~# nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74
seconds
16 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
17 of 18
7/17/15, 10:01 AM
https://highon.coffee/blog/nmap-cheat-sheet/
18 of 18
Proudly hosted by
7/17/15, 10:01 AM