NMAP Cheat Sheet

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Mainly, red hat teams (Ethical hackers) are using NMAP for port scanning and network footprinting. And I’ll try to make a comprehensive and practical NMAP cheat sheet to use easily.

In this cheat sheet, you will find a series of practical example commands for running Nmap and getting the most of this powerful tool.

I’ll try to add the most important and practical commands that are commonly used. but to dig deeper you need to check NMAP documentation.

You can also check a simple NMAP tutorial NMAP for Port Scanning.

NMAP Help

~# nmap -h

help function will describe every function and its purpose.

Nmap Target Selection

Scan a single IPnmap 192.168.1.1
Scan a hostnmap www.scanme.org
Scan a range of IPsnmap 192.168.1.1-20
Scan a subnetnmap 192.168.1.0/24
Scan targets from a text filenmap -iL list-of-ips.txt

The above commands are using the default scan. Which limiting the scan to only the standard 1000 ports.

NMAP Port Scan Types

Scan using TCP connectnmap -sT 192.168.2.1
Scan using TCP SYN scan (default)nmap -sS 192.168.2.1
Scan UDP portsnmap -sU -p 22,161,162 192.168.2.1
Scan Using TCP connect with further detailsnmap -sV 192.168.2.1
Scan selected ports – ignore discoverynmap -Pn -F 192.168.2.1

NMAP port Selection

Scan a single Portnmap -p 22 192.168.2.1
Scan a range of portsnmap -p 1-100 192.168.2.1
Scan 100 most common ports (Fast)nmap -F 192.168.2.1
Scan all 65535 portsnmap -p- 192.168.2.1

Service and OS Detection

Detect OS and Servicesnmap -A 192.168.2.1
Standard service detectionnmap -sV 192.168.2.1
More aggressive Service Detectionnmap -sV –version-intensity 5 192.168.2.1
Lighter banner grabbing detectionnmap -sV –version-intensity 0 192.168.2.1

Aggressive service detection is often helpful if there are services running on unusual ports. But it’ll take a much longer time than light detection.

NMAP Output Formats

Save default output to filenmap -oN outputfile.txt 192.168.2.1
Save results as XMLnmap -oX outputfile.xml 192.168.2.1
Save results in a format for grepnmap -oG outputfile.txt 192.168.2.1
Save in all formatsnmap -oA outputfile 192.168.2.1

NSE Scripts

NSE stands for NMAP scripting engine. NMAP contains hundreds of scripts that run to check for a specific issue or vulnerability. NMAP Scripts

Script Examples

 root@kali:~# nmap -sC scanme.nmap.org Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:46 EET Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.23s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 995 closed ports PORT      STATE    SERVICE 22/tcp    open     ssh | ssh-hostkey:  |   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA) |   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA) |   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA) |_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519) 25/tcp    filtered smtp 80/tcp    open     http |_http-title: Go ahead and ScanMe! 9929/tcp  open     nping-echo 31337/tcp open     Eliteap done: 1 IP address (1 host up) scanned in 39.01 seconds

This command runs the most common/default scripts to test your target.

root@kali:~# nmap --script http-headers scanme.nmap.org Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:59 EET Nmap scan report for scanme.nmap.org (45.33.32.156) Host is up (0.23s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 995 closed ports PORT      STATE    SERVICE 22/tcp    open     ssh 25/tcp    filtered smtp 80/tcp    open     http<The important part is below>------------------- | http-headers:  |   Date: Mon, 30 Dec 2019 22:37:17 GMT |   Server: Apache/2.4.7 (Ubuntu) |   Accept-Ranges: bytes |   Vary: Accept-Encoding |   Connection: close |   Content-Type: text/html |    |_  (Request type: HEAD)------------------------- 9929/tcp  open     nping-echo 31337/tcp open     Elite

This command tests https headers.

A good amount of information can be gathered in the HTTP Headers check from a web server. Cookie strings, web application technologies, and other data can be gathered from the HTTP Header. This information can be used when troubleshooting or when planning an attack against the webserver.

Thank you for reading!

Leave a Comment