NMAP Cheat Sheet
Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Red teams (ethical hackers) mainly use NMAP for port scanning and network footprinting. In this post I’ll try to put together a comprehensive and practical NMAP cheat sheet that is easy to use.
In this cheat sheet, you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool.
I’ll try to add the most important and practical commands that are commonly used, but to dig deeper you need to check the NMAP documentation.
You can also check a simple NMAP tutorial: NMAP for Port Scanning.
NMAP Help
~# nmap -h
The help option lists every option and describes its purpose.
Nmap Target Selection
Scan a single IP | nmap 192.168.1.1 |
Scan a host | nmap www.scanme.org |
Scan a range of IPs | nmap 192.168.1.1-20 |
Scan a subnet | nmap 192.168.1.0/24 |
Scan targets from a text file | nmap -iL list-of-ips.txt |
The above commands use the default scan, which is limited to the standard 1000 ports.
NMAP Port Scan Types
Scan using TCP connect | nmap -sT 192.168.2.1 |
Scan using TCP SYN scan (default) | nmap -sS 192.168.2.1 |
Scan UDP ports | nmap -sU -p 22,161,162 192.168.2.1 |
Scan Using TCP connect with further details | nmap -sV 192.168.2.1 |
Scan selected ports – ignore discovery | nmap -Pn -F 192.168.2.1 |
NMAP Port Selection
Scan a single Port | nmap -p 22 192.168.2.1 |
Scan a range of ports | nmap -p 1-100 192.168.2.1 |
Scan 100 most common ports (Fast) | nmap -F 192.168.2.1 |
Scan all 65535 ports | nmap -p- 192.168.2.1 |
Service and OS Detection
Detect OS and Services | nmap -A 192.168.2.1 |
Standard service detection | nmap -sV 192.168.2.1 |
More aggressive Service Detection | nmap -sV --version-intensity 5 192.168.2.1 |
Lighter banner grabbing detection | nmap -sV --version-intensity 0 192.168.2.1 |
Aggressive service detection is often helpful if there are services running on unusual ports. But it’ll take a much longer time than light detection.
NMAP Output Formats
Save default output to file | nmap -oN outputfile.txt 192.168.2.1 |
Save results as XML | nmap -oX outputfile.xml 192.168.2.1 |
Save results in a format for grep | nmap -oG outputfile.txt 192.168.2.1 |
Save in all formats | nmap -oA outputfile 192.168.2.1 |
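As an added example (not part of the original cheat sheet): once results are saved with -oX, the XML can be parsed and the open ports compared against the ports you expect to be exposed. The sample XML is constructed from the scanme.nmap.org results shown on this page, and the function names and baseline are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (trimmed to the elements used here), not captured output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX outputfile.xml scanme.nmap.org">
  <host>
    <status state="up"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="9929"><state state="open"/><service name="nping-echo"/></port>
      <port protocol="tcp" portid="31337"><state state="open"/><service name="Elite"/></port>
    </ports>
  </host>
</nmaprun>"""

def open_ports(xml_text):
    """Return {address: [(port, proto, service), ...]} for ports in state 'open'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host did not respond; nothing to report
        addr = host.find("address").get("addr")
        found = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip filtered/closed entries
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found.append((int(port.get("portid")), port.get("protocol"), name))
        results[addr] = sorted(found)
    return results

def unexpected(xml_text, baseline):
    """Open ports missing from baseline {address: {(port, proto), ...}}."""
    return {
        addr: [p for p in ports if (p[0], p[1]) not in baseline.get(addr, set())]
        for addr, ports in open_ports(xml_text).items()
    }

if __name__ == "__main__":
    # Hypothetical baseline: only SSH and HTTP are approved on this host.
    approved = {"45.33.32.156": {(22, "tcp"), (80, "tcp")}}
    print(unexpected(SAMPLE_XML, approved))
```

To use it on a real scan, read the file written by -oX and pass its contents in place of SAMPLE_XML.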
NSE Scripts
NSE stands for NMAP Scripting Engine. NMAP contains hundreds of scripts, each of which checks for a specific issue or vulnerability.
Script Examples
root@kali:~# nmap -sC scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:46 EET
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.23s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
25/tcp filtered smtp
80/tcp open http
|_http-title: Go ahead and ScanMe!
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 39.01 seconds
This command runs the most common/default scripts to test your target.
root@kali:~# nmap --script http-headers scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:59 EET
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.23s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
<The important part is below>-------------------
| http-headers:
| Date: Mon, 30 Dec 2019 22:37:17 GMT
| Server: Apache/2.4.7 (Ubuntu)
| Accept-Ranges: bytes
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
-------------------------
9929/tcp open nping-echo
31337/tcp open Elite
This command checks the HTTP headers.
A good amount of information can be gathered in the HTTP Headers check from a web server. Cookie strings, web application technologies, and other data can be gathered from the HTTP Header. This information can be used when troubleshooting or when planning an attack against the webserver.
Thank you for reading!