NMAP Cheat Sheet

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Red teams and penetration testers (ethical hackers) use Nmap mainly for port scanning and network footprinting, and defenders use the same commands to inventory what is actually listening. I’ll try to make a comprehensive and practical Nmap cheat sheet that is easy to use.

In this cheat sheet, you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool.

I’ll try to add the most important and practical commands that are commonly used, but to dig deeper you need to check the Nmap documentation.

You can also check the simpler tutorial NMAP for Port Scanning.

NMAP Help

~# nmap -h

The help output lists every option with a one-line description of its purpose.

Nmap Target Selection

Scan a single IP                 nmap 192.168.1.1
Scan a host by name              nmap scanme.nmap.org
Scan a range of IPs              nmap 192.168.1.1-20
Scan a subnet                    nmap 192.168.1.0/24
Scan targets from a text file    nmap -iL list-of-ips.txt

The commands above use the default scan, which probes only the 1000 most common TCP ports. The default scan type is a SYN scan when Nmap runs as root and a TCP connect scan otherwise.

NMAP Port Scan Types

TCP connect scan (no raw-socket privileges needed)     nmap -sT 192.168.2.1
TCP SYN scan (the default when run as root)            nmap -sS 192.168.2.1
UDP scan of selected ports                             nmap -sU -p 22,161,162 192.168.2.1
Service/version detection on the open ports            nmap -sV 192.168.2.1
Skip host discovery and fast-scan the top 100 ports    nmap -Pn -F 192.168.2.1

Note that -sV is version detection, not a scan type: it probes whichever ports the scan found open. -Pn treats every target as up, which is what you want when ICMP is blocked and the default ping would otherwise report the host as down and skip it.

NMAP port Selection

Scan a single port                nmap -p 22 192.168.2.1
Scan a range of ports             nmap -p 1-100 192.168.2.1
Scan the 100 most common ports    nmap -F 192.168.2.1
Scan all 65535 ports              nmap -p- 192.168.2.1

Service and OS Detection

Detect OS and services (-A = -O, -sV, -sC and --traceroute)      nmap -A 192.168.2.1
Standard service detection (intensity 7)                          nmap -sV 192.168.2.1
Most aggressive service detection (intensity 9, --version-all)    nmap -sV --version-intensity 9 192.168.2.1
Lightest banner grabbing (intensity 0)                            nmap -sV --version-intensity 0 192.168.2.1

The intensity runs from 0 to 9 and defaults to 7; --version-light is shorthand for 2 and --version-all for 9. Aggressive service detection is helpful when services run on unusual ports, because the low-intensity levels only send the probes registered for a port's usual service. It takes much longer than light detection, and every extra probe is traffic the target can log.

NMAP Output Formats

Save normal output to a file         nmap -oN outputfile.txt 192.168.2.1
Save results as XML                  nmap -oX outputfile.xml 192.168.2.1
Save results in grepable format      nmap -oG outputfile.txt 192.168.2.1
Save in all three formats at once    nmap -oA outputfile 192.168.2.1

-oA writes outputfile.nmap, outputfile.xml and outputfile.gnmap. XML is the format to feed into other tools; the grepable format is kept only for quick one-liners.
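To show what you do with the XML once it is saved, here is an added Python example that is not part of the original page or of Nmap itself. It parses a -oX document into plain dicts and lists the open ports with their service banners and any NSE script output attached to them. The XML is a constructed sample modeled on the scanme.nmap.org results shown later on this page, not a real capture, and the product and version strings in it are assumed.

```python
"""Parse Nmap -oX output into structured results (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed -oX document modeled on the scanme.nmap.org
# scan shown on this page. The product/version attributes are assumed values,
# not a real capture.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX out.xml scanme.nmap.org" version="7.80">
  <host>
    <status state="up"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" method="probed"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered" reason="no-response"/>
        <service name="smtp" method="table"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" method="probed"/>
        <script id="http-title" output="Go ahead and ScanMe!"/>
      </port>
      <port protocol="tcp" portid="31337">
        <state state="open" reason="syn-ack"/>
        <service name="Elite" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, up/down, hostnames and its ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        # Prefer the IPv4 address; fall back to whatever address is first.
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            get = service.get if service is not None else (lambda k, d="": d)
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                # NSE results are <script id=... output=...> children of <port>.
                "scripts": {s.get("id"): s.get("output", "") for s in port.iter("script")},
            })
        hosts.append({
            "address": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "hostnames": [h.get("name") for h in host.iter("hostname")],
            "ports": ports,
        })
    return hosts


def open_ports(hosts):
    """Flatten to (address, proto, port, service, banner) rows, open ports only."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["product"], p["version"]) if x)
                rows.append((h["address"], p["proto"], p["port"], p["service"], banner))
    return rows


if __name__ == "__main__":
    for row in open_ports(parse_nmap_xml(SAMPLE_XML)):
        print(row)
```

Filtered and closed ports are kept in the parsed structure but dropped by open_ports, so the same parse can also answer "which hosts filtered port 25" without a second scan. Feed it a real file with `parse_nmap_xml(open("outputfile.xml").read())`.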

NSE Scripts

NSE stands for Nmap Scripting Engine. Nmap ships with hundreds of Lua scripts, each of which checks for a specific issue, enumerates a service, or tests for a known vulnerability. Scripts are selected with --script by name, by category (default, safe, discovery, vuln, and so on) or by a boolean expression; -sC is shorthand for --script=default. The full list is in the Nmap Scripts index.

Script Examples

 root@kali:~# nmap -sC scanme.nmap.org
 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:46 EET
 Nmap scan report for scanme.nmap.org (45.33.32.156)
 Host is up (0.23s latency).
 Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
 Not shown: 995 closed ports
 PORT      STATE    SERVICE
 22/tcp    open     ssh
 | ssh-hostkey: 
 |   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
 |   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
 |   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
 |_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
 25/tcp    filtered smtp
 80/tcp    open     http
 |_http-title: Go ahead and ScanMe!
 9929/tcp  open     nping-echo
 31337/tcp open     Elite
 Nmap done: 1 IP address (1 host up) scanned in 39.01 seconds

This command runs the default script category against the target, which is why the ssh-hostkey and http-title results appear under the open ports.

root@kali:~# nmap --script http-headers scanme.nmap.org
 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 17:59 EET
 Nmap scan report for scanme.nmap.org (45.33.32.156)
 Host is up (0.23s latency).
 Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
 Not shown: 995 closed ports
 PORT      STATE    SERVICE
 22/tcp    open     ssh
 25/tcp    filtered smtp
 80/tcp    open     http
<The important part is below>
-------------------
 | http-headers: 
 |   Date: Mon, 30 Dec 2019 22:37:17 GMT
 |   Server: Apache/2.4.7 (Ubuntu)
 |   Accept-Ranges: bytes
 |   Vary: Accept-Encoding
 |   Connection: close
 |   Content-Type: text/html
 |   
 |_  (Request type: HEAD)
-------------------------
 9929/tcp  open     nping-echo
 31337/tcp open     Elite

This command runs the http-headers script, which sends a HEAD request to each HTTP service it finds and prints the response headers.

A good amount of information can be gathered from a web server's HTTP headers: cookie names and flags, the server and application technologies (here Apache 2.4.7 on Ubuntu), and other details. This information is useful when troubleshooting and when planning an attack against the web server, and from the defender's side a Server header that advertises an exact version is a prompt to turn the banner down.
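The http-headers output above is easier to act on once it is turned into data. The following Python is an added example, not code from the original page or from Nmap: it parses the `| http-headers:` block exactly as Nmap prints it in normal output, extracts the technology fingerprint, and lists hardening headers that the server did not send. The input is the block from the scan above, and the checklist of hardening headers is my own choice for the example, not something Nmap reports.

```python
"""Turn the http-headers NSE output into a dict and pull out what matters (added example)."""

# Constructed input: the http-headers block from the scan shown on this page,
# copied as Nmap prints it in normal (-oN) output.
SAMPLE_OUTPUT = """\
80/tcp    open     http
| http-headers:
|   Date: Mon, 30 Dec 2019 22:37:17 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
9929/tcp  open     nping-echo
"""

# Response headers whose absence is worth a second look on an HTTP service.
# This is an assumed checklist for the example, not an Nmap feature.
HARDENING_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
)


def parse_http_headers(text):
    """Extract the 'Name: value' lines under '| http-headers:' into a dict."""
    headers = {}
    inside = False
    for line in text.splitlines():
        if line.startswith("| http-headers:"):
            inside = True
            continue
        if not inside:
            continue
        if not line.startswith("|"):
            break  # left the script block without seeing its "|_" terminator
        body = line[2:].strip()  # drop the "| " / "|_" prefix and indentation
        # Skip blank lines and the trailing "(Request type: HEAD)" note.
        if body and not body.startswith("("):
            name, sep, value = body.partition(":")
            if sep:
                headers[name.strip()] = value.strip()
        if line.startswith("|_"):
            break  # "|_" marks the last line of a script's output
    return headers


def assess(headers):
    """Fingerprint the server and list hardening headers that are absent."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "server": lower.get("server", ""),
        "powered_by": lower.get("x-powered-by", ""),
        "missing": [h for h in HARDENING_HEADERS if h.lower() not in lower],
    }


if __name__ == "__main__":
    found = parse_http_headers(SAMPLE_OUTPUT)
    print(assess(found))
```

The missing list is a prompt for review rather than a finding on its own: Strict-Transport-Security only makes sense on an HTTPS service, so its absence on a plain port 80 such as the one above is expected, while a missing X-Content-Type-Options or Content-Security-Policy on the HTTPS front end is worth raising. The Server value is the piece most useful for planning: an exact Apache version narrows the search for applicable issues, which is also why production servers should not advertise it.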

Thank you for reading!
