Hack Tool Repository

login | register

Categories Platforms Tools List Links News

Add to Google

Article: Nmap 5 cheat sheet and howto

This site is no longer maintained and kept for archiving purposes.

Index

Basic Scanning Techniques
Discovery Options
Advanced Scanning Functions
Port Scanning Options
Version Detection
Timing Options
Firewall Evasion Techniques
Output Options
Troubleshooting and Debugging
Nmap Scripting Engine
Ndiff

Basic Scanning Techniques

Goal	command	example
Scan a Single Target	nmap [target]	nmap 192.168.1.1
Scan Multiple Targets	nmap [target1, target2, etc]	nmap 192.168.1.1, 192.168.1.2
Scan a List of Targets	nmap -iL [list.txt]	nmap -iL targets.txt
Scan a Range of Hosts	nmap [range of ip addresses]	nmap 192.168.1.1-10
Scan an Entire Subnet	nmap [ip address/cdir]	nmap 192.168.1.1/24
Scan Random Hosts	nmap -iR [number]	nmap -iR 0
Excluding Targets from a Scan	nmap [targets] --exclude [targets]	nmap 192.168.1.1/24 --exclude 192.168.1.0, 192.168.1.255
Excluding Targets Using a List	nmap [targets] --excludefile [list.txt]	nmap 192.168.1.1/24 --excludefile notargets.txt
Perform an Aggressive Scan	nmap -A [target]	nmap -A 192.168.1.1
Scan an IPv6 Target	nmap -6 [target]	nmap -6 3ffe:6a88:85a3:08d3:1319:8a2e:0370:7344

Discovery Options

Goal	command	example
Perform a Ping Only Scan	nmap -sP [target]	nmap -sP 192.168.1.1
Don’t Ping	nmap -PN [target]	nmap -PN 192.168.1.1
TCP SYN Ping	nmap -PS [target]	nmap -PS 192.168.1.1
TCP ACK Ping	nmap -PA [target]	nmap -PA 192.168.1.1
UDP Ping	nmap -PU [target]	nmap -PU 192.168.1.1
SCTP INIT Ping	nmap -PY [target]	nmap -PY 192.168.1.1
ICMP Echo Ping	nmap -PE [target]	nmap -PE 192.168.1.1
ICMP Timestamp Ping	nmap -PP [target]	nmap -PP 192.168.1.1
ICMP Address Mask Ping	nmap -PM [target]	nmap -PM 192.168.1.1
IP Protocol Ping	nmap -PO [target]	nmap -PO 192.168.1.1
ARP Ping	nmap -PR [target]	nmap -PR 192.168.1.1
Traceroute	nmap --traceroute [target]	nmap --traceroute 192.168.1.1
Force Reverse DNS Resolution	nmap -R [target]	nmap -R 192.168.1.1
Disable Reverse DNS Resolution	nmap -n [target]	nmap -n 192.168.1.1
Alternative DNS Lookup	nmap --system-dns [target]	nmap --system-dns 192.168.1.1
Manually Specify DNS Server(s)	nmap --dns-servers [servers] [target]	nmap --dns-servers 194.109.9.99 192.168.1.1
Create a Host List	nmap -sL [targets]	nmap -sL 192.168.1.1/24

Advanced Scanning Options

Goal	command	example
TCP SYN Scan	nmap -sS [target]	nmap -sS 192.168.1.1
TCP Connect Scan	nmap -sT [target]	nmap -sT 192.168.1.1
UDP Scan	nmap -sU [target]	nmap -sU 192.168.1.1
TCP NULL Scan	nmap -sN [target]	nmap -sN 192.168.1.1
TCP FIN Scan	nmap -sF [target]	nmap -sF 192.168.1.1
Xmas Scan	nmap -sX [target]	nmap -sX 192.168.1.1
TCP ACK Scan	nmap -sA [target]	nmap -sA 192.168.1.1
Custom TCP Scan	nmap --scanflags [flags] [target]	nmap --scanflags SYNFIN 192.168.1.1
IP Protocol Scan	nmap -sO [target]	nmap -sO 192.168.1.1
Send Raw Ethernet Packets	nmap --send-eth [target]	nmap --send-eth 192.168.1.1
Send IP Packets	nmap --send-ip [target]	nmap --send-ip 192.168.1.1

Port Scanning Options

Goal	command	example
Perform a Fast Scan	nmap -F [target]	nmap -F 192.168.1.1
Scan Specific Ports	nmap -p [port(s)] [target]	nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Name	nmap -p [port name(s)] [target]	nmap -p ftp,http* 192.168.1.1
Scan Ports by Protocol	nmap -sU -sT -p U:[ports],T:[ports] [target]	nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
Scan All Ports	nmap -p '*' [target]	nmap -p '*' 192.168.1.1
Scan Top Ports	nmap --top-ports [number] [target]	nmap --top-ports 10 192.168.1.1
Perform a Sequential Port Scan	nmap -r [target]	nmap -r 192.168.1.1

Version Detection

Goal	command	example
Operating System Detection	nmap -O [target]	nmap -O 192.168.1.1
Submit TCP/IP Fingerprints	www.nmap.org/submit/
Attempt to Guess an Unknown OS	nmap -O --osscan-guess [target]	nmap -O --osscan-guess 192.168.1.1
Service Version Detection	nmap -sV [target]	nmap -sV 192.168.1.1
Troubleshooting Version Scans	nmap -sV --version-trace [target]	nmap -sV --version-trace 192.168.1.1
Perform a RPC Scan	nmap -sR [target]	nmap -sR 192.168.1.1

Timing Options

Goal	command	example
Timing Templates	nmap -T[0-5] [target]	nmap -T3 192.168.1.1
Set the Packet TTL	nmap --ttl [time] [target]	nmap --ttl 64 192.168.1.1
Minimum # of Parallel Operations	nmap --min-parallelism [number] [target]	nmap --min-parallelism 10 192.168.1.1
Maximum # of Parallel Operations	nmap --max-parallelism [number] [target]	nmap --max-parallelism 1 192.168.1.1
Minimum Host Group Size	nmap --min-hostgroup [number] [targets]	nmap --min-hostgroup 50 192.168.1.1
Maximum Host Group Size	nmap --max-hostgroup [number] [targets]	nmap --max-hostgroup 1 192.168.1.1
Maximum RTT Timeout	nmap --initial-rtt-timeout [time] [target]	nmap --initial-rtt-timeout 100ms 192.168.1.1
Initial RTT Timeout	nmap --max-rtt-timeout [TTL] [target]	nmap --max-rtt-timeout 100ms 192.168.1.1
Maximum Retries	nmap --max-retries [number] [target]	nmap --max-retries 10 192.168.1.1
Host Timeout	nmap --host-timeout [time] [target]	nmap --host-timeout 30m 192.168.1.1
Minimum Scan Delay	nmap --scan-delay [time] [target]	nmap --scan-delay 1s 192.168.1.1
Maximum Scan Delay	nmap --max-scan-delay [time] [target]	nmap --max-scan-delay 10s 192.168.1.1
Minimum Packet Rate	nmap --min-rate [number] [target]	nmap --min-rate 50 192.168.1.1
Maximum Packet Rate	nmap --max-rate [number] [target]	nmap --max-rate 100 192.168.1.1
Defeat Reset Rate Limits	nmap --defeat-rst-ratelimit [target]	nmap --defeat-rst-ratelimit 192.168.1.1

Firewall Evasion Techniques

Goal	command	example
Fragment Packets	nmap -f [target]	nmap -f 192.168.1.1
Specify a Specific MTU	nmap --mtu [MTU] [target]	nmap --mtu 32 192.168.1.1
Use a Decoy	nmap -D RND:[number] [target]	nmap -D RND:10 192.168.1.1
Idle Zombie Scan	nmap -sI [zombie] [target]	nmap -sI 192.168.1.23 192.168.1.1
Manually Specify a Source Port	nmap --source-port [port] [target]	nmap --source-port 1025 192.168.1.1
Append Random Data	nmap --data-length [size] [target]	nmap --data-length 20 192.168.1.1
Randomize Target Scan Order	nmap --randomize-hosts [target]	nmap --randomize-hosts 192.168.1.1-20
Spoof MAC Address	nmap --spoof-mac [MAC\|0\|vendor] [target]	nmap --spoof-mac Cisco 192.168.1.1
Send Bad Checksums	nmap --badsum [target]	nmap --badsum 192.168.1.1

Output Options

Goal	command	example
Save Output to a Text File	nmap -oN [scan.txt] [target]	nmap -oN output.txt 192.168.1.1
Save Output to a XML File	nmap -oX [scan.xml] [target]	nmap -oX output.xml 192.168.1.1
Grepable Output	nmap -oG [scan.txt] [targets]	nmap -oG output.txt 192.168.1.1
Output All Supported File Types	nmap -oA [path/filename] [target]	nmap -oA ./output 192.168.1.1
Periodically Display Statistics	nmap --stats-every [time] [target]	nmap --stats-every 10s 192.168.1.1
133t Output	nmap -oS [scan.txt] [target]	nmap -oS output.txt 192.168.1.1

Troubleshooting and Debugging

Goal	command	example
Getting Help	nmap -h	nmap -h
Display Nmap Version	nmap -V	nmap -V
Verbose Output	nmap -v [target]	nmap -v 192.168.1.1
Debugging	nmap -d [target]	nmap -d 192.168.1.1
Display Port State Reason	nmap --reason [target]	nmap --reason 192.168.1.1
Only Display Open Ports	nmap --open [target]	nmap --open 192.168.1.1
Trace Packets	nmap --packet-trace [target]	nmap --packet-trace 192.168.1.1
Display Host Networking	nmap --iflist	nmap --iflist
Specify a Network Interface	nmap -e [interface] [target]	nmap -e eth0 192.168.1.1

Nmap Scripting Engine

Goal	command	example
Execute Individual Scripts	nmap --script [script.nse] [target]	nmap --script banner.nse 192.168.1.1
Execute Multiple Scripts	nmap --script [expression] [target]	nmap --script 'http-*' 192.168.1.1
Script Categories	all, auth, default, discovery, external, intrusive, malware, safe, vuln
Execute Scripts by Category	nmap --script [category] [target]	nmap --script 'not intrusive' 192.168.1.1
Execute Multiple Script Categories	nmap --script [category1,category2,etc]	nmap --script 'default or safe' 192.168.1.1
Troubleshoot Scripts	nmap --script [script] --script-trace [target]	nmap --script banner.nse --script-trace 192.168.1.1
Update the Script Database	nmap --script-updatedb	nmap --script-updatedb

Ndiff

Goal	command	example
Comparison Using Ndiff	ndiff [scan1.xml] [scan2.xml]	ndiff scan_output1.xml scan_output2.xml
Ndiff Verbose Mode	ndiff -v [scan1.xml] [scan2.xml]	ndiff -v scan_output1.xml scan_output2.xml
XML Output Mode	ndiff --xml [scan1.xml] [scan2.xml]	ndiff --xml scan_output1.xml scan_output2.xml

Hits:

2462

Added:

2010-12-28 13:06:21

Updated:

2010-12-28 13:12:02

About Us | Site Map | Contact Us | ©2012 Olderchurch Security Consultancy