tsleite/Nmap-Cheat-Sheet

Nmap-Cheat-Sheet

• Nmap Target Selection

Scan a single IP	               nmap 192.168.1.1
Scan a host	                     nmap www.testhostname.com
Scan a range of IPs	             nmap 192.168.1.1-20
Scan a subnet	                   nmap 192.168.1.0/24
Scan targets from a text file	   nmap -iL list-of-ips.txt

• Nmap Port Selection

Scan a single Port	                    nmap -p 22 192.168.1.1
Scan a range of ports                   nmap -p 1-100 192.168.1.1
Scan 100 most common ports (Fast)	      nmap -F 192.168.1.1
Scan all 65535 ports	                  nmap -p- 192.168.1.1

• Nmap Port Scan types

Scan using TCP connect	                  nmap -sT 192.168.1.1
Scan using TCP SYN scan (default)	        nmap -sS 192.168.1.1
Scan UDP ports	                          nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discovery	  nmap -Pn -F 192.168.1.1

• Service and OS Detection

Detect OS and Services	           nmap -A 192.168.1.1
Standard service detection	       nmap -sV 192.168.1.1
More aggressive Service Detection	 nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection	 nmap -sV --version-intensity 0 192.168.1.1

• Nmap Output Formats

Save default output to file	       nmap -oN outputfile.txt 192.168.1.1
Save results as XML	               nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep	 nmap -oG outputfile.txt 192.168.1.1
Save in all formats	               nmap -oA outputfile 192.168.1.1

• Digging deeper with NSE Scripts

Scan using default safe scripts	   nmap -sV -sC 192.168.1.1
Get help for a script	             nmap --script-help=ssl-heartbleed
Scan using a specific NSE script	 nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts	       nmap -sV --script=smb* 192.168.1.1

• A scan to search for DDOS reflection UDP services

Scan for UDP DDOS reflectors	    nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24

• HTTP Service Information

Gather page titles from HTTP services	   nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services	       nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths	         nmap --script=http-enum 192.168.1.0/24

• Detect Heartbleed SSL Vulnerability

Heartbleed Testing	      nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

• IP Address information

Find Information about IP address	nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

• Scan port services from 1 to 65535

nmap -sV -p 1-65535 192.168.1.1/24