Nmap Cheat Sheet

Aditya Chauhan
6 min read · Apr 27, 2021


Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. Nmap uses raw IP packets in novel ways to determine:

• what hosts are available on the network

• what services (application name and version) those hosts are offering

• what operating systems (and OS versions) they are running

• what type of packet filters/firewalls are in use, and dozens of other characteristics.

Installation:

• In Kali Linux, Nmap is one of the default tools provided by the OS.

• For other operating systems, download and install the latest version of Nmap from https://nmap.org/download.html.

Syntax:

nmap [ <Scan Type> …] [ <Options> ] { <target specification> }

Example :-

nmap -sS -A -T4 192.168.43.250

-sS TCP SYN scan

-A Enable OS and version detection, script scanning, and traceroute

-T4 Faster execution

192.168.43.250 Target IP

Target specification

• Nmap targets can be Hostnames, IP Addresses, Subnets, or the entire Network

• Nmap supports CIDR-style addressing.

Example :- Scanning a single host by its IP address.

Example :- Mapping entire network using CIDR notation

nmap -F 192.168.0.0/24

-F Fast scan

192.168.0.0/24 Scans all the hosts in the IP range 192.168.0.1 to 192.168.0.255

• When a hostname is given as a target, it is resolved via the Domain Name System

Scan a host: nmap www.example.com

Scan targets from a text file: nmap -iL list-of-ips.txt

• You can also specify a comma-separated list of numbers or ranges for each octet, for example 192.168.0-255.1-254 or 192.168.0,1,2,34,56.1-254

• IPv6 addresses can be specified by their fully qualified IPv6 address or hostname or with CIDR notation for subnets

• The following options are also available to control target selection:

-iL <inputfilename> (Input from list)

-iR <num hosts> (Choose random targets)

--exclude <host1>[,<host2>[,…]] (Exclude hosts/networks)

--excludefile <exclude_file> (Exclude list from file)
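As an added example (not from the original post), the following Python expands the IPv4 target notation described above, so the number of addresses a target list covers can be reviewed before a scan is launched. It handles CIDR blocks, per-octet ranges and comma lists; hostnames are not resolved, and the function names are my own.

```python
# Added example (not from the original post): expand nmap's IPv4 target notation
# (CIDR, per-octet ranges, comma lists such as 192.168.0,1,2,34,56.1-254) into
# concrete addresses so the scope of a scan can be counted and reviewed first.
import ipaddress
import itertools


def _octet_values(spec):
    """'0-255' -> 0..255, '1,2,34' -> [1, 2, 34], '5' -> [5], '-' alone -> 0..255."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec {spec!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(target):
    """Yield every IPv4 address (as a string) covered by one nmap-style target."""
    if "/" in target:
        # CIDR block: every address in the block, network and broadcast included
        yield from (str(ip) for ip in ipaddress.ip_network(target, strict=False))
        return
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {target!r}")  # hostnames not handled
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ".".join(map(str, combo))


def count_targets(targets):
    """Distinct address count over several specs, e.g. the lines of an -iL file."""
    seen = set()
    for target in targets:
        seen.update(expand_target(target))
    return len(seen)


if __name__ == "__main__":
    for spec in ("192.168.0.0/24", "192.168.0-255.1-254", "192.168.0,1,2,34,56.1-254"):
        print(spec, "->", count_targets([spec]), "addresses")
```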

Host Discovery

• Scanning every port of every single IP address is slow and usually unnecessary

• Host discovery (also called ping scan) goes well beyond the simple ICMP echo request

• Nmap offers a wide variety of options for customizing the host discovery

• If no host discovery options are given, Nmap sends the following:

1. ICMP echo request,

2. A TCP SYN packet to port 443

3. A TCP ACK packet to port 80,and

4. an ICMP timestamp request.

Example :- Performing a List Scan

nmap -sL 192.168.0.0/24

Simply lists each host to be scanned, of the network(s) specified, without sending any packets to the target hosts.

Example :- Performing a No Port scan

nmap -sn 192.168.0.0/24

This is often known as a “ping scan”, but can also request the traceroute and NSE host scripts.

-sn

• ICMP echo request

• TCP SYN packet to port 443

• A TCP ACK packet to port 80

• ICMP timestamp request

Example:- Performing a No Ping scan

nmap -Pn 192.168.0.0/24

Proper host discovery is skipped, but instead Nmap continues to perform requested functions as if each target IP is active.

• TCP SYN Ping

-PS <port list>

Send an empty TCP packet with the SYN flag set. The default destination port is 80.

• TCP ACK Ping

-PA <port list>

Send an empty TCP packet with the ACK flag set. The default destination port is 80.

• UDP Ping

-PU <port list>

Sends a UDP packet to the given ports

• IP Protocol Ping

-PO <protocol list>

Sends IP packets with the specified protocol number set in their IP header.

• ICMP Ping Types

-PE; -PP; -PM

Can be used for echo reply, timestamp reply or address mask reply, respectively.

Port Scanning

Nmap began as an efficient port scanner and that remains its core functionality to this day. The simple command nmap <target> scans 1,000 TCP ports on the host <target>.

Example:- Only scan specific ports

nmap -p 80 192.168.0.1

This option specifies which ports you want to scan and overrides the default. It can be a single port or a range of ports.

-p 80

scans only port 80

Example :- Exclude the specified ports from scanning

nmap --exclude-ports 80 192.168.0.1

This option specifies which ports you want Nmap to exclude from scanning.

--exclude-ports 80

scans all the ports except port 80

Example:- Fast (limited port) scan

nmap -F 192.168.0.1

Specifies that you wish to scan fewer ports than the default. The number of ports scanned is reduced to 100.

-F scans the 100 most common ports.

Example :- Scan top ports

nmap --top-ports 10 192.168.0.1

Scans the <n> highest-ratio ports found in the nmap-services file.

--top-ports 10

scans and displays the top 10 ports, both closed and open.

Example:- Scan using TCP connect

nmap -sT 192.168.1.1

Example :- Scan using TCP SYN scan (default)

nmap -sS 192.168.1.1

Example :- Scan UDP ports

nmap -sU -p 123,161,162 192.168.1.1

Service and Version detection

Example:- service detection

nmap -sV 192.168.0.1

Detects the version of each and every service running on the scanned host(s).

OS detection

Example :- Enable OS detection

nmap -O 192.168.0.1

Nmap sends a series of TCP and UDP packets to the remote host and examines every bit in the responses to determine the OS.

Example:- Detect OS and service

nmap -A 192.168.0.1

More aggressive service detection

nmap -sV --version-intensity 5 192.168.0.1

Lighter banner-grabbing detection

nmap -sV --version-intensity 0 192.168.0.1

Firewall/IDS Evasion and Spoofing

• Scan using Fragment Packets

nmap -f <target>

Causes the requested scan to use tiny fragmented IP packets to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect.

• Cloak a scan with decoys

-D <decoy1>[,<decoy2>]

Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

• Spoof source port number

--source-port <port number>

Nmap will send packets from the specified port where possible. Most scanning operations that use raw sockets, including SYN and UDP scans, support the option completely.

Timing

Example :- Setting a timing

nmap -T4 192.168.0.1

Nmap offers six timing templates. You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).

Output

Example :- Output to a file

nmap -oN nmap_output.txt 192.168.0.1

Requests that normal output be directed to the given filename. Normal output is saved to the text file nmap_output.txt

Example :- XML Output to a file

nmap -oX nmap_output.xml 192.168.0.1

Requests that XML output be directed to the given filename. XML output is saved to the file nmap_output.xml
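As an added example (not from the original post), the following Python parses the XML that -oX writes and reports open ports that are not on an expected baseline, which is the check a defender runs when auditing their own network after a scan. SAMPLE_XML is a constructed sample in nmap's XML layout, and the function names and baseline are my own.

```python
# Added example (not from the original post): parse the XML that -oX writes and
# compare each host's open ports against an expected baseline, the check a defender
# runs when auditing their own network. SAMPLE_XML is a constructed sample in the
# real nmap XML layout; the hosts, services and script output in it are made up.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX nmap_output.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
        <script id="smb-os-discovery" output="OS: Windows 10"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): {"service": str, "scripts": {id: output}}}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entry = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the exposure
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            scripts = {s.get("id"): s.get("output") for s in port.findall("script")}
            entry[(port.get("protocol"), int(port.get("portid")))] = {
                "service": " ".join(f for f in fields if f) or "?", "scripts": scripts}
        hosts[addr.get("addr")] = entry
    return hosts


def unexpected_ports(hosts, baseline):
    """Open (proto, port) pairs not in a host's baseline; a host missing from the baseline reports all."""
    extra = {ip: sorted(set(ports) - baseline.get(ip, set())) for ip, ports in hosts.items()}
    return {ip: ports for ip, ports in extra.items() if ports}
```

Run it against a real -oX file with `parse_open_ports(open("nmap_output.xml").read())` and a baseline dict of the ports each host is supposed to expose.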

Verbosity

Example :- Increase Verbosity level

nmap -v 192.168.0.1

Increases the verbosity level, causing Nmap to print more information about the scan in progress.

Intense scan

Example :- Perform an intense scan

nmap -A -v -T4 192.168.0.1

The -A option enables additional advanced and aggressive options: OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)

Digging deeper with NSE scripts

Scan using default safe scripts

nmap -sC 192.168.0.1

Get help for a script

nmap --script-help=ssl-heartbleed

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed 192.168.0.1

Scan with a set of scripts

nmap -sV --script="smb*" 192.168.0.1

--script-help=$scriptname displays help for the individual scripts.

A scan to search for UDP services usable as DDoS reflectors

Scan for UDP DDoS reflectors

nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.0.0/24

HTTP Service Information

Gather page titles from HTTP services

nmap --script=http-title 192.168.0.0/24

Get HTTP headers of web services

nmap --script=http-headers 192.168.0.0/24

Find web apps from known paths

nmap --script=http-enum 192.168.0.0/24

Detect Heartbleed SSL Vulnerability

Heartbleed testing

nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

ip address information

find information about ip address

nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

SIMPLE STEPS TO ANONYMOUSLY SCAN A REMOTE WEBSITE USING NMAP

1. Install nmap

2. Install Tor

sudo apt-get install tor

3. Install proxychains

sudo apt-get install proxychains

4. Start scanning anonymously

sudo proxychains nmap -sT www.example.com

-sT full TCP connect scan (required here, since proxychains can only relay complete TCP connections, not the raw packets of a SYN scan)

Tor: anonymizing overlay network for TCP

proxychains: redirects connections through proxy servers
