Nmap

Cheat Sheet

Posted on February 25, 2017 as Cheat Sheets. 8 minutes read.

What is Nmap?

Nmap, short for Network Mapper, is an open source security tool for network exploration, security scanning and auditing. It was originally written by Gordon Lyon, AKA Fyodor, and first published in September 1997 in Phrack Magazine, with the source code included.

It uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are running, which operating systems they run, what type of packet filters/firewalls are in use, and many other characteristics.

Nmap has even made an appearance in a few movies, including The Matrix Reloaded, where Trinity, needing to hack the city power grid, whips out Nmap, uses it to find a vulnerable SSH server, and then exploits it with the SSH1 CRC32 exploit from 2001. Of course there are more films, such as The Bourne Ultimatum, The Girl With the Dragon Tattoo and Live Free or Die Hard, and even the computer game Hacknet.


Fast Start

Firstly, I'll discuss a few commands that are essential for me.

1. nmap -sP 192.168.0.1/24

This command, also known as a "ping scan", tells Nmap to send an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every host in the specified subnet. Nmap then returns a list of the IPs that responded.

This command does not require root; however, when run as root, Nmap will additionally send ARP requests.

2. nmap 192.168.0.1/24

Default scan, which looks for open ports. Nmap attempts a TCP SYN connection to the 1000 most common ports and sends an ICMP echo request to determine whether a host is up. In addition, a DNS lookup is performed, possibly giving us some useful information. No root required.

3. nmap -T4 -F 192.168.0.100

Fast scan, which looks at the 100 most common ports. No root required.

4. nmap -sS -sU -Pn -p- 192.168.0.100

A TCP SYN and UDP scan is rather unobtrusive and stealthy. The -Pn flag skips the ping scan, assuming that all hosts are up (very useful when a firewall blocks ICMP replies). In addition, -p- scans all 65535 ports.

5. nmap -v -sS -A -T4 192.168.0.100

This command runs a TCP SYN scan with OS and version detection plus traceroute, uses T4 timing and, in addition, prints verbose output.

Target Selection

Parameter Description
192.168.0.1 Scan a single IPV4
AABB:CCDD::FF%eth0 Scan a single IPV6
192.168.0.1-15 Scan a range of IPs
192.168.0.1/24 Scan a subnet
www.hostname.com Scan a hostname
-iL list.txt Scan targets from text file

Port Selection

Parameter Description
-p 22 192.168.0.1 Scan a single port
-p 1-100 192.168.0.1 Scan a range of ports
-F 192.168.0.1 Scan 100 most common ports
-p- 192.168.0.1 Scan all 65535 ports
-p U:PORT 192.168.0.1 Scan UDP ports, e.g. U:53,U:110
-r 192.168.0.1 Do not randomize ports

Probing Options

Parameter Description
-Pn Assume all hosts are up
-PB Default probe
-PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP ports probing
-PE/PP/PM ICMP Echo, Timestamp, and Netmask probing

Timing Options

Parameter Description
-T0 Paranoid Very slow, used for IDS evasion
-T1 Sneaky Quite slow, used for IDS evasion
-T2 Polite Runs around 10 times slower than normal, used to save bandwidth
-T3 Normal A dynamic timing model based on target responsiveness
-T4 Aggressive Assumes a fast and reliable network
-T5 Insane Fastest option, will likely overwhelm targets or miss open ports
--scan-delay/--max-scan-delay TIME Adjust delay between probes
--host-timeout TIME Give up on target after specified time
--min-hostgroup/--max-hostgroup SIZE Parallel host scan group sizes
--min-parallelism/--max-parallelism NUMPROBES Probe parallelization
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout TIME Specifies probe round trip time
--max-retries TRIES Caps number of port scan probe retransmissions
--min-rate NUMBER Send packets no slower than NUMBER per second
--max-rate NUMBER Send packets no faster than NUMBER per second

Scan Techniques

Parameter Description
-sS TCP SYN Scan
-sN TCP NULL Scan
-sU UDP Scan
-sF FIN Scan
-sA ACK Scan
-sW Window Scan
-sT Connect Scan
-sX Xmas Scan
-sM Maimon Scan

Service Version Detection

Parameter Description
-sV Version Scan
--version-intensity "intensity" Set intensity from 0 (light) to 9 (try all probes)
--version-light Intensity 2
--version-all Intensity 9
--version-trace Show detailed version scan activity

OS Detection

Parameter Description
-O Enable OS Detection
--osscan-limit Limit OS detection to only promising targets
--osscan-guess Guess OS more aggressively

Firewalls IDS Evasion and Spoofing

Parameter Description
-S IP Spoof IP address
--spoof-mac MAC Spoof MAC address
--data-length NUM Append random data to packets
-g PORT/--source-port PORT Use given port number
-D decoy1,decoy2,ME Cloak a scan with decoys
--badsum Send packets with a fake TCP/UDP/SCTP checksum
--ttl VALUE Set IP time to live field

Nmap Scripting

Firstly, let's discuss the different script categories in Nmap.

auth - utilize credentials or bypass authentication on target hosts.

broadcast - discover hosts not included on the command line by broadcasting on the local network.

brute - attempt to guess passwords on target systems, for a variety of protocols, including HTTP, SNMP, IAX, MySQL, VNC, etc.

default - scripts run automatically when -sC or -A are used.

discovery - try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.

dos - may cause denial of service conditions on target hosts.

exploit - attempt to exploit target systems.

external - interact with third party systems not included in the target list.

fuzzer - send unexpected input in network protocol fields.

intrusive - may crash the target, consume excessive resources, or otherwise impact target machines in a malicious fashion.

malware - look for signs of malware infection on the target hosts.

safe - designed not to impact the target in a negative fashion.

version - measure the version of software or protocol spoken by target hosts.

vuln - measure whether target systems have a known vulnerability.

Parameter Description
-sC Run default scripts
--script="category" Run the given script category or script file
--script-updatedb Update script database
--script-help="category" Show help for the given category

Output Options

Parameter Description
-oN Standard Nmap output
-oG Greppable format
-oX XML format
-oA NAME Generate Nmap, greppable, and XML output files using name for files
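Since -oX is the format you hand to other tooling, here is an added example (mine, not from the post) that parses an Nmap XML report into a per-host inventory and flags open services outside an allowlist, treating a UDP "open|filtered" result as worth reviewing. The XML sample is constructed, trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output) of what
# `nmap -sS -sU -sV -O -oX report.xml 192.168.0.100` writes.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
<service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
<service name="domain"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.0.101" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: IPv4 address, best OS match and
    a list of (port, protocol, state, service) tuples."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts Nmap reported as down
        addr = h.find("address[@addrtype='ipv4']")
        osm = h.find("os/osmatch")
        ports = []
        for p in h.iter("port"):
            svc = p.find("service")  # absent when Nmap could not name it
            ports.append((int(p.get("portid")), p.get("protocol"),
                          p.find("state").get("state"),
                          svc.get("name") if svc is not None else ""))
        hosts.append({"addr": addr.get("addr") if addr is not None else "",
                      "os": osm.get("name") if osm is not None else "",
                      "ports": ports})
    return hosts


def unexpected_services(hosts, allowed):
    """Flag open (or UDP open|filtered) ports whose service is not allowed."""
    return [(h["addr"], port, proto, state, svc)
            for h in hosts for port, proto, state, svc in h["ports"]
            if "open" in state and svc not in allowed]
```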

Miscellaneous

Parameter Description
-n Disable reverse DNS lookups
-6 Use IPv6 only
-A Use scan types including OS detection, version detection, script scanning in default category, and traceroute
--reason Display the reason Nmap thinks a port is open, closed, or filtered

Last words and references

Firstly, I can recommend the great Nmap Network Scanning (digital version), which covers a lot of topics in this amazing tool. In addition, I will keep this cheat sheet as up to date as possible, with new content coming as soon as I learn more, so stay tuned!

Keep learning and stay safe!

~ W3ndige