Cheatography
https://cheatography.com
Basic guide to network reconnaissance commands
Nmap Base Syntax
# nmap [Scan Type] [Options] {targets}
|
Target Specification
Single IPv4: 192.168.1.1
|
|
|
IPv4 Range: 192.168.1.27-78
|
CIDR Block: 192.168.1.0/16
|
|
Host Discovery Options
|
list hosts and reverse DNS |
|
discovery probes only |
|
skip discovery stage |
|
disable reverse DNS resolution |
|
force reverse DNS resolution |
|
Scan Options
TCP Scan Types |
|
SYN |
|
Connect |
|
NULL |
|
FIN |
|
Xmas (FIN, PSH, URG) |
|
ACK |
|
Window |
|
FIN/ACK |
|
use zombie |
|
URG/ACK/PSH/RST/SYN/FIN
|
UDP Scan |
|
UDP |
SCTP Scan Types |
|
INIT |
|
COOKIE ECHO |
Protocol Scan |
|
IP Protocol Scan |
-p - Port Options
|
Exclude ports --exclude ports <port ranges>
|
|
Protocol specification T21-25
- TCP ports 21 to 25 U53,111,137
- UDP ports 53, 111, 137 S22
- SCTP port 22 P
- IP Protocol |
|
Fast port scan -F
- scan top 100 ports (default 1000) |
|
Sequential port scan -r
- sequential scan (default random) |
|
Ports in nmap-services file [1-65535]
- ports in nmap-services --port-ratio
- ports with greater ratio --top-ports <n>
- n highest ratio |
-o - OS Detection Options
|
only live machines |
|
low-probability guesses |
|
|
Output Options
|
verbosity |
|
debugging |
|
explain port and host states |
File Outputs |
|
normal |
|
XML |
|
script kiddie |
|
grepable |
|
all |
Scripting Engine Options
|
Use default scripts
|
|
Run scripts (individual or list) --script
<filename>
- script filename <category>
- category of scripts <directory>
- scripts in directory <expression>
- boolean expression [,...]
- continue comma separated list |
|
Script arguments --script-args
<n1>=<v1>
<n2>={<n3>=<v3>}
<n4>={<v4>,<v5>}
|
|
Load script args from a file --script-args-file <filename>
|
|
Debug information
|
|
Update script database
|
-sV - Version Detection Options
|
send less common probes (default 7) --version intensity <0-9>
|
|
light version scanning (intensity 2)
|
|
full version scanning (intensity 9)
|
|
debug information
|
Miscellaneous Options
|
IPv6 |
|
Aggressive -O -sV -sC --traceroute
|
-T
paranoid|0
sneaky|1
polite|2
normal|3
aggressive|4
insane|5
|
Timing options
slowest scan
slower scan
slow scan
default
faster scan
fastest scan |
Runtime Commands |
|
+|- verbosity |
|
+|- debugging |
|
on|off packet tracing |
|
|
DNS Enumeration
dnsrecon |
|
domain to target |
|
IP range for reverse lookup |
|
DNS server |
|
dictionary of targets |
|
type of enumeration
standard
Google sub-domains
test for zone transfers
test against IANA TLDs |
|
deep whois analysis |
|
export to CSV |
dnsenum |
|
target dns server |
|
output file |
Service Enumeration
Useful command lines |
nmap -v -p <ports> -oG <file> <address range>
|
ls -l /usr/share/nmap/scripts/<protocol>*
|
SMB |
TCP 139,445 |
|
|
use port 137 |
|
targets |
|
|
all simple enumeration |
|
authenticated |
SMTP |
TCP 25, 110 |
|
|
verify address |
|
query mail list |
SNMP |
UDP 161 |
|
|
community strings |
|
targets |
|
output file |
snmpwalk [opt] agent [OID]
|
|
community string |
|
version |
snmpcheck
-t <address>
-c
-w
|
enumeration tool
target
community string
detect write access |
SQL |
TCP 1433,3306 |
|
|
target |
|
force dbms |
|
retrieve all |
|
dump data |
|
retrieve shell |
|
crawl site |
|
Created By
Metadata
Favourited By
Comments
No comments yet. Add yours below!
Add a Comment
Related Cheat Sheets