Cheatography

Network Recon Cheat Sheet by

Basic guide to network reconnaissance commands

Nmap Base Syntax

# nmap [Scan Type] [Options] {targets}

Target Specification

Single IPv4:    192.168.1.1
Single IPv6:    AAAA::FF
FQDN:           host.local
IPv4 Range:     192.168.1.27-78
CIDR Block:     192.168.1.0/16
File:           -iL targets.txt

Host Discovery Options

-sL                     list hosts and reverse DNS (no probes sent)
-sn                     discovery probes only
-Pn                     skip discovery stage
-n                      disable reverse DNS resolution
-R                      force reverse DNS resolution
--dns-servers <list>    use the listed DNS servers for name resolution

Scan Options

TCP Scan Types
-sS                     SYN
-sT                     Connect
-sN                     NULL
-sF                     FIN
-sX                     Xmas (FIN, PSH, URG)
-sA                     ACK
-sW                     Window
-sM                     FIN/ACK
-sI <zombie host>       idle scan via zombie host
--scanflags [flags]     custom flags from URG/ACK/PSH/RST/SYN/FIN
UDP Scan
-sU                     UDP
SCTP Scan Types
-sY                     INIT
-sZ                     COOKIE ECHO
Protocol Scan
-sO                     IP protocol scan

-p - Port Options

--exclude-ports <port ranges>   exclude ports
Protocol specification
  T21-25                        TCP ports 21 to 25
  U53,111,137                   UDP ports 53, 111, 137
  S22                           SCTP port 22
  P                             IP protocol
-F                              fast scan: top 100 ports (default 1000)
-r                              sequential scan (default is random order)
[1-65535]                       only ports in the nmap-services file (within the bracketed range)
--port-ratio <ratio>            ports with a ratio greater than <ratio>
--top-ports <n>                 the n highest-ratio ports

-O - OS Detection Options

--osscan-limit          only live machines
--fuzzy                 low-probability guesses

Output Options

-v|-vv|-vvv             verbosity
-d<0-9>                 debugging
--reason                explain port and host states
File Outputs
-oN <file>              normal
-oX <file>              XML
-oS <file>              script kiddie
-oG <file>              grepable
-oA <basename>          all formats

Scripting Engine Options

-sC                               use default scripts
--script=default                  use default scripts (same as -sC)
--script <filename>               run script by filename
--script <category>               run a category of scripts
--script <directory>              run scripts in a directory
--script <expression>             boolean expression over names/categories
--script <a>,<b>,...              comma-separated list of the above
--script-args <n1>=<v1>           script argument
--script-args <n2>={<n3>=<v3>}    nested (table) argument
--script-args <n4>={<v4>,<v5>}    list argument
--script-args-file <filename>     load script args from a file
--script-trace                    debug information
--script-updatedb                 update script database

-sV - Version Detection Options

--version-intensity <0-9>   higher values send less common probes (default 7)
--version-light             light version scanning (intensity 2)
--version-all               full version scanning (intensity 9)
--version-trace             debug information

Miscellaneous Options

-6                      IPv6
-A                      aggressive: equivalent to -O -sV -sC --traceroute
Timing options
-T<0-5>                 timing template:
  paranoid|0            slowest scan
  sneaky|1              slower scan
  polite|2              slow scan
  normal|3              default
  aggressive|4          faster scan
  insane|5              fastest scan
Runtime Commands
v|V                     +|- verbosity
d|D                     +|- debugging
p|P                     on|off packet tracing

DNS Enumeration

dnsrecon
  --domain              domain to target
  --range               IP range for reverse lookup
  --name_server         DNS server
  --dictionary <file>   dictionary of targets
  --type                type of enumeration:
      std               standard
      goo               Google sub-domains
      axfr              test for zone transfers
      tld               test against IANA TLDs
  -w                    deep whois analysis
  --csv                 export to CSV
dnsenum
  --dnsserver <server>  target DNS server
  --subfile <file>      output file

Service Enumeration

Useful command lines
nmap -v -p <ports> -oG <file> <address range>
ls -l /usr/share/nmap/scripts/<protocol>*

SMB (TCP 139,445)
nbtscan
  -r                    use port 137
  <address range>       targets
enum4linux
  -a                    all simple enumeration
  -u user -p pass       authenticated

SMTP (TCP 25, 110)
nc -nv <address> 25
  VRFY                  verify address
  EXPN                  query mail list

SNMP (UDP 161)
onesixtyone
  -c <file>             community strings
  -i <file>             targets
  -o <file>             output file
snmpwalk [opt] agent [OID]
  -c <string>           community string
  -v{1|2c|3}            version
snmpcheck               enumeration tool
  -t <address>          target
  -c                    community string
  -w                    detect write access

SQL (TCP 1433,3306)
sqlmap
  --url="url"           target
  --dbms=<DBMS>         force dbms
  -a                    retrieve all
  --dump                dump data
  --os-shell            retrieve shell
  --crawl <depth>       crawl site
