Show Menu
Cheatography
  1. Home >
  2. Programming >

Network Recon Cheat Sheet by

Basic guide to network reconnaissance commands

Nmap Base Syntax

# nmap [Scan Type] [Options] {targets}

Target Specif­ication

Single IPv4: 192.1­68.1.1
Single IPv6: AAAA::FF
FQDN: host.l­ocal
IPv4 Range: 192.1­68.1.2­7-78
CIDR Block: 192.1­68.1.0/16
File: -iL target­s.txt

Host Discovery Options

-sL
list hosts and reverse DNS
-sn
discovery probes only
-Pn
skip discovery stage
-n
disable reverse DNS resolution
-R
force reverse DNS resolution
--dns-servers <list>

Scan Options

TCP Scan Types
-sS
SYN
-sT
Connect
-sN
NULL
-sF
FIN
-sX
Xmas (FIN, PSH, URG)
-sA
ACK
-sW
Window
-sM
FIN/ACK
-sI <zombie host>
use zombie
--sca­nflags [flags]
URG/A­CK/­PSH­/RS­T/S­YN/FIN
UDP Scan
-sU
UDP
SCTP Scan Types
-sY
INIT
-sZ
COOKIE ECHO
Protocol Scan
-sO
IP Protocol Scan

-p - Port Options

Exclude ports
--exclude ports <port ranges­>
Protocol specif­ication
T21-25 - TCP ports 21 to 25
U53,111,137 - UDP ports 53, 111, 137
S22 - SCTP port 22
P - IP Protocol
Fast port scan
-F - scan top 100 ports (default 1000)
Sequential port scan
-r - sequential scan (default random)
Ports in nmap-s­ervices file
[1-65­535] - ports in nmap-services
--port-ratio - ports with greater ratio
--top-ports <n> - n highest ratio

-o - OS Detection Options

--oss­can­-limit
only live machines
--fuzzy
low-pr­oba­bility guesses
 

Output Options

-v|vv­|vvv
verbosity
-d<0-­9>
debugging
--reason
explain port and host states
File Outputs
-oN <fi­le>
normal
oX <fi­le>
XML
-oS <fi­le>
script kiddie
-oG <fi­le>
grepable
-oA <ba­sen­ame­>
all

Scripting Engine Options

Use default scripts
-sC
--script=default
Run scripts (indiv­idual or list)
--script
   <filename> - script filename
   <category> - category of scripts
   <directory> - scripts in directory
   <expression> - boolean expression
   [,...] - continue comma separated list
Script arguments
--script-args
   <n1>=<v1>
   <n2>={<n3>=<v3>}
   <n4>={<v4>,<v5>}
Load script args from a file
--scr­ipt­-ar­gs-file <fi­len­ame­>
Debug inform­ation
--scr­ipt­-trace
Update script database
--scr­ipt­-up­datedb

-sV - Version Detection Options

send less common probes (default 7)
--version intensity <0-­9>
light version scanning (intensity 2)
--version light
full version scanning (intensity 9)
--ver­sio­n-all
debug inform­ation
--ver­sio­n-t­race

Miscel­laneous Options

-6
IPv6
-A
Aggressive -O -sV -sC --trac­ero­ute
-T
   paranoid|0
   sneaky|1
   polite|2
   normal|3
   aggressive|4
   insane|5
Timing options
slowest scan
slower scan
slow scan
default
faster scan
fastest scan
Runtime Commands
v|V
+|- verbosity
d|D
+|- debugging
p|P
on|off packet tracing
 

DNS Enumer­ation

dnsr­econ
--domain
domain to target
--range
IP range for reverse lookup
--nam­e_s­erver
DNS server
--dic­tionary <fi­le>
dictionary of targets
--type
    std
    goo
    axfr
    tld
type of enumeration
    standard
    Google sub-domains
    test for zone transfers
    test against IANA TLDs
-w
deep whois analysis
--csv
export to CSV
dnsenum
--dns­server <se­rve­r>
target dns server
--subfile <fi­le>
output file

Service Enumer­ation

Useful command lines
nmap -v -p <po­rts> -oG <fi­le> <ad­dress range>
ls -l /usr/s­har­e/n­map­/sc­rip­ts/­<pr­oto­col­>*
SMB
TCP 139,445
nbt­scan
 ­ ­ ­ -r
use port 137
 ­ ­ ­ ­<a­ddress range>
targets
enu­m4l­inux
 ­ ­ ­ -a
all simple enumer­ation
 ­ ­ ­ -u user -p pass
authen­ticated
SMTP
TCP 25, 110
nc -nv <ad­dre­ss> 25
 ­ ­ ­ ­VRFY
verify address
 ­ ­ ­ ­EXPN
query mail list
SNMP
UDP 161
one­six­tyo­ne
 ­ ­ ­ -c <fi­le>
community strings
 ­ ­ ­ -i <fi­le>
targets
 ­ ­ ­ -o <fi­le>
output file
snm­pwalk [opt] agent [OID]
 ­ ­ ­ -c <st­rin­g>
community string
 ­ ­ ­ ­-v­{1|­2c|3}
version
snmpcheck
    -t <address>
    -c
    -w
enumer­ation tool
    target
    community string
    detect write access
SQL
TCP 1433,3306
sql­map
 ­ ­ ­ ­--­url­="ur­l"
target
 ­ ­ ­ ­--­dbm­s=<­DBM­S>
force dbms
 ­ ­ ­ -a
retrieve all
 ­ ­ ­ ­--­dump
dump data
 ­ ­ ­ ­--­os-­shell
retrieve shell
 ­ ­ ­ ­--­crawl <de­pth­>
crawl site
   

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi
 

Metadata

  • Languages:
  • Published: 11th February, 2016
  • Last Updated: 13th May, 2016
  • Rated: 4 stars based on 1 ratings

Favourited By

MarineMustang berte codeluu

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Oracle SQL Injection Cheat Sheet
          Reverse Shell Cheat Sheet