Show Menu
Cheatography

Network Recon Cheat Sheet by

Basic guide to network reconnaissance commands

Nmap Base Syntax

# nmap [Scan Type] [Options] {targets}

Target Specif­ication

Single IPv4: 192.1­68.1.1
Single IPv6: AAAA::FF
FQDN: host.l­ocal
IPv4 Range: 192.1­68.1.2­7-78
CIDR Block: 192.1­68.1.0/16
File: -iL target­s.txt

Host Discovery Options

-sL
list hosts and reverse DNS
-sn
discovery probes only
-Pn
skip discovery stage
-n
disable reverse DNS resolution
-R
force reverse DNS resolution
--dns-servers <list>

Scan Options

TCP Scan Types
-sS
SYN
-sT
Connect
-sN
NULL
-sF
FIN
-sX
Xmas (FIN, PSH, URG)
-sA
ACK
-sW
Window
-sM
FIN/ACK
-sI <zombie host>
use zombie
--sca­nflags [flags]
URG/A­CK/­PSH­/RS­T/S­YN/FIN
UDP Scan
-sU
UDP
SCTP Scan Types
-sY
INIT
-sZ
COOKIE ECHO
Protocol Scan
-sO
IP Protocol Scan

-p - Port Options

Exclude ports
--exclude ports <port ranges­>
Protocol specif­ication
T21-25 - TCP ports 21 to 25
U53,111,137 - UDP ports 53, 111, 137
S22 - SCTP port 22
P - IP Protocol
Fast port scan
-F - scan top 100 ports (default 1000)
Sequential port scan
-r - sequential scan (default random)
Ports in nmap-s­ervices file
[1-65­535] - ports in nmap-services
--port-ratio - ports with greater ratio
--top-ports <n> - n highest ratio

-o - OS Detection Options

--oss­can­-limit
only live machines
--fuzzy
low-pr­oba­bility guesses
 

Output Options

-v|vv­|vvv
verbosity
-d<0-­9>
debugging
--reason
explain port and host states
File Outputs
-oN <fi­le>
normal
oX <fi­le>
XML
-oS <fi­le>
script kiddie
-oG <fi­le>
grepable
-oA <ba­sen­ame­>
all

Scripting Engine Options

Use default scripts
-sC
--script=default
Run scripts (indiv­idual or list)
--script
   <filename> - script filename
   <category> - category of scripts
   <directory> - scripts in directory
   <expression> - boolean expression
   [,...] - continue comma separated list
Script arguments
--script-args
   <n1>=<v1>
   <n2>={<n3>=<v3>}
   <n4>={<v4>,<v5>}
Load script args from a file
--scr­ipt­-ar­gs-file <fi­len­ame­>
Debug inform­ation
--scr­ipt­-trace
Update script database
--scr­ipt­-up­datedb

-sV - Version Detection Options

send less common probes (default 7)
--version intensity <0-­9>
light version scanning (intensity 2)
--version light
full version scanning (intensity 9)
--ver­sio­n-all
debug inform­ation
--ver­sio­n-t­race

Miscel­laneous Options

-6
IPv6
-A
Aggressive -O -sV -sC --trac­ero­ute
-T
   paranoid|0
   sneaky|1
   polite|2
   normal|3
   aggressive|4
   insane|5
Timing options
slowest scan
slower scan
slow scan
default
faster scan
fastest scan
Runtime Commands
v|V
+|- verbosity
d|D
+|- debugging
p|P
on|off packet tracing
 

DNS Enumer­ation

dnsr­econ
--domain
domain to target
--range
IP range for reverse lookup
--nam­e_s­erver
DNS server
--dic­tionary <fi­le>
dictionary of targets
--type
    std
    goo
    axfr
    tld
type of enumeration
    standard
    Google sub-domains
    test for zone transfers
    test against IANA TLDs
-w
deep whois analysis
--csv
export to CSV
dnsenum
--dns­server <se­rve­r>
target dns server
--subfile <fi­le>
output file

Service Enumer­ation

Useful command lines
nmap -v -p <po­rts> -oG <fi­le> <ad­dress range>
ls -l /usr/s­har­e/n­map­/sc­rip­ts/­<pr­oto­col­>*
SMB
TCP 139,445
nbt­scan
 ­ ­ ­ -r
use port 137
 ­ ­ ­ ­<a­ddress range>
targets
enu­m4l­inux
 ­ ­ ­ -a
all simple enumer­ation
 ­ ­ ­ -u user -p pass
authen­ticated
SMTP
TCP 25, 110
nc -nv <ad­dre­ss> 25
 ­ ­ ­ ­VRFY
verify address
 ­ ­ ­ ­EXPN
query mail list
SNMP
UDP 161
one­six­tyo­ne
 ­ ­ ­ -c <fi­le>
community strings
 ­ ­ ­ -i <fi­le>
targets
 ­ ­ ­ -o <fi­le>
output file
snm­pwalk [opt] agent [OID]
 ­ ­ ­ -c <st­rin­g>
community string
 ­ ­ ­ ­-v­{1|­2c|3}
version
snmpcheck
    -t <address>
    -c
    -w
enumer­ation tool
    target
    community string
    detect write access
SQL
TCP 1433,3306
sql­map
 ­ ­ ­ ­--­url­="ur­l"
target
 ­ ­ ­ ­--­dbm­s=<­DBM­S>
force dbms
 ­ ­ ­ -a
retrieve all
 ­ ­ ­ ­--­dump
dump data
 ­ ­ ­ ­--­os-­shell
retrieve shell
 ­ ­ ­ ­--­crawl <de­pth­>
crawl site
   

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Oracle SQL Injection Cheat Sheet
          Reverse Shell Cheat Sheet