Enumeration Cheat Sheet by

Nmap In-Depth Cheat Sheet

Alive Hosts

NMAP
nmap -sn -n 172.16.0.1/24 | grep "Nmap scan report" | cut -d " " -f 5 > alives

NIX
bash/sh
for x in {1..254}; do ping -c 1 -W 1 172.16.0.$x | grep "64 b" | cut -d" " -f4 | tr -d ':' >> alive.hosts; done

WIN
cmd.exe
for /L %i in (10,1,254) do @ (for /L %x in (10,1,254) do @ ping -n 1 -w 200 172.16.%i.%x 2>nul | find "TTL=" && echo 172.16.%i.%x >> alive.hosts)

powershell.exe
foreach ($x in 1..255) { if (Test-Connection "172.16.0.$x" -Count 1 -Quiet) { "172.16.0.$x" } }

NMAP

Alives Generation
nmap -sn -n 172.16.0.1/24 | grep "Nmap scan report" | awk '{print $5}' > alives.hosts

nmap -sn -n 172.16.0.1/24 -oN scan.nmap && awk '/^Nmap scan report/ {print $5}' scan.nmap > alives.hosts
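The one-liners above depend on the IP being the fifth field, which only holds when -n is used. As an added example (not part of the cheat sheet), this shell function parses the normal output of nmap -sn whether or not names were resolved, and only lists hosts nmap reported as up; the sample scan output is constructed, not a real scan:

```shell
#!/usr/bin/env bash
# Parse normal (-oN / stdout) output of "nmap -sn" into a list of live IPs.
# Handles both "-n" output  ("Nmap scan report for 172.16.0.5") and resolved
# output ("Nmap scan report for gw.lan (172.16.0.1)"), and keeps a host only
# once nmap has printed "Host is up" for it, so hosts shown as down (-v) are
# not listed.
extract_alive_hosts() {
    awk '
        /^Nmap scan report for / {
            ip = $5                                    # bare IP when -n was used
            if ($6 ~ /^\(/) { ip = $6; gsub(/[()]/, "", ip) }  # "(1.2.3.4)" form
            next
        }
        /^Host is up/ && ip != "" { print ip; ip = "" }
    '
}

# Constructed sample of nmap -sn output (not a real scan): both report forms,
# plus one host reported down, which must be omitted from the result.
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for gw.lan (172.16.0.1)
Host is up (0.0012s latency).
Nmap scan report for 172.16.0.5
Host is up (0.0034s latency).
Nmap scan report for 172.16.0.9 [host down]
Nmap scan report for printer.lan (172.16.0.20)
Host is up (0.010s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# Real use:  nmap -sn 172.16.0.1/24 | extract_alive_hosts > alives.hosts
alive_from_sample() { printf '%s\n' "$SAMPLE_SCAN" | extract_alive_hosts; }
```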

Very Minimal Footprint with Fragmentation & Decoys
nmap -sS --max-retries 0 --scan-delay 3 --osscan-limit --max-os-tries 1 -T0 -n -Pn -iL targets.txt -vv -f -D RND:10 --ttl 32

Conscious Footprint
nmap -sS -p1,2-9,39 -Pn -n -T2 -f 192.168.0.1/24

Aggressive Everything
nmap -A -p- 0.0.0.0/0

XML Web Presentation
nmap -sT -p- 192.168.1.5 -oX webpresentation.xml --webxml

NMAP Flags/Args

-sn                   Alive hosts discovery [1A]
-sU                   UDP Scan
-Pn                   Assume host is alive (skip host discovery)
-sT                   Full TCP Handshake (connect) Scan
-n                    Don't resolve IP addresses
-sS                   TCP SYN Scan
-R                    Always resolve IP addresses
-sA                   TCP ACK Scan
-F                    Fast scan (100 most common ports)
-sC                   Default Nmap Scripts
-p-                   All ports 1-65535
-sN                   TCP NULL Scan
-T[0-5]               Timing template, very slow (0) to very fast (5)
-sF                   TCP FIN Scan
--scan-delay [time]   Time between probes
-sV                   Service Enumeration
-f                    Fragment Packets (IDS/FW evasion)
-O                    OS Type Enumeration
-D                    Decoy hosts traffic
RND:10                10 Random source hosts for '-D'
-PS                   TCP SYN Ping [2A]
-PA                   TCP ACK Ping [2A]
-PU                   UDP Ping [3A]
-PE                   ICMP Echo Request
-PP                   ICMP Timestamp Query [4A]
-PM                   ICMP Address Mask Query [5A]
-A                    Aggressive Scan [6A]
--ttl                 Set Time-To-Live for packets
--version-light       Version intensity: 2
--version-all         Version intensity: 9
--iflist              List interfaces and routes (like ifconfig)
--traceroute          Trace route to destination
--stats-every [time]  Interval between status updates written to stdout
--script-updatedb     Update script db
--data-length [int]   Append [int] bytes of random data to sent packets (e.g. UDP payload with -sU)
--open                Return only open ports
--system-dns          Resolve hostnames with the system resolver
--dns-servers         Specify name server addresses for resolutions
--resume [file]       Resume an aborted scan from its output file
--append-output       Append to output file
--ip-options          Specify raw IP options as hex
                      Example: --ip-options "\x01\x07\x04\x00*36\x01"
-sW                   TCP Window Scan
-sM                   TCP Maimon Scan
-sX                   TCP Xmas Scan (FIN, PSH, URG flags set)
--scanflags URGACK    Set TCP Flags

1A. Sends ICMP Echo Request, TCP SYN to port 443, TCP ACK to port 80, and ICMP Timestamp Request.

2A. Destination port 80; an alternate port may be given with the '-p' flag.

3A. Destination port 40125; an alternate port may be given with the '-p' flag.

4A. Expects an ICMP Timestamp Reply (Type 14); indicates the host is available.

5A. Expects an ICMP Address Mask Reply (Type 18); indicates the host is available.

6A. Includes OS detection, version scans, script scans, and traceroute.