Cheatography
https://cheatography.com
Nmap In-Depth Cheat Sheet
Alive HostsNMAP
nmap -sn -n 172.16.0.1\24 | grep "Nmap" | cut -d " " -f 5 > alives
NIX
bash/sh
for x in {1..254..1};do ping -c 1 172.16.0.$x | grep "64 b" | cut -d" " -f4 >> alive.hosts; done
WIN
cmd.exe
for /L %i in (10,1,254) do @ (for /L %x in (10,1,254) do @ ping -n 1 -w 172.16.%i.%x 2>nul | find "Reply" && echo 172.16.%i.%x >> alive.hosts)
powershell.exe
Foreach($x in 1..255){Test-Connection 172.16.0.$x} |
NMAPAlives Generation
nmap -sn -n | grep "Nmap" | awk $6 > alives.hosts
nmap -sn -n -oN scan.nmap && awk $6 scan.nmap > alives.hosts
Very Minimal Footprint with Fragmentation & Decoys
nmap -sS --max-retries 0 --scan-delay 3 --os-limit --max-os-tries 1 -T0 -n -Pn -iL targets.txt -vv -f -D RND:10 --ttl 32
Conscious Footprint
nmap -sS -sN -p1,2-9,39 -Pn -n -T2 -f 192.168.0.1\24
Aggressive Everything
nmap -A -p- 0.0.0.0\0
XML Web Presentation
nmap -sT -p- 192.168.1.5 -oX webpresentation.xml --webxml |
NMAP Flags/Args-sn
| Alive hosts discovery1A
| -sU
| UDP Scan
| -Pn
| Assume host is alive
| -sT
| Full TCP Handshake Scan
| -n
| Don't resolve IP addresses
| -sS
| TCP SYN Scan
| -R
| Always resolve IP addresses
| -sA
| TCP ACK Scan
| -F
| Fast amount of ports Scan
| -sC
| Nmap Scripts
| -p-
| All ports 1-65355
| -sN
| TCP NULL Scan
| -T[1-5]
| Timing speed very slow (1) to very fast (5)
| -sF
| TCP FIN Scan
| --scan-delay [int]
| Time between probes
| -sV
| Service Enumeration
| -f
| Fragment Packets (IDS/FW evasion)
| -O
| OS Type Enumeration
| -D
| Decoy hosts traffic
| RND:10
| 10 Random source hosts for '-D'
| -PS
| TCP SYN Ping2A
| -PA
| TCP ACK Ping2A
| -PU
| UDP Ping3A
| -PE
| ICMP Echo Request
| -PP
| ICMP Timestamp Query4A
| -PM
| ICMP Address Mask Query5A
| -A
| Aggressive Scan6A
| --ttl
| Set Time-To-Live for packets
| --version-light
| Versioning intensity: 2
| --version-all
| Version intensity: 9
| --iflist
| List interfaces (ifconfig)
| --traceroute
| Trace route to destination
| --stats every [int]
| Time between writing to stdout
| --script-updatedb
| Update script db
| --data-length [int]
| Use with -sU, size of UDP payload
| --open
| Return only open ports
| --system-dns
| Resolve hostnames with localhost
| --dns-servers
| Specify name server addresses for resolutions
| --resume [file]
| Scan to resume from output file
| --append-output
| Append to output file
| --ip-options
| Specify raw IP frame hex options
| Example
| --ip-options \x01\x07\x04\x00*36\x01
| -sW
| TCP Window Scan
| -sM
| TCP Maimon Scan
| -sX
| TCP Xmas Scan (all flags)
| --scanflags URGACK
| Set TCP Flags
|
1A. Sends ICMP Echo Req, SYN:443, ACK:80, ICMP Timestamp Req
2A. Destination port 80, may specify alternate port with the '-p' flag.
3A. Destination port 40125, may specify alternate port with the '-p' flag.
4A. Expects ICMP Code 14 reply, indicates host is available.
5A. Expects ICMP Code 18 reply, indicates host is available.
6A. Includes, OS detection, version scans, script scans, and traceroute.
|
Created By
Metadata
Comments
No comments yet. Add yours below!
Add a Comment
Related Cheat Sheets
More Cheat Sheets by djf