Cheatography

Enumeration Cheat Sheet by djf

Nmap In-Depth Cheat Sheet

Alive Hosts

NMAP
nmap -sn -n 172.16.0.1/24 | grep "Nmap scan report" | cut -d " " -f 5 > alives
NIX (bash/sh)
for x in {1..254}; do ping -c 1 -W 1 172.16.0.$x | grep "64 b" | cut -d " " -f 4 | tr -d ':' >> alive.hosts; done
WIN (cmd.exe)
for /L %i in (10,1,254) do @(for /L %x in (10,1,254) do @ping -n 1 -w 200 172.16.%i.%x 2>nul | find "TTL=" >nul && echo 172.16.%i.%x >> alive.hosts)
WIN (powershell.exe)
foreach ($x in 1..254) { if (Test-Connection -ComputerName "172.16.0.$x" -Count 1 -Quiet) { "172.16.0.$x" } }

NMAP

Alives Generation
nmap -sn -n [targets] | grep "Nmap scan report" | awk '{print $5}' > alives.hosts
nmap -sn -n [targets] -oN scan.nmap && awk '/Nmap scan report/ {print $5}' scan.nmap > alives.hosts
Very Minimal Footprint with Fragmentation & Decoys
nmap -sS --max-retries 0 --scan-delay 3 --osscan-limit --max-os-tries 1 -T0 -n -Pn -iL targets.txt -vv -f -D RND:10 --ttl 32
Conscious Footprint
nmap -sN -p1,2-9,39 -Pn -n -T2 -f 192.168.0.1/24
Aggressive Everything
nmap -A -p- 0.0.0.0/0
XML Web Presentation
nmap -sT -p- 192.168.1.5 -oX webpresentation.xml --webxml

NMAP Flags/Args

-sn                    Alive host discovery [1A]
-sU                    UDP scan
-Pn                    Assume host is alive (skip host discovery)
-sT                    Full TCP handshake (connect) scan
-n                     Don't resolve IP addresses
-sS                    TCP SYN scan
-R                     Always resolve IP addresses
-sA                    TCP ACK scan
-F                     Fast scan (fewer ports than the default)
-sC                    Run the default Nmap scripts
-p-                    All ports 1-65535
-sN                    TCP NULL scan
-T[0-5]                Timing template: very slow (0) to very fast (5)
-sF                    TCP FIN scan
--scan-delay [time]    Time between probes
-sV                    Service/version enumeration
-f                     Fragment packets (IDS/firewall evasion)
-O                     OS type enumeration
-D                     Decoy host traffic
RND:10                 10 random decoy source hosts for '-D'
-PS                    TCP SYN ping [2A]
-PA                    TCP ACK ping [2A]
-PU                    UDP ping [3A]
-PE                    ICMP echo request ping
-PP                    ICMP timestamp query ping [4A]
-PM                    ICMP address mask query ping [5A]
-A                     Aggressive scan [6A]
--ttl [int]            Set IP Time-To-Live for sent packets
--version-light        Version detection intensity 2
--version-all          Version detection intensity 9
--iflist               List interfaces and routes (like ifconfig)
--traceroute           Trace route to each destination
--stats-every [time]   Interval between status updates on stdout
--script-updatedb      Update the script database
--data-length [int]    Append [int] random bytes to sent packets (e.g. UDP payload with -sU)
--open                 Show only open (or possibly open) ports
--system-dns           Resolve hostnames with the local system resolver
--dns-servers [list]   Specify name server addresses for resolution
--resume [file]        Resume an aborted scan from its output file
--append-output        Append to the output file instead of overwriting it
--ip-options           Specify raw IP header options (hex)
  Example              --ip-options "\x01\x07\x04\x00*36\x01"
-sW                    TCP Window scan
-sM                    TCP Maimon scan
-sX                    TCP Xmas scan (FIN, PSH and URG flags set)
--scanflags URGACK     Set custom TCP flags (here URG and ACK)

1A. Sends ICMP echo request, TCP SYN to 443, TCP ACK to 80, and ICMP timestamp request.
2A. Destination port 80; alternate ports are appended to the flag (e.g. -PS443).
3A. Destination port 40125; alternate ports are appended to the flag (e.g. -PU53).
4A. Expects an ICMP type 14 (timestamp reply); indicates the host is available.
5A. Expects an ICMP type 18 (address mask reply); indicates the host is available.
6A. Includes OS detection, version scans, script scans, and traceroute.
