Cheatography

NMAP Cheat Sheet (DRAFT) by

Common NMAP Commands

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Download Zenmap (the official Nmap GUI; the Preset Profiles below are its built-in profiles)

Host Notation

IP
152.120.2.200
Hostname
IDNS3.dot.gov
Subnet
152.120.2.0/24
IP Range
152.120.2.5-20

Common Options

-T3
Normal timing (the default)
-T4
Aggressive timing (faster; fine on a reliable LAN)
-A
Aggressive scan: OS detection (-O), version detection (-sV), default script scan (-sC) and traceroute
-O
OS detection
-v
Verbose (use -vv for more)
-sV
Probe open ports to determine service/version info
-sn
Ping scan (host discovery only, no port scan)
-p <port range>
Only scan the specified ports (e.g. -p 445 or -p 1-1024)
--script=<name>[,<name>...]
Run the named NSE script(s) or script category
-iL [filename]
Input file of hosts/IPs, one per line
-oN [filename]
Save normal (human-readable) output to a text file
-oX [filename]
Save XML output to a file (the format to parse with tools)

Common Scripts

ssl-enum-ciphers
List the SSL/TLS protocol versions and ciphers a service accepts, grade them (A to F) and warn about weak ones
smb-protocols
List the SMB dialects a server supports (SMBv1 shows as "NT LM 0.12 (SMBv1)"; the rest as 2.02, 2.10, 3.00, 3.02, 3.11)
ssl-heartbleed
Test for the OpenSSL Heartbleed bug (CVE-2014-0160)

Preset Profiles

Intense
nmap -T4 -A -v
Quick Scan Plus
nmap -sV -T4 -O -F --version-light
Ping Scan
nmap -sn


FAQ

How do I tell who at DOT runs a server?
Run
nmap -sV -T4 -O -A <host>
(-A already implies -sV and -O, so they are redundant but harmless) and look for a hostname in the service and script results (e.g. smb-os-discovery)
Check the hostname for a mode
Check Solarwinds for the Support_Manager property
Check the patch list to see if ITSS manages it
Is a host running SMB v1?
Run
nmap --script=smb-protocols <host>

Check the dialects listed: anything below 2.02 is SMBv1, which nmap prints as "NT LM 0.12 (SMBv1)"
Is a host using low security SSL?
Run
nmap --script=ssl-enum-ciphers <host>

Check for warnings about SWEET32 (3DES), RC4 or a weak (e.g. 1024-bit) Diffie-Hellman key exchange, and for a "least strength" grade below A
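The three FAQ checks above are easier to repeat across many hosts if the scan is saved with -oX and parsed. The script below is an added example, not part of the cheat sheet: it reads nmap XML output and reports, per host, the hostname from smb-os-discovery, any SMBv1 dialect from smb-protocols, and the "least strength" grade and warnings from ssl-enum-ciphers. The embedded sample XML is constructed for this example (address, hostname and service details are made up), shaped like the output of a run such as nmap -sV --script=smb-os-discovery,smb-protocols,ssl-enum-ciphers -oX scan.xml <host>.

```python
"""Triage nmap -oX output for the FAQ checks: hostname, SMBv1, weak TLS."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like nmap XML output (-oX). The IP, hostname and
# service details are made up for this example; they are not a real scan.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script=smb-os-discovery,smb-protocols,ssl-enum-ciphers -oX - 10.0.0.5">
<host>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="example-host.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="(trimmed)">
<table key="TLSv1.0">
<table key="ciphers">
<table><elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
<table><elem key="name">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">dh 1024</elem><elem key="strength">C</elem></table>
</table>
<table key="warnings">
<elem>Broken cipher RC4 is deprecated by RFC 7465</elem>
<elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem>
<elem>Key exchange (dh 1024) of lower strength than certificate key</elem>
</table>
</table>
<elem key="least strength">C</elem>
</script>
</port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports>
<hostscript>
<script id="smb-os-discovery" output="(trimmed)">
<elem key="os">Windows Server 2012 R2 Standard 9600</elem>
<elem key="fqdn">example-host.internal</elem>
</script>
<script id="smb-protocols" output="(trimmed)">
<table key="dialects">
<elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
<elem>2.02</elem>
<elem>2.10</elem>
</table>
</script>
</hostscript>
</host>
</nmaprun>
"""


def is_smbv1(dialect):
    """True for the SMB1 dialect. nmap prints it as 'NT LM 0.12 (SMBv1) ...';
    newer dialects appear as bare version numbers such as '2.02' or '3.11'."""
    parts = dialect.split()
    if not parts:
        return False
    try:
        return float(parts[0]) < 2.0
    except ValueError:
        return "SMBv1" in dialect


def text_of(elem):
    return (elem.text or "").strip()


def triage_host(host):
    """Pull the FAQ-relevant facts out of one <host> element."""
    addr = host.find("address[@addrtype='ipv4']")
    ptr = host.find("hostnames/hostname")
    fqdn = host.find("hostscript/script[@id='smb-os-discovery']/elem[@key='fqdn']")
    result = {
        "ip": addr.get("addr") if addr is not None else None,
        "ptr": ptr.get("name") if ptr is not None else None,
        "fqdn": text_of(fqdn) if fqdn is not None else None,
        "smbv1_dialects": [],
        "tls": [],
    }
    smb = host.find("hostscript/script[@id='smb-protocols']")
    if smb is not None:
        result["smbv1_dialects"] = [text_of(e) for e in smb.iter("elem") if is_smbv1(text_of(e))]
    for port in host.findall("ports/port"):
        script = port.find("script[@id='ssl-enum-ciphers']")
        if script is None:
            continue
        least = script.find("elem[@key='least strength']")
        result["tls"].append({
            "port": port.get("portid"),
            "least_strength": text_of(least) if least is not None else "?",
            # ssl-enum-ciphers emits one warnings table per protocol version; collect all of them.
            "warnings": [text_of(e) for e in script.iterfind(".//table[@key='warnings']/elem")],
        })
    return result


def triage(xml_text):
    """Parse a whole -oX document and triage every host in it."""
    root = ET.fromstring(xml_text)
    return [triage_host(h) for h in root.findall("host")]


if __name__ == "__main__":
    # Usage: python triage_nmap.py scan.xml   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in triage(data):
        print(f"{r['ip']} ptr={r['ptr']} fqdn={r['fqdn']}")
        print("  SMBv1:", r["smbv1_dialects"] or "not offered")
        for t in r["tls"]:
            print(f"  tcp/{t['port']} least strength {t['least_strength']}")
            for w in t["warnings"]:
                print("    -", w)
```

Run it against a real file with -oX output and any host that prints an SMBv1 dialect or a least strength worse than A is the one to chase down with the Solarwinds and patch-list steps above.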

Example #1

NCATS report for a server comes in

Summary:
NCCIC NCATS Cyber Hygiene reported a system vulnerability

Source IP:
204.68.195.16

Host Name:
docketsinfo.dot.gov


1) Run
nmap -sV -T4 -A -v docketsinfo.dot.gov

2) Note the hostname in the 3389 and 10000 port results and in the smb-os-discovery script output
3) Determine that this is an OST server that is not on the ITSS patch list
4) Most likely an OST (non-ITSS) managed server

Example #2

NCATS report for a server comes in

Summary:
NCCIC NCATS Cyber Hygiene reported a system vulnerability

Source IP: 204.68.194.45
Destination IP: 64.69.57.0/24
Host Name: 204.68.194.45 DOTDMZWAS018VG.ext.dot.gov


1) Run
nmap -sV -T4 -A -v DOTDMZWAS018VG.ext.dot.gov

2) Note the hostname in the 443 port results
3) Find this server in the ITSS patch list
4) Determine that this is an ITSS-managed server