nmap Cheat Sheet
See-Security Technologies

Built by Yuval (tisf) Nativ from See-Security's Hacking Defined Experts program

This nmap cheat sheet is uniting a few other cheat sheets

Basic Scanning Techniques

• Scan a single target
    nmap [target]
• Scan multiple targets
    nmap [target1] [target2] [etc]
• Scan a list of targets
    nmap -iL [list.txt]
• Scan a range of hosts
    nmap [range of IP addresses]
• Scan an entire subnet
    nmap [IP address/cidr]
• Scan random hosts
    nmap -iR [number]
• Excluding targets from a scan
    nmap [targets] --exclude [targets]
• Excluding targets using a list
    nmap [targets] --excludefile [list.txt]
• Perform an aggressive scan
    nmap -A [target]
• Scan an IPv6 target
    nmap -6 [target]

Discovery Options

• Perform a ping scan only
    nmap -sP [target]
• Don't ping
    nmap -PN [target]
• TCP SYN Ping
    nmap -PS [target]
• TCP ACK ping
    nmap -PA [target]
• UDP ping
    nmap -PU [target]
• SCTP Init Ping
    nmap -PY [target]
• ICMP echo ping
    nmap -PE [target]
• ICMP Timestamp ping
    nmap -PP [target]
• ICMP address mask ping
    nmap -PM [target]
• IP protocol ping
    nmap -PO [target]
• ARP ping
    nmap -PR [target]
• Traceroute
    nmap --traceroute [target]
• Force reverse DNS resolution
    nmap -R [target]
• Disable reverse DNS resolution
    nmap -n [target]
• Alternative DNS lookup
    nmap --system-dns [target]
• Manually specify DNS servers
    nmap --dns-servers [servers] [target]
• Create a host list
    nmap -sL [targets]

Firewall Evasion Techniques

• Fragment packets
    nmap -f [target]
• Specify a specific MTU
    nmap --mtu [MTU] [target]
• Use a decoy
    nmap -D RND:[number] [target]
• Idle zombie scan
    nmap -sI [zombie] [target]
• Manually specify a source port
    nmap --source-port [port] [target]
• Append random data
    nmap --data-length [size] [target]
• Randomize target scan order
    nmap --randomize-hosts [target]
• Spoof MAC Address
    nmap --spoof-mac [MAC|0|vendor] [target]
• Send bad checksums
    nmap --badsum [target]

Version Detection

• Operating system detection
    nmap -O [target]
• Attempt to guess an unknown
    nmap -O --osscan-guess [target]
• Service version detection
    nmap -sV [target]
• Troubleshooting version scans
    nmap -sV --version-trace [target]
• Perform a RPC scan
    nmap -sR [target]

Output Options

• Save output to a text file
    nmap -oN [scan.txt] [target]
• Save output to an XML file
    nmap -oX [scan.xml] [target]
• Grepable output
    nmap -oG [scan.txt] [target]
• Output all supported file types
    nmap -oA [path/filename] [target]
• Periodically display statistics
    nmap --stats-every [time] [target]
• 133t output
    nmap -oS [scan.txt] [target]

Ndiff

• Comparison using Ndiff
    ndiff [scan1.xml] [scan2.xml]
• Ndiff verbose mode
    ndiff -v [scan1.xml] [scan2.xml]
• XML output mode
    ndiff --xml [scan1.xml] [scan2.xml]

Nmap Scripting Engine

• Execute individual scripts
    nmap --script [script.nse] [target]
• Execute multiple scripts
    nmap --script [expression] [target]
• Execute scripts by category
    nmap --script [cat] [target]
• Execute multiple scripts categories
    nmap --script [cat1,cat2,etc]
• Troubleshoot scripts
    nmap --script [script] --script-trace [target]
• Update the script database
    nmap --script-updatedb
• Script categories
    ◦ all
    ◦ auth
    ◦ default
    ◦ discovery
    ◦ external
    ◦ intrusive
    ◦ malware
    ◦ safe
    ◦ vuln

References

• See-Security's main page
• Hacking Defined.org
• See-Security's Facebook Page
• nmap Professional Discovery Guide
• nmap's Official Web Page