# Nmap Cheat Sheet For Penetration Testing

Ankit Chaubey, 7 June 2022 (updated 9 June 2022)

## What is Nmap?

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

| Command | Description |
|---|---|
| `nmap -sP 10.0.0.0/24` | Ping scans the network, listing machines that respond to ping. |
| `nmap -p 1-65535 -sV -sS -T4 target` | Full TCP port scan with service version detection. Usually my first scan; I find T4 more accurate than T5 and still "pretty quick". |
| `nmap -v -sS -A -T4 target` | Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus traceroute and scripts against target services. |
| `nmap -v -sS -A -T5 target` | Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus traceroute and scripts against target services. |
| `nmap -v -sV -O -sS -T5 target` | Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection. |
| `nmap -v -p 1-65535 -sV -O -sS -T4 target` | Prints verbose output, runs a stealth SYN scan with T4 timing, OS and version detection, plus a full port range scan. |
| `nmap -v -p 1-65535 -sV -O -sS -T5 target` | Prints verbose output, runs a stealth SYN scan with T5 timing, OS and version detection, plus a full port range scan. |

**Aggressive scan timings are faster, but could yield inaccurate results!** T5 uses very aggressive scan timings and could lead to missed ports; T4 is a better compromise if you need fast results.

### Nmap scan from file

| Command | Description |
|---|---|
| `nmap -iL ip-addresses.txt` | Scans a list of IP addresses; you can add options before / after. |

### Nmap scan all ports

| Command | Description |
|---|---|
| `nmap -p- target` | Scans all TCP ports (1-65535). |

### Nmap output formats

| Command | Description |
|---|---|
| `nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24` | Writes "grepable" output to a file, in this example for NetBIOS servers. The output file could then be grepped for "Open", for instance. |
| `nmap -sS -sV -T5 10.0.1.99 --webxml -oX - \| xsltproc --output file.html -` | Exports Nmap output to an HTML report. |

### Nmap NetBIOS examples

| Command | Description |
|---|---|
| `nmap -sV -v -p 139,445 10.0.0.1/24` | Find all NetBIOS servers on the subnet. |
| `nmap -sU --script nbstat.nse -p 137 target` | Display the NetBIOS name. |
| `nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target` | Check whether NetBIOS servers are vulnerable to MS08-067. (In newer Nmap releases this script has been split into the `smb-vuln-*` scripts.) |

**`--script-args=unsafe=1` has the potential to crash servers / services.** Be careful when running this command.

### Nmap Nikto scan

| Command | Description |
|---|---|
| `nmap -p80 10.0.1.0/24 -oG - \| nikto.pl -h -` | Scans for HTTP servers on port 80 and pipes the result into Nikto for scanning. |
| `nmap -p80,443 10.0.1.0/24 -oG - \| nikto.pl -h -` | Scans for HTTP/HTTPS servers on ports 80 and 443 and pipes the result into Nikto for scanning. |

## Nmap Cheatsheet

### Target Specification

Nmap accepts hostnames, IP addresses and subnets. Examples: `blah.highon.coffee`, `nmap.org/24`, `192.168.0.1`, `10.0.0-255.1-254`.

| Command | Description |
|---|---|
| `-iL inputfilename` | Input from a list of hosts/networks |
| `-iR num_hosts` | Choose random targets |
| `--exclude host1[,host2][,host3],...` | Exclude hosts/networks |
| `--excludefile exclude_file` | Exclude list from file |

### Host Discovery

| Command | Description |
|---|---|
| `-sL` | List scan: simply list the targets to scan |
| `-sn` | Nmap ping scan / sweep: runs a network scan with port scanning disabled |
| `-Pn` | Treat all hosts as online; skip host discovery |
| `-PS/PA/PU/PY[portlist]` | TCP SYN/ACK, UDP or SCTP discovery to the given ports. Lets you specify the port Nmap uses to verify a host is up, e.g. `-PS22` (by default Nmap probes a set of common ports; this lets you be specific) |
| `-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
| `-PO[protocol list]` | IP protocol ping |
| `-n/-R` | Never do DNS resolution / always resolve [default: sometimes] |

### Scan Techniques

| Command | Description |
|---|---|
| `-sS` | TCP SYN scan |
| `-sT` | Connect scan |
| `-sA` | ACK scan |
| `-sW` | Window scan |
| `-sM` | Maimon scan |
| `-sU` | UDP scan |
| `-sN` | TCP Null scan |
| `-sF` | FIN scan |
| `-sX` | Xmas scan |
| `--scanflags` | Customize TCP scan flags |
| `-sI zombie_host[:probeport]` | Idle scan |
| `-sY` | SCTP INIT scan |
| `-sZ` | SCTP COOKIE-ECHO scan |
| `-sO` | IP protocol scan |
| `-b "FTP relay host"` | FTP bounce scan |

### Port Specification and Scan Order

| Command | Description |
|---|---|
| `-p` | Specify ports, e.g. `-p80,443` or `-p1-65535` |
| `-p U:PORT` | Scan UDP ports, e.g. `-p U:53` |
| `-F` | Fast mode: scans fewer ports than the default scan |
| `-r` | Scan ports consecutively; don't randomize |
| `--top-ports "number"` | Scan the "number" most common ports |
| `--port-ratio "ratio"` | Scan ports more common than "ratio" |

### Service Version Detection

| Command | Description |
|---|---|
| `-sV` | Probe open ports to determine service/version info |
| `--version-intensity "level"` | Set from 0 (light) to 9 (try all probes) |
| `--version-light` | Limit to the most likely probes (intensity 2) |
| `--version-all` | Try every single probe (intensity 9) |
| `--version-trace` | Show detailed version scan activity (for debugging) |

### Script Scan

| Command | Description |
|---|---|
| `-sC` | Equivalent to `--script=default` |
| `--script="Lua scripts"` | "Lua scripts" is a comma separated list of directories, script files or script categories |
| `--script-args=n1=v1,[n2=v2,...]` | Provide arguments to scripts |
| `--script-args-file=filename` | Provide NSE script arguments in a file |
| `--script-trace` | Show all data sent and received |
| `--script-updatedb` | Update the script database |
| `--script-help="Lua scripts"` | Show help about scripts |

### OS Detection

| Command | Description |
|---|---|
| `-O` | Enable OS detection |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess the OS more aggressively |

### Timing and Performance

Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

| Command | Description |
|---|---|
| `-T 0-5` | Set timing template; higher is faster (less accurate) |
| `--min-hostgroup SIZE` / `--max-hostgroup SIZE` | Parallel host scan group sizes |
| `--min-parallelism NUMPROBES` / `--max-parallelism NUMPROBES` | Probe parallelization |
| `--min-rtt-timeout TIME` / `--max-rtt-timeout TIME` / `--initial-rtt-timeout TIME` | Specifies probe round trip time |
| `--max-retries TRIES` | Caps the number of port scan probe retransmissions |
| `--host-timeout TIME` | Give up on a target after this long |
| `--scan-delay TIME` / `--max-scan-delay TIME` | Adjust the delay between probes |
| `--min-rate NUMBER` | Send packets no slower than NUMBER per second |
| `--max-rate NUMBER` | Send packets no faster than NUMBER per second |

### Firewalls, IDS Evasion and Spoofing

| Command | Description |
|---|---|
| `-f`; `--mtu VALUE` | Fragment packets (optionally with the given MTU) |
| `-D decoy1,decoy2,ME` | Cloak a scan with decoys |
| `-S IP-ADDRESS` | Spoof source address |
| `-e IFACE` | Use the specified interface |
| `-g PORTNUM` / `--source-port PORTNUM` | Use the given source port number |
| `--proxies url1,[url2],...` | Relay connections through HTTP / SOCKS4 proxies |
| `--data-length NUM` | Append random data to sent packets |
| `--ip-options OPTIONS` | Send packets with the specified IP options |
| `--ttl VALUE` | Set the IP time-to-live field |
| `--spoof-mac ADDR/PREFIX/VENDOR` | Spoof the Nmap MAC address |
| `--badsum` | Send packets with a bogus TCP/UDP/SCTP checksum |

### Nmap Output Options

| Command | Description |
|---|---|
| `-oN` | Normal output |
| `-oX` | XML output |
| `-oS` | Script Kiddie / 1337 speak... sigh |
| `-oG` | Grepable output; easy to grep Nmap output |
| `-oA BASENAME` | Output in the three major formats at once |
| `-v` | Increase verbosity level; use `-vv` or more for greater effect |
| `-d` | Increase debugging level; use `-dd` or more for greater effect |
| `--reason` | Display the reason a port is in a particular state |
| `--open` | Only show open or possibly open ports |
| `--packet-trace` | Show all packets sent / received |
| `--iflist` | Print host interfaces and routes for debugging |
| `--log-errors` | Log errors/warnings to the normal-format output file |
| `--append-output` | Append to rather than clobber the specified output files |
| `--resume FILENAME` | Resume an aborted scan |
| `--stylesheet PATH/URL` | XSL stylesheet to transform XML output to HTML |
| `--webxml` | Reference the stylesheet from Nmap.Org for more portable XML |
| `--no-stylesheet` | Prevent associating an XSL stylesheet with the XML output |

### Misc Nmap Options

| Command | Description |
|---|---|
| `-6` | Enable IPv6 scanning |
| `-A` | Enable OS detection, version detection, script scanning, and traceroute |
| `--datadir DIRNAME` | Specify a custom Nmap data file location |
| `--send-eth` / `--send-ip` | Send using raw Ethernet frames or IP packets |
| `--privileged` | Assume that the user is fully privileged |
| `--unprivileged` | Assume the user lacks raw socket privileges |
| `-V` | Show the Nmap version number |
| `-h` | Show the Nmap help screen |

## Nmap Scan Optimisation

### Nmap Rate

To speed up your scan, increase the rate; be aware that setting a high rate value will result in a less accurate scan.

`--max-rate`, `--min-rate`

### Parallelism

The maximum or minimum number of parallel tasks.

TIP: If a basic IDS / portscan detection is blocking your scans, you could lower `--min-parallelism` in an attempt to reduce the number of concurrent connections.

`--min-parallelism`, `--max-parallelism`

### Host Group Sizes

The number of hosts scanned at the same time. Note: if you are writing output to a file (e.g. `-oA`), you will need to wait for the host group to complete scanning before the Nmap output is written to the file. Therefore, if you get a lagging host you may end up waiting a while for the output file, which brings us on to the host timeout.

`--min-hostgroup`, `--max-hostgroup`

### Host Timeout

Nmap allows you to specify the timeout, which is the length of time it waits before giving up on the target. Be careful setting this very low, as you may end up with inaccurate results.

The following example would give up after 50 seconds:

`--host-timeout 50`

### Scan Delay

An extremely useful option to defeat basic port scan detection (SOHO devices and some IDS) that essentially monitors and blocks X number of connects per second (SYN flood detection etc.).

`--scan-delay 5s`

For example, if you know you can get away with 2 req/sec without getting blacklisted, then you could use:

`--scan-delay 1.2` (200ms added as a buffer)

### Disable DNS Lookups

Assuming you do not want domain names being looked up, use the `-n` flag to disable resolution and speed up the scan.

### Nmap Black List Detection?

- It usually takes an extremely long time to complete.
- Dropped probes: Nmap will increase the timeout, but it's likely you are already blacklisted.
- To confirm, recheck a port that you know was open before.
- As far as I know there is no way of detecting blacklisting within Nmap natively.

### Optimising Portscans for Targets

Once you have identified a target firewall / IDS, you can look up the default settings for the portscan blacklist by reading the manual and use the Nmap command switches above to obtain the best performance without getting blacklisted.
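As an added example that is not part of the original cheat sheet, the Python below parses Nmap's grepable `-oG` output (the format the output-formats section writes to `grep-output.txt` and greps for "Open") and compares a baseline scan against a later one. It serves two passages: the grepable output format itself, and the "recheck a port that you know was open before" check from the blacklist-detection section. From a defender's view the same comparison is change detection: a port that went from open to filtered means a filter is now in the path, and a newly open port is new exposure to investigate. The `port/state/proto/owner/service/rpc/version/` field layout follows Nmap's documented grepable format; the two scan texts and the `HostResult`/`PortInfo` names are constructed for this example and do not come from the page.

```python
"""Parse Nmap grepable (-oG) output and diff two scans (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class PortInfo:
    state: str      # open / closed / filtered / ...
    service: str    # e.g. microsoft-ds
    version: str    # -sV banner, '/' characters are written as '|' by Nmap


@dataclass
class HostResult:
    ip: str
    hostname: str = ""
    ports: dict = field(default_factory=dict)   # (port, proto) -> PortInfo


_HOST_RE = re.compile(r"^(\S+)\s*\((.*)\)\s*$")   # "10.0.1.5 (fileserver.example)"
_PORT_SPLIT_RE = re.compile(r",\s*(?=\d+/)")      # split only on commas that begin a new port entry


def parse_grepable(text: str) -> dict:
    """Return {ip: HostResult} for every 'Host:' line; '# Nmap ...' comments are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # -oG separates fields with tabs: "Host: ...\tPorts: ...\tIgnored State: ..."
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        m = _HOST_RE.match(fields["Host"])
        ip, hostname = (m.group(1), m.group(2)) if m else (fields["Host"].strip(), "")
        host = hosts.setdefault(ip, HostResult(ip=ip, hostname=hostname))
        if hostname and not host.hostname:
            host.hostname = hostname
        for entry in _PORT_SPLIT_RE.split(fields.get("Ports", "")):
            parts = entry.strip().split("/")
            # layout: port/state/proto/owner/service/rpc/version/
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            service = parts[4] if len(parts) > 4 else ""
            version = parts[6] if len(parts) > 6 else ""
            host.ports[(port, proto)] = PortInfo(state, service, version)
    return hosts


def open_ports(hosts: dict) -> dict:
    """{ip: sorted [(port, proto), ...]} for hosts with at least one open port."""
    result = {}
    for ip, host in hosts.items():
        opened = sorted(k for k, p in host.ports.items() if p.state == "open")
        if opened:
            result[ip] = opened
    return result


def compare_scans(baseline: str, current: str) -> list:
    """Diff two -oG outputs.

    Returns (ip, port, proto, old_state, new_state) for every port that was open
    in one scan and not open in the other. 'absent' means the port was not listed
    (it fell under 'Ignored State' in that scan).
    """
    before, after = parse_grepable(baseline), parse_grepable(current)
    changes = []
    for ip in sorted(set(before) | set(after)):
        b = before.get(ip, HostResult(ip)).ports
        a = after.get(ip, HostResult(ip)).ports
        for key in sorted(set(b) | set(a)):
            old = b[key].state if key in b else "absent"
            new = a[key].state if key in a else "absent"
            if old != new and "open" in (old, new):
                changes.append((ip, key[0], key[1], old, new))
    return changes


# Constructed sample output in -oG layout (not a real scan).
BASELINE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.1.5 (fileserver.example)\tStatus: Up\n"
    "Host: 10.0.1.5 (fileserver.example)\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.x (workgroup: WORKGROUP)/\tIgnored State: closed (998)\n"
    "Host: 10.0.1.7 ()\tStatus: Up\n"
    "# Nmap done (constructed sample)\n"
)
RECHECK = (
    "Host: 10.0.1.5 (fileserver.example)\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: closed (997)\n"
)

if __name__ == "__main__":
    print("open in baseline:", open_ports(parse_grepable(BASELINE)))
    for ip, port, proto, old, new in compare_scans(BASELINE, RECHECK):
        print(f"{ip} {port}/{proto}: {old} -> {new}")
```

Running the script lists the two open SMB ports from the baseline, then reports 139 and 445 moving from `open` to `filtered` (the sign the cheat sheet says to look for) and 3389 appearing as newly open. Because the parser splits on tabs first and only then on `": "`, banner text such as `(workgroup: WORKGROUP)` inside the version field does not break field parsing.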