NMAP CHEAT SHEET


Target Specification

192.168.100.1-50     IP Range
192.168.100.1/24     CIDR Spec.
-iL Filename         IP Addr File 
-iR                  Random Targets
--exclude            Exclude IP
--exclude-file       Exclude List 

Scan Techniques

-sS   TCP SYN Scan
-sT   TCP Connect Scan
-sF   FIN Scan
-sA   ACK Scan
-sW   Window Scan
-sM   Maimon Scan

Host Discovery

-sL                 List Targets
-sn                 Host up/down(No Scan)
-Pn                 Scan (No ping)
-PS <port list>     TCP SYN Ping
-PA <port list>     TCP ACK Ping
-PU <port list>     UDP Ping
-PY <port list>     SCTP INIT Ping
-PE; -PP; -PM       ICMP Ping
-PO <protocol list> Protocol Ping
-PR                 ARP Ping
--disable-arp-ping  No ARP Ping
--traceroute        Trace path

Port Scanning

-p-                    Scan All Ports
-sU                    Scan UDP Ports
-r                     Don’t Randomise Ports
-sF                    FIN Scan
-sX                    X-Mas Scan
-sN                    NULL Scan
-sZ                    SCTP Cookie Echo Scan
-b <ftp Host>          FTP Bounce
--top-ports 'value'    Scans Top Ports

Protocol Scan

-sO    IP Protocol Scan

OS/service/version Detection

-O                   Detect OS
-sV                  Version Detection
--osscan-guess       Guess OS
--max-os-tries       Max Tries
--version-intensity  0 To 9 
--version-light      Intensity 2
--version-all        Try Every Single Probe
--version-trace      Detailed Version Scan

Timing/performance

-T(0-5)                 5 Is The Fastest
-F                      Fast Scan, Fewer Ports
--max-retries "num"     Retransmissions
--host-timeout "time"   Give Up After "time"
--scan-delay "Time"     Delay Probes

Firewall/IDS/IPS Evasion And Spoofing

-sI <zombie host>[:<probe port>]  Idle Scan
-D <decoy list>               Decoy Hosts
-f                            Fragment Packets
-S <IP_address>               Spoof Source Address
-e <interface>                Use Specified Interface
-g <port>                     Spoof Source Port
--source-port <port>          Spoof Source Port
--data <hex String>           Add Custom Binary To Packets
--data-string <string>        Add Custom String To Packets
--data-length <number>        Add Random Data To Packets
--ttl <value>                 Set IP Time-to-live Field
--randomize-hosts             Randomize Target Host Order
--spoof-mac <MAC/Prefix>      Spoof Mac Address 
--proxies <Proxy list>        Connect Via Proxies
--badsum                      Packets With Bogus Checksums

Output

-v                  verbose (-vv)
-oN                 Normal Output
-oG                 Grepable Output
-oX                 XML Output
--reason            Filtered/Closed/Open Reason
--open              Only Show Open Ports
--packet-trace      Show All Packets Sent/Received
--iflist            Print Interfaces And Routes
--log-errors        Log Errors/warnings To Output 
--append-output     Append To Output File
--resume            Resume An Aborted Scan
--stylesheet        Transform XML to HTML
--webxml            Portable XML
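Grepable output (-oG) is the format most often fed to follow-up tooling, so here is an added example, not part of this cheat sheet or of Nmap itself, that parses it: one "Host:" line per host, tab-separated fields, and each "Ports:" entry made of seven slash-separated fields (port/state/protocol/owner/service/rpcinfo/version). The sample scan output embedded below is constructed for the example (invented hosts and banners, shaped like the -sV -p 139,445 example further down the page).

```python
import re

# Constructed sample of Nmap grepable (-oG) output; hosts, hostnames and
# version banners are invented for this example.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sV -p 139,445 -oG scan.gnmap 10.0.1.0/24
Host: 10.0.1.12 ()\tStatus: Up
Host: 10.0.1.12 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/
Host: 10.0.1.40 (fileserver.example)\tStatus: Up
Host: 10.0.1.40 (fileserver.example)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 4.X/
# Nmap done at Wed May  1 10:00:31 2024 -- 256 IP addresses (2 hosts up) scanned in 31.02 seconds
"""

# The seven fields of one "Ports:" entry, in the order Nmap writes them.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [record, ...]}} from -oG text.

    Comment lines (# Nmap ...) are skipped; "Status:" lines create the host
    entry and "Ports:" lines fill in the port records.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                # "139/open/tcp//netbios-ssn///" -> seven fields plus a trailing empty one
                record = dict(zip(PORT_FIELDS, item.split("/")))
                record["port"] = int(record["port"])
                entry["ports"].append(record)
    return hosts


def open_ports(hosts, state="open"):
    """Flatten the parsed hosts to sorted (ip, port, proto, service, version)
    tuples for ports in the requested state (open by default)."""
    return sorted(
        (ip, p["port"], p["proto"], p["service"], p["version"])
        for ip, h in hosts.items()
        for p in h["ports"]
        if p["state"] == state
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for row in open_ports(parsed):
        print("%-12s %5d/%s %-14s %s" % row)
```

The parser keys on the "Host:" prefix and the tab separators rather than on column positions, so it copes with hostnames in the parentheses and with version strings that themselves contain spaces; anything Nmap appends after the "Ports:" field (such as an "Ignored State:" summary) is simply skipped.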


Misc Nmap Options

-6                   Enable IPV6 Scanning
-A                   OS, Version, Script, Traceroute
-V                   Show Nmap Version Number
-h                   Help 
--privileged         Assume That The User Is Fully Privileged
--unprivileged       Assume The User Lacks Raw Socket Privileges
--send-eth/--send-ip Send Using Raw Ethernet Frames Or IP Packets

Custom Scan 

--scanflags (custom Tcp Scan)

Script Scan

-sC                            Same As --script=default
--script <Script Name> <IP>    --script smb-check-vulns.nse 192.168.1.1
--script-args                  --script-args=unsafe=1
--script-args-file <filename>  Add Args From A File
--script-trace                 Show All Data Sent And Received
--script-updatedb              update Script Database
--script-help="Script"         show Help About Scripts

Examples:

nmap -sV -v -p 139,445 10.0.1.0/24
nmap -sU --script nbstat.nse -p 137 10.0.1.12
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1


Scanning Techniques

-sP (Ping Scan; Older Alias Of -sn)
  • Used To Find Out Whether The Host Is Up or Down.

-sS (TCP SYN Scan)(Half-Open)

  • It Is Fast & Stealthy
  • Never Completes TCP Handshake.
  • Differentiates Between The Open, Closed & Filtered Ports. 
  • The Target Usually Creates No Application Log Of The Interaction Because No Session Was Established.

-sT (TCP Connect Scan)(Handshake)
  • Completes TCP Handshake.
  • Target Machines Are More Likely To Log The Connection.
  • An IDS Will Catch It; Some Unix Systems Will Add It To Syslog.

-sU (UDP Scan)(Slow)
  • We Send The Target A UDP Probe; An ICMP Port Unreachable Reply Means The Port Is Closed.
  • If Nothing Comes Back, The Target Has Either Received The Packet Or Quietly Dropped It, So The Port Is Either Open Or Filtered Respectively.
  • A UDP Response Is Received When The Corresponding Port Is Open.

-sF (FIN Scan) (End of Connection)
  • A Packet Is Sent To Each TCP Port With The FIN Bit Set.
  • The FIN Bit Indicates The End Of A TCP Session.
  • An RST Response Indicates The Port Is Closed.
  • No Response Indicates That The Port Is Listening.
  • Keep In Mind, However, That Windows PCs Do Not Comply With RFC 793; Therefore, They Do Not Provide Accurate Results With This Type Of Scan.

-sX (Xmas Scan)(Mixed)
  • URG: Indicates That The Data Is Urgent And Should Be Processed Immediately.
  • PSH: Forces Data To A Buffer.
  • FIN: Used When Finishing A TCP Session.
  • A TCP Connection Should Not Be Made With All Three Of These Flags Set.
  • If The Port Is Open Then The Packets Will Be Ignored.
  • An RST Response Indicates The Port Is Closed.

-sN (Null Scan)
  • Used To Identify Listening TCP Ports. 
  • It Is A Series Of TCP Packets That Contain A Sequence Number Of 0 And No Set Flags. 
  • Target Responds With An RST Packet If The Port Is Closed. 
  • If The Port Is Open, The Host Ignores The Packet, And No Response Arrives. 
  • Because The Null Scan Does Not Contain Any Set Flags, It Can Sometimes Penetrate Firewalls And Edge Routers That Filter Incoming Packets With Particular Flags. 
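The response rules spelled out in the notes above (SYN, connect, UDP, FIN, Xmas and Null) are small enough to write down as a table, and the same flag combinations are what a defender looks for on the other side. The following is an added example, not part of the cheat sheet or of Nmap: `infer_port_state` encodes the reply-to-state rules, `classify_probe` names the stateless probe a TCP flag combination belongs to, and `summarise_scan_activity` runs that over a few constructed firewall log lines (the log format, the RFC 5737 documentation addresses and the `min_ports` threshold are all assumptions of this example). Where a missing reply cannot separate an open port from a silently dropping firewall, the table uses Nmap's own `open|filtered` label rather than the plain "listening" of the notes.

```python
import re

# Port state each technique infers from the target's reply, encoding the
# notes above.  "none" means no reply arrived before the timeout.
STATE_RULES = {
    "SYN":     {"SYN/ACK": "open", "RST": "closed",
                "ICMP unreachable": "filtered", "none": "filtered"},
    "Connect": {"handshake": "open", "RST": "closed", "none": "filtered"},
    "UDP":     {"UDP": "open", "ICMP port unreachable": "closed",
                "none": "open|filtered"},
    "FIN":     {"RST": "closed", "none": "open|filtered"},
    "Xmas":    {"RST": "closed", "none": "open|filtered"},
    "Null":    {"RST": "closed", "none": "open|filtered"},
}


def infer_port_state(technique, reply):
    """Return the port state Nmap would report for `technique` given `reply`."""
    try:
        return STATE_RULES[technique][reply]
    except KeyError:
        raise ValueError(f"no rule for technique={technique!r} reply={reply!r}") from None


# Defender's view: the stateless probes as they appear in a firewall log.
# Flag letters follow the constructed log format below:
# S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
PROBE_SIGNATURES = {
    frozenset(): "Null scan",        # no flags at all
    frozenset("F"): "FIN scan",      # FIN only
    frozenset("FPU"): "Xmas scan",   # FIN+PSH+URG
}


def classify_probe(flags):
    """Name the scan a flag combination belongs to, or None for ordinary
    traffic (a SYN, an ACK, a PSH/ACK data segment, ...)."""
    return PROBE_SIGNATURES.get(frozenset(flags.upper()))


# Constructed log format (assumption of this example), one packet per line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]*)")

SAMPLE_LOG = [  # constructed; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges
    "2024-05-01T10:00:01Z SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S",
    "2024-05-01T10:00:02Z SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=FPU",
    "2024-05-01T10:00:02Z SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=FPU",
    "2024-05-01T10:00:03Z SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=",
    "2024-05-01T10:00:03Z SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445 FLAGS=F",
    "2024-05-01T10:00:04Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S",
    "2024-05-01T10:00:05Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=PA",
]


def summarise_scan_activity(lines, min_ports=3):
    """Group Null/FIN/Xmas probes by source address and return the sources
    that hit at least `min_ports` distinct ports with them, as
    {src: {"kinds": [...], "ports": [...]}}.  Normal SYN/ACK traffic is ignored."""
    seen = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        kind = classify_probe(m["flags"])
        if kind is None:
            continue
        entry = seen.setdefault(m["src"], {"kinds": set(), "ports": set()})
        entry["kinds"].add(kind)
        entry["ports"].add(int(m["dpt"]))
    return {
        src: {"kinds": sorted(e["kinds"]), "ports": sorted(e["ports"])}
        for src, e in seen.items()
        if len(e["ports"]) >= min_ports
    }


if __name__ == "__main__":
    print("FIN scan, no reply ->", infer_port_state("FIN", "none"))
    for src, info in summarise_scan_activity(SAMPLE_LOG).items():
        print(src, info)
```

The threshold on distinct ports is what keeps a single malformed packet from raising an alert; a flag-only rule without it would fire on every corrupted segment.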

Source Nmap.org
