Nmap command cheat sheet
General commands
- -sn: Disables port scan.
- -v: Enables the verbose output (include all hosts and ports in the output).
- -sV: Detects service versions.
- -A: Enables aggressive scan. The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission.
- -p: Specifies the port(s) to be scanned.
- -O: OS detection.
ARP ping scan
UDP ping scan
A UDP response means that the host is active. If the target host is offline or unreachable, various error messages such as “host/network unreachable” or “TTL exceeded” could be returned.
ICMP ECHO ping scan
The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host is alive, it returns an ICMP ECHO reply. This scan is useful for locating active devices or for determining whether ICMP is passing through a firewall.
Alternative to ICMP ECHO ping scan: ICMP Timestamp and Address Mask Ping Scan
ICMP timestamp ping scan
ICMP address mask ping scan
TCP ACK Ping Scan
This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.
IP Protocol Ping Scan
This technique sends probe packets of different IP protocols to the target host; a response to any of the probes indicates that the host is active.
TCP connect/full open scan
Stealth scan/TCP half-open scan
This scanning technique can be used to bypass firewall rules and logging mechanisms and to hide within normal network traffic.
Xmas scan
Sends a TCP frame to a target system with the FIN, URG, and PUSH flags set. If the port is open on the target, you will receive no response; if the port is closed, the target replies with an RST.
TCP Maimon scan
A FIN/ACK probe is sent to the target; if there is no response, the port is Open|Filtered, but if an RST packet is sent in response, the port is closed.
ACK flag probe scan
Sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present), and an RST response means that the port is not filtered.
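As an added defender-side example (not from the cheat sheet): a small classifier that recognises the Xmas, Maimon and ACK-probe flag patterns described above in a stream of TCP packet records, the way an IDS rule or a log-review script would. The packet records and the `established` field (whether a connection tracker already knows the flow) are constructed for this example.

```python
from collections import Counter

# Flag sets of the probe types described in the cheat sheet (Xmas, Maimon,
# ACK probe) plus the related FIN-only and NULL probes.
SIGNATURES = {
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset({"FIN", "ACK"}): "maimon",
    frozenset({"ACK"}): "ack-probe",
    frozenset({"FIN"}): "fin",
    frozenset(): "null",
}

def classify(flags, established):
    """Return the probe type for a TCP flag set, or None for ordinary traffic.
    An ACK-only segment is normal inside a tracked connection, so it only
    counts as a probe when no connection exists (established=False)."""
    kind = SIGNATURES.get(frozenset(flags))
    if kind == "ack-probe" and established:
        return None
    return kind

def suspicious_sources(packets, threshold=3):
    """Group probe packets by source IP and return {src: Counter} for every
    source whose probe count reaches the threshold."""
    hits = {}
    for pkt in packets:
        kind = classify(pkt["flags"], pkt["established"])
        if kind is not None:
            hits.setdefault(pkt["src"], Counter())[kind] += 1
    return {src: c for src, c in hits.items() if sum(c.values()) >= threshold}

# Constructed sample: one scanner, one normal client, one low-volume ACK source.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "flags": {"FIN", "URG", "PSH"}, "established": False},
    {"src": "192.0.2.10", "flags": {"FIN", "URG", "PSH"}, "established": False},
    {"src": "192.0.2.10", "flags": {"FIN", "ACK"}, "established": False},
    {"src": "192.0.2.10", "flags": set(), "established": False},
    {"src": "192.0.2.20", "flags": {"SYN"}, "established": False},
    {"src": "192.0.2.20", "flags": {"ACK"}, "established": True},
    {"src": "192.0.2.30", "flags": {"ACK"}, "established": False},
    {"src": "192.0.2.30", "flags": {"ACK"}, "established": False},
]

if __name__ == "__main__":
    for src, counts in suspicious_sources(SAMPLE_PACKETS).items():
        print(src, dict(counts))
```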
UDP scan
Uses the UDP protocol instead of TCP, so there is no three-way handshake. It sends UDP packets to the target host; no response means that the port is open. If the port is closed, an ICMP port unreachable message is received.
IDLE/IPID Header Scan / Zombie Scan
A TCP port scan method in which packets with a spoofed source address (that of an idle "zombie" host) are sent to a computer to discover what services are available.
Reference: https://nmap.org/book/idlescan.html
SCTP COOKIE ECHO Scan
A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open, and an ABORT chunk response means that the port is closed.
Ping Sweep Scan
Discovers the available hosts and their IP and MAC addresses, without any information about ports.
Display the open ports and services running
-T4: Sets the timing template (0-5). -A: Enables the aggressive scan (see General commands).
smb-os-discovery
Attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol.
NetBIOS enumeration
Http enum - enumerate the applications, directories, and files in a web server
hostmap-bfk
nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- [Target IP Address/Range of IP addresses]
Http trace
Sends an HTTP TRACE request to check whether the TRACE method is enabled on the server.
Http frontpage login
Http passwd
nmap --script http-passwd --script-args http-passwd.root=/ [Target IP Address/Range of IP addresses]
Check whether a Web Application Firewall is configured on the target host or domain
Bypassing firewall/IDS
Fragment packets
Sends fragmented probe packets to the intended target, which reassembles them after receiving all the fragments.
Source port manipulation
Replaces the actual source port number with a common port number to evade the IDS/firewall (sometimes a firewall is configured to allow packets from well-known ports such as HTTP, DNS, and FTP).
Set number of Maximum Transmission Unit (MTU)
This technique evades the filtering and detection mechanisms enabled on the target machine.
Decoy
Generates or manually specifies the IP addresses of decoys to evade the IDS/firewall. Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address among the decoy IP addresses.
-D: performs a decoy scan. RND: generates random, non-reserved IP addresses.
Send the binary data as payload
Send string data as payload
Append the given number of random data bytes to most of the packets sent, without any protocol-specific payloads
Scan in random order
Send the packets with bad or bogus TCP/UDP checksums
Scanning for vulnerabilities
Identify the IPv6 capabilities of a device
nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses]
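As an added defender-side example (not from the cheat sheet): once a scan such as the one above has been saved with -oX, the XML can be parsed into a port inventory and compared against an approved baseline. The sample XML below is constructed in the shape of Nmap's -oX output; the element and attribute names are Nmap's, while the hosts, ports and baseline are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Nmap's -oX output, trimmed to the elements
# used below. Addresses are documentation ranges, not real hosts.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sSU -p T:22,80,U:53 -oX out.xml">
  <host><status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered"/>
        <service name="domain"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def open_services(xml_text):
    """Return {ip: [(proto, port, service, state), ...]} for every host that is
    up, keeping both 'open' and the ambiguous UDP 'open|filtered' state."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), name, state))
        inventory[ip] = entries
    return inventory

def unexpected_ports(inventory, baseline):
    """Compare the scan with an approved baseline {ip: {(proto, port), ...}} and
    return, per host, the (proto, port) pairs that are open but not approved."""
    findings = {}
    for ip, entries in inventory.items():
        extra = {(proto, port) for proto, port, _, _ in entries} - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings
```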
Check for open TCP and UDP services and ports
Scan for a specific IP address
Scanning ICS/SCADA systems
Identifying HMI systems
Identifying open ports and services
nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p [port list] [Target IP address/Range of IP addresses]