Nmap command cheat sheet

General commands

ARP ping scan

nmap -sn -PR [Target IP Address/Range of IP addresses]

UDP ping scan

A UDP response means that the host is active. If the target host is offline or unreachable, various error messages such as “host/network unreachable” or “TTL exceeded” could be returned.

nmap -sn -PU [Target IP Address/Range of IP addresses]

ICMP ECHO ping scan

The ICMP ECHO ping scan sends ICMP ECHO requests to a host. If the target host is alive, it returns an ICMP ECHO reply. This scan is useful for locating active devices and for determining whether ICMP is passing through a firewall.

nmap -sn -PE [Target IP Address/Range of IP addresses]

Alternative to ICMP ECHO ping scan: ICMP Timestamp and Address Mask Ping Scan

ICMP timestamp ping scan

nmap -sn -PP [Target IP Address/Range of IP addresses]

ICMP address mask ping scan

nmap -sn -PM [Target IP Address/Range of IP addresses]

TCP ACK Ping Scan

This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.

nmap -sn -PA [Target IP Address/Range of IP addresses]

IP Protocol Ping Scan

This technique sends probe packets using several different IP protocols to the target host; a response to any of the probes indicates that the host is active.

nmap -sn -PO [Target IP Address/Range of IP addresses]

TCP connect/full open scan

nmap -sT -v [Target IP Address/Range of IP addresses]

Stealth scan/TCP half-open scan

Because the TCP handshake is never completed, this technique can slip past simple firewall rules and connection-logging mechanisms and blend into normal network traffic.

nmap -sS -v [Target IP Address/Range of IP addresses]

Xmas scan

Sends a TCP packet to the target with the FIN, URG, and PSH flags set. If the port is open, no response is returned (Nmap reports this as open|filtered, because a probe silently dropped by a firewall looks the same). If the port is closed, the target replies with an RST.

nmap -sX -v [Target IP Address/Range of IP addresses]

TCP Maimon scan

A FIN/ACK probe is sent to the target; no response means the port is open|filtered, while an RST response means the port is closed.

nmap -sM -v [Target IP Address/Range of IP addresses]

ACK flag probe scan

Sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present), and an RST response means that the port is unfiltered (reachable, although not necessarily open).

nmap -sA -v [Target IP Address/Range of IP addresses]

UDP scan

Uses UDP instead of TCP, so there is no three-way handshake. It sends UDP packets to the target host; no response means the port is open (reported as open|filtered, since a dropped probe is indistinguishable from an open port that stays silent). If the port is closed, an ICMP port unreachable message is received.

nmap -sU -v [Target IP Address/Range of IP addresses]
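The probe-response rules for the SYN, Xmas, Maimon, ACK and UDP scans above, encoded as a small classifier that returns the state Nmap would report. This is an added example, not part of the original cheat sheet; the response labels and the ICMP code set are assumptions chosen to match Nmap's documented behaviour.

```python
# Added example (not from the cheat sheet): the probe-response to port-state rules
# described above, using Nmap's own state names. The response labels "none",
# "rst", "syn-ack", "udp" and "icmp-unreach" are constructed for this demo.

# ICMP destination-unreachable codes that Nmap reports as "filtered":
# net, host and port unreachable (1, 2, 3), net/host admin prohibited (9, 10)
# and communication administratively prohibited (13).
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

# Xmas, NULL, FIN and Maimon scans all share one rule set.
STEALTH_SCANS = {"-sX", "-sN", "-sF", "-sM"}

RULES = {
    "-sS": {"syn-ack": "open", "rst": "closed", "none": "filtered"},
    "-sA": {"rst": "unfiltered", "none": "filtered"},
    "-sU": {"udp": "open", "none": "open|filtered"},
}
for _scan in STEALTH_SCANS:
    RULES[_scan] = {"rst": "closed", "none": "open|filtered"}

def classify(scan, response, icmp_code=None):
    """Return the Nmap port state for a scan type and the observed response.
    icmp_code is the ICMP type-3 code when response == "icmp-unreach"."""
    if scan not in RULES:
        raise ValueError(f"unsupported scan type {scan}")
    if response == "icmp-unreach":
        if scan == "-sU" and icmp_code == 3:
            return "closed"          # port unreachable: no listener on that UDP port
        if icmp_code in FILTERED_ICMP_CODES:
            return "filtered"        # a device in the path refused the probe
        raise ValueError(f"unexpected ICMP code {icmp_code}")
    try:
        return RULES[scan][response]
    except KeyError:
        raise ValueError(f"unexpected response {response!r} for {scan}") from None

def ambiguous(state):
    """True when Nmap could not tell open from filtered, i.e. a follow-up
    (version detection with -sV or a different scan type) is needed."""
    return state == "open|filtered"
```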

IDLE/IPID Header Scan / Zombie Scan

A TCP port scan that bounces probes off an idle "zombie" host, relying on that host's predictable IP ID sequence, so that the target sees packets from the zombie's address rather than the scanner's. The zombie host must be given with -sI.

nmap -sI [Zombie IP Address] -v [Target IP Address/Range of IP addresses]

Reference: https://nmap.org/book/idlescan.html

SCTP COOKIE ECHO scan

An SCTP COOKIE ECHO chunk is sent to the target host; no response implies that the port is open (reported as open|filtered), and an ABORT chunk response means that the port is closed.

nmap -sZ -v [Target IP Address/Range of IP addresses]

Ping Sweep Scan

Discovers the available hosts with their IP addresses (and MAC addresses when they are on the same LAN), but gives no information about ports. -sP is the legacy spelling of -sn.

nmap -sP [Target IP Address/Range of IP addresses]

Display the open ports and services running

nmap -T4 -A -v [Target IP Address/Range of IP addresses]
-T4: selects timing template 4 (0-5, higher is faster). -A: enables the aggressive scan options (OS detection, version detection, script scanning and traceroute).

smb-os-discovery

Attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol

nmap --script smb-os-discovery.nse [Target IP Address/Range of IP addresses]

NetBIOS enumeration

nmap -sV -v --script nbstat.nse [Target IP Address/Range of IP addresses]

HTTP enum - enumerate the applications, directories, and files on a web server

nmap -sV --script http-enum [Target IP Address/Range of IP addresses]

hostmap-bfk

nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- [Target IP Address/Range of IP addresses]

HTTP trace

Sends an HTTP TRACE request to check whether the TRACE method is enabled on the server.

nmap --script http-trace -d [Target IP Address/Range of IP addresses]

HTTP FrontPage login

nmap [Target IP Address/Range of IP addresses] -p 80 --script=http-frontpage-login

HTTP passwd

nmap --script http-passwd --script-args http-passwd.root=/ [Target IP Address/Range of IP addresses]

Check whether a Web Application Firewall is configured on the target host or domain

nmap -p80 --script http-waf-detect [Target IP Address/Range of IP addresses]

Bypassing firewall/IDS

Fragment packets

Sends fragmented probe packets to the target, which reassembles them after receiving all the fragments.

nmap -f [Target IP Address/Range of IP addresses]

Source port manipulation

Sets the source port of the probes to a common port number to evade IDS/firewall rules (firewalls are sometimes configured to allow packets from well-known ports such as HTTP, DNS, FTP, etc.).

nmap -g 80 [Target IP Address/Range of IP addresses]

Set the Maximum Transmission Unit (MTU) for fragments

Like -f, this splits probes into fragments, but with a chosen fragment size; the value must be a multiple of 8. The technique aims to evade the filtering and detection mechanisms enabled on the target machine.

nmap --mtu 8 [Target IP Address/Range of IP addresses]

Decoy

Generates or manually specifies decoy IP addresses to evade IDS/firewall. With RND, Nmap generates the requested number of random decoys and places the real IP address at a random position among them.

-D: performs a decoy scan. RND:<n>: generates n random, non-reserved IP addresses.

nmap -D RND:10 [Target IP Address/Range of IP addresses]

Send the binary data as payload

nmap [Target IP Address/Range of IP addresses] --data 0xdeadbeef

Send string data as payload

nmap [Target IP Address/Range of IP addresses] --data-string "dummy string"

Append the given number of random data bytes to most of the packets sent, without any protocol-specific payloads

nmap --data-length 5 [Target IP Address/Range of IP addresses]

Scan in random order

nmap --randomize-hosts [Target IP Address/Range of IP addresses]

Send the packets with bad or bogus TCP/UDP checksums

nmap --badsum [Target IP Address/Range of IP addresses]


Scanning for vulnerabilities

Identify the IPv6 capabilities of a device

nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses]

Check for open TCP and UDP services and ports

nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses]

Scan a specific IP address

nmap -n -Pn -sS -pT:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses]

Scanning ICS/SCADA systems

Identifying HMI systems

nmap -Pn -sT -p 46824 [Target IP address/Range of IP addresses]

Identifying open ports and services

nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p [port list] [Target IP address/Range of IP addresses]

Scanning Siemens SIMATIC S7 PLCs

nmap -Pn -sT -p 102 --script s7-info [Target IP address/Range of IP addresses]

Scanning EtherNet/IP devices

nmap -Pn -sU -p 44818 --script enip-info [Target IP address/Range of IP addresses]

Scanning modbus devices

nmap -Pn -sT -p 502 --script modbus-discover [Target IP address/Range of IP addresses]

Scanning BACnet devices

nmap -Pn -sU -p 47808 --script bacnet-info [Target IP address/Range of IP addresses]

Scanning Niagara Fox devices

nmap -Pn -sT -p 1911,4911 --script fox-info [Target IP address/Range of IP addresses]

Scanning Omron PLC devices

nmap -Pn -sT -p 9600 --script omron-info [Target IP address/Range of IP addresses]

Scanning PCWorx devices

nmap -Pn -sT -p 1962 --script pcworx-info [Target IP address/Range of IP addresses]

Scanning ProConOS devices

nmap -Pn -sT -p 20547 --script proconos-info [Target IP address/Range of IP addresses]
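To review the XML written by the -oX scans above (for example the TCP/UDP service scans under Scanning for vulnerabilities) and flag hosts exposing the ICS/SCADA ports listed in this section, here is an added example; it is not from the cheat sheet or the Nmap project, and the sample XML is constructed and trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET

# Added example: maps (transport, port) to the ICS/SCADA protocols listed above.
ICS_PORTS = {
    ("tcp", 102): "Siemens S7", ("tcp", 502): "Modbus",
    ("udp", 44818): "EtherNet/IP", ("udp", 47808): "BACnet",
    ("tcp", 1911): "Niagara Fox", ("tcp", 4911): "Niagara Fox",
    ("tcp", 9600): "Omron", ("tcp", 1962): "PCWorx",
    ("tcp", 20547): "ProConOS",
}

# Constructed sample of the XML that -oX writes, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.10.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
<port protocol="udp" portid="47808"><state state="open|filtered"/><service name="bacnet"/></port>
<port protocol="tcp" portid="102"><state state="closed"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.10.12" addrtype="ipv4"/></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return {ip: [(proto, port, state, service), ...]} for hosts that are up,
    keeping ports reported as open or open|filtered."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        # First non-MAC address: ipv4, or ipv6 when scanning with -6.
        ip = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") != "mac")
        entries = []
        for p in host.findall("ports/port"):
            state = p.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = p.find("service")
            entries.append((p.get("protocol"), int(p.get("portid")), state,
                            svc.get("name") if svc is not None else ""))
        result[ip] = entries
    return result

def ics_exposure(xml_text):
    """List (ip, protocol name, port, state) for every ICS/SCADA port found open."""
    return [(ip, ICS_PORTS[(proto, port)], port, state)
            for ip, entries in open_ports(xml_text).items()
            for proto, port, state, _ in entries
            if (proto, port) in ICS_PORTS]
```

An open|filtered UDP hit (as with BACnet here) still needs confirmation, for example with the bacnet-info script or -sV, before it is treated as a live exposure.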

Protection

Promiscuous mode detection (finds interfaces that may be running a sniffer)

nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]

Discover live IPs (ping sweep)

nmap -v -sn 192.168.10.1-254

Run a TCP Scan on all the ports

Remove -p- to scan only the default 1000 most common ports instead of all 65535

nmap -sT -p- -Pn 192.168.10.1-254

Run a SYN Scan (SYN is the default mode when Nmap runs with root privileges)

nmap -sS -p- -Pn 192.168.10.1-254

Run a UDP Scan with version detection: replace -sT with -sU (here combined with -V as -sUV)

-p- and -Pn have been removed because UDP scans are very slow

nmap -sUV 192.168.10.1-254

Run a XMAS Scan

nmap -sX -p- -Pn 192.168.10.1-254

Run a NULL Scan

nmap -sN -p- -Pn 192.168.10.1-254

Replace the range with a specific IP to scan all the ports of one host

Nmap script banner

nmap --script banner 192.168.10.11

Nmap script vuln

nmap --script vuln 192.168.10.11