Nmap Cheat Sheet
Introduction
Nmap is a free and open-source network scanner that is often used during penetration tests to discover hosts and services on a computer network by sending packets and analyzing the responses.
The tool provides a number of features to help identify services and their versions, test for known vulnerabilities, brute-force credentials, detect operating system information and much more.
General Nmap Syntax
The general syntax that Nmap uses is the following:
nmap [flags] host(s)
Flags can then be used to specify the ports and hosts to be scanned, types of scans to enumerate services or operating systems, timing and performance options, NSE scripts etc.
Specifying Ports
Nmap has ways to specify the target ports. The ports to be scanned can be specified with the following flags:
Flag | Description |
---|---|
-p <ports> | Specify a single port, multiple ports (comma-separated) or a port range (for example 20-25). Prefix a list with U: or T: to restrict it to UDP or TCP; the qualifier stays in force until the next one (for example -p U:53,111,T:21-25,80). Service names such as ftp, http or smb can also be used. |
-p- | Scan all ports from 1 through 65535. Port 0 is excluded unless requested explicitly (-p0-). |
-F | Fast mode: scan the 100 most common ports instead of the default 1000. |
--top-ports <n> | Scan the n most common ports, as ranked by the frequency data in nmap-services. |
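To make the qualifier rule concrete, here is an added Python example (not part of the original cheat sheet or of Nmap itself) that expands a -p specification the way Nmap reads it: a T:/U: prefix applies to every following entry until the next prefix, an unqualified entry applies to every protocol the scan covers, and a missing range endpoint means 1 or 65535. Service names are left out on purpose; Nmap resolves those from nmap-services, which this example does not ship.

```python
import re

MAX_PORT = 65535
PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}


def expand_range(token):
    """Expand one entry: "80", "20-25", "-100" (1-100), "1000-" (1000-65535) or "-" (1-65535)."""
    m = re.fullmatch(r"(\d*)-(\d*)", token)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT
    elif token.isdigit():
        lo = hi = int(token)
    else:
        # Service names (ftp, http, ...) are resolved by Nmap from nmap-services; not handled here.
        raise ValueError("unsupported port token %r" % token)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError("port range out of bounds: %r" % token)
    return set(range(lo, hi + 1))


def parse_port_spec(spec, scanned=("tcp",)):
    """Expand an Nmap -p string into {protocol: set(ports)}.

    spec:    the value given to -p, e.g. "U:53,111,137,T:21-25,80,139,8080"
    scanned: the protocols the scan covers (e.g. ("tcp", "udp") for -sS -sU);
             entries with no qualifier are added to each of them (assumption
             matching Nmap's documented behaviour for unqualified ports).
    """
    result = {proto: set() for proto in PROTOCOLS.values()}
    current = None  # no qualifier seen yet: entries apply to all scanned protocols
    for token in spec.split(","):
        token = token.strip()
        # A qualifier such as "T:" sticks until another qualifier appears.
        if len(token) > 1 and token[1] == ":" and token[0].upper() in PROTOCOLS:
            current = PROTOCOLS[token[0].upper()]
            token = token[2:]
        ports = expand_range(token)
        for proto in ([current] if current else list(scanned)):
            result[proto].update(ports)
    return {proto: ports for proto, ports in result.items() if ports}


if __name__ == "__main__":
    # Mirrors the man page example: UDP 53,111,137 plus TCP 21-25,80,139,8080.
    for proto, ports in parse_port_spec("U:53,111,137,T:21-25,80,139,8080", ("tcp", "udp")).items():
        print(proto, sorted(ports))
```

Run it with the spec you are about to pass to -p to check that the qualifier landed on the ports you intended; a common mistake is writing `-p 53,T:80` with -sS -sU and not realising that 53 is then probed on both protocols.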
Specifying Hosts
Nmap has ways to specify the target hosts. The hosts to be scanned can be specified with the following flags:
Flag | Description |
---|---|
N/A (positional) | Targets are given as arguments: a single IP address, several addresses separated by spaces, an octet range (for example 192.168.1.1-5) or a hostname such as google.com. CIDR notation (for example 192.168.1.0/24) scans a whole network; /32 is a single host. |
-iL <file> | Read targets from a text file, one per line. |
-iR <n> | Scan n randomly chosen Internet hosts (0 means scan forever). |
--exclude <hosts> | Exclude the given comma-separated host(s) or networks from the scan; --excludefile <file> reads the exclusions from a file. |
Enumerating Services and Versions
Nmap can probe open ports to identify the application behind them and its version, which is useful for finding known vulnerabilities:
Flag | Description |
---|---|
-sV | Enable version detection: send service probes to each open port to identify the application and version behind it. |
-sV --version-intensity <0-9> | Set how many probes are tried against each port (default 7). Higher values are more accurate but slower; lower values are faster and miss unusual services. |
-sV --version-light | Alias for --version-intensity 2: better performance, worse accuracy. --version-all is the opposite (intensity 9). |
-A | Aggressive scan: enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute in one flag. |
Identifying Operating System & Version
Nmap has the ability to identify a target’s operating system and its version, due to its TCP/IP stack fingerprinting:
Flag | Description |
---|---|
-O | Enables operating system detection. |
-O --osscan-limit | Skip OS detection against hosts that do not have at least one open and one closed TCP port, since fingerprinting is unreliable without both. |
-O --osscan-guess / --fuzzy | If no exact fingerprint match is found, print the closest near matches; more aggressive guessing. |
-O --max-os-tries <n> | Set the maximum number of OS detection attempts per host (default 5). A lower value is faster and generates less traffic but is less likely to produce a match. |
-A | Aggressive scan: enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute in one flag. |
Specifying Scan Type
Several types of port scan can be performed against a target; which one to use depends on the target's operating system, the service and whatever filtering sits between you and the host:
Flag | Description |
---|---|
-sS | TCP SYN scan (default when Nmap has raw-packet privileges). Sends a SYN and never completes the handshake, so it is fast, relatively unobtrusive and reliable at telling open, closed and filtered ports apart. |
-sT | TCP connect scan (default when a SYN scan is not available, for example without root). Uses the OS connect() call and completes the full handshake, so it is slower and far more likely to be logged by the target application. |
-sU | UDP scan. Used for services that run over UDP (DNS, SNMP, DHCP); much slower than TCP scanning because closed ports answer only with rate-limited ICMP errors and open ports often answer nothing at all. |
-sY | SCTP INIT scan, the SCTP equivalent of a TCP SYN scan. SCTP is a relatively new transport protocol that combines characteristics of TCP and UDP. |
-sN; -sF; -sX | TCP NULL, FIN and Xmas scans. These exploit a loophole in RFC 793: a closed port must answer an out-of-state probe with a RST while an open port stays silent, so ports are reported as closed or open|filtered. Systems that do not follow the RFC (Windows, many Cisco devices) send RST for every port, making everything look closed. |
-sA | TCP ACK scan. Never determines open ports; used to map firewall rulesets, telling stateful from stateless filters and showing which ports are filtered. |
-sW | TCP Window scan. Identical to the ACK scan, but exploits an implementation detail of certain systems (the TCP window size of the returned RST) to tell open ports from closed ones instead of always reporting unfiltered when a RST comes back. |
-sM | TCP Maimon scan. Identical to the NULL, FIN and Xmas scans except that the probe is FIN/ACK. |
--scanflags <flags> | For advanced users: design your own scan by specifying arbitrary TCP flags, either as a numeric value such as 9 (PSH and FIN) or, more readably, as any combination of the names URG, ACK, PSH, RST, SYN and FIN. |
-sZ | SCTP COOKIE ECHO scan, a more advanced SCTP scan. It relies on SCTP implementations silently dropping COOKIE ECHO chunks on open ports but sending an ABORT when the port is closed. Less obviously a port scan than an INIT scan, but it cannot distinguish open from filtered ports. |
-sI <zombie host> | Idle scan: a truly blind TCP port scan in which no packets are sent to the target from your real IP address. It is a side-channel attack that abuses predictable IP fragmentation ID (IPID) sequence generation on a zombie host to infer which ports are open on the target. |
-sO | IP protocol scan. Determines which IP protocols (TCP, UDP, ICMP, IGMP, etc.) the target supports. |
-b <FTP relay host> | FTP bounce scan. The FTP protocol lets a client ask a server to send a file to a third-party host, which can be abused to make the server port scan other machines by requesting a transfer to each port of interest; the server's error message reveals whether the port is open. Most modern FTP servers have this feature disabled. |
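The table above describes each scan in words; what actually distinguishes them is the rule used to turn a reply (or the absence of one) into a port state. The following is an added Python example, not code from the cheat sheet or from Nmap, that encodes those rules as a decision table for the TCP and UDP scan types. The Response dataclass and the flag letters are assumptions made for the example; the state mappings follow Nmap's documented behaviour, including the ICMP unreachable codes it treats as "filtered".

```python
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable (type 3) codes that Nmap maps to "filtered":
# net, host, protocol, port, net-prohibited, host-prohibited, admin-prohibited.
UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    """One reply to a single probe, or the absence of one (example-only model).

    kind: "tcp", "udp" or "icmp"; None means nothing came back even after retransmissions.
    flags: TCP flag letters of the reply, e.g. "SA" (SYN/ACK) or "RA" (RST/ACK).
    window: TCP window field of the reply (only the Window scan looks at it).
    icmp_type / icmp_code: set when kind == "icmp".
    """
    kind: Optional[str] = None
    flags: str = ""
    window: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


NO_REPLY = Response()


def classify(scan, resp):
    """Return the port state Nmap reports for the given scan type and probe response.

    scan is the flag name without the dash: sS, sT, sN, sF, sX, sM, sA, sW or sU.
    """
    is_icmp_unreach = resp.kind == "icmp" and resp.icmp_type == 3
    icmp_filtered = is_icmp_unreach and resp.icmp_code in UNREACH_FILTERED
    rst = resp.kind == "tcp" and "R" in resp.flags
    no_reply = resp.kind is None

    if scan in ("sS", "sT"):
        # SYN and connect scans get a definitive answer from any reachable port.
        if resp.kind == "tcp" and "S" in resp.flags and "A" in resp.flags:
            return "open"
        if rst:
            return "closed"
        if no_reply or icmp_filtered:
            return "filtered"
    elif scan in ("sN", "sF", "sX", "sM"):
        # RFC 793 loophole: open ports ignore the probe, closed ports answer RST.
        # Silence is ambiguous (a firewall dropping the probe looks the same), hence open|filtered.
        if no_reply:
            return "open|filtered"
        if rst:
            return "closed"
        if icmp_filtered:
            return "filtered"
    elif scan == "sA":
        # ACK scan only tells whether a filter let the probe through; it never says "open".
        if rst:
            return "unfiltered"
        if no_reply or icmp_filtered:
            return "filtered"
    elif scan == "sW":
        # Window scan: some stacks send RST with a positive window for open ports, zero for closed.
        if rst:
            return "open" if resp.window > 0 else "closed"
        if no_reply or icmp_filtered:
            return "filtered"
    elif scan == "sU":
        if resp.kind == "udp":
            return "open"
        if no_reply:
            return "open|filtered"
        if is_icmp_unreach and resp.icmp_code == 3:  # port unreachable; checked before the generic set
            return "closed"
        if icmp_filtered:
            return "filtered"
    else:
        raise ValueError("unknown scan type %r" % scan)
    raise ValueError("%s has no rule for response %r" % (scan, resp))


def classify_many(scan, replies):
    """Apply classify() to a {port: Response} map, e.g. to see how a stack that answers
    RST to every NULL/FIN/Xmas probe makes every port look closed."""
    return {port: classify(scan, resp) for port, resp in replies.items()}
```

The UDP branch is the one most people get wrong when reading scan output: an open UDP service that simply does not answer an empty probe is indistinguishable from a dropped packet, which is why -sU reports so many open|filtered ports and why -sV (which sends protocol-specific payloads) is needed to settle them.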
Performing Host Discovery
Nmap has several flags that can be used to customise the techniques used for host discovery:
Flag | Description |
---|---|
-sL | List scan: do not scan at all, only list the targets and perform reverse DNS resolution on them. |
-sn | Ping scan: disable port scanning and only perform host discovery. |
-Pn | Treat every host as online: skip host discovery and port scan all targets. |
-PS<portlist> | TCP SYN ping: send an empty TCP packet with the SYN flag set. The default destination port is 80. |
-PA<portlist> | TCP ACK ping: the same as the SYN ping but with the ACK flag set instead, which often passes stateless firewalls that block unsolicited SYNs. |
-PU<portlist> | UDP ping: send a UDP packet to the given ports (default 40125). For most ports the packet is empty, though for a few a protocol-specific payload is sent that is more likely to get a response. |
-PY<portlist> | SCTP INIT ping: send an SCTP packet containing a minimal INIT chunk. The default destination port is 80. |
-PE; -PP; -PM | ICMP pings: -PE sends an echo request (type 8) and expects an echo reply (type 0); -PP sends a timestamp request (type 13); -PM sends an address mask request (type 17). Echo requests are often blocked by firewalls, so the other two are worth trying. |
-PO<protocol list> | IP protocol ping: send IP packets with the given protocol number in the IP header. By default it sends ICMP (1), IGMP (2) and IP-in-IP (4). |
-PR | ARP ping. If an ARP reply arrives, Nmap needs no IP-based ping at all because it already knows the host is up, which makes ARP discovery faster and more reliable than IP-based probes. Used by default when scanning a local Ethernet network. |
-n | Never perform DNS resolution. |
Configuring Performance & Firewall Evasion Options
Nmap has ways to increase the delay between packets or change the way they are sent to manage scan performance and potentially evade firewall and intrusion detection/prevention systems:
Flag | Description |
---|---|
-T0-5 | Timing templates that control how aggressively probes are sent: Paranoid (0), Sneaky (1), Polite (2), Normal (3, the default), Aggressive (4) and Insane (5). Lower values add delay between probes to stay under IDS thresholds; higher values trade accuracy for speed. |
-f | Fragment the probe packets into tiny IP fragments (8 bytes of payload per fragment) to make them harder for packet filters and intrusion detection systems to reassemble and inspect. Use --mtu <n> to choose a different fragment size; the value must be a multiple of 8. |
-D <decoy1,decoy2,...,ME> | Decoy scan: make it appear to the target that the listed hosts are scanning it too, hiding your real address among them. |
-S <IP address> | Spoof the source IP address, or set it explicitly when Nmap cannot determine it. -e <interface> and -Pn are generally required with this option, and replies will generally not come back to you. |
--source-port <port>; -g <port> | Send packets from the given source port where possible, to abuse filters that trust traffic from ports such as 53 or 20. |
--spoof-mac <MAC, prefix, vendor name or 0> | Set the source MAC address for all raw Ethernet frames Nmap sends (0 picks a random one). |
--ip-options <options> | Set IP options in the packet header to record or manipulate the route to the target (record route, loose or strict source routing), given as a hex string or with Nmap's shorthand letters. |
--proxies <url1,url2,...> | Relay TCP connections through a chain of HTTP or SOCKS4 proxies. |
--data-length <n> | Append n random bytes to most packets sent, instead of the usual 40-byte TCP packets and 28-byte ICMP echo requests; slower but slightly less conspicuous. |
Manipulating Output
The output produced by Nmap scans can be manipulated in order to be presented in an organized and comprehensible fashion or to easily perform further scans with it:
Flag | Description |
---|---|
-oN <file> | Write normal, human-readable output to a file. |
-oX <file> | Write XML output. Nmap ships a document type definition (DTD) so XML parsers can validate it; this is the format intended for programmatic use. |
-oS <file> | Script kiddie output, a post-processed joke format aimed at the l33t HaXXorZ who previously looked down on Nmap for its consistent capitalization and spelling. |
-oG <file> | Grepable output, now deprecated in favour of XML, which is far more powerful and is extended as new Nmap features are released. Still handy for quick grep and awk pipelines. |
-oA <basename> | Write normal, XML and grepable output at once to basename.nmap, basename.xml and basename.gnmap. |
--stylesheet <path or URL> | Reference an XSL stylesheet from the XML output so it can be viewed in a browser or translated to HTML; the result presents far better than the other formats. |
--append-output | Append new results to the existing output file instead of overwriting it. |
--resume <file> | Resume a previously interrupted scan from its normal or grepable output file. |
-v | Increase verbosity: open ports are shown as they are found and completion time estimates are printed when Nmap thinks the scan will take more than a few minutes. Use it twice (-vv) or more for even greater verbosity. |
-d | Increase the debugging level to see what Nmap is doing internally; mostly intended for developers. Use it twice or more for more detail. |
--reason | Show why each port is in its state and why each host is up or down, i.e. the type of packet (syn-ack, reset, no-response, ...) that determined it. |
--stats-every <time> | Print a timing status message periodically. The interval can be given in seconds (s), minutes (m) or hours (h). |
--packet-trace | Print a summary of every packet sent and received. Mainly for debugging, but also valuable for new users who want to understand what Nmap is doing. |
--open | Only show open (or possibly open) ports; skip closed, filtered, unfiltered and closed|filtered ones. |
--iflist | Print the interface list and system routes, useful to debug routing problems or device mischaracterization. |
--log-errors | Also write the errors Nmap normally prints only to the terminal into the normal output file. |
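Since XML is the format meant for programmatic use, here is an added Python example (not part of the cheat sheet, not Nmap's own tooling) that reads an -oX file with the standard library, reproduces what --open shows, and diffs two scans to list ports that are open now but were not in a baseline, which is the usual reason to keep XML output around. The embedded document is a constructed sample trimmed to the elements the parser reads; the addresses and service strings in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (not a real scan), cut down to the elements read below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Welcome"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: {"hostname": str or None, "ports": {(proto, port): {...}}}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that never answered discovery carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")  # IPv6-only host
        name_el = host.find("hostnames/hostname")
        entry = {"hostname": name_el.get("name") if name_el is not None else None, "ports": {}}
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            parts = [service.get("name"), service.get("product"), service.get("version")] if service is not None else []
            entry["ports"][(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),          # what --reason prints
                "service": " ".join(p for p in parts if p),
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            }
        hosts[addr.get("addr")] = entry
    return hosts


def open_ports(hosts):
    """Equivalent of --open: {address: sorted [(proto, port)] whose state is open}."""
    return {addr: sorted(k for k, v in h["ports"].items() if v["state"] == "open")
            for addr, h in hosts.items()}


def diff_open_ports(baseline_xml, current_xml):
    """Ports open in the current scan that were not open in the baseline, per host.
    Hosts absent from the baseline are reported in full."""
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    changed = {}
    for addr, ports in after.items():
        new = sorted(set(ports) - set(before.get(addr, [])))
        if new:
            changed[addr] = new
    return changed


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in open_ports(hosts).items():
        for proto, port in ports:
            print(addr, proto, port, hosts[addr]["ports"][(proto, port)]["service"])
```

Feeding two -oA runs into diff_open_ports (the .xml files) is a cheap way to turn a periodic scan into an alert on newly exposed services; note that it compares states, so a port flipping from filtered to open shows up, while a version change on an already-open port does not.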
Using the Nmap Scripting Engine (NSE)
Flag | Description |
---|---|
-sC; --script default | Run the default category of NSE scripts. Generally considered safe, though some default scripts are intrusive and should not be run without permission. |
--script <filename|category|directory|expression> | Run one or more scripts (comma-separated); wildcards such as smb-* are accepted (quote them so the shell does not expand them), as are category names. |
--script-args <n1=v1,n2=v2,...> | Provide arguments to NSE scripts as a comma-separated list of name=value pairs. Values may be strings not containing whitespace or the characters '{', '}', '=' or ','; quote the whole list when it contains shell metacharacters. |
--script-trace | Print all incoming and outgoing communication performed by the scripts, including the protocol, the source, the target and the transmitted data. |
safe, intrusive, default, vuln, brute, ... | Script categories usable with --script. They can be combined in boolean expressions, for example --script "safe and not intrusive" or --script "default or vuln". |
--datadir <directory> | Search the given directory for scripts and data files instead of the default one. |
--script-updatedb | Update the script database in scripts/script.db, which Nmap uses to determine the available scripts and their categories. Only necessary when scripts were added to or removed from the scripts directory, or their categories changed. |
Useful Nmap Commands
Below are some common Nmap commands that come in handy when enumerating hosts:
Command | Description |
---|---|
nmap -sn X.X.X.X/24 | Perform host discovery (ping scan, no port scan) against the whole /24 network. |
nmap -sC -sV -oA scan X.X.X.X | SYN scan of the default 1000 ports with version detection and default scripts; results written to scan.nmap, scan.xml and scan.gnmap. |
nmap -sC -sV -oA scan --top-ports 100 X.X.X.X | Same as above, but only against the 100 most common ports. |
nmap -sU X.X.X.X | Perform a UDP scan against a host. |
nmap -O X.X.X.X | Perform operating system detection against a host. |
nmap -Pn --script vuln 192.168.1.105 | Run the vuln category of scripts, which check for known vulnerabilities, skipping host discovery. |
nmap -p 139,445 --script "smb-enum*" X.X.X.X | Perform SMB enumeration against a host: shares, users, sessions, SMB version and more. |
nmap -p 139,445 --script "smb-vuln*" X.X.X.X | Check for known SMB vulnerabilities. |
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=<domain> X.X.X.X | Attempt a DNS zone transfer (AXFR) for <domain> against a name server. |
nmap -p 21 --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform an FTP credential brute force. |
nmap -p 80 --script http-form-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform an HTTP login form credential brute force. |
nmap -p 80 --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwords.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' X.X.X.X | Perform a WordPress credential brute force, stopping at the first valid pair. |
nmap -p 3306 --script mysql-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform a MySQL credential brute force. |
nmap -p 111 --script "nfs*" X.X.X.X | Perform NFS enumeration via the portmapper (exports, file listings, filesystem statistics). |
nmap -p 25 --script smtp-enum-users X.X.X.X | Enumerate SMTP users using VRFY, EXPN and RCPT TO. |
nmap -p 25 --script smtp-commands X.X.X.X | Enumerate the commands an SMTP server supports. |
nmap -p 25 --script "smtp-vuln*" X.X.X.X | Check for known SMTP vulnerabilities. |
nmap -sU -p 161 --script "snmp*" X.X.X.X | Enumerate SNMP information such as interfaces, netstat, processes, users and shares. |
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform an SSH credential brute force. |
nmap -p 23 --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform a Telnet credential brute force. |
nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt X.X.X.X | Perform an MSSQL credential brute force. |
nmap -p 5900 --script vnc-brute --script-args passdb=passwords.txt X.X.X.X | Perform a VNC password brute force. |
nmap -p 443 --script "ssl*" X.X.X.X | Enumerate SSL/TLS certificate details, supported ciphers and known weaknesses. |
nmap -p 80 --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true X.X.X.X | Launch a Slowloris denial-of-service attack against a web server (a DoS from a single host, not a DDoS; it exhausts the server's connection slots with half-finished requests). |
Conclusion
Knowing how to use Nmap is essential for any good penetration tester, due to its ease of use, flexibility, high performance and accuracy. It also includes the NSE (Nmap Scripting Engine), which allows users to write simple scripts to automate a wide variety of networking tasks. Users can either rely on the standard set of scripts that come with Nmap, or write their own to perform certain tasks.