Nmap5 Cheatsheet Eng v1

This document provides information on Nmap scanning techniques and options for performing network discovery and port scanning. It lists arguments for specifying targets, performing host discovery through ping scans, detecting operating systems and service versions, using various port scanning techniques, adding timing and performance controls, enabling firewall and IDS evasion, increasing verbosity and debugging, outputting results, and providing examples of common Nmap scans.

Uploaded by: marcusburghardt
License: Attribution Non-Commercial (BY-NC)
Target specification
  IP address, hostnames, networks, etc.
    Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL file                 input from list
  -iR n                    choose random targets, 0 = never ending
  --exclude                exclude host
  --excludefile file       exclude list from file

Host discovery
  -PS n                    tcp syn ping
  -PA n                    tcp ack ping
  -PU n                    udp ping
  -PM                      netmask request
  -PP                      timestamp request
  -PE                      echo request
  -sL                      list scan
  -PO                      protocol ping
  -PN                      no ping
  -n                       no DNS
  -R                       DNS resolution for all targets
  --traceroute             trace path to host (for topology map)
  -sP                      ping scan, same as -PP -PM -PS443 -PA80

Port scanning techniques
  -sS                      tcp syn scan
  -sT                      tcp connect scan
  -sU                      udp scan
  -sY                      sctp init scan
  -sZ                      sctp cookie echo
  -sO                      ip protocol
  -sW                      tcp window
  -sN -sF -sX              null, fin, xmas
  -sA                      tcp ack

Port specification and scan order
  -p n-m                   range
  -p-                      all ports
  -p n,m,z                 individual
  -p U:n-m,z T:n,m         U for udp, T for tcp
  -F                       fast, common 100
  --top-ports n            scan the highest-ratio ports
  -r                       don't randomize

Timing and performance
  -T0 paranoid  -T1 sneaky  -T2 polite
  -T3 normal  -T4 aggressive  -T5 insane
  --min-hostgroup --max-hostgroup
  --min-rate --max-rate
  --min-parallelism --max-parallelism
  --min-rtt-timeout --max-rtt-timeout --initial-rtt-timeout
  --max-retries --host-timeout --scan-delay

Service and version detection
  -sV                      version detection
  --all-ports              don't exclude ports
  --version-all            try every single probe
  --version-trace          trace version scan activity
  -O                       enable OS detection
  --fuzzy                  guess OS detection
  --max-os-tries           set the maximum number of tries against a target

Firewall/IDS evasion
  -f                       fragment packets
  -D d1,d2                 cloak scan with decoys
  -S ip                    spoof source address
  -g source                spoof source port
  --randomize-hosts        randomize host order
  --spoof-mac mac          change the source mac

Verbosity and debugging options
  -v                       increase verbosity level
  --reason                 host and port reason
  -d (1-9)                 set debugging level
  --packet-trace           trace packets

Interactive options
  v/V                      increase/decrease verbosity level
  d/D                      increase/decrease debugging level
  p/P                      turn on/off packet tracing

Miscellaneous options
  --resume file            resume aborted scan (from oN or oG output)
  -6                       enable ipv6 scanning
  -A                       aggressive, same as -O -sV -sC --traceroute

Scripts
  -sC                      perform scan with default scripts
  --script file            run script (or all)
  --script-args n=v        provide arguments
  --script-trace           print incoming and outgoing communication

Output
  -oN                      normal
  -oX                      xml
  -oG                      grepable
  -oA                      all outputs

Source: SecurityByDefault.com

Examples
  Quick scan:          nmap -T4 -F
  Fast scan (port 80): nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80
  Ping scan:           nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
  Slow comprehensive:  nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
  Quick traceroute:    nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute
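The grepable output format (-oG) listed above is the one a defender most often post-processes, for example to compare an authorised scan of their own network against an inventory of expected services. The following parser is an added example, not part of the cheat sheet; the scan output, hosts and the expected-service table are all constructed sample data, and the seven-field port entry layout (port/state/protocol/owner/service/rpcinfo/version/) is the format Nmap emits in grepable mode.

```python
import re
from collections import defaultdict

# Constructed sample of "nmap -sS -sV -oG -" output (not a real scan result).
SAMPLE_OG = """# Nmap 5.21 scan initiated as: nmap -sS -sV -oG - 192.0.2.0/29
Host: 192.0.2.10 (web01.example)\tStatus: Up
Host: 192.0.2.10 (web01.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2/, 3306/open/tcp//mysql//MySQL 5.1/, 25/filtered/tcp//smtp///\tIgnored State: closed (996)
Host: 192.0.2.11 (db01.example)\tStatus: Up
Host: 192.0.2.11 (db01.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 3306/open/tcp//mysql//MySQL 5.1/\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

# One grepable port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        # Only "Host:" lines carrying a "Ports:" field describe scan results.
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)


def unexpected_services(hosts, expected):
    """Flag open ports absent from the per-host allow-list of (port, proto)."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        allowed = expected.get(ip, set())
        for port, proto, service, _version in ports:
            if (port, proto) not in allowed:
                findings.append((ip, port, proto, service))
    return findings


# Constructed inventory of what each host is supposed to expose.
EXPECTED = {"192.0.2.10": {(22, "tcp"), (80, "tcp")},
            "192.0.2.11": {(22, "tcp"), (3306, "tcp")}}

if __name__ == "__main__":
    for finding in unexpected_services(parse_grepable(SAMPLE_OG), EXPECTED):
        print("unexpected open service:", finding)
```

With the sample data the script reports MySQL exposed on the web host, the kind of drift a scheduled -oG scan diffed against an inventory is meant to catch.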
