Scribd
Upload
116 views3 pages

Vuln Web

Init

Uploaded by

sandra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
116 views3 pages

Vuln Web

Init

Uploaded by

sandra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 3

https://scadahacker.

com/library/Documents/Cheat_Sheets/Hacking%20-%20NMap%20Quick
%20Reference%20Guide.pdf

Professor Messer’’s Quick Reference Guide to


NMAP
########### ### ##########################
PING OPTIONS
SCAN OPTION SUMMARY
Command Requires Scan Name Syntax Privileged
Access
Identifies TCP Ports
Identifies UDP Ports
TCP SYN Scan -sS YES YES NO
TCP connect() Scan -sT NO YES NO
FIN Stealth Scan -sF YES YES NO
Xmas Tree Stealth Scan -sX YES YES NO
Null Stealth Scan -sN YES YES NO
Ping Scan -sP NO NO NO
Version Detection -sV NO NO NO
UDP Scan -sU YES NO YES
IP Protocol Scan -sO YES NO NO
ACK Scan -sA YES YES NO
Window Scan -sW YES YES NO
RPC Scan -sR NO NO NO
List Scan -sL NO NO NO
Idlescan -sI YES YES NO
FTP Bounce Attack -b NO YES NO
ICMP Echo Request Ping -PE, -PI
TCP ACK Ping -PA[portlist], -PT[portlist]
TCP SYN Ping -PS[portlist]
UDP Ping -PU[portlist]
ICMP Timestamp Ping -PP
ICMP Address Mask Ping -PM
Don’’t Ping -P0, -PN, -PD
Require Reverse -R
Disable Reverse DNS -n
Specify DNS Servers --dns-servers
Verbose Mode --verbose, -v
Version Trace --version-trace
Packet Trace --packet-trace
Debug Mode --debug, -d
Interactive Mode --interactive
Noninteractive Mode --noninteractive
HOST AND PORT OPTIONS
REAL-TIME INFORMATION OPTIONS
OPERATING SYSTEM FINGERPRINTING
VERSION DETECTION
RUN-TIME INTERACTIONS
LOGGING OPTIONS
MISCELLANEOUS OPTIONS
OS Fingerprinting -O
Limit System Scanning --osscan-limit
More Guessing Flexibility --osscan-guess, --fuzzy
Additional, Advanced, and Aggressive -A
Exclude Targets --exclude <host1 [,host2],...>
Exclude Targets in File --excludefile <exclude_file>
Read Targets from File -iL <inputfilename>
Pick Random Numbers for Targets -iR <num_hosts>
Randomize Hosts --randomize_hosts, -rH
No Random Ports -r
Source Port --source-port <portnumber>
Specify Protocol or Port Numbers -p <port_range>
Fast Scan Mode -F
Create Decoys -D <decoy1 [,decoy2][,ME],...>
Source Address -S <IP_address>
Interface -e <interface>
List Interfaces --iflist
Version Scan -sV
Don’’t Exclude Any Ports --allports
Set Version Intensity --version-intensity
Enable Version Scanning Light --version-light
Enable Version Scan All --version-all
Display Run-Time Help
?
Increase / Decrease Verbosity
v/V
Increase / Decrease Debugging
d/D
Increase / Decrease Packet Tracing
p/P
Any Other Key
Print Status
TUNING AND TIMING OPTIONS
Time to Live
--ttl
Use Fragmented IP Packets
-f, -ff
Maximum Transmission Unit
--mtu <databytes>
Data Length
--data-length <databytes>
Host Timeout
--host-timeout <milliseconds>
Initial Round Trip Timeout
--initial-rtt-timeout <milliseconds>
Minimum Round Trip Timeout
--min-rtt-timeout <milliseconds>
Maximum Round Trip Timeout
--max-rtt-timeout <milliseconds>
Maximum Parallel Hosts per Scan
--max-hostgroup <number>
Quick Reference Screen
--help, -h
Minimum Parallel Hosts per Scan
--min-hostgroup <number>
Nmap Version
--version, -V
Maximum Parallel Port Scans
--max-parallelism <number>
Data Directory
--datadir <directory_name>
Quash Argument Vector
-q
Minimum Parallel Port Scans
--min-parallelism <number>
Define Custom Scan Flags
--scanflags <flagval>
Minimum Delay Between Probes
--scan-delay <milliseconds>
(Uriel) Maimon Scan
-sM
Maximum Delay Between Probes
--max-scan-delay
IPv6 Support
-6
Timing Policies
--timing, -T<0|1|2|3|4|5>
Send Bad TCP or UDP Checksum
--badsum
SNC-201 Copyright © 2007 Professor Messer, LLC, All Rights Reserved
Normal Format -oN <logfilename>
XML Format -oX <logfilename>
Grepable Format -oG <logfilename>
All Formats -oA <basefilename>
Script Kiddie Format -oS <logfilename>
Resume Scan --resume <logfilename>
Append Output --append-output
http://www.ProfessorMesser.com

TCP SYN SCAN (-sS)


########### ### ##########################
TCP connect() SCAN (-sT) TCP FIN SCAN (-sF)
Professor Messer’’s Quick Reference Guide to
NMAP Identifying Open Ports with Nmap
TCP XMAS TREE SCAN (-sX) TCP NULL SCAN (-sN) TCP PING SCAN (-sP)
VERSION DETECTION SCAN (-sV) UDP SCAN (-sU) IP PROTOCOL SCAN (-sO)
Version scan identifies open ports with a TCP SYN scan...
...and then queries the port with a customized signature.
TCP ACK SCAN (-sA) TCP WINDOW SCAN (-sW)
IDLESCAN (-sI <zombie host:[probeport]>)
Step 1: Nmap sends a SYN/ACK to the zombie workstation to induce a RST in return.
This RST frame contains the initial IPID that nmap will remember for later.
Step 2: Nmap sends a SYN frame to the destination address, but nmap spoofs the IP
address to make it seem as if the SYN frame was sent from the zombie workstation.
Step 3: Nmap repeats the original SYN/ACK probe of the zom- bie station. If the
IPID has incremented, then the port that was spoofed in the original SYN frame is
open on the destination device.
FTP BOUNCE ATTACK (-b <ftp_relay_host>)
A closed port will result with the FTP server informing the source station that
the FTP server can’’t build the connection.
An open port completes the transfer over the specified connection.
http://www.ProfessorMesser.com SNC-201 Copyright © 2007 Professor Messer, LLC, All
Rights Reserved

You might also like