Ethical Hacking and Countermeasures Nmap Cheat Sheet

Nmap is a versatile security scanner used for network exploration and hacking, enabling users to discover hosts and services on a network. The document provides a comprehensive cheat sheet detailing Nmap commands, options, scan types, and techniques for effective network scanning. It also includes information on firewall evasion, OS detection, and performance tuning to optimize scanning processes.

Ethical Hacking and Countermeasures

Nmap Cheat Sheet


Certified Ethical Hacker

Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their specific needs.
Source: https://nmap.org

Syntax
  nmap [Scan Type...] [Options] {Target specification}

Contents: 1. Nmap Options   2. Nmap Port Scan types   3. Nmap Commands

1. Nmap Options

Target Specification
  Option (Switch/Syntax)                  Description / Example
  -iL <inputfilename>                     Input from list of hosts/networks
  -iR <num hosts>                         Choose random targets / scan random hosts: nmap -iR [number]
  --exclude <host1[,host2][,host3],...>   Exclude single or multiple hosts/networks
  --excludefile <exclude_file>            Exclude list from file

Host Discovery
  Option (Switch/Syntax)                  Description / Example
  -sL                                     List Scan - simply lists targets: nmap <Target IP>-3 -sL
  -sn                                     Ping Scan - disable port scan, only discover hosts: nmap <Target IP>/24 -sn
  -Pn                                     Treat all hosts as online -- skip host discovery: nmap <Target IP>-5 -Pn
  -PS/PA/PU/PY[portlist]                  TCP SYN/ACK, UDP or SCTP INIT discovery to given ports
  -PE/PP/PM                               ICMP echo, timestamp, and netmask request discovery probes
  -PP                                     Use ICMP timestamp request
  -PO[protocol list]                      IP Protocol Ping
  -PR                                     ARP ping (local network only)
  -n/-R                                   Never do DNS resolution / Always resolve [default: sometimes]: nmap -n <Target IP>; nmap -R <Target IP>
  --dns-servers <serv1[,serv2],...>       Specify custom DNS servers
  --system-dns                            Use the OS's DNS resolver
  --traceroute                            Trace hop path to each host
  --randomize-hosts                       Randomize target host order: nmap --randomize-hosts <Target IP>

Scan Techniques
  Option (Switch/Syntax)                  Description / Example
  -sS/sT/sA/sW/sM                         TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU                                     UDP scan: nmap -sU -v <Target IP>; nmap <Target IP> -sU
  -sN/sF/sX                               TCP Null, FIN, and Xmas scans
  -sA                                     TCP ACK scan
  --scanflags <flags>                     Customize TCP scan flags: nmap --scanflags=<value> -sA <Target IP>; nmap --scanflags <flags> <Target IP>
  -sP                                     Ping scan (older name for -sn): nmap -sP <Target IP>
  -sI <zombie host[:probeport]>           Idle zombie scan: nmap -sI zombie <Target IP>
  -sY/sZ                                  SCTP INIT / COOKIE-ECHO scans: nmap -sY -v <Target IP>; nmap -sZ -v <Target IP>
  -sO                                     IP protocol scan: nmap -sO <Target IP>
  -b <FTP relay host>                     FTP bounce scan
  --send-eth                              Send raw ethernet packets: nmap --send-eth <Target IP>
  --send-ip                               Send IP packets: nmap --send-ip <Target IP>

Port Specification and Scan Order
  Option (Switch/Syntax)                  Description / Example
  -p <port ranges>                        Only scan specified ports: nmap -p 1-100 <Target IP>; e.g. -p80,443 or -p1-65535
  -p<port1>-<port2>                       Port range
  -p<port1>,<port2>,...                   Port list
  -p <service name>                       Scan ports by service name (wildcards allowed in quotes): nmap -p ftp <Target IP>; nmap -p "http*" <Target IP>
  -p <protocol list>                      Port scan from specified service/protocol names: nmap -p smtp,https <Target IP>
  -pU:53,U:110,T:20-445                   Mix TCP and UDP ports
  -p-                                     Scan all ports 1-65535: nmap <Target IP> -p-
  -p-65535                                Leaving off the initial port in a range makes the scan start at port 1: nmap <Target IP> -p-65535
  -p0-                                    Leaving off the end port in a range makes Nmap scan through port 65535: nmap <Target IP> -p0-
  --top-ports <number>                    Scan <number> most common ports
  --port-ratio <ratio>                    Scan ports more common than <ratio>
  -F                                      Fast mode - scan fewer ports than the default scan (the 100 most common ports): nmap <Target IP> -F
  -r                                      Scan ports consecutively - do not randomize

Service/Version Detection
  Option (Switch/Syntax)                  Description / Example
  -sV                                     Probe open ports to determine service/version info: nmap <Target IP> -sV
  --version-intensity <level>             Set from 0 (light) to 9 (try all probes)
  --version-light                         Limit to most likely probes (intensity 2)
  --version-all                           Try every single probe (intensity 9)
  --version-trace                         Show detailed version scan activity (for debugging)

Script Scan
  Option (Switch/Syntax)                  Description / Example
  --script=<ScriptName>|<ScriptCategory>|<ScriptDir>...   Run individual or group of scripts
  --script=<Lua scripts>                  <Lua scripts> is a comma separated list of directories, script-files or script-categories
  --script-trace                          Show all data sent and received
  --script-updatedb                       Update the script database: nmap --script-updatedb
  --script-help "Lua scripts"             Show help about scripts

www.eccouncil.org/ceh Over 50% Of Professionals Received Promotions after C|EH



Firewall/IDS Evasion and Spoofing
  Option (Switch/Syntax)                  Description / Example
  -f; --mtu <val>                         Fragment packets (optionally with given MTU)
  -D <decoy1,decoy2[,ME],...>             Cloak a scan with decoys
  -S <IP_Address>                         Spoof source address
  -e <iface>                              Use specified interface
  -g/--source-port <portnum>              Use given source port number
  --data-length <num>                     Append random data to sent packets: nmap --data-length [size] <Target IP>
  --ip-options <options>                  Send packets with specified IP options
  --ttl <val>                             Set IP time-to-live field: nmap --ttl [value] <Target IP>
  --spoof-mac <mac address/prefix/vendor name>   Spoof your MAC address: nmap --spoof-mac [MAC|0|vendor] <Target IP>
  --badsum                                Send packets with a bogus TCP/UDP/SCTP checksum
  --proxies url1,[url2],...               Relay connections through HTTP/SOCKS4 proxies
  -sI <zombie host[:probeport]>           Idle zombie scan: nmap -sI zombie <Target IP>

OS Detection
  Option (Switch/Syntax)                  Description / Example
  -O                                      Enable OS detection / remote OS detection using TCP/IP stack fingerprinting: nmap -O <Target IP>
  --osscan-limit                          Limit OS detection to promising targets
  --osscan-guess                          Guess OS more aggressively
  --max-os-tries                          Set the maximum number x of OS detection tries against a target
  -6 -O                                   OS discovery using the IPv6 fingerprinting method: nmap -6 -O <Target IP>

Timing and Performance
  Option (Switch/Syntax)                  Description / Example
  -T<0-5>                                 Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>    Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>   Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>   Specifies probe round trip time
  --max-retries <tries>                   Caps number of port scan probe retransmissions
  --host-timeout <time>                   Give up on target after this long
  --scan-delay/--max-scan-delay <time>    Adjust delay between probes
  --min-rate <number>                     Send packets no slower than <number> per second
  --max-rate <number>                     Send packets no faster than <number> per second
  --defeat-rst-ratelimit                  Defeat reset rate limits: nmap --defeat-rst-ratelimit <Target IP>

Output
  Option (Switch/Syntax)                  Description / Example
  -oN/-oX/-oS/-oG <file>                  Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
  -oA <basename>                          Output in the three major formats at once
  -v                                      Increase verbosity level (use -vv or more for greater effect): nmap -v <Target IP>
  -d                                      Increase debugging level (use -dd or more for greater effect): nmap -d <Target IP>
  --reason                                Display the reason a port is in a particular state
  --open                                  Only show open (or possibly open) ports: nmap --open <Target IP>
  --packet-trace                          Show all packets sent and received: nmap --packet-trace <Target IP>
  --iflist                                Print host interfaces and routes (for debugging): nmap --iflist
  --log-errors                            Log errors/warnings to the normal-format output file
  --append-output                         Append to rather than clobber specified output files
  --resume <filename>                     Resume an aborted scan
  --stylesheet <path/URL>                 XSL stylesheet to transform XML output to HTML
  --webxml                                Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet                         Prevent associating of XSL stylesheet with XML output
  --stats-every [time]                    Periodically display statistics: nmap --stats-every [time] <Target IP>

Miscellaneous Options
  Option (Switch/Syntax)                  Description / Example
  -h                                      Nmap help screen: nmap -h
  -6                                      Enable IPv6 scanning (the -6 option in Zenmap): nmap -6 scanme.nmap.org; nmap -6 2607:f0d0:1002:51::4
  -A                                      Enables OS detection, version detection, script scanning, and traceroute; also known as Aggressive scan
  -n                                      Disable reverse IP address lookups
  --datadir <dirname>                     Specify custom Nmap data file location
  --send-eth/--send-ip                    Send using raw ethernet frames or IP packets
  --privileged                            Assume that the user is fully privileged
  --unprivileged                          Assume the user lacks raw socket privileges
  -V                                      Display Nmap version: nmap -V
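The port specification and the rate limits above combine into a simple sanity check before a large scan: how many probes will go out, and how long will --max-rate force them to take. The shell below is an added example, not part of the original cheat sheet. expand_ports follows Nmap's rule that a T:/U:/S: qualifier applies to every later token until the next qualifier; unqualified leading ports are assumed TCP here, which is a simplification (Nmap applies them to every requested scan protocol). min_scan_seconds is a floor, one probe per port per host divided by the --max-rate cap; retransmissions, host discovery and version probes only add to it.

```shell
#!/bin/sh
# expand_ports <spec>: print one "<proto> <port>" line per port in an nmap -p
# specification such as "U:53,T:21-25,80", "-" (1-65535) or "0-"; exits 2 on a
# token it does not understand (service names are not resolved here).
expand_ports() {
    printf '%s\n' "$1" | awk -F',' '
    {
        proto = "T"                        # assumption: unqualified ports are TCP
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok ~ /^[TUS]:/) { proto = substr(tok, 1, 1); tok = substr(tok, 3) }
            if (tok == "-")                      { lo = 1;   hi = 65535 }
            else if (tok ~ /^[0-9]+-[0-9]+$/)    { split(tok, r, "-"); lo = r[1]; hi = r[2] }
            else if (tok ~ /^[0-9]+-$/)          { lo = substr(tok, 1, length(tok) - 1); hi = 65535 }
            else if (tok ~ /^-[0-9]+$/)          { lo = 1;   hi = substr(tok, 2) }
            else if (tok ~ /^[0-9]+$/)           { lo = tok; hi = tok }
            else { print "bad port token: " tok > "/dev/stderr"; exit 2 }
            for (p = lo + 0; p <= hi + 0; p++) print proto, p
        }
    }'
}

# min_scan_seconds <spec> <hosts> <max-rate>: lower bound on wall time when
# --max-rate <max-rate> caps the scan, rounded up to whole seconds
min_scan_seconds() {
    ports=$(expand_ports "$1" | wc -l)
    awk -v n="$ports" -v h="$2" -v r="$3" 'BEGIN { printf "%d\n", (n * h + r - 1) / r }'
}

# Usage: a mixed TCP/UDP spec against a /24 at 100 packets per second
expand_ports 'U:53,T:21-25,80'
min_scan_seconds 'U:53,T:21-25,80' 254 100
# The same spec with "-p-" against one host at --max-rate 50 would take at
# least 65535 / 50 seconds, which is why a full port sweep is rarely
# combined with a polite rate cap.
```

Run it before committing to a timing template: if the floor already exceeds the window agreed with the client, trim the port list or split the hosts rather than raising --max-rate past what the target network tolerates.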


Port Selection
  Command                                               Description
  nmap -p- <Target IP>                                  Scan all ports
  nmap -p http,ftp <Target IP>                          Port scan from service name
  nmap -F <Target IP>                                   Fast port scan (100 ports)
  nmap --top-ports x <Target IP>                        Scan the top x ports
  nmap -p x <Target IP>                                 Scan for port x
  nmap -p 21-50 <Target IP>                             Port range
  nmap -p U:53,T:21-25,80 <Target IP>                   Scan multiple TCP and UDP ports
  nmap -sU -p 123,161,162 <Target IP>                   Scan UDP ports
  nmap -Pn -F <Target IP>                               Scan selected ports - ignore discovery
  nmap -f <Target IP>                                   Scan with fragmented IP packets
  nmap --mtu x <Target IP>                              Set own offset (MTU) size x

2. Nmap Port Scan types
  Command                                               Description
  nmap -sT <Target IP>                                  Connect scan (default without root privileges) / scan using TCP connect
  nmap -sS <Target IP>                                  Scan using TCP SYN scan (default with raw-socket privileges)
  nmap -sU <Target IP>                                  UDP scan
  nmap -sA <Target IP>                                  ACK scan
  nmap -sW <Target IP>                                  Window scan
  nmap -sM <Target IP>                                  Maimon scan
  nmap -sL <Target IP>                                  No scan, list targets only
  nmap -sL -v <Target IP>                               List scan (verbose)
  nmap -Pn <Target IP>                                  Disable host discovery, port scan every target
  nmap -PSx <Target IP>                                 SYN discovery on port x, port 80 by default
  nmap -PUx <Target IP>                                 UDP discovery on port x, port 40125 by default
  nmap -PAx <Target IP>                                 ACK discovery on port x, port 80 by default
  nmap -PR <Target IP>/24                               ARP discovery on local network
  nmap -n <Target IP>                                   Never do DNS resolution
  nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p <Port List> <Target IP>   Identify open ports and services one probe at a time (gentle on fragile devices)
  nmap -sV --version-intensity 5 <Target IP>            Aggressive service discovery
  nmap -sV --version-intensity 0 <Target IP>            Light banner grabbing
  nmap -sV --version-light <Target IP>                  Enable light mode, lower possibility of correctness
  nmap -sV --version-all <Target IP>                    Enable intensity level 9, higher possibility of correctness
  nmap -O --osscan-limit <Target IP>                    Limit OS detection to promising targets
  nmap -O --osscan-guess <Target IP>                    Guess OS detection results
  nmap -O --max-os-tries x <Target IP>                  Set maximum number of OS detection tries against a target
  nmap -sU -p 500 <Target IP>                           Check the status of ISAKMP over port 500

Industrial Control System (ICS) Device Scans
  Command                                               Description
  nmap -Pn -sT -p 1911,4911 --script fox-info <Target IP>     Scan Niagara Fox devices
  nmap -Pn -sT -p 20547 --script proconos-info <Target IP>    Scan ProConOS devices
  nmap -Pn -sT -p 9600 --script omron-info <Target IP>        Scan Omron PLC devices (TCP)
  nmap -Pn -sU -p 9600 --script omron-info <Target IP>        Scan Omron PLC devices (UDP)
  nmap -Pn -sT -p 1962 --script pcworx-info <Target IP>       Scan PCWorx devices
  nmap -Pn -sT -p 46824 <Target IP>                           Identify HMI systems
  nmap -Pn -sT -p 102 --script s7-info <Target IP>            Scan Siemens SIMATIC S7 PLCs
  nmap -Pn -sT -p 502 --script modbus-discover <Target IP>    Scan Modbus devices
  nmap -Pn -sU -p 47808 --script bacnet-info <Target IP>      Scan BACnet devices
  nmap -Pn -sU -p 44818 --script enip-info <Target IP>        Scan EtherNet/IP devices


3. Nmap Commands
  Command                                                       Description
  nmap -sX -v <Target IP>                                       Xmas scan
  nmap -sM -v <Target IP>                                       TCP Maimon scan
  nmap -sA -v <Target IP>                                       TCP ACK scan
  nmap -sT -v <Target IP>                                       TCP Connect / full open scan
  nmap -sS -v <Target IP>                                       Stealth scan (half-open scan)
  nmap --badsum <Target IP>                                     Send packets with bad checksums
  nmap --script smb-os-discovery.nse <Target IP>                OS discovery using the Nmap Script Engine
  nmap -p 1-65535 -T4 -A -v <Target IP>                         Perform intense scan on all TCP ports
  nmap -T4 -A -v <Target IP>                                    Perform intense scan
  nmap -T4 -A -v -Pn <Target IP>                                Perform intense scan with no ping
  nmap -T4 -A <Target IP/Subnet>                                Identify vulnerable services on service ports (RPC enumeration)
  nmap -sV -T4 -O -F --version-light <Target IP>                Perform quick scan plus
  nmap -sV -T4 -O -F --version-light scanme.nmap.org            Quick scan plus against scanme.nmap.org (listed for Wi-Fi vulnerability scanning on wireless networks)
  nmap -sn <Target IP>                                          Perform ping scan
  nmap -sn <Target IP/Subnet>                                   Disable port scanning, host discovery only
  nmap -sn -PR <Target IP>                                      ARP ping scan
  nmap -sn -PU <Target IP>                                      UDP ping scan
  nmap -sn -PE <Target IP>                                      ICMP ECHO ping scan
  nmap -sn -PE <IP range>                                       ICMP ECHO ping sweep
  nmap -sn -PP <Target IP>                                      ICMP timestamp ping scan
  nmap -sn -PM <Target IP>                                      ICMP address mask ping scan
  nmap -sn -PS <Target IP>                                      TCP SYN ping scan
  nmap -sn -PA <Target IP>                                      TCP ACK ping scan
  nmap -sn -PO <Target IP>                                      IP protocol ping scan
  nmap -iL list-of-ips.txt                                      Scan targets from a text file
  nmap -g 80 <Target IP>                                        Source port manipulation / use given source port number
  nmap -sS -T4 -A -f -v <Target IP>                             Packet fragmentation with a SYN scan
  nmap <Target IP> --data 0xdeadbeef                            Create custom packets by appending custom binary data
  nmap <Target IP> --data-string "ph34r my l33t skills"         Create custom packets by appending a custom string
  nmap <Target IP> --data-length 5                              Create custom packets by appending random data
  nmap -sU -p 500 <Target IP>                                   Check the status of ISAKMP over port 500
  nmap -sR <Target IP/network>                                  Identify the RPC service running on the network (-sR is now an alias for -sV)
  nmap -p 21 <Target Domain>                                    FTP enumeration
  nmap -p 23 <Target Domain>                                    Telnet enumeration
  nmap -p 23 --script telnet-ntlm-info <Target IP>              Enumerate information from remote Microsoft Telnet services with NTLM authentication
  nmap -p 23 --script telnet-brute.nse --script-args <args> <Target IP>   Perform a brute-force attack against a telnet server
  nmap -p 445 -A <Target IP>                                    Enumerate the SMB service running on the target IP address / SMB enumeration
  nmap --script=sniffer-detect [Target IP Address/Range]        Detect NICs in promiscuous mode
  nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <Target IP/network>   Scan for UDP DDoS reflectors
  nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <Target IP>     Perform a complete scan of an IoT device that checks both TCP and UDP services and ports
  nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <Target IP>  Identify the IPv6 capabilities of a device
  nmap -p <ports> <Target IP>                                   Identify IoT devices using insecure HTTP ports for transmitting data

Web Server and HTTP Script Commands
  Command                                                       Description
  nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org   Check if a web server is protected by a WAF/IPS
  nmap --script http-enum -p80 <host>                           Enumerate common web applications
  nmap -sV --script http-enum <Target IP>                       NSE scripts to enumerate information about the target website / web servers
  nmap -sV --script http-enum <Target domain>                   Analyze web applications: identify exposed files and directories of the target webserver
  nmap --script=http-enum <Target IP/Subnet>                    Find web apps from known paths
  nmap -p80 --script http-robots.txt <host>                     Obtain robots.txt
  nmap --script=asn-query,whois,ip-geolocation-maxmind <Target IP/Subnet>   IP address information
  nmap --script=http-title <Target IP/Subnet>                   Gather page titles from HTTP services
  nmap --script=http-headers <Target IP/Subnet>                 Get HTTP headers of web services
  nmap -T4 -A -v -PE -PS -PA <Target IP>                        Footprint web infrastructure: service discovery
  nmap -sV -O -p <Ports> <Target URL>                           Footprint web infrastructure: service and OS detection on the given ports
  nmap <Target IP> -p 80 --script=http-frontpage-login          Footprint web infrastructure: check FrontPage login
  nmap --script http-passwd --script-args http-passwd.root=<dir> <Target IP>   Test for directory traversal with http-passwd, starting from the given root path
  nmap --script http-trace -p80 localhost                       Detect a vulnerable server that allows the TRACE method
  nmap -p80 --script http-trace <host>                          Detect HTTP TRACE
  nmap --script http-google-email <host>                        Harvest email accounts with http-google-email
  nmap -p80 --script http-userdir-enum localhost                Enumerate users with http-userdir-enum
  nmap --script hostmap <host>                                  Discover virtual domains with hostmap


  Command                                                       Description
  nmap -iR 10 -sn --traceroute                                  Traceroute to random targets, no port scan
  nmap <Target IP>/24 -PR -sn -vv                               ARP discovery only on the local network, no port scan
  nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn                 Discovery only on the listed ports, no port scan
  nmap -sP <Target IP/Subnet>                                   Ping scans the network, listing machines that respond to ping (-sP is the older name for -sn)
  nmap -v -sS -A -T4 <Target IP>                                Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection, traceroute and scripts against target services
  nmap -v -sV -O -sS -T5 <Target IP>                            Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection
  nmap -p 69 <Target Domain>                                    Enumerate TFTP service running on the target domain
  nmap -p 179 <Target IP>                                       BGP enumeration
  nmap -sS -sU -T4 -A -v <Target IP>                            Perform intense scan including UDP
  nmap -sV -v -p 139,445 <Target IP/Subnet>                     Detect all exposed NetBIOS servers on the subnet
  nmap -sV -v --script nbstat.nse <Target IP>                   Nmap's nbstat NSE script retrieves the target's NetBIOS names and MAC addresses
  nmap -sU --script nbstat.nse -p 137 <Target IP>               Find target NetBIOS name
  nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <Target IP>   Check if NetBIOS servers are vulnerable to MS08-067 (unsafe=1 runs checks that can crash the target; newer Nmap releases replace this script with smb-vuln-ms08-067)
  nmap -Pn -p- -sI <zombie> <Target IP>                         Idle scan of the target through a zombie host
  nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000   Fast search for random web servers
  nmap -Pn --script=dns-brute xyz.com                           Brute force DNS hostnames (subdomain guessing)
  nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv <Target IP>   Safe SMB scripts to run
  nmap --script whois* <Target Domain>                          Whois query
  nmap -p80 --script http-unsafe-output-escaping <Target Website>   Detect cross-site scripting vulnerabilities
  nmap -p80 --script http-sql-injection <Target Website>        Check for SQL injection
  nmap -iL ip-addresses.txt                                     Scan a list of IP addresses
  nmap --data-length x <Target IP>                              Append random data to sent packets
  nmap -oN file.file --append-output <Target IP>                Append a scan to a previous scan file
  nmap --iflist                                                 Show the host interfaces and routes
  nmap -6 2607:f0d2:5664:51::5                                  Enable IPv6 scanning
  nmap -b <username>:<password>@<server>:<port> <Target>        FTP bounce scan; <server> is the name or IP address of a vulnerable FTP server
  nmap -T0 -b username:password@ftpserver.tld:21 victim.tld     Uses the username "username", the password "password", the FTP server "ftpserver.tld" and port 21 on that server to scan victim.tld
  nmap -T0 <Target IP>                                          Paranoid (0): intrusion detection system evasion
  nmap -T1 <Target IP>                                          Sneaky (1): intrusion detection system evasion
  nmap -T2 <Target IP>                                          Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
  nmap -T3 <Target IP>                                          Normal (3): default speed
  nmap -T4 <Target IP>                                          Aggressive (4): speeds up the scan; assumes you are on a reasonably fast and reliable network
  nmap -T5 <Target IP>                                          Insane (5): speeds up the scan; assumes you are on an extraordinarily fast network
  nmap -sU -sT -p U:[ports],T:[ports] <Target IP>               Scan ports by protocol
  nmap -sV --version-intensity 0 <Target IP>                    Lighter banner grabbing detection
  nmap -sV --version-intensity 5 <Target IP>                    More aggressive service detection
  nmap -sV <Target IP>                                          Attempts to determine the version of the service running / standard service detection (Service Version Discovery in Zenmap)
  nmap -sV --version-trace <Target IP>                          Troubleshooting version scans
  nmap --script [script.nse] <Target IP>                        Execute individual scripts
  nmap --script [expression] <Target IP>                        Execute multiple scripts
  nmap --script [category] <Target IP>                          Execute scripts by category
  nmap --script [category1,category2,...] <Target IP>           Execute multiple script categories
  nmap --script [script] --script-trace <Target IP>             Troubleshoot scripts
  nmap --script=ftp <Target IP>                                 Scan with a single script
  nmap --script=http* <Target IP>                               Scan with a wildcard script
  nmap --script=banner,http <Target IP>                         Scan with two scripts
  nmap --script "not intrusive" <Target IP>                     Run every script except those in the intrusive category
  nmap --script-help=ssl-heartbleed                             Get help for a script
  nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts>   Attempt to pull a zone file (AXFR) from a DNS server
  nmap --script http-robots.txt <hosts>                         Harvest robots.txt files from discovered web servers
  nmap --script smb-brute.nse -p445 <hosts>                     Attempt to determine valid username and password combinations via automated guessing
  nmap --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts>   Run a series of programs on the target machine, using credentials provided as script args
  nmap -sV -p 443 --script=ssl-heartbleed <Target IP/Subnet>    Detect the Heartbleed SSL vulnerability
  nmap -Pn --script=http-sitemap-generator xyz.com              HTTP site map generator
  nmap <Target IP>-50 -sL --dns-servers <Target IP>             Query the internal DNS for hosts, list targets only
  docker -H <docker host> run --network=host --rm marsmensch/nmap -ox <IP Range>   Use Nmap in a container to scan the host's internal network and identify running services
  ndiff [scan1.xml] [scan2.xml]                                 Comparison using Ndiff
  ndiff -v [scan1.xml] [scan2.xml]                              Ndiff verbose mode
  ndiff --xml [scan1.xml] [scan2.xml]                           Ndiff XML output mode
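Parsing and diffing grepable (-oG) output, which serves both the Output options table above and the ndiff entries here: an added example, not part of the original cheat sheet. The two SCAN_* strings are constructed -oG excerpts for illustration, not real scan results. port_states splits the tab-separated Ports: field (port/state/proto/owner/service/rpc/version), open_ports keeps the open ones, and port_diff reports ports newly open or no longer open between two runs, the change tracking ndiff performs on XML output. POSIX sh plus awk, sed and sort.

```shell
#!/bin/sh
# Constructed grepable output from two scans of the same host, a week apart.
SCAN_OLD=$(printf 'Host: 10.0.0.5 ()\tStatus: Up\nHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (996)\n')
SCAN_NEW=$(printf 'Host: 10.0.0.5 ()\tStatus: Up\nHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: closed (995)\n')

# port_states <gnmap-text>: "host proto port state" for every explicitly listed port
port_states() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); host = h[2]          # "Host: <ip> (<name>)"
            sub(/^Ports: /, "", $2)
            n = split($2, ports, /, /)
            for (i = 1; i <= n; i++) {              # port/state/proto/owner/service/rpc/version
                split(ports[i], f, "/")
                print host, f[3], f[1], f[2]
            }
        }'
}

# open_ports <gnmap-text>: "host proto port" for open ports only
open_ports() { port_states "$1" | awk '$4 == "open" { print $1, $2, $3 }'; }

# port_diff <old-gnmap> <new-gnmap>: "+ host proto port" for ports that became
# open, "- host proto port" for ports that are no longer open
port_diff() {
    {
        open_ports "$1" | sed 's/^/old /'
        open_ports "$2" | sed 's/^/new /'
    } | awk '
        NF == 4 && $1 == "old" { before[$2 " " $3 " " $4] = 1 }
        NF == 4 && $1 == "new" { after[$2 " " $3 " " $4]  = 1 }
        END {
            for (k in after)  if (!(k in before)) print "+", k
            for (k in before) if (!(k in after))  print "-", k
        }' | LC_ALL=C sort
}

# Usage: what changed on the host between the two scans
open_ports "$SCAN_NEW"
port_diff "$SCAN_OLD" "$SCAN_NEW"
```

A "+" line on a port that was never meant to be exposed (RDP on 3389 here) is the finding; the same functions work on a file written with -oG when its contents are passed in with "$(cat scan.gnmap)". For XML output, ndiff above does the same job with more detail (service versions and script results).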


Target Selection
  Command                                               Description
  nmap <Target IP>                                      Scan single IP
  nmap <Target IP> <Target IP>                          Scan specific IPs
  nmap <Target IP range>                                Scan a range of IPs
  nmap <Target Website>                                 Scan a host
  nmap <Target Domain>                                  Scan a domain
  nmap <Target IP/Subnet>                               Scan using CIDR notation
  nmap -iL file.txt                                     Scan targets using the given file
  nmap --exclude <Target IP> <Targets>                  Exclude the listed host(s) / specified IPs from the scan
  nmap -iR 50                                           Scan 50 random hosts

NSE Scripts
  Command                                               Description
  nmap -sC <Target IP>                                  Scan with default NSE scripts
  nmap --script=default <Target IP>                     Scan with default NSE scripts (same as -sC)
  nmap --script snmp-sysdescr --script-args snmpcommunity=admin <Target IP>   NSE script with arguments
  nmap --script-args-file=<filename> ...                Provide NSE script args in a file
  nmap -sV -sC <Target IP>                              Version detection plus the default (safe) scripts
  nmap -sV --script=smb* <Target IP>                    Scan with a set of scripts
  nmap -sV -p 443 --script=ssl-heartbleed.nse <Target IP>   Scan using a specific NSE script
