Ethical Hacking and Countermeasures Nmap Cheat Sheet
Certified Ethical Hacker

Nmap
Nmap is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. It sends specially crafted packets to the target host and then analyzes the responses to accomplish its goal. Either a network administrator or an attacker can use this tool for their specific needs.
Source: https://nmap.org
Host Discovery (continued)
Option                                Description
-PP                                   Use ICMP timestamp request
-PO[protocol list]                    IP Protocol Ping
-n/-R                                 Never do DNS resolution/Always resolve [default: sometimes]. Examples: nmap -n <Target IP>; nmap -R <Target IP>
--dns-servers <serv1[,serv2],...>     Immediate mode, display things as we find them
--system-dns                          A string representing the intended sequence ignorance level
--traceroute                          Path to a file where flat text will be dumped that normally would go to the users terminal
-PR                                   Numeric value representing the number of seconds to wait before declaring the scan over

Port Specification and Scan Order
Option                                Description
-p <port ranges>                      Only scan specified range ports, e.g. -p80,443 or -p1-65535. Example: nmap -p 1-100 <Target IP>
-p-                                   Port scans all 1-65535 ports. Example: nmap <Target IP> -p-
-p <protocol>                         Port scan from specified protocols. Example: nmap -p smtp,https <Target IP>
-F                                    Fast mode - Scan less ports than the default scan (scan 100 most common ports). Example: nmap <Target IP> -F
-r                                    Scan ports consecutively - do not randomize
--randomize-hosts                     Randomize target host order. Example: nmap --randomize-hosts <Target IP>
-p<port1>,<port2>,...                 Port list

Script Scan
Option                                Description
--script=<ScriptName>|<ScriptCategory>|<ScriptDir>...   Run individual or group of scripts
--script=<Lua scripts>                <Lua scripts> is a comma separated list of directories, script-files or script-categories
--script-trace                        Show all data sent and received
--script-updatedb                     Update the script database. Example: nmap --script-updatedb
--script-help "Lua scripts"           Show help about scripts
Timing and Performance
Option                                                        Description
-T<0-5>                                                       Set timing template (higher is faster)
--ttl [time]                                                  Set the packet TTL. Example: nmap --ttl [time] <Target IP>
--min-hostgroup/max-hostgroup <size>                          Parallel host scan group sizes. Example: nmap <Target IP>/24 -sn
--min-parallelism/max-parallelism <numprobes>                 Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>  Specifies probe round trip time
--max-retries <tries>                                         Caps number of port scan probe retransmissions
--host-timeout <time>                                         Give up on target after this long
--scan-delay/--max-scan-delay <time>                          Adjust delay between probes
--min-rate <number>                                           Send packets no slower than <number> per second
--max-rate <number>                                           Send packets no faster than <number> per second
--defeat-rst-ratelimit                                        Defeat reset rate limits. Example: nmap --defeat-rst-ratelimit <Target IP>

OUTPUT
Option                                Description
-oN/-oX/-oS/-oG <file>                Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
-oA <basename>                        Output in the three major formats at once
-v                                    Increase verbosity level (use -vv or more for greater effect). Example: nmap -v <Target IP>
-d                                    Increase debugging level (use -dd or more for greater effect). Example: nmap -d <Target IPs>
--reason                              Display the reason a port is in a particular state
--open                                Only show open (or possibly open) ports. Example: nmap --open <Target IP>
--packet-trace                        Show all packets sent and received. Example: nmap --packet-trace <Target IP>
--iflist                              Print host interfaces and routes (for debugging). Example: nmap --iflist
--log-errors                          Log errors/warnings to the normal-format output file
--append-output                       Append to rather than clobber specified output files
--resume <filename>                   Resume an aborted scan

Misc
Option                                Description
--datadir <dirname>                   Specify custom Nmap data file location
--send-eth/--send-ip                  Send using raw ethernet frames or IP packets
--privileged                          Assume that the user is fully privileged
--unprivileged                        Assume the user lacks raw socket privileges
-V                                    Display Nmap version. Example: nmap -V
www.eccouncil.org/ceh 97% Of Professionals Stated That Skills Acquired in C|EH Helped Safeguard Their Organizations 02
Command                                                                       Description
nmap -sL <Target IP>                                                          No Scan, list targets only
nmap -sL -v <Target IP>                                                       List scan
nmap -Pn <Target IP>                                                          Disable host discovery, port scanning
nmap -PSx <Target IP>                                                         SYN Discovery on port x, port 80 by default
nmap -PUx <Target IP>                                                         UDP discovery on port x, port 40125 by default
nmap -PAx <Target IP>                                                         ACK discovery on port x, port 80 by default
nmap -p 21-50 <Target IP>                                                     Port Range
nmap -p U:53,T:21-25,80                                                       Scan multiple TCP and UDP ports
nmap -O --osscan-guess <Target IP>                                            Guess OS detection results
nmap -O --max-os-tries x <Target IP>                                          Set maximum number of OS detection tries against a target
nmap -sU -p 123,161,162 <Target IP>                                           Scan UDP ports
nmap -Pn -F <Target IP>                                                       Scan selected ports - ignore discovery
nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p <Port List> <Target IP>   Identify open ports and services
nmap -Pn -sT -p 46824 <Target IP>                                             Identify HMI systems
nmap -Pn -sU -p 47808 --script bacnet-info <Target IP>                        Scan BACnet Devices
nmap -Pn -sU -p 44818 --script enip-info <Target IP>                          Scan Ethernet/IP Devices
Command                                                          Description
nmap <Target IP> --data-length 5                                 Create Custom Packets by Appending Random Data
nmap -sn -PM <Target IP>                                         ICMP Address Mask Ping Scan
nmap -sU -p 500 <Target IP>                                      Perform a check on the status of ISAKMP over port 500
nmap -sn -PS <Target IP>                                         TCP SYN Ping Scan
nmap -sn -PA <Target IP>                                         TCP ACK Ping Scan
nmap -sn -PO <Target IP>                                         IP Protocol Ping Scan
nmap --script http-trace -p80 localhost                          Detect a vulnerable server that uses the TRACE method
nmap -sT -v <Target IP>                                          TCP Connect/ Full Open Scan
nmap --script http-google-email <host>                           Harvest email accounts with http-google-email
nmap -sS -v <Target IP>                                          Stealth Scan (Half-open Scan)
nmap -p80 --script http-userdir-enum localhost                   Enumerate users with http-userdir-enum
nmap -p80 --script http-trace <host>                             Detect HTTP TRACE
nmap -T4 -A -v <Target IP>                                       Perform intense scan
nmap -T4 -A <Target IP/Subnet>                                   Identify vulnerable services on service ports by using RPC enumeration
nmap -p 23 <Target Domain>                                       Telnet Enumeration
nmap -sR <Target IP/network>                                     Identify the RPC service running on the network
nmap -p 23 --script telnet-ntlm-info <Target IP>                 Enumerate information from remote Microsoft Telnet services with NTLM authentication
nmap --script hostmap <host>                                     Discover virtual domains with hostmap enabled
nmap -p 23 --script telnet-brute.nse --script-args               Perform brute-force attack against telnet server
nmap -p 445 -A <Target IP>                                       Enumerate SMB service running on the target IP address/ SMB Enumeration
nmap -p 21 <Target Domain>                                       FTP Enumeration
Syntax
nmap [Scan Type...] [Options] {Target specification}
1. Nmap Options
2. Nmap Port Scan types
3. Nmap Commands

Command                                                                   Description
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000     Fast search for random web servers
nmap -iR 10 -sn --traceroute                                              Traceroute to random targets, no port scan
nmap <Target IP>-1/24 -PR -sn -vv                                         Arp discovery only on local network, no port scan
nmap -Pn --script=dns-brute xyz.com                                       Brute forces DNS hostnames guessing subdomain
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn                             Discovery only on ports x, no port scan
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-          Safe SMB scripts to run
NSE Scripts
Command                               Description
nmap -sV -sC <Target IP>              Scan using default safe scripts