Target Specification

| Switch    |           Example             | Description |
|-----------|-------------------------------|-----------------------------|
|           | nmap 192.168.1.1              | Scan a single IP            |
|           | nmap 192.168.1.1 192.168.2.1  | Scan specific IPs           |
|           | nmap 192.168.1.1-254          | Scan a range                |
|           | nmap scanme.nmap.org          | Scan a domain               |
|           | nmap 192.168.1.0/24           | Scan using CIDR notation    |
| -iL       | nmap -iL targets.txt          | Scan targets from a file    |
| -iR       | nmap -iR 100                  | Scan 100 random hosts       |
| --exclude | nmap --exclude 192.168.1.1    | Exclude listed hosts        |

Scan Techniques

| Switch |           Example           | Description                                       |
|--------|-----------------------------|---------------------------------------------------|
| -sS    | nmap 192.168.1.1 -sS        | TCP SYN port scan (Default)                       |
| -sT    | nmap 192.168.1.1 -sT        | TCP connect port scan (Default without root)      |
| -sU    | nmap 192.168.1.1 -sU        | UDP port scan                                     |
| -sA    | nmap 192.168.1.1 -sA        | TCP ACK port scan                                 |
| -sW    | nmap 192.168.1.1 -sW        | TCP Window port scan                              |
| -sM    | nmap 192.168.1.1 -sM        | TCP Maimon port scan                              |

Host Discovery

| Switch |                Example                | Description                                       |
|--------|-----------------------------------------|---------------------------------------------------|
| -sL    | nmap 192.168.1.1-3 -sL                  | No Scan. List targets only                        |
| -sn    | nmap 192.168.1.1/24 -sn                 | Disable port scanning. Host discovery only.       |
| -Pn    | nmap 192.168.1.1-5 -Pn                  | Disable host discovery. Port scan only.           |
| -PS    | nmap 192.168.1.1-5 -PS22-25,80          | TCP SYN discovery on port x. Port 80 by default   |
| -PA    | nmap 192.168.1.1-5 -PA22-25,80          | TCP ACK discovery on port x. Port 80 by default   |
| -PU    | nmap 192.168.1.1-5 -PU53                | UDP discovery on port x. Port 40125 by default    |
| -PR    | nmap 192.168.1.1-1/24 -PR               | ARP discovery on local network                    |
| -n     | nmap 192.168.1.1 -n                     | Never do DNS resolution                           |

Port Specification

| Switch      |                Example                | Description                                       |
|-------------|-----------------------------------------|---------------------------------------------------|
| -p          | nmap 192.168.1.1 -p 21                  | Port scan for port x                              |
| -p          | nmap 192.168.1.1 -p 21-100              | Port range                                        |
| -p          | nmap 192.168.1.1 -p U:53,T:21-25,80     | Port scan multiple TCP and UDP ports              |
| -p-         | nmap 192.168.1.1 -p-                   | Port scan all ports                               |
| -p          | nmap 192.168.1.1 -p http,https          | Port scan from service name                       |
| -F          | nmap 192.168.1.1 -F                     | Fast port scan (100 ports)                        |
| --top-ports | nmap 192.168.1.1 --top-ports 2000       | Port scan the top x ports                         |
| -p-65535    | nmap 192.168.1.1 -p-65535               | Leaving off initial port starts scan at port 1    |
| -p0-        | nmap 192.168.1.1 -p0-                   | Leaving off end port scans through to port 65535  |

Service and Version Detection

| Switch                  |                Example                | Description                                       |
|-------------------------|-----------------------------------------|---------------------------------------------------|
| -sV                     | nmap 192.168.1.1 -sV                    | Attempts to determine the service version         |
| -sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity 0-9. Higher is more likely to match correctly, but slower |
| -sV --version-light     | nmap 192.168.1.1 -sV --version-light    | Intensity 2. Lower chance of a correct match, but faster |
| -sV --version-all       | nmap 192.168.1.1 -sV --version-all      | Intensity 9. Tries all probes. Slowest             |
| -A                      | nmap 192.168.1.1 -A                     | Enables OS/version detection, script scanning, traceroute |

OS Detection

| Switch            |                Example                | Description                                       |
|-------------------|-----------------------------------------|---------------------------------------------------|
| -O                | nmap 192.168.1.1 -O                     | Remote OS detection via TCP/IP fingerprinting     |
| -O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit      | Skips OS detection if no open/closed TCP ports    |
| -O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess      | Makes Nmap guess more aggressively                |
| -O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1    | Sets the max number of tries against a target     |
| -A                | nmap 192.168.1.1 -A                     | Enables OS/version detection, script scanning, traceroute |

Timing and Performance

| Switch        |          Example         | Description                                       |
|---------------|--------------------------|---------------------------------------------------|
| -T0 (Paranoid)| nmap 192.168.1.1 -T0     | Very slow, for IDS evasion                        |
| -T1 (Sneaky)  | nmap 192.168.1.1 -T1     | Slow, for IDS evasion                             |
| -T2 (Polite)  | nmap 192.168.1.1 -T2     | Slows down to use less bandwidth/resources        |
| -T3 (Normal)  | nmap 192.168.1.1 -T3     | Default speed                                     |
| -T4 (Aggressive)| nmap 192.168.1.1 -T4     | Assumes a fast network                            |
| -T5 (Insane)  | nmap 192.168.1.1 -T5     | Assumes an extraordinarily fast network           |
| --host-timeout| nmap ... --host-timeout 2h | Give up on target after a set time              |
| --scan-delay  | nmap ... --scan-delay 20ms | Adjust delay between probes                     |
| --max-retries | nmap ... --max-retries 3   | Max number of port scan probe retransmissions     |
| --min-rate    | nmap ... --min-rate 100    | Send packets no slower than X per second          |
| --max-rate    | nmap ... --max-rate 100    | Send packets no faster than X per second          |

NSE Scripts

| Switch         |                  Example                 | Description                                       |
|----------------|------------------------------------------|---------------------------------------------------|
| -sC            | nmap 192.168.1.1 -sC                     | Scan with default scripts (safe)                  |
| --script=default | nmap 192.168.1.1 --script=default        | Same as -sC                                       |
| --script       | nmap 192.168.1.1 --script=banner         | Scan with a single script                         |
| --script       | nmap 192.168.1.1 --script=http* | Scan with a wildcard (e.g., all http scripts)     |
| --script       | nmap 192.168.1.1 --script=http,banner    | Scan with multiple scripts                        |
| --script       | nmap 192.168.1.1 --script "not intrusive"| Run every script not in the intrusive category    |
| --script-args  | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | Provide arguments to scripts |

Useful NSE Script Examples

```bash
# HTTP sitemap generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org

# Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

# Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com

# Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* 192.168.1.1

# Whois query
nmap --script whois* domain.com

# Detect cross site scripting vulnerabilities
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org

# Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org
```

Firewall / IDS Evasion and Spoofing

| Switch        |                             Example                            | Description                                       |
|---------------|----------------------------------------------------------------|---------------------------------------------------|
| -f            | nmap 192.168.1.1 -f                                            | Use tiny fragmented IP packets                    |
| --mtu         | nmap 192.168.1.1 --mtu 32                                      | Set your own offset size                          |
| -D            | nmap -D 192.168.1.101,192.168.1.102,ME 192.168.1.1             | Send scans from spoofed decoy IPs                 |
| -S            | nmap -S www.microsoft.com www.facebook.com                     | Scan Facebook from Microsoft's IP                 |
| -g            | nmap -g 53 192.168.1.1                                         | Use given source port number                      |
| --proxies     | nmap --proxies http://1.1.1.1:8080 192.168.1.1                 | Relay connections through HTTP/SOCKS4 proxies     |
| --data-length | nmap --data-length 200 192.168.1.1                             | Appends random data to sent packets               |

Example IDS Evasion command

```bash
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
```

Output

| Switch          |              Example             | Description                                       |
|-----------------|----------------------------------|---------------------------------------------------|
| -oN             | nmap 192.168.1.1 -oN normal.file | Normal output to file                             |
| -oX             | nmap 192.168.1.1 -oX xml.file    | XML output to file                                |
| -oG             | nmap 192.168.1.1 -oG grep.file   | Grepable output to file                           |
| -oA             | nmap 192.168.1.1 -oA results     | Output in the three major formats at once         |
| -oG -           | nmap 192.168.1.1 -oG -           | Grepable output to screen                         |
| --append-output | nmap ... -oN file --append-output| Append a scan to a previous scan file           |
| -v / -vv        | nmap 192.168.1.1 -v              | Increase the verbosity level                      |
| -d / -dd        | nmap 192.168.1.1 -d              | Increase debugging level                          |
| --reason        | nmap 192.168.1.1 --reason        | Display the reason a port is in a certain state |
| --open          | nmap 192.168.1.1 --open          | Only show open (or possibly open) ports         |
| --packet-trace  | nmap ... --packet-trace          | Show all packets sent and received                |
| --iflist        | nmap --iflist                    | Shows the host interfaces and routes              |
| --resume        | nmap --resume results.file       | Resume a scan                                     |

Helpful Nmap Output examples

```bash
# Scan for web servers and grep to show IPs running them
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open

# Generate a list of the IPs of live hosts (XML copy kept in out.xml)
nmap -iR 10 -n -oX out.xml | grep "Nmap scan report for" | cut -d " " -f5 > live-hosts.txt

# Compare output from nmap using ndiff
ndiff scan1.xml scan2.xml

# Convert nmap xml files to html files
xsltproc nmap.xml -o nmap.html

# Reverse sorted list of how often ports turn up
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
```
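The grepable (`-oG`) format used in the first example above is tab-separated, with one `Host:` line per target and a `Ports:` field whose entries are `port/state/protocol/owner/service/rpcinfo/version`. The following is an added example, not part of the cheat sheet: a small Python parser for that format, plus a baseline-versus-current comparison that reports ports which are open now but were not open before, the same question `ndiff` answers for XML output. The two scan outputs are constructed sample data with made-up hosts and services; the function names are my own.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample -oG output for two scans of the same subnet (not real scan data).
BASELINE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -sV -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (65533)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain//, 22/filtered/tcp//ssh///\tIgnored State: closed (65533)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

CURRENT = """\
# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -p- -sV -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain//\tIgnored State: closed (65534)
Host: 192.168.1.30 ()\tStatus: Up
Host: 192.168.1.30 ()\tPorts: 8080/open/tcp//http-proxy//\tIgnored State: closed (65534)
# Nmap done at Tue Jan  2 10:05:00 2024 -- 256 IP addresses (3 hosts up) scanned in 300.00 seconds
"""

Port = Tuple[int, str]                       # (port number, protocol)
PortInfo = Tuple[str, str, str]              # (state, service, version)
Inventory = Dict[str, Dict[Port, PortInfo]]  # ip -> port -> info


def parse_grepable(text: str) -> Inventory:
    """Parse nmap -oG output into {ip: {(port, proto): (state, service, version)}}."""
    inv: Inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' banner and footer lines carry no host data
        fields = line.split("\t")
        m = re.match(r"Host:\s+(\S+)", fields[0])
        if not m:
            continue
        host = inv.setdefault(m.group(1), {})  # Status-only lines still register the host
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed entry; skip rather than crash on odd output
                port, state, proto, _owner, service = parts[:5]
                version = parts[6] if len(parts) > 6 else ""
                host[(int(port), proto)] = (state, service, version)
    return inv


def open_ports(inv: Inventory, ip: str) -> Set[Port]:
    """Ports reported 'open' for one host (filtered/closed are excluded)."""
    return {p for p, (state, _svc, _ver) in inv.get(ip, {}).items() if state == "open"}


def new_open_ports(baseline: Inventory, current: Inventory) -> Dict[str, Set[Port]]:
    """Ports open in the current scan that were not open in the baseline.

    Hosts absent from the baseline count as entirely new exposure.
    """
    delta: Dict[str, Set[Port]] = {}
    for ip in current:
        added = open_ports(current, ip) - open_ports(baseline, ip)
        if added:
            delta[ip] = added
    return delta


def report(delta: Dict[str, Set[Port]]) -> str:
    lines = []
    for ip in sorted(delta):
        ports = ", ".join(f"{p}/{proto}" for p, proto in sorted(delta[ip]))
        lines.append(f"{ip}: newly open {ports}")
    return "\n".join(lines) if lines else "no new open ports"


if __name__ == "__main__":
    print(report(new_open_ports(parse_grepable(BASELINE), parse_grepable(CURRENT))))
```

Run against real files, replace the two constants with the contents of `nmap ... -oG baseline.gnmap` and a later `-oG current.gnmap`; the comparison ignores filtered and closed ports, so a port that moves from filtered to open is reported while one that moves from open to closed is not.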

Miscellaneous Options

| Switch |           Example           | Description          |
|--------|-----------------------------|----------------------|
| -6     | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning |
| -h     | nmap -h                     | nmap help screen     |

Other Useful Nmap Commands

| Command                                         | Description                                       |
|-------------------------------------------------|---------------------------------------------------|
| nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn    | Discovery only on ports x, no port scan           |
| nmap 192.168.1.1-1/24 -PR -sn -vv               | Arp discovery only on local network, no port scan |
| nmap -iR 10 -sn --traceroute                    | Traceroute to random targets, no port scan        |
| nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 | Query the Internal DNS for hosts, list targets only |