Nmap Commands Cheat Sheet: A Comprehensive Guide to Network Scanning, Cheat Sheet of Computer Networks

Nmap commands with descriptions on Nmap scan types Reference, Nmap Scripting Engine, Nmap output Reference

Typology: Cheat Sheet

2020/2021

Uploaded on 04/26/2021

ekani
Nmap Commands Cheat Sheet
Nmap scan types Reference
TCP connect() Scan [-sT] - full three-way handshake
- very effective, provides a clear picture of the ports you can and cannot access
- may trigger warning on FW, IPS or IDS
- uses a system call connect() to begin a TCP connection to target.
  a. Success - connection made
  b. Fail - connection could not be made (system is offline, port closed, or error occurred)
[-sS] SYN Stealth Scan - sends SYN, waits for SYN/ACK, then sends RST to tear down the connection before it is fully established
Response:
- SYN/ACK - port OPEN
- RST - port CLOSED
- No response - FILTERED (requires further probing - subject to FW rules)
Note: SYN scan can be detected - use “timing options” to hide your activity
[-sF, -sN, -sX] FIN, Null and Xmas Tree Scan - TCP header flags set, useful for IDS and FW detection evasion - never makes even part of a connection. Can be used to detect the OS running.
Response:
- CLOSED port - responds with an RST upon receiving packets
- OPEN port - drops incoming packets (it’s listening for packets with SYN set).
-sF - FIN scan sends a packet with only the FIN flag set,
-sX - Xmas Tree scan sets the FIN, URG and PUSH flags,
-sN - Null scan sends a packet with no flags switched on.
Note: TCP/IP implementation following RFC 793 required.
Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports.
OS Detection - when run alongside a SYN scan
- MS Windows system - if the SYN scan shows open ports and the FIN/NULL/XMAS scan does not, chances are you’re looking at a Windows box
[-sP] Ping Scan - lists the hosts within the specified range that responded to a ping - detects computers online, rather than ports open.
Methods:
1. ICMP ECHO REQUEST (ping request) packet sent to the destination system.
   a. ICMP ECHO REPLY received - system is up, ICMP packets are NOT blocked
   b. no response - Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or host is really not online
2. TCP Ping - sends either a SYN or an ACK packet to any port (80 is the default) on the remote system.
   a. RST or SYN/ACK received - system is online
   b. No response - system is offline, or the chosen port is filtered (not responding to anything)
3. Ping scan as root - the default is to use the ICMP and ACK methods.
4. Ping scan as a non-root user uses the connect() method, which attempts to connect to a machine, waits for a response, and tears down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but establishes a full TCP connection!)
[-P0] - disable the ping (host discovery) step
[-sU] UDP Scan - sends 0-byte UDP packets to each target port on the victim.
   a. ICMP Port Unreachable message received - port is closed,
   b. Otherwise - port is assumed open.
[-sI] Idle Scanning - advanced, highly stealthy technique. No packet sent to the target can be identified as originating from the scanning machine. A zombie host (and optionally port) must be specified for this scan type.
Read more: http://www.insecure.org/nmap/idlescan.html
[-sA] ACK Scan - used to map firewall rule sets, distinguish stateful/stateless firewalls.
Response:
   a. RST - "unfiltered" (that is, it was allowed to send its RST through whatever firewall was in place).
   b. No response - "filtered" (firewall prevented the RST coming back from the port).
- stateless firewall - blocks incoming SYN packets (an unsolicited ACK passes through, so the RST comes back)
- stateful firewall - tracks connections and blocks unsolicited ACK packets
Note: ACK scan will NEVER show ports in the "open" state - always use in conjunction with another scan type
[-sW] TCP Window scan - similar to the ACK scan, can sometimes detect open ports as well as filtered/unfiltered ports due to anomalies in TCP Window size reporting by some operating systems.
[-sR] RPC Scan - used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program and version numbers are running on it. Decoys are not supported with RPC scans.
[-sL] List scan - prints a list of IPs and names WITHOUT actually pinging or scanning the hosts. DNS resolution will be used; disable it using the -n option.
[-sV] enables version detection - determines service/version info - critical in determining an entry point for an attack
[-O] enables OS fingerprinting
[-A] enables OS fingerprinting and version detection, script scanning and traceroute (an advanced feature added in newer releases). Version detection details: http://www.insecure.org/nmap/vscan/
Nmap output Reference
[-oN <filename>] standard Nmap format
[-oX <filename>] XML format
[-oG <filename>] Greppable format
[-oA <basename>] all outputs using basename
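The greppable (-oG) format above is the one most often post-processed by hand, and a defender's typical use is to compare a new scan against a baseline to catch services that have appeared since. The following is an added example, not code from the cheat sheet or from the Nmap project: it parses the tab-separated "Host:" lines of -oG output (the port field layout port/state/protocol/owner/service/rpcinfo/version/ is Nmap's own) and reports ports that are open now but were not in the baseline. The two sample outputs are constructed for illustration, not captured from real scans.

```python
# Added example (not part of the cheat sheet): parse Nmap greppable (-oG)
# output and diff two scans to list newly opened ports.

# Constructed -oG output of a baseline scan (tab-separated fields per host).
BASELINE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Constructed -oG output of a later scan of the same range.
CURRENT_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 8888/open/tcp//sun-answerbook///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}}.

    Each 'Host:' line carries tab-separated 'Key: value' fields; the 'Ports'
    field is a comma-separated list of
    port/state/protocol/owner/service/rpcinfo/version/ entries.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines and blank lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        ports = hosts.setdefault(host, {})  # 'Status: Up' lines still register the host
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # empty field or malformed entry
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            ports[(int(port), proto)] = (state, service, version)
    return hosts


def open_ports(hosts):
    """(host, port, proto) triples reported as open or open|filtered."""
    return {(h, port, proto)
            for h, ports in hosts.items()
            for (port, proto), (state, _svc, _ver) in ports.items()
            if state.startswith("open")}


def new_exposures(baseline_text, current_text):
    """Ports open in the current scan that were not open in the baseline."""
    before = open_ports(parse_gnmap(baseline_text))
    after = open_ports(parse_gnmap(current_text))
    return sorted(after - before)


if __name__ == "__main__":
    for host, port, proto in new_exposures(BASELINE_GNMAP, CURRENT_GNMAP):
        print(f"NEW: {host} {port}/{proto}")
```

Run against the two constructed samples, the script reports 161/udp and 3389/tcp on 192.0.2.11 and 8888/tcp on a host that was not in the baseline at all. UDP ports reported as open|filtered are counted as open here, since the cheat sheet's own rule for -sU is that anything without an ICMP Port Unreachable is assumed open; whether to treat those as findings is a judgement call the caller can make by filtering on the state string.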
Nmap Timing options
[-T0] Paranoid: Very slow, used for IDS evasion
[-T1] Sneaky: Quite slow, used for IDS evasion
[-T2] Polite: Slows down to consume less bandwidth, runs ~10 times
slower than default
[-T3] Normal: Default, a dynamic timing model based on target
responsiveness
[-T4] Aggressive: Assumes a fast and reliable network and may
overwhelm targets
[-T5] Insane: Very aggressive; will likely overwhelm targets or miss open
ports
Nmap Scripting Engine
Default location of scripts available:
[-sC] Run default scripts
--script-updatedb Update script database
--script <filename>|<category>|<directory>|<expression>[,...] Run individual or groups of scripts
--script-args=<Name1=Value1,...> Use the list of script arguments
Referring to scripts from script.db - use of wildcards and expressions:
--script "http-*"
--script "not intrusive"
--script "default or safe" - same as nmap --script "default,safe"
--script "default and safe"
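The --script expressions listed above are resolved against script.db, where every script is recorded with its categories. The block below is an added example, not code from the cheat sheet or from the Nmap project: it is a simplified model of that selection, evaluating wildcard names and the and/or/not operators (with a comma treated as "or", matching the "default,safe" equivalence noted above) over a constructed excerpt in the layout of script.db. The categories assigned to the sample entries are illustrative and not copied from the real database, and the grammar is an assumption that covers the forms shown on the page rather than Nmap's full rule set.

```python
# Added example (not from the cheat sheet or the Nmap project): a simplified
# model of how --script expressions select scripts from script.db.
import fnmatch
import re

# Constructed excerpt in the layout of Nmap's script.db; categories are
# illustrative and not copied from the real database.
SCRIPT_DB = '''
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
'''

ENTRY_RE = re.compile(r'filename = "([^"]+)", categories = \{([^}]*)\}')
TOKEN_RE = re.compile(r'\(|\)|,|[^\s(),]+')


def load_script_db(text):
    """Return {script name (without .nse): set of categories}."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def select_scripts(expr, db):
    """Evaluate a --script expression against db; ',' is treated as 'or'.

    Precedence, lowest to highest: or/',' -> and -> not -> atom, where an
    atom is a parenthesised expression, a category name, or a script name
    that may carry shell-style * wildcards (e.g. "http-*").
    """
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        result = parse_and()
        while peek() in ("or", ","):
            take()
            result |= parse_and()
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            result &= parse_not()
        return result

    def parse_not():
        if peek() == "not":
            take()
            return set(db) - parse_not()  # complement over the whole database
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok in (")", ",", "and", "or", "not"):
            raise ValueError(f"unexpected token {tok!r}")
        term = tok[:-4] if tok.endswith(".nse") else tok
        # A term matches a script if it names one of its categories or
        # matches its name (wildcards allowed).
        return {name for name, cats in db.items()
                if term in cats or fnmatch.fnmatchcase(name, term)}

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing input at token {tokens[pos]!r}")
    return sorted(result)


if __name__ == "__main__":
    db = load_script_db(SCRIPT_DB)
    for expr in ('http-*', 'not intrusive', 'default or safe', 'default and safe'):
        print(f'--script "{expr}" -> {select_scripts(expr, db)}')
```

The distinction the cheat sheet draws between "default or safe" and "default and safe" shows up directly in the result: the former also pulls in a script that is safe but not run by default, while the latter keeps only scripts in both categories. "not intrusive" is the selection a cautious operator reaches for, and the model makes explicit that it is a complement over everything in script.db, so it grows as scripts are added.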
Nmap Commands
# nmap [Scan Type(s)] [Options] {target specification}
Ping scan
# nmap -sP <target-range>
SYN scan discovered alive host
# nmap -sS -A <target host>
SYN scan of another host, with more information on output
# nmap -sS -P0 -A -v <target host>
Scan 100 most common ports of <target> “Fast”
# nmap -F <target host>
Scan specific ports on target
# nmap -p T:8888,80 <target host>
Using scripting engine
Scan using default safe scripts
# nmap -sV -sC <target host>
Get help for a script
# nmap --script-help=ssl-heartbleed
Scan using a specific NSE script
# nmap -sV -p 443 --script=ssl-heartbleed.nse <target host>
Scan with a set of scripts
# nmap -sV --script=smb* <target host>
Scan for “Heartbleed” vulnerability
# nmap -sV -p 443 --script=ssl-heartbleed <target range>