# NMAP Cheat Sheet Base nmap Syntax: ``` nmap [ScanType] [Options] {targets} ``` If no port range is specified, Nmap scans the 1,000 most popular ports. - `-p <port1>-<port2>`: Scans a port range - `-p <port1>,<port2>,...`: Scans a port list - `-pU:53,U:110,T20-445`: Mix TCP and UDP - `-r`: Scans linearly (does not randomize ports) - `--top-ports <n>`: Scan n most popular ports - `-p-65535`: Leaving off the initial port in range makes Nmap scan start at port 1 - `-p-`: Leaving off the end port in range makes Nmap scan all ports - `-F`: (Fast (limited port) scan) ## Port Status - Open: This indicates that an application is listening for connections on this port. - Closed: This indicates that the probes were received but there is no application listening on this port. - Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering. - Unfiltered: This indicates that the probes were received but a state could not be established. - Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state. - Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state. ## Scan Types - `-sn`: Probe only (host discovery, not port scan) - `-sS`: SYN Scan - `-sT`: TCP Connect Scan - `-sU`: UDP Scan - `-sV`: Version Scan - `-O`: Used for OS Detection/fingerprinting - `--scanflags`: Sets custom list of TCP using `URG ACK PSH RST SYN FIN` in any order ## Probing Options - `-Pn`: Don't probe (assume all hosts are up) - `-PB`: Default probe (TCP 80, 445 & ICMP) - `-PS<portlist>` : Checks if ssytems are online by probing TCP ports - `-PE`: Using ICMP Echo Request - `-PP`: Using ICMP Timestamp Request - `-PM`: Using ICMP Netmask Request ## Timing Options - `-T0` (Paranoid): Very slow, used for IDS evasion - `-T1` (Sneaky): Quite slow, used for IDS evasion - `-T2` (Polite): Slows down to consume less bandwidth, runs ~10 times slower than default - `-T3` (Normal): Default, a dynamic timing model based on target responsiveness - `-T4` (Aggressive): Assumes a fast and reliable network and may overwhelm targets - `-T5` (Insane): Very aggressive; will likely overwhelm targets or miss open ports ## Fine-Grained Timing Options - `--min-hostgroup/max-hostgroup <size> `: Parallel host scan group sizes - `--min-parallelism/max-parallelism <numprobes>`: Probes parallelization - `--min-rtt-timeout/max-rtttimeout/initial-rtt-timeout <time>`: Specifies probe round trip time. - `--max-retries <tries>`: Caps number of port scan probe retransmissions. - `--host-timeout <time>`: Gives up on target after this long - `--scan-delay/--max-scan-delay <time>`: Adjusts delay between probes - `--min-rate <number>`: Send packets no slower than `<number>` per second - `--max-rate <number>`: Send packets no faster than `<number>` per second ## Nmap Scripting Engine The full list of Nmap Scripting Engine scripts: http://nmap.org/nsedoc/ `nmap -sC` runs default scripts... Running individual or groups of scripts: `nmap --script=<ScriptName>| <ScriptCategory>|<ScriptDir>` Using the list of script arguments: `nmap --script-args=<Name1=Value1,...>` Updating the script database: `nmap --script-updatedb` Some particularly useful scripts include: - dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server. ``` $ nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=<domain> -p53 <hosts> ``` - http-robots.txt: Harvests robots.txt files from discovered web servers. ``` $ nmap --script http-robots.txt <hosts> ``` - smb-brute: Attempts to determine valid username and password combinations via automated guessing. ``` $ nmap --script smb-brute.nse -p445 <hosts> ``` - smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs. ``` $ nmap --script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p445 <hosts> ``` ### Nmap Scripting Engine Categories The most common Nmap scripting engine categories: - auth: Utilize credentials or bypass authentication on target hosts. - broadcast: Discover hosts not included on command line by broadcasting on local network. - brute: Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc. - default: Scripts run automatically when -sC or -A are used. - discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more. - dos: May cause denial of service conditions in target hosts. - exploit: Attempt to exploit target systems. - external: Interact with third-party systems not included in target list. - fuzzer: Send unexpected input in network protocol fields. - intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion. - malware: Look for signs of malware infection on the target hosts. - safe: Designed not to impact target in a negative fashion. - version: Measure the version of software or protocols on the target hosts. - vul: Measure whether target systems have a known vulnerability. ## Output Options - `-oN`: Standard Nmap output - `-oG`: Greppable format - `-oX`: XML format - `-oA`: <basename> Generate Nmap, Greppable, and XML output files using basename for files ## Additional Options - `-n`: Disables reverse IP address lookups - `-6`: Uses IPv6 only - `-A`: Uses several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute - `--reason`: Displays the reason Nmap thinks that the port is open, closed, or filtered