Nmap Cheatsheet

Nmap Quick commands

Ping Sweep

nmap -sn <ipaddress range>-<ipaddress range>

example

nmap -sn 192.168.0.2-100

or

nmap -sn 192.168.0.2-192.168.1.100

List Scan aka reverse-dns lookup

On a corporate network this is often a better scan for enumerating hosts: instead of ICMP requests, which might get dropped, it does a reverse DNS lookup for each address. Always be enumerating! The best part is the information you might get: endpoint naming conventions, etc.

nmap -sL 192.168.0.1-100

TCP and UDP scan - Short hand

Add a UDP scan to a SYN scan by appending U

nmap -sSU 192.168.0.1

This is the same as -sS -sU

OS and Version detection

nmap -sS -A 192.168.0.1

Ports

Top Ports

Only look at the top "x" most commonly used ports

nmap -sSU -A --top-ports 10 192.168.0.1

All ports - short hand

nmap -sS -p- 192.168.0.1

Output Types

  • -oN - Normal
  • -oX - XML
  • -oS - Don’t use this one (Skript Kiddie output)
  • -oG - Greppable
  • -oA - All formats except Skript Kiddie

Greppable output with a timestamp: nmap expands %D in the output filename to the current date (the same as %m%d%y)

nmap -sS -A -oG nmap-scan%D 192.168.0.1

Open Ports Only

nmap -sS 192.168.0.1 --open
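The greppable (-oG) format above is meant to be post-processed, and --open is just that filtering done at scan time. As an added example that is not part of the cheatsheet, here is a small POSIX shell/awk function that reads saved -oG output and prints only the open ports per host (host, port/protocol, service). The sample_greppable and open_ports function names and the scan lines they operate on are constructed for this example, not captured from a real scan; real greppable output separates the Host, Ports and Ignored State fields with tabs, which is what the awk -F'\t' relies on.

```shell
#!/bin/sh
# Added example: list open ports from nmap greppable (-oG) output.
# Not code from the cheatsheet; sample data below is constructed.

# Constructed stand-in for a saved .gnmap file. Fields are tab-separated,
# and each Ports entry is port/state/protocol/owner/service/rpc info/version/.
sample_greppable() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sSU --top-ports 10 -oG - 192.168.0.1-2'
    printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (16)\n'
    printf 'Host: 192.168.0.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (18)\n'
    printf '%s\n' '# Nmap done at (constructed) -- 2 IP addresses (2 hosts up) scanned'
}

# Read greppable output on stdin, print "host port/proto service" for every
# port whose state is exactly "open" (closed/filtered entries are dropped).
open_ports() {
    awk -F'\t' '
    /^Host:/ {
        host = $1
        sub(/^Host: /, "", host)   # strip the field label
        sub(/ .*/, "", host)       # strip the " (hostname)" suffix
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
            }
        }
    }'
}

# Usage: open_ports < nmap-scan.gnmap   (here run over the constructed sample)
sample_greppable | open_ports
```

Because the state check is an exact match on the second slash-separated field, "open|filtered" results from a UDP scan are not reported as open; loosen the comparison if you want those too.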

Scripts

Location

/usr/share/nmap/scripts

Usage

nmap -sS -A -p- 192.160.0.1 --script /usr/share/nmap/scripts/smb-enum-shares.nse

Default

Run the default script category to enumerate even more (note that -A already enables default scripts, so adding --script=default next to it is redundant but harmless)

nmap -sSU -A 192.168.0.1 --script=default

The Kitchen Sink

Enumerate reverse DNS, TCP/UDP ports, versions/OS, all ports, greppable output, using all scripts (the "all" category includes the intrusive and dos scripts, which can disrupt or crash fragile services, so know what you are pointing it at)

nmap -sL -sSU -A -p- -oG nmap-scan%D 192.168.0.1 --script=all