Nmap Cheat-Sheet: Scanning Types, Commands, and NSE Scripts
Learn more about the Nmap
Nmap (Network Mapper) is a free and open-source tool for network discovery and security auditing. It is widely used by network administrators and penetration testers for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets to determine the available hosts, services, operating systems, and other characteristics of a network.
TCP/IP Protocols
Nmap operates on various layers of the TCP/IP protocol suite:
- Application layer: FTP, HTTP, SNMP, BOOTP, DHCP
- Transport layer: TCP, UDP, ICMP, IGMP
- Network layer: ARP, IP, RARP
- Data link layer: SLIP, PPP
UDP and TCP
- UDP: A connection-less protocol that does not guarantee packet delivery. Suitable for real-time applications like live audio/video.
- TCP: A connection-oriented protocol that guarantees packet delivery using a three-way handshake.
Nmap Scan Types
SYN Scan
The default scan type, which is stealthier than a TCP Connect scan. It sends a SYN packet to the target port and waits for a SYN/ACK response.
nmap -sS target
TCP Connect Scan
Completes the TCP handshake, making it noisier but more accurate. Useful when the user does not have administrative privileges.
nmap -sT target
Ping Sweep
Checks which IP addresses are up by sending ICMP Echo Requests.
nmap -sn 192.168.1.1/24
UDP Scan
Checks for open UDP ports by sending UDP packets and analyzing the responses.
nmap -sU target
FIN Scan
Sends a FIN packet to the target port. If a RST packet is received, the port is closed.
nmap -sF target
NULL Scan
Sets all TCP flags to off, which can bypass certain firewalls and packet filters.
nmap -sN target
XMAS Scan
Sets the FIN, PSH, and URG flags, making it more stealthy but less reliable on certain systems.
nmap -sX target
Bounce Scan
Uses an FTP server to “bounce” scan packets to a target, potentially bypassing firewalls.
nmap -b ftp.server target
RPC Scan
Probes open ports to identify RPC services and their versions.
nmap -sR target
Windows Scan
Exploits anomalies in Windows systems’ TCP/IP stack to identify open ports.
nmap -sW target
Idle Scan
Uses a “zombie” host to perform stealthy scans, hiding the true origin of the scan.
nmap -sI zombie target
Nmap Commands
Basic Scans
nmap -sn 192.168.1.1/24 # Ping scan
nmap scanme.nmap.org # Scan a single host
Stealth Scan
nmap -sS scanme.nmap.org
Version Scanning
nmap -sV scanme.nmap.org
OS Scanning
nmap -O scanme.nmap.org
Aggressive Scanning
nmap -A scanme.nmap.org
Scanning Multiple Hosts
nmap 192.164.1.1 192.164.0.2 192.164.0.3 # Multiple IPs
nmap 192.164.1.* # Wildcard
nmap 192.164.0.1,2,3,4 # Comma-separated
nmap 192.164.0.0-255 # Range
Port Scanning
nmap -p 973 192.164.0.1 # Single port
nmap -p T:7777,973 192.164.0.1 # TCP port type
nmap -p 76-973 192.164.0.1 # Port range
nmap --top-ports 10 scanme.nmap.org # Top 10 ports
Scanning from a File
nmap -iL /input_ips.txt
Verbosity and Exporting Scan Results
nmap -v scanme.nmap.org # Verbose output
nmap -oN output.txt scanme.nmap.org # Normal output
nmap -oX output.xml scanme.nmap.org # XML output
nmap -oA output scanme.nmap.org # All formats
Nmap Help
nmap -h
Nmap Scripting Engine (NSE)
NSE is a powerful tool for writing scripts to automate network tasks. Scripts are written in Lua and can perform various functions like vulnerability detection, exploitation, and reporting.
Using NSE Scripts
nmap -sC 192.168.1.1 # Default scripts
nmap --script-help=ssl-heartbleed # Help for a script
nmap --script=ssl-heartbleed.nse 192.168.1.1 # Specific script
nmap --script=smb* 192.168.1.1 # Set of scripts
Zenmap
Zenmap is the graphical user interface for Nmap. It is free and open-source, providing visual network mappings and the ability to save and search scans.
Conclusion
Nmap is an essential tool for network discovery and security auditing, with a wide range of features and capabilities. This cheat-sheet provides a quick reference to various scanning types, commands, and NSE scripts, helping you to effectively use Nmap in your network administration and penetration testing tasks.
Last updated 26 Jun 2024, 05:25 +0200 .