Ech0 - 00 / 00 / 00

CheatSheet - Nmap

Description:

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Part 1 : Individual use Cases

Target Selection:

nmap 192.168.0.1(scanning a single ip address)
nmap ech1.netlify.com(scanning an url directly)
nmap 192.168.0.0/24(scan a range of IPs (192.168.0.0-255))
nmap -iL list-of-ips.txt(scan a list of ip)

Port Selection:

nmap 127.0.0.1 -p 22(scanning the default SSH port)
nmap 127.0.0.1 -p 1-1024(scanning ports 1 2 3...1024)
nmap 127.0.0.1 -F(scanning the most 100 common ports (80,22,21,443,etc))
nmap 127.0.0.1 -F --top-ports 30000
nmap 127.0.0.1 -p-(all ports)

Port Scan Types:

nmap 127.0.0.1 -sT (using TCP (used by default))
nmap 127.0.0.1 -sS (TCP SYN scan)
nmap 127.0.0.1 -sU (UDP ports)
nmap 127.0.0.1 -Pn -F (skip the initial ping step)

Service & OS Detection

nmap 127.0.0.1 -A(detect OS & services)
nmap 127.0.0.1 -sV(enumerate versions)
nmap 127.0.0.1 -sC(using default scripts)
nmap 127.0.0.1 -sV --version-intensity 5(Aggressive service detection)
nmap 127.0.0.1 -sV --version-intensity 0(Light banner grabbing detection)

Timing and Performance

nmap 127.0.0.1 -T0(paranoid detection evasion)
nmap 127.0.0.1 -T1(sneaky detection evasion)
nmap 127.0.0.1 -T2(polite (slows down scan, less bandwidth & less target ressources))
nmap 127.0.0.1 -T3(default speed)
nmap 127.0.0.1 -T4(Aggressive (fast & reliable network))
nmap 127.0.0.1 -T5(Insane speeds (assumes low ping and high bandwidth))


nmap 127.0.0.1 --host-timeout 1h 2m 3s(sets timeout to 1hr2min3sec)
nmap 127.0.0.1 --min-parallelism 10(minimal probe parallelization)
nmap 127.0.0.1 --max-parallelism 50(maximal ^)
nmap 127.0.0.1 --max-retries 3
nmap 127.0.0.1 --min-rate (send packets at least _ per second)
nmap 127.0.0.1

Common HTB Use Cases

nmap 127.0.0.1 -F --top-ports 10000(scan the top 10000 ports)
nmap 127.0.0.1 -sCV -p 21,22,80,443,8080(versions & default scripts on selected ports)
nmap 127.0.0.1 -p- -vvv(looking for every open port (verbose output))
nmap 127.0.0.1

4