Nmap Cheat Sheet
A comprehensive cheat sheet for Nmap, covering essential scanning techniques, options, and usage examples for network discovery and security auditing.
Basic Scan Types
Scan Types Overview
Nmap offers a variety of scan types to discover hosts and services on a network. Each technique sends a different kind of TCP, UDP or ICMP probe and infers host and port state from how the target (or a firewall in front of it) responds, so the choice of scan decides both what you can see and how visible you are.
Common Scan Flags

| Flag | Scan type | Description |
| --- | --- | --- |
| `-sT` | TCP Connect Scan | Completes the full TCP three-way handshake through the OS socket API. Requires no special privileges, but because the connection is actually established it is slower and far more likely to be logged by the target application. |
| `-sS` | TCP SYN Scan (Stealth Scan) | Sends a SYN and judges the reply without completing the handshake: SYN/ACK means open, RST means closed, no answer or an ICMP unreachable means filtered. Requires root privileges for raw sockets and is Nmap's default when run as root. |
| `-sU` | UDP Scan | Sends UDP datagrams (empty, or protocol-specific payloads for well-known ports). A UDP reply means open, an ICMP port unreachable means closed, and silence is reported as open\|filtered. Requires root privileges and is slow because most hosts rate-limit ICMP errors, which caps how fast closed ports can be confirmed. |
| `-sP` | Ping Scan | Legacy name for host discovery. Deprecated; use `-sn` instead. |
| `-sn` | Host Discovery | Finds live hosts without port scanning. As root on the local subnet it uses ARP requests; otherwise it sends ICMP echo, ICMP timestamp, a TCP SYN to 443 and a TCP ACK to 80 by default, which catches hosts that drop plain ICMP echo. |
| `-sV` | Version Detection | Sends service probes to open ports to determine the application and version running behind them. |
Example Usage
| Command | Description |
| --- | --- |
| `nmap -sS <target>` | Performs a SYN scan of the 1,000 most common TCP ports on the target. |
| `nmap -sU <target>` | Performs a UDP scan on the target. |
| `nmap -sV <target>` | Attempts to determine service versions on the target's open ports. |
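A two-stage workflow that fits the scans above: a broad SYN scan written in grepable format (`-oG`), parsed to pull out each host's confirmed-open ports, then a targeted `-sV -sC` scan of just those ports. This is an added shell example, not code from the original cheat sheet; the scan output it parses is a constructed sample of the `-oG` format (hosts `10.0.0.5`, `10.0.0.6` and `dns.lab.test` are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Stage 1 (not run here; needs nmap and network access):
#   nmap -sS -sU -sV --top-ports 100 -oG stage1.gnmap 10.0.0.0/29
# Stage 2 below parses the grepable output and builds a focused follow-up scan.

TAB=$(printf '\t')
# Constructed sample of -oG output (not a real scan). Fields on a Host line are
# tab-separated; each entry in "Ports:" is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP="# Nmap 7.94 scan initiated as: nmap -sS -sU -sV --top-ports 100 -oG - 10.0.0.0/29
Host: 10.0.0.5 ()${TAB}Status: Up
Host: 10.0.0.5 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///${TAB}Ignored State: closed (97)
Host: 10.0.0.6 (dns.lab.test)${TAB}Status: Up
Host: 10.0.0.6 (dns.lab.test)${TAB}Ports: 53/open|filtered/udp//domain///${TAB}Ignored State: closed (99)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 4.20 seconds"

# parse_gnmap: stdin = -oG output; stdout = one "host port proto state service version" line per port.
parse_gnmap() {
  awk -F'\t' '
    /^Host: / && index($0, "Ports: ") {
      host = $1
      sub(/^Host: /, "", host)        # "10.0.0.6 (dns.lab.test)" -> drop the optional (hostname)
      sub(/ \(.*$/, "", host)
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, /, /)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")       # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
        printf "%s %s %s %s %s %s\n", host, f[1], f[3], f[2], f[5], (f[7] == "" ? "-" : f[7])
      }
    }'
}

# open_tcp_ports HOST: stdin = parse_gnmap output; stdout = comma-separated open TCP ports of HOST.
# Ports in state filtered or open|filtered are left out: there is nothing to fingerprint there.
open_tcp_ports() {
  awk -v h="$1" '$1 == h && $3 == "tcp" && $4 == "open" { out = out (out == "" ? "" : ",") $2 }
                 END { print out }'
}

# followup_cmd HOST: stdin = parse_gnmap output; prints the stage-2 command, or fails
# with no output when HOST has no open TCP ports.
followup_cmd() {
  ports=$(open_tcp_ports "$1")
  [ -n "$ports" ] || return 1
  printf 'nmap -sV -sC -p %s %s\n' "$ports" "$1"
}

printf '%s\n' "$SAMPLE_GNMAP" | parse_gnmap
printf '%s\n' "$SAMPLE_GNMAP" | parse_gnmap | followup_cmd 10.0.0.5
```

With real output, feed `cat stage1.gnmap` into `parse_gnmap` instead of the sample. Restricting the second stage to confirmed-open TCP ports matters behind a stateful firewall: `-sV` and `-sC` against `filtered` ports only burn time waiting for replies that never come, and scripts run against `open|filtered` UDP ports rarely produce anything reliable.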
Advanced Scanning Techniques
Stealth Scan Options
These three scans rely on RFC 793 behaviour: a closed port must answer an unexpected segment with an RST, while an open port silently drops it. Because silence is also what a filtering firewall produces, Nmap reports no reply as open\|filtered, not open. Windows, many Cisco devices and several other stacks send an RST from every port regardless of state, so against those targets every port appears closed; treat the results as a hint and confirm with `-sS` or `-sT`.

| Flag | Scan type | Description |
| --- | --- | --- |
| `-sF` | TCP FIN Scan | Sends a segment with only the FIN flag set. Closed ports respond with an RST; open ports are expected to ignore it. |
| `-sX` | TCP Xmas Scan | Sends a segment with FIN, URG and PSH set ("lit up like a Christmas tree"). Closed ports respond with an RST. |
| `-sN` | TCP Null Scan | Sends a segment with no flags set. Closed ports respond with an RST. |
Bypassing Firewalls/IDS
| Flag | Option | Description |
| --- | --- | --- |
| `-f` | Fragment Packets | Splits the TCP header across 8-byte IP fragments (`-ff` uses 16 bytes) so that a packet filter which does not reassemble fragments cannot match on port numbers or flags. Stateful firewalls and most IDS reassemble before inspecting, so this defeats only simple filters. |
| `--mtu <size>` | Specify MTU | Fragments to a custom size instead of 8 bytes. The value must be a multiple of 8. |
| `--data-length <num>` | Append Random Data | Appends `num` random bytes to each probe. Nmap's default probes carry no payload, which some IDS signatures key on; padding changes the packet size and breaks those signatures. |
| `--spoof-mac <MAC, prefix, vendor name or 0>` | Spoof MAC Address | Sets the source MAC of Nmap's raw Ethernet frames (`0` picks a random address). This only changes what hosts on the same Layer 2 segment see; once traffic is routed the MAC is rewritten, and your IP address is still in every packet. |
| `-g <port>` / `--source-port <port>` | Source Port Manipulation | Sends probes from a fixed source port such as 53 or 20. Misconfigured firewalls sometimes allow any traffic whose source port looks like DNS or FTP-data. Only raw-packet scans honour it; connect scans (`-sT`), version detection and NSE use the OS socket interface and ignore it. |
Timing and Performance
| Flag | Option | Description |
| --- | --- | --- |
| `-T<0-5>` | Timing Templates | Selects a preset from 0 (paranoid) to 5 (insane). 0 and 1 (sneaky) send one probe at a time with long waits between them (5 minutes and 15 seconds respectively) to stay under IDS thresholds; 3 (normal) is the default; 4 (aggressive) is the usual choice on a fast, reliable network; 5 caps the RTT timeout at 300 ms and retries only twice, so it trades accuracy for speed and can miss open ports. |
| `--min-rtt-timeout <time>`, `--max-rtt-timeout <time>`, `--initial-rtt-timeout <time>` | Adjust RTT Timeout | Bounds how long Nmap waits for a probe response before retransmitting or giving up. Tighten on low-latency networks to speed things up; loosen on high-latency or lossy links so that lost packets are not reported as filtered ports. Values take a unit suffix, e.g. `500ms`, `2s`. |
Port Specification and Service Detection
Port Specification
| Flag | Option | Description |
| --- | --- | --- |
| `-p <ports>` | Specify Ports | Scans only the listed ports, e.g. `-p 22,80,443`, `-p 1-1024`, or `-p U:53,T:21-25,80` to mix UDP and TCP. Service names from nmap-services also work (`-p http,https`). |
| `-F` | Fast Scan | Scans the 100 most common ports (ranked by frequency in the nmap-services file) instead of the default 1,000. |
| `--top-ports <n>` | Top Ports | Scans the `n` most common ports according to nmap-services. |
| `-p-` | All Ports | Scans all 65,535 ports (shorthand for `-p 1-65535`). Port 0 is excluded unless requested explicitly, e.g. `-p 0-65535`. |
Service and Version Detection
| Flag | Option | Description |
| --- | --- | --- |
| `-sV` | Version Detection | Probes open ports to identify the service protocol, application name and version, and sometimes hostname, device type and OS. |
| `--version-intensity <0-9>` | Version Intensity | Sets how many probes are tried against each port. Every probe has a rarity value; only probes at or below the chosen intensity are sent, plus any probe known to match the port. Default is 7. Higher values are more accurate but slower. |
| `--version-light` | Version Light | Alias for `--version-intensity 2`: faster, but more services are left unidentified. |
| `--version-all` | Version All | Alias for `--version-intensity 9`: tries every probe against every port. |
OS Detection
| Flag | Option | Description |
| --- | --- | --- |
| `-O` | OS Detection | Fingerprints the TCP/IP stack (TCP options, initial sequence numbers, IP ID generation, window sizes and so on) and matches it against nmap-os-db. Requires root privileges and is most reliable when the host has at least one open and one closed TCP port. |
| `--osscan-limit` | OS Scan Limit | Skips OS detection on hosts without at least one open and one closed TCP port, where the result would be unreliable anyway. Saves time on large sweeps. |
| `--osscan-guess` / `--fuzzy` | OS Scan Guess | When no perfect match is found, reports the closest candidates more aggressively. Nmap already does this for near matches by default; this flag lowers the threshold further. |
Nmap Scripting Engine (NSE)
NSE Basics
The Nmap Scripting Engine (NSE) runs Lua scripts against the hosts and ports a scan finds, automating tasks a port scanner alone cannot do: enumerating shares and users, pulling application-level details that extend version detection, checking for known vulnerabilities, and brute-forcing credentials. Scripts are selected by name, category or boolean expression; `-sC` runs the `default` category and is equivalent to `--script=default`.
Common NSE Categories
| Category | Description |
| --- | --- |
| `auth` | Deals with authentication credentials and bypasses (anonymous access, default accounts), but not brute forcing. |
| `broadcast` | Discovers hosts by broadcasting on the local network rather than probing the listed targets. |
| `brute` | Brute-force password guessing against services. |
| `default` | Scripts run by `-sC` or `--script=default`; chosen to be fast, useful and reasonably safe. |
| `discovery` | Gathers more information about the network and its services (SNMP, SMB, DNS, directory services). |
| `dos` | May cause a denial of service; use only where that is acceptable. |
| `exploit` | Actively exploits a vulnerability. |
| `external` | Sends data to third-party services (for example whois databases), which may disclose the scan to outsiders. |
| `fuzzer` | Sends unexpected or randomized input to find bugs; slow and potentially disruptive. |
| `intrusive` | Likely to crash the target, consume significant resources or be flagged as an attack. |
| `malware` | Checks whether the target is infected or backdoored. |
| `safe` | Not designed to crash services, use large amounts of bandwidth or exploit vulnerabilities. |
| `version` | Extensions to version detection; run automatically with `-sV` and cannot be selected explicitly. |
| `vuln` | Checks for specific known vulnerabilities and reports only when one is found. |
Script Selection and Execution
| Flag | Option | Description |
| --- | --- | --- |
| `--script <scripts>` | Run Scripts | Runs the named scripts, a category, every script in a directory, or a boolean expression over categories, e.g. `--script "default or safe"`, `--script "vuln and not dos"`. Wildcards are allowed (`--script "http-*"`). |
| `--script-args <n1=v1,n2=v2,...>` | Script Arguments | Passes arguments to scripts, e.g. `--script-args http.useragent="Mozilla/5.0",userdb=users.txt`; `--script-args-file <file>` reads them from a file instead. |
| `--script-help <scripts>` | Script Help | Shows each script's description, categories and accepted arguments. Takes the same selectors as `--script`. |
| `--script-updatedb` | Update Script Database | Rebuilds the script database (`scripts/script.db`) after adding or removing scripts in the scripts directory, so new scripts can be selected by category. |