Nmap Cheat sheet
Remember
If you need help:
nmap -h
Basic scan
If you're lazy, then:
nmap -A <ip>
-A enables OS detection, version detection, the default script scan and traceroute in one go. It is noisy and slow, and OS detection needs root privileges, so prefer explicit flags once you know what you are looking for.
Scan techniques
-sS : SYN scan (half-open: the handshake is never completed). Fast, and the default scan type when running as root. Needs root privileges because it sends raw packets.
-sV : Version scan. Probes the open ports to identify the name and version of the service behind them.
-sC : Script scan. Runs the default set of NSE scripts (same as --script=default). The scripts live in /usr/share/nmap/scripts/
-sT : TCP connect port scan. Completes the full three-way handshake, so it works without root, but it is slower and shows up in the target's application logs.
-p : Define the ports you want to scan. By default nmap scans the top 1000 ports. Scan all 65535 ports with -p-, a single port with -p80, a range with -p100-200, or a comma-separated list with -p21,22,80,443.
--top-ports X : Scan only the X most commonly open ports (ranked by nmap's own frequency data).
Before scanning ports, nmap performs host discovery (a ping scan). If the target does not answer, nmap reports it as down and skips it. Firewalled hosts often behave exactly like this, so you may miss live machines. You can skip host discovery with a parameter:
-Pn : Treat every target as up and scan it without host discovery. Do not confuse it with -sn, which does the opposite (host discovery only, no port scan).
A simple command can then look like this:
sudo nmap -sSVC -p21,22,80,443 10.2.10.3
Going further
Not all services listen on TCP. Some ports are open on UDP (DNS, SNMP, DHCP, TFTP...). You can scan them using:
-sU : UDP scan. Needs root privileges and is much slower than a TCP scan: closed ports answer with ICMP port unreachable, which most hosts rate-limit, and open ports often stay silent (reported as open|filtered). Combine with -sV and a short port list to get usable results.
When you perform a pentest, you might have a long list of IP addresses to scan. Nmap can read the targets from a file:
-iL <path to your file> : Scan every host listed in the file (one target per line; hostnames and CIDR ranges are accepted as well).
Specify an output file:
-oA <basename> : Write the scan in all three formats at once: normal (<basename>.nmap), grepable (<basename>.gnmap) and XML (<basename>.xml).
If you want a single format:
-oN <file> : normal output (what you see on the terminal)
-oG <file> : grepable output (one host per line, easy to parse with grep or awk)
-oX <file> : XML output (what most tools import)
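A worked example, added here and not part of the original cheat sheet: a small POSIX shell script that parses the grepable output (-oG, or the .gnmap file written by -oA) of a quick first pass over an -iL target list, prints the hosts that were up, and turns each host's open ports into a -p list for a second, deeper -sS -sV -sC scan. The .gnmap content is constructed inline so the script runs offline; the IP addresses, services and the deep_<host> output basename are illustrative.

```shell
#!/bin/sh
# Added example: parse nmap grepable output (-oG / .gnmap) and build the
# follow-up command for the open ports. Not code from the original cheat sheet.

# make_sample <file>
# Writes a constructed .gnmap file (illustrative hosts and services) so the
# script can be run without a live target.
make_sample() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -p- -oG quick.gnmap -iL targets.txt\n' > "$1"
    printf 'Host: 10.2.10.3 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.2.10.3 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65530)\n' >> "$1"
    printf 'Host: 10.2.10.4 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.2.10.4 ()\tPorts: 53/open/udp//domain///, 161/open/udp//snmp///\tIgnored State: closed (998)\n' >> "$1"
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds\n' >> "$1"
}

# hosts_up <gnmap_file>
# Prints one IP per line for every host nmap reported as up.
# Fields in grepable output are tab-separated: "Host: <ip> (<name>)", "Status: Up", ...
hosts_up() {
    awk -F'\t' '$1 ~ /^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1" | sort -u
}

# open_ports <gnmap_file> <host> [proto]
# Prints the open ports of <host> for <proto> (default tcp) as a comma-separated
# list, e.g. 21,22,80,8080. Each "Ports:" entry is port/state/proto/owner/service/rpc/version/
open_ports() {
    awk -F'\t' -v host="$2" -v proto="${3:-tcp}" '
        # Match "Host: <ip> " exactly so 10.2.10.3 does not also match 10.2.10.30.
        index($1, "Host: " host " ") == 1 {
            for (i = 2; i <= NF; i++) {
                if (index($i, "Ports: ") != 1) continue
                n = split(substr($i, 8), entries, ", ")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")
                    if (f[2] == "open" && f[3] == proto)
                        ports = ports (ports == "" ? "" : ",") f[1]
                }
            }
        }
        END { print ports }
    ' "$1"
}

# followup_cmd <gnmap_file> <host>
# Prints the second-stage scan: version and default-script scan limited to the
# ports the quick pass found open. Returns 1 when there is nothing to scan.
followup_cmd() {
    ports=$(open_ports "$1" "$2")
    [ -n "$ports" ] || return 1
    printf 'sudo nmap -sS -sV -sC -p%s -oA deep_%s %s\n' "$ports" "$2" "$2"
}

# With two arguments (gnmap file, host) print the follow-up command for real
# output; with none, demonstrate on the constructed sample.
if [ "$#" -ge 2 ]; then
    followup_cmd "$1" "$2"
else
    sample=$(mktemp)
    make_sample "$sample"
    echo "Hosts up:"
    hosts_up "$sample"
    echo "Follow-up for 10.2.10.3:"
    followup_cmd "$sample" 10.2.10.3
    rm -f "$sample"
fi
```

Run it as `sh parse_gnmap.sh quick.gnmap 10.2.10.3` against the .gnmap of a real quick pass (for example `nmap -sS -p- -T4 -oG quick.gnmap -iL targets.txt`), then paste the printed command. Passing a third argument `udp` to open_ports gives the UDP list from a -sU pass. Filtered ports are deliberately left out of the list: they tell you about a firewall, not about a service worth probing with -sV.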
Timing. By default nmap uses the -T3 template. You can speed up or slow down the scan according to the asset scanned:
-T0 : Paranoid, for IDS evasion (one probe every 5 minutes; only practical for a handful of ports)
-T1 : Sneaky, for IDS evasion (one probe every 15 seconds)
-T2 : Polite, slows down the scan to use less bandwidth and fewer target resources
-T3 : Normal, the default speed
-T4 : Aggressive, assumes a fast and reliable network; the usual choice on internal engagements
-T5 : Insane, trades accuracy for speed; can miss open ports or trip rate limits, so double-check results before trusting them