372 lines
11 KiB
HTML
372 lines
11 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
// Apply theme immediately to prevent flash
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>nmap Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
/ \ / \_ _____/\______ \/ _____/| \__ ___/\_ _____/
|
|
\ \/\/ /| __)_ | | _/\_____ \ | | | | | __)_
|
|
\ / | \ | | \/ \| | | | | \
|
|
\__/\ / /_______ / |______ /_______ /|___| |____| /_______ /
|
|
\/ \/ \/ \/ \/
|
|
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">nmap Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>nmap (Network Mapper) is a network scanning and discovery tool. Used for security auditing, network inventory, and finding open ports and services.</p>
|
|
<hr>
|
|
<h2>Basic Scans</h2>
|
|
<ul>
|
|
<li>nmap <target> - Basic TCP port scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sP <target> - Ping scan (host discovery only)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sn <target> - Ping scan without port scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -p <port> <target> - Scan specific port</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -p- <target> - Scan all ports (1-65535)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -p 80,443,8080 <target> - Scan specific ports</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -p 1-1000 <target> - Scan port range</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Scan Types</h2>
|
|
<ul>
|
|
<li>nmap -sS <target> - TCP SYN scan (stealth scan)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sT <target> - TCP connect scan (default)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sU <target> - UDP scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sA <target> - TCP ACK scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sN <target> - TCP NULL scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sF <target> - TCP FIN scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sX <target> - TCP Xmas scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sW <target> - TCP Window scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sM <target> - TCP Maimon scan</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Timing and Performance</h2>
|
|
<ul>
|
|
<li>nmap -T0 <target> - Paranoid (slowest, most stealth)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -T1 <target> - Sneaky</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -T2 <target> - Polite</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -T3 <target> - Normal (default)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -T4 <target> - Aggressive</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -T5 <target> - Insane (fastest)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --min-rate <rate> <target> - Minimum packet rate</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --max-rate <rate> <target> - Maximum packet rate</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Host Discovery</h2>
|
|
<ul>
|
|
<li>nmap -sn <target> - Ping scan (no port scan)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -Pn <target> - Skip host discovery (assume host is up)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PS <port> <target> - TCP SYN ping</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PA <port> <target> - TCP ACK ping</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PU <port> <target> - UDP ping</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PE <target> - ICMP echo ping</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PP <target> - ICMP timestamp ping</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -PR <target> - ARP ping (local network)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Service and Version Detection</h2>
|
|
<ul>
|
|
<li>nmap -sV <target> - Version detection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sV --version-intensity <0-9> <target> - Version intensity</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -sC <target> - Default scripts (safe)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script <script> <target> - Run specific script</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script-updatedb - Update script database</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script-help <script> - Script help</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Operating System Detection</h2>
|
|
<ul>
|
|
<li>nmap -O <target> - OS detection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -O --osscan-guess <target> - Aggressive OS detection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -A <target> - Aggressive scan (OS, version, script, traceroute)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Output Options</h2>
|
|
<ul>
|
|
<li>nmap -oN <file> <target> - Normal output to file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -oX <file> <target> - XML output to file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -oS <file> <target> - Script kiddie output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -oG <file> <target> - Grepable output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -oA <basename> <target> - All formats (normal, XML, grepable)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -v <target> - Verbose output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -vv <target> - Very verbose output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -d <target> - Debug output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -dd <target> - More debug output</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Common Scan Scripts</h2>
|
|
<ul>
|
|
<li>nmap --script vuln <target> - Vulnerability scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script auth <target> - Authentication scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script brute <target> - Brute force scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script discovery <target> - Discovery scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script dos <target> - Denial of service scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script exploit <target> - Exploit scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script safe <target> - Safe scripts (default)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script http-enum <target> - HTTP enumeration</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --script ssh-brute <target> - SSH brute force</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Useful Scan Examples</h2>
|
|
<h3>Quick Scan</h3>
|
|
<pre><code>nmap -sn 192.168.1.0/24</code></pre>
|
|
<p>Ping scan of local network.</p>
|
|
<h3>Comprehensive Scan</h3>
|
|
<pre><code>nmap -sS -sV -O -A -p- <target></code></pre>
|
|
<p>Stealth scan with version detection, OS detection, and all ports.</p>
|
|
<h3>Fast Scan</h3>
|
|
<pre><code>nmap -F -T4 <target></code></pre>
|
|
<p>Fast scan of top 100 ports.</p>
|
|
<h3>Stealth Scan</h3>
|
|
<pre><code>nmap -sS -T2 <target></code></pre>
|
|
<p>Slower SYN scan to avoid detection.</p>
|
|
<h3>Service Detection</h3>
|
|
<pre><code>nmap -sV -p 80,443,8080 <target></code></pre>
|
|
<p>Version detection on common web ports.</p>
|
|
<hr>
|
|
<h2>Target Specification</h2>
|
|
<ul>
|
|
<li>nmap 192.168.1.1 - Single IP</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap 192.168.1.1-100 - IP range</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap 192.168.1.0/24 - CIDR notation</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -iL <file> - Target list from file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap example.com - Hostname</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap 192.168.1.1 192.168.1.2 - Multiple targets</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Firewall Evasion</h2>
|
|
<ul>
|
|
<li>nmap -f <target> - Fragment packets</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -D <decoy1,decoy2> <target> - Use decoy hosts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -S <source_ip> <target> - Spoof source IP</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -e <interface> <target> - Use specific interface</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap -g <port> <target> - Use source port</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --proxies <proxy> <target> - Use proxy</li>
|
|
</ul>
|
|
<ul>
|
|
<li>nmap --data-length <num> <target> - Add random data</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Configuration</h2>
|
|
<h3>Config File Location</h3>
|
|
<ul>
|
|
<li>`~/.nmaprc` - User configuration file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>`/etc/nmap/nmap.conf` - System configuration file</li>
|
|
</ul>
|
|
<h3>Example Configuration</h3>
|
|
<pre><code># Default scan type
|
|
-oA /tmp/nmap-scan
|
|
# Default port list
|
|
--top-ports 1000</code></pre>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use -sS (SYN scan) for stealth when possible (requires root)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -T4 for faster scans on trusted networks</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -sV to identify services and versions</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --script for automated vulnerability checks</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -oA to save results in multiple formats</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Always use nmap responsibly and only on networks you own/have permission</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -sn for quick host discovery without port scanning</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -p to target specific ports (saves time)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use CIDR notation for network scanning: 192.168.1.0/24</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Save output with -oA for later analysis</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Combine scan options: -sS -sV -O for comprehensive scan</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --script-help to learn about available scripts</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Be aware of scan timing (T0-T5) to avoid detection or overload</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -Pn when hosts block ping</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html> |