Skip to main content

NMAP Cheat sheet - Basic and Advanced commands

Nmap Target Selection

Scan a single IPnmap 192.168.1.1
Scan a hostnmap www.testhostname.com
Scan a range of IPsnmap 192.168.1.1-20
Scan a subnetnmap 192.168.1.0/24
Scan targets from a text filenmap -iL list-of-ips.txt
These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.

Nmap Port Selection

Scan a single Portnmap -p 22 192.168.1.1
Scan a range of portsnmap -p 1-100 192.168.1.1
Scan 100 most common ports (Fast)nmap -F 192.168.1.1
Scan all 65535 portsnmap -p- 192.168.1.1

Nmap Port Scan types

Scan using TCP connectnmap -sT 192.168.1.1
Scan using TCP SYN scan (default)nmap -sS 192.168.1.1
Scan UDP portsnmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discoverynmap -Pn -F 192.168.1.1
Privileged access is required to perform the default SYN scans. If privileges are insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be established and therefore is a slower scan. Ignoring discovery is often required as many firewalls or hosts will not respond to PING, so could be missed unless you select the -Pn parameter. Of course this can make scan times much longer as you could end up sending scan probes to hosts that are not there.
Take a look at the Nmap Tutorial for a detailed look at the scan process.

Service and OS Detection

Detect OS and Servicesnmap -A 192.168.1.1
Standard service detectionnmap -sV 192.168.1.1
More aggressive Service Detectionnmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detectionnmap -sV --version-intensity 0 192.168.1.1
Service and OS detection rely on different methods to determine the operating system or service running on a particular port. The more aggressive service detection is often helpful if there are services running on unusual ports. On the other hand the lighter version of the service will be much faster as it does not really attempt to detect the service simply grabbing the banner of the open service.

Nmap Output Formats

Save default output to filenmap -oN outputfile.txt 192.168.1.1
Save results as XMLnmap -oX outputfile.xml 192.168.1.1
Save results in a format for grepnmap -oG outputfile.txt 192.168.1.1
Save in all formatsnmap -oA outputfile 192.168.1.1
The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.

Digging deeper with NSE Scripts

Scan using default safe scriptsnmap -sV -sC 192.168.1.1
Get help for a scriptnmap --script-help=ssl-heartbleed
Scan using a specific NSE scriptnmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scriptsnmap -sV --script=smb* 192.168.1.1
According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.
The option --script-help=$scriptname will display help for the individual scripts. To get an easy list of the installed scripts try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE scripts will be more effective and you will get better coverage by including service detection.

A scan to search for DDOS reflection UDP services

Scan for UDP DDOS reflectorsnmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24
UDP based DDOS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place. Full details of the command and the background can be found on the Sans Institute Blog where it was first posted.

HTTP Service Information

Gather page titles from HTTP servicesnmap --script=http-title 192.168.1.0/24
Get HTTP headers of web servicesnmap --script=http-headers 192.168.1.0/24
Find web apps from known pathsnmap --script=http-enum 192.168.1.0/24
There are many HTTP information gathering scripts, here are a few that are simple but helpful when examining larger networks. Helps in quickly identifying what the HTTP service is that is running on the open port. Note the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generated hundreds of 404 HTTP responses in the web server error and access logs.

Detect Heartbleed SSL Vulnerability

Heartbleed Testingnmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (Requires Nmap 6.46).

IP Address information

Find Information about IP addressnmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24
Gather information related to the IP address and netblock owner of the IP address. Uses ASN, whois and geoip location lookups. See the IP Tools for more information and similar IP address and DNS lookups.

Remote Scanning

Testing your network perimeter from an external perspective is key when you wish to get the most accurate results. By assessing your exposure from the attackers perspective you can validate firewall rule audits and understand exactly what is allowed into your network. This is the reason we offer a hosted or online version of the Nmap port scanner. To enable remote scanning easily and effectively because anyone who has played with shodan.io knows very well how badly people test their perimeter networks.

Additional Resources

The above commands are just a taste of the power of Nmap. Check out the full set of features by running Nmap with no options. The creator of Nmap Fyodor has a book available that covers the tool in depth. You could also check out our Nmap Tutorial that has more information and tips.

Comments

Post a Comment

Popular posts from this blog

How to remove zabbix-agent from Ubuntu 16.04 (Xenial Xerus)

Uninstall zabbix-agent To remove just zabbix-agent package itself from Ubuntu 16.04 (Xenial Xerus) execute on terminal: sudo apt-get remove zabbix-agent Uninstall zabbix-agent and it's dependent packages To remove the zabbix-agent package and any other dependant package which are no longer needed from Ubuntu Xenial. sudo apt-get remove --auto-remove zabbix-agent Purging zabbix-agent If you also want to delete configuration and/or data files of zabbix-agent from Ubuntu Xenial then this will work: sudo apt-get purge zabbix-agent To delete configuration and/or data files of zabbix-agent and it's dependencies from Ubuntu Xenial then execute: sudo apt-get purge --auto-remove zabbix-agent

Install Zabbix Agent on Suse Linux and Configure

Install taken from Suse –  http://software.opensuse.org/download/package?project=server:monitoring&package=zabbix-agent For SLE 12 SP1 run the following as root : zypper addrepo http://download.opensuse.org/repositories/server:monitoring/SLE_12_SP1/server:monitoring.repo zypper refresh zypper install zabbix-agent For SLE 12 run the following as root : zypper addrepo http://download.opensuse.org/repositories/server:monitoring/SLE_12/server:monitoring.repo zypper refresh zypper install zabbix-agent For SLE 11 SP4 run the following as root : zypper addrepo http://download.opensuse.org/repositories/server:monitoring/SLE_11_SP4/server:monitoring.repo zypper refresh zypper install zabbix-agent For SLE 11 SP3 run the following as root : zypper addrepo http://download.opensuse.org/repositories/server:monitoring/SLE_11_SP3/server:monitoring.repo zypper refresh zypper install zabbix-agent To configure the agent – Instructions t...

Zabbix alert Notification with Telegram

Zabbix Notifications with graphs in Telegram. Features  Graphs based on latest data are sent directly to your messenger  You can send messages both in private and group chats  Channels support  Saves chatid as a temporary file  Simple markdown and HTML are supported  Emoji in messages First of all : Nedd to install python (>3) on Cent os  # yum -y install python-pip # yum install -y https://centos7.iuscommunity.org/ius-release.rpm #  yum install -y python34u python34u-libs python34u-devel python34u-pi # yum -y install python-pip You need to install the  requests  module for python, this is required for operation! # pip install requests Put  zbxtg.py  in your  AlertScriptsPath  directory, the path is set inside your zabbix_server.conf (once confirm by zabbix server conf file ) Link to download ZBXTG.PY file  https://drive.google.com/open?i...