NMAP Cheat Sheet

1. Ping Sweep

When you Ping you can only Ping a single host at a time but suppose you are on a companies internal network and you want to check how many host are live so it will take a lot of time to ping each host and check they are live or not so there comes in Ping Sweep which can ping all the host present in the network range given by user. Nmap Command for doing this will be-

  • nmap -sn 192.168.1.1/24

2. Tcp-Syn Ping Scan

In this we are sending TCP-SYN Packets to all the machines present in the network which means that we are initiating 3 way handshake and if the device is online or the port is open we will receive SYN-ACK packet and if the machine is offline or port is closed we will receive RST. Nmap command for this will be-

  • nmap -PS 192.168.1.1/24

3. UDP Ping Scan

In this we are going to send empty UDP Packet and if the host is live then we will receive ICMP port unreachable and if the host is offline we will receive various ICMP Error messages. Nmap Command for this will be-

  • nmap -PU 192.168.1.1/24

4. ARP Ping Scan

In this we send the request like “who has 192.168.1.1 ? Tell 192.168.1.51” so here the 192.168.1.51 is the IP address of your machine so if the host is up the response will be like “192.168.1.1 is at 00:00:00:00:00:00” and if the host is not up then there will be no response. Nmap Command for this will be-

  • nmap -PR 192.168.1.1/24

5. ICMP Echo Ping

In this we send ICMP Echo packet to the host and if we receive a ICMP Echo reply that means the host is up otherwise the host is not up. Nmap Command for this will be -

  • nmap -PE 192.168.1.1/24

Note- Now nobody uses ICMP Echo Ping because almost all the firewall block the ICMP requests.

6. Traceroute

Traceroute is used to tell us all the hops present between our machine and the target machine or we can say it tells us what path our request is following to reach the target. Nmap Command for this will be-

  • nmap -sn 192.168.1.5 - -traceroute

7. Port Scanning Range

If you want to scan the host for the particular port range then you can use the following Nmap Command-

  • nmap -p 1–1000 192.168.1.51

8. TCP Connect Scan

In this scan nmap confirm that a port is open or not by completing 3 way handshake with the target IP so for each port it will complete 3 way handshake then only it will come to a conclusion. So command for this will be-

  • nmap -sT 192.168.1.51

9. Stealth Scan

In this scan nmap send the SYN Packet and if it receives the ACK Packet means the port is open and it will send the RST Packet and reset the connection it will not complete the 3 way handshake. This scan is used to bypass the firewall. The Command for this will be -

  • nmap -sS 192.168.1.51

10. Operating System Detection & Service Detection

Operating system detection and service detection are two different things from the name we can understand that OS detection is used to identify the Operating system running on the target machine where as the service detection is used to detect the different services running on the different ports “-O” is for OS detection “-sV” is for service detection. Command for this will be-

  • namp -sS -0 -sV 192.168.1.123

11. Aggressive Scan

This scan is combination of Operating System Detection, Service Version Detection and the script scan. This is very noisy and fast scan. Command for this will be-

  • nmap -sS -A 192.168.1.123

12. Reason Option

This Flag in nmap is used to tell that how nmap came to a conclusion that the port is open or not. We can say that it tells the method used by nmap to reach an conclusion. Command for this will be-

  • nmap -sS -A 192.168.123 --reason

13. Output and logging

This Flag helps you to parse the nmap scan results into 3 different file format i.e “.gnmap (grepable format) , .nmap(human readable format), .xml”. so that you can access it later also. Command for this will be-

  • nmap -sS -A 192.168.123 -oA filename

14. Firewall evasion using Packet Fragmentation

The Packet Fragmentation means the packets are divided into fragments and then sent once they reach the target they will reassemble themselves. Command for this will be-

  • nmap -sS -f 192.168.1.122

15. Firewall evasion by Specifying Maximum Transmission Unit (MTU)

In Packet Fragmentation the packets are fragmented into 8bytes but in MTU you can decide or experiment with the packet fragment size according to your target. Command for that will be(here the fragmented packets will of 16bytes)-

  • nmap --mtu 16 192.168.1.122

16. Firewall evasion using IP Decoys

IP Decoys are used to spoof our IP address you can set something yourself or you can set it to RND (Randomize) that will do the work for you. Command for this will be( so the spoofed IP i am using is 192.168.1.1)-

  • nmap -sS -D 192.168.1.1 192.168.1.122

17. Firewall evasion using Scan Delay

In this what nmap does is that instead of sending alot of packets together or we can say instead of generating a huge network traffic all at once it will send the packets with some delay so that the Firewall will not be able to detect. we can set the threshold and decide the time interval between each packet according to us. Command will be(here the threshold is set to 10 seconds)-

  • nmap -sS -A 192.168.1.123 --scan-delay 10s

18. Geo location Enumeration along with Traceroute

Using this nmap script we can find out the Geo-Location of each and every hop Present in the Traceroute. Command for this will be-

  • nmap -sn --traceroute --script traceroute-geolocation 192.168.1.23

19. SMTP Enumeration

We can enumerate User accounts if that functionality is enabled on the target, if there is open-relay then we can bypass authentication and much more can be done using nmap scripts. Command for running the “smtp-commands” script from the nmap scripts will be-

  • nmap -p25 --script smtp-commands 192.168.1.123

20. HTTP Enumeration- Finding hidden File & directories

We can use HTTP enumeration scripts from nmap to find out the hidden files and directories of the target. command for that will be-

  • nmap -sV -p 80 --script http-enum 192.168.1.123

21. Vulnerability scanning with NMAP

We can perform a vulnerability scan on the target by using nmap’s vulners script and this will check for the cve’s according to the service running on the port and display the output. Command for using this will be-

  • nmap -sV -p21–8080 --script vulners 192.168.1.123

So that was all about NMAP i hope u find it useful!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store