# `nmap` command syntax
```bash
nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
```
- scans top 2000 ports by default
# Basic Scanning Switches
| Nmap Switch | Description |
| :---------- | :-------------------------- |
| **-sV** | service version scan |
| **-sC** | common scripts scan |
| **-sA** | ACK scan |
| **-sF** | FIN scan |
| **-sI** | IDLE scan |
| **-sL** | DNS scan (a.k.a. list scan) |
| **-sN** | NULL scan |
| **-sO** | Protocol scan |
| **-sP** | Ping scan |
| **-sR** | RPC scan |
| **-sS** | SYN scan |
| **-sT** | TCP connect scan |
| **-sW** | Window scan |
| **-sX** | XMAS scan |
# Output Options
| Nmap Switch | Description |
| :---------- | :------------------------------------------- |
| `-oN` | Normal output |
| `-oG` | Grepable format |
| `-oX` | XML output |
| `-oA` | Normal, XML, and Grepable format all at once |
### Scan a Single Target
```shell
nmap [target]
```
### Scan Multiple Targets
```shell
nmap [target1] [target2] [etc]
```
### Scan a List of Targets
```shell
nmap -iL [list.txt]
```
### Scan a Range of Hosts
```shell
nmap [range of IP addresses]
```
### Scan an Entire Subnet
```shell
nmap [ip address/cidr]
```
### Scan an IPv6 Target
```shell
nmap -6 [target]
```
## Port Scanning Options
### Perform a Fast Scan
```shell
nmap -F [target]
```
### Scan Specific Ports
```shell
nmap -p [port(s)] [target]
```
### Scan Ports by Name
```shell
nmap -p [port name(s)] [target]
```
### Scan Ports by Protocol
```shell
nmap -sU -sT -p U:[ports],T:[ports] [target]
```
### Scan All Ports
```shell
nmap -p 1-65535 [target]
nmap -p- [target]
```
### Scan Top Ports
```shell
nmap --top-ports [number] [target]
```
## Host Discovery Options
- The `-P` switch determines the type of ping to perform.

| Nmap Switch | Description |
|:------------|:----------------------------|
| **-PI** | ICMP ping |
| **-P0** | No ping |
| **-PS** | SYN ping |
| **-PT** | TCP ping |
### Perform a Ping Only Scan
```shell
nmap -sn [target]
```
### Do Not Ping
```shell
nmap -Pn [target]
```
### TCP SYN Ping
```shell
nmap -PS [target]
```
### TCP ACK Ping
```shell
nmap -PA [target]
```
### UDP Ping
```shell
nmap -PU [target]
```
### SCTP INIT Ping
```shell
nmap -PY [target]
```
### ICMP Echo Ping
```shell
nmap -PE [target]
```
### ICMP Timestamp Ping
```shell
nmap -PP [target]
```
### ICMP Address Mask Ping
```shell
nmap -PM [target]
```
### IP Protocol Ping
```shell
nmap -PO [target]
```
### ARP ping
```shell
nmap -PR [target]
```
### Traceroute
```shell
nmap --traceroute [target]
```
### Force Reverse DNS Resolution
```shell
nmap -R [target]
```
### Disable Reverse DNS Resolution
```shell
nmap -n [target]
```
# Timing and Performance
- The `-T` switch specifies a timing template associated with varying speed and stealth.

| Nmap Switch | Description |
|:------------|:----------------------------|
| **-T0** | Serial, slowest scan |
| **-T1** | Serial, slow scan |
| **-T2** | Serial, normal speed scan |
| **-T3** | Parallel, normal speed scan |
| **-T4** | Parallel, fast scan |
### Set the Packet TTL
```shell
nmap --ttl [time] [target]
```
### Minimum Number of Parallel Operations
```shell
nmap --min-parallelism [number] [target]
```
### Maximum Number of Parallel Operations
```shell
nmap --max-parallelism [number] [target]
```
### Minimum Host Group Size
```shell
nmap --min-hostgroup [number] [targets]
```
### Maximum Host Group Size
```shell
nmap --max-hostgroup [number] [targets]
```
### Maximum RTT Timeout
```shell
nmap --max-rtt-timeout [time] [target]
```
### Initial RTT Timeout
```shell
nmap --initial-rtt-timeout [time] [target]
```
### Maximum Number of Retries
```shell
nmap --max-retries [number] [target]
```
### Host Timeout
```shell
nmap --host-timeout [time] [target]
```
### Minimum Scan Delay
```shell
nmap --scan-delay [time] [target]
```
### Maximum Scan Delay
```shell
nmap --max-scan-delay [time] [target]
```
### Minimum Packet Rate
```shell
nmap --min-rate [number] [target]
```
### Maximum Packet Rate
```shell
nmap --max-rate [number] [target]
```
### Defeat Reset Rate Limits
```shell
nmap --defeat-rst-ratelimit [target]
```
# Firewall/IDS Evasion and Spoofing
### Fragment Packets
```shell
nmap -f [target]
```
### Specify a Specific MTU
```shell
nmap --mtu [MTU] [target]
```
### Use a Decoy
```shell
nmap -D RND:[number] [target]
```
### Idle Zombie Scan
```shell
nmap -sI [zombie] [target]
```
### Manually Specify a Source Port
```shell
nmap --source-port [port] [target]
```
### Append Random Data
```shell
nmap --data-length [size] [target]
```
### Randomize Target Scan Order
```shell
nmap --randomize-hosts [target]
```
### Spoof MAC Address
```shell
nmap --spoof-mac [MAC|0|vendor] [target]
```
### Send Bad Checksums
```shell
nmap --badsum [target]
```
# Nmap Scripting Engine (NSE)
### Execute Individual Scripts
```shell
nmap --script [script.nse] [target]
```
### Execute Multiple Scripts
```shell
nmap --script [expression] [target]
```
### Execute Scripts by Category
```shell
nmap --script [category] [target]
```
### Execute Multiple Script Categories
```shell
nmap --script [category1,category2,etc] [target]
```
### Troubleshoot Scripts
```shell
nmap --script [script] --script-trace [target]
```
### Update the Script Database
```shell
nmap --script-updatedb
```