Nmap Cheat Sheet
Posted by WebDeveloper, Oct 21st, 2022 (edited)

Source: https://www.comparitech.com/net-admin/nmap-nessus-cheat-sheet/

-------------------------------------------------------------------------------

Scanning command syntax

nmap [scan types] [options] {target specification}

Port specification options

Syntax      Example                                   Description
-p          nmap -p 23 172.16.1.1                     Scan a single port
-p          nmap -p 23-100 172.16.1.1                 Scan a port range
-p          nmap -p U:110,T:23-25,443 172.16.1.1      Mixed port types: U: prefix for UDP, T: for TCP (the prefix applies to every later item until the next prefix)
-p-         nmap -p- 172.16.1.1                       Scan all 65535 ports
-p          nmap -p smtp,https 172.16.1.1             Scan ports by service name (looked up in nmap-services)
-F          nmap -F 172.16.1.1                        Fast scan: only the 100 most common ports
-p "*"      nmap -p "*ftp*" 172.16.1.1                Scan every port whose service name matches the wildcard
-r          nmap -r 172.16.1.1                        Scan ports sequentially instead of in random order

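To make the -p grammar above concrete, here is an added Python example (not code from the cheat sheet, from comparitech or from the Nmap project) that expands a -p string into (protocol, port) pairs the way the rows above describe: comma-separated ports and ranges, T:/U: prefixes that stay in force for later items, "-" alone for all ports. It goes a little beyond the rows by also accepting the S:/P: qualifiers and open-ended ranges ("-100" means 1-100, "1000-" means 1000-65535), which nmap accepts too; service names such as smtp or "*ftp*" are rejected because resolving them needs nmap's services table. All function and variable names are my own.

```python
"""Expand an nmap -p port specification into (protocol, port) pairs.

Added example; this is not nmap's own code.  It implements the -p grammar
shown in the cheat sheet: comma-separated ports and ranges, optional T:/U:
(and S:/P:) qualifiers that stay in force until the next qualifier, a lone
'-' for all ports, and open-ended ranges.  Service names are not resolved
here (that needs the nmap-services table) and raise ValueError.
"""
import re

PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
RANGE_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_port_spec(spec: str, default_proto: str = "tcp") -> list[tuple[str, int]]:
    """Return the (protocol, port) list a -p string selects, in the order given.

    default_proto applies to items that come before any qualifier; nmap itself
    derives it from the scan type (tcp for -sS/-sT, udp for -sU alone)."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty port specification")
    if spec == "-":                         # nmap -p-  : every port 1-65535
        spec = "1-65535"

    proto = default_proto
    ports: list[tuple[str, int]] = []
    seen: set[tuple[str, int]] = set()

    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        # A qualifier such as 'T:22' switches the protocol for this and all later items.
        if len(item) > 1 and item[1] == ":" and item[0] in PROTOCOLS:
            proto = PROTOCOLS[item[0]]
            item = item[2:]
            if not item:
                raise ValueError("protocol qualifier without a port list")
        m = RANGE_RE.match(item)
        if m:                               # 'a-b', '-b' (from 1) or 'a-' (to 65535)
            lo = int(m.group(1)) if m.group(1) else 1
            hi = int(m.group(2)) if m.group(2) else 65535
        elif item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError(f"service names are not supported here: {item!r}")
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        for port in range(lo, hi + 1):
            key = (proto, port)
            if key not in seen:             # a port listed twice is scanned once
                seen.add(key)
                ports.append(key)
    return ports


def summarize(spec: str, default_proto: str = "tcp") -> dict[str, int]:
    """Count selected ports per protocol, e.g. {'udp': 1, 'tcp': 4} for 'U:110,T:23-25,443'."""
    counts: dict[str, int] = {}
    for proto, _ in parse_port_spec(spec, default_proto):
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    for s in ("23", "23-100", "U:110,T:23-25,443", "-", "-100", "1000-"):
        print(f"{s:20} -> {summarize(s)}")
```

The important detail for reading the third row of the table is that the qualifier is sticky: in "U:110,T:23-25,443" the final 443 is a TCP port because "T:" is still in force, which is exactly what the parser reproduces.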
Host/target discovery

Switch    Example                           Description
-sL       nmap 172.16.1.1-5 -sL             List targets without scanning them
-sn       nmap 172.16.1.1/8 -sn             Host discovery only; disable port scanning
-Pn       nmap 172.16.1.1-8 -Pn             Port scan only; skip host discovery and treat every target as up
-PS       nmap 172.16.1.185 -PS22-25,80     TCP SYN discovery on the specified ports
-PA       nmap 172.16.1.185 -PA22-25,80     TCP ACK discovery on the specified ports
-PU       nmap 172.16.1.1-8 -PU53           UDP discovery on the specified port
-PR       nmap 172.16.1.0/24 -PR            ARP discovery within the local network
-n        nmap 172.16.1.1 -n                No DNS resolution

Scanning types

Switch    Example                   Description
-sS       nmap 172.16.1.1 -sS       TCP SYN port scan
-sT       nmap 172.16.1.1 -sT       TCP connect port scan
-sA       nmap 172.16.1.1 -sA       TCP ACK port scan
-sU       nmap 172.16.1.1 -sU       UDP port scan
-sF       nmap -sF 172.16.1.1       TCP FIN scan
-sX       nmap -sX 172.16.1.1       Xmas scan
-sP       nmap -sP 172.16.1.1       Ping scan (older name for -sn)
-sL       nmap -sL 172.16.1.1       List scan

Version detection

Switch                     Example                                      Description
-sV                        nmap 172.16.1.1 -sV                          Probe open ports to determine the service and version running on them
-sV --version-intensity    nmap 172.16.1.1 -sV --version-intensity 6    Set the probe intensity; level range 0 to 9
-sV --version-all          nmap 172.16.1.1 -sV --version-all            Set the intensity level to 9 (every probe is tried)
-sV --version-light        nmap 172.16.1.1 -sV --version-light          Light mode (intensity level 2): faster, less thorough
-A                         nmap 172.16.1.1 -A                           Enables OS detection, version detection, script scanning, and traceroute
-O                         nmap 172.16.1.1 -O                           Remote OS detection

Target specification

Example                                     Description
nmap 172.16.1.1                             Scan a single IP
nmap 172.16.1.1 172.16.100.1                Scan specific IPs
nmap 172.16.1.1-254                         Scan a range of IPs
nmap xyz.org                                Scan a domain
nmap 10.1.1.0/8                             Scan using CIDR notation
nmap -iL scan.txt                           Scan the targets listed in a file
nmap 172.16.1.0/24 --exclude 172.16.1.1     Exclude the specified IPs from the scan

Use of Nmap scripts (NSE)

Example                                       Description
nmap --script=<script-name> 172.16.1.0/24     Run the named script against the target range
nmap --script-updatedb                        Update the script database after adding new scripts
nmap -sV -sC 172.16.1.1                       Run the safe default script set together with version detection
nmap --script-help=<script-name>              Show the help text for a script

Firewall proofing

Example                                  Description
nmap -f [target]                         Fragment packets
nmap --mtu [MTU] [target]                Specify the MTU used for fragmentation
nmap -sI [zombie] [target]               Idle scan through a zombie host
nmap --source-port [port] [target]       Specify the source port manually
nmap --data-length [size] [target]       Append random data to the sent packets
nmap --randomize-hosts [target]          Randomize the target scan order
nmap --badsum [target]                   Send packets with a bad checksum

Nmap output formats

Format              Example
Default/normal      nmap -oN scan.txt 172.16.1.1
XML                 nmap -oX scan.xml 172.16.1.1
Grepable            nmap -oG grep.txt 172.16.1.1
All formats         nmap -oA scan 172.16.1.1     (writes scan.nmap, scan.xml and scan.gnmap)

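The grepable (-oG) format above is the one meant for post-processing, and the output parser is the piece a defender actually wants: something that turns a periodic scan into an alert when a host exposes a port it is not supposed to. The following Python is an added example (not code from the cheat sheet, from comparitech or from nmap) that parses -oG output into hosts and port entries and compares each host's open ports with a per-host allowlist. The -oG layout it relies on is nmap's documented one: one line per host, tab-separated fields, and port entries of the form port/state/protocol/owner/service/rpcinfo/version/ separated by ", ". The sample scan output, host names and allowlist are constructed for this example.

```python
"""Parse nmap grepable (-oG) output and flag open ports outside an allowlist.

Added example, not part of the cheat sheet or of nmap.  The -oG format: one
line per host, tab-separated fields 'Host: <ip> (<name>)', 'Ports: ...' and
'Ignored State: ...'; each port entry is
port/state/protocol/owner/service/rpcinfo/version/ and entries are separated
by ', '.  Lines starting with '#' are comments.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of what 'nmap -sV -oG grep.txt 172.16.1.0/24' might write;
# it is not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated Fri Oct 21 10:00:00 2022 as: nmap -sV -oG grep.txt 172.16.1.0/24
Host: 172.16.1.1 (gw.example.test)\tStatus: Up
Host: 172.16.1.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/, 53/closed/tcp//domain///\tIgnored State: filtered (997)
Host: 172.16.1.20 ()\tStatus: Up
Host: 172.16.1.20 ()\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 25/filtered/tcp//smtp///\tIgnored State: closed (997)
# Nmap done at Fri Oct 21 10:01:30 2022 -- 256 IP addresses (2 hosts up) scanned in 90.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass
class Port:
    number: int
    state: str
    protocol: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    ports: list = field(default_factory=list)


def parse_port_entry(entry: str) -> Port:
    """'22/open/tcp//ssh//OpenSSH 8.2p1/' -> Port(22, 'open', 'tcp', 'ssh', 'OpenSSH 8.2p1')."""
    # Seven fields, then an empty string after the trailing '/'.  nmap replaces
    # '/' inside service and version strings with '|', so a plain split is safe.
    fields = entry.strip().split("/")
    if len(fields) < 7:
        raise ValueError(f"malformed port entry: {entry!r}")
    number, state, proto, _owner, service, _rpc, version = fields[:7]
    return Port(int(number), state, proto, service, version)


def parse_gnmap(text: str) -> dict[str, Host]:
    """Return hosts keyed by IP; the Status and Ports lines of one IP are merged."""
    hosts: dict[str, Host] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                          # '# Nmap ...' comment lines
        m = HOST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable host line: {line!r}")
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip, name))
        for fld in line.split("\t")[1:]:      # remaining tab-separated fields
            if fld.startswith("Ports: "):
                for entry in fld[len("Ports: "):].split(", "):
                    host.ports.append(parse_port_entry(entry))
    return hosts


def open_ports(hosts: dict[str, Host]) -> dict[str, list[tuple[str, int]]]:
    """Map each IP to its open (protocol, port) pairs; this is what a baseline is built from."""
    return {
        ip: sorted((p.protocol, p.number) for p in h.ports if p.state == "open")
        for ip, h in hosts.items()
    }


def unexpected_open(hosts: dict[str, Host],
                    allowed: dict[str, set[tuple[str, int]]]) -> dict[str, list[tuple[str, int]]]:
    """Open ports missing from the per-host allowlist; a host with no allowlist entry has everything flagged."""
    findings: dict[str, list[tuple[str, int]]] = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    baseline = {"172.16.1.1": {("tcp", 22), ("tcp", 443)}}   # constructed allowlist
    for ip, extra in unexpected_open(scanned, baseline).items():
        print(f"{ip}: unexpected open ports {extra}")
```

Run against a real grep.txt by replacing SAMPLE_GNMAP with the file's contents; the same parser also reads the .gnmap file that -oA writes. With the constructed sample, the gateway matches its baseline and the second host, which has no baseline entry, is reported with telnet and RDP open.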
Scan options

Syntax                            Description
nmap -sP 172.16.1.1               Ping scan only
nmap -PU 172.16.1.1               UDP ping scan
nmap -PE 172.16.1.1               ICMP echo ping
nmap -PO 172.16.1.1               IP protocol ping
nmap -PR 172.16.1.1               ARP ping
nmap -Pn 172.16.1.1               Scan without pinging
nmap --traceroute 172.16.1.1      Traceroute

Nmap timing options

Syntax                   Description
nmap -T0 172.16.1.1      Paranoid: slowest scan
nmap -T1 172.16.1.1      Sneaky: slow scan intended to avoid IDS alerts
nmap -T2 172.16.1.1      Polite: slower than the default, uses less bandwidth
nmap -T3 172.16.1.1      Normal: the default timing template
nmap -T4 172.16.1.1      Aggressive scan
nmap -T5 172.16.1.1      Insane: very aggressive scan

Miscellaneous commands

Syntax                                                Description
nmap -6 <ipv6-target>                                 Scan IPv6 targets
nmap --proxies <proxy1-url>,<proxy2-url> <target>     Relay connections through the listed chain of proxies
nmap --open <target>                                  Show open ports only

Nmap + Nessus cheat sheet

If you also use Nessus with Nmap, the three tables below add Nessus installation, client and server commands to the Nmap tables above.

Nessus installation and usage

Command                                       Description
# apt-get install nessus                      Installation
# nessus-adduser                              Add an administrator for the application
# nessus-update-plugins                       Update components (plugins)
# /etc/init.d/nessusd start                   Start Nessus
# netstat -luntp   or   # netstat -lantp      Check the port Nessus is listening on

Nessuscli

Syntax                              Description
nessus -h                           Display help
nessus -q                           Run in batch mode
nessus --list-policies              List the policies included in the .nessus configuration file
nessus --list-reports               List the report names included in the .nessus configuration file
nessus -p                           List the plugins available on the server
nessus --policy-name <policy>       Specify the policy to use when a scan is started from the command line
nessus -T <format>                  Specify the output report format (html, text, nbe, nessus)
nessus --target-file <file>         Use the scan targets in the file instead of those in the default .nessus file
nessus -x                           Do not check SSL certificates

Nessus server commands

Syntax                                Description
nessus-service -a <ip address>        Listen on the specified IP address only
nessus-service -c <config file>       Use the given server-side configuration file instead of the default
nessus-service -D                     Run the server in the background
nessus-service -h                     List a summary of nessus-service options
nessus-service --ipv4-only            Listen on IPv4 only
nessus-service --ipv6-only            Listen on IPv6 only
nessus-service -K                     Configure the master password for the Nessus scanner
nessus-service -p <port>              Listen on the specified port rather than the default port 1241
nessus-service -q                     Run in quiet mode
