
title: CheatSheet Nmap
date: Jul 22, 2021
tags: Writeups DamCTF CTF_review Pwn Malware Misc Reverse Web EC2_2021 CheatSheets SQLi Programming Nmap Tools PyJails HeroCTF_v3 Steganography


NMAP






Various commands

-6 # IPv6 scanning
-T<0-5> # timing template (0 = slowest, 5 = fastest)
-A # aggressive mode (OS detection, version detection, default scripts, traceroute)
-v<level> # verbosity (default 0; -vv also works)
-f # fragment packets



Discovering

-sn # host discovery only, no port scan
--disable-arp-ping # disable the default ARP ping on local networks
-P* # host discovery probe types (-PE/-PP/-PM for ICMP, -PS/-PA/-PU for TCP/UDP; see below)

ARP ping scan

nmap -sn -PR <target-ip>

Information:


UDP ping scan

nmap -sn -PU <target-ip>

Information:


ICMP ECHO ping sweep

nmap -sn -PE <range-ip>

Information:


TCP SYN ping scan

nmap -sn -PS <target-ip>

Information:


TCP ACK ping scan

nmap -sn -PA <target-ip>

Information:


Other ping scan methods

nmap -Pn <target-ip> # skip host discovery, treat every host as up
nmap -sn -PP <target-ip> # ICMP Timestamp ping scan
nmap -sn -PM <target-ip> # ICMP Address Mask ping scan
nmap -sn -PO <target-ip> # IP protocol ping scan



Port Scanning

-p <port-range> # ports to scan (default: the 1000 most common ports)
-p- # scan all 65535 ports

List of ports: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml


TCP scan

nmap -sT <target-ip>

Information:


TCP Stealth scan

nmap -sS <target-ip>

Information:


TCP flags scan

nmap -sF <target-ip> # FIN
nmap -sN <target-ip> # NULL

Information:


TCP Xmas scan

nmap -sX <target-ip>

Information:


TCP Maimon scan

nmap -sM <target-ip>

Information:


TCP ACK scan

nmap -sA <target-ip>

Information:


TCP Window scan (ACK scan using the TCP window field)

nmap -sW <target-ip>

Information:


IDLE/IPID Header scan

nmap -sI <zombie-ip> <target-ip>

Information:


UDP scan

nmap -sU <target-ip>


SCTP INIT scan

nmap -sY <target-ip>


SCTP COOKIE ECHO scan

nmap -sZ <target-ip>


Other port scan methods

nmap --ttl <value> <target-ip> # set the IP TTL of sent packets, used for the ACK TTL scan (TTL < 64 = port open)

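From the defender's side of the TCP scan types listed above (NULL, FIN, Xmas, Maimon, SYN and ACK/Window): an added example, not part of the original cheat sheet, that classifies tcpdump-style lines by their TCP flag set and reports sources that probe with abnormal flag combinations or sweep several ports. The tcpdump line format handled and the sample capture are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed tcpdump line: "... IP <src>.<sport> > <dst>.<dport>: Flags [<letters>], ..."
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Flag sets of the scan types above. The first four never open a legitimate
# connection, so one probe is reported; SYN and bare ACK only once they sweep ports.
SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset("F"): "FIN scan (-sF)",
    frozenset("FPU"): "Xmas scan (-sX)",
    frozenset("FA"): "Maimon scan (-sM)",
    frozenset("S"): "SYN scan (-sS/-sT)",
    frozenset("A"): "ACK/Window scan (-sA/-sW)",
}
ALWAYS_REPORT = {frozenset(), frozenset("F"), frozenset("FPU"), frozenset("FA")}

def classify(line):
    """Return (src_ip, dst_port, frozenset of flag letters) or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, _sport, _dst, dport, field = m.groups()
    # tcpdump prints '.' for ACK and 'none' for an empty flag set
    flags = "" if field == "none" else field.replace(".", "A")
    return src, int(dport), frozenset(flags)

def detect_scans(lines, port_threshold=3):
    """Map (src_ip, scan label) -> number of distinct destination ports probed."""
    probed = defaultdict(set)
    for rec in filter(None, map(classify, lines)):
        src, dport, flags = rec
        if flags in SIGNATURES:
            probed[(src, flags)].add(dport)
    return {(src, SIGNATURES[f]): len(p) for (src, f), p in probed.items()
            if f in ALWAYS_REPORT or len(p) >= port_threshold}

# Constructed sample capture (not real traffic): an Xmas scan, one normal
# handshake (SYN then SYN/ACK, ignored), a SYN sweep over three ports, one Maimon probe.
SAMPLE = """\
12:00:01.000 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [FPU], seq 1, win 1024, length 0
12:00:01.001 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [FPU], seq 1, win 1024, length 0
12:00:02.000 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 2, win 64240, length 0
12:00:02.001 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 9, ack 3, win 65160, length 0
12:00:03.000 IP 10.0.0.8.33000 > 10.0.0.9.21: Flags [S], seq 3, win 1024, length 0
12:00:03.001 IP 10.0.0.8.33000 > 10.0.0.9.22: Flags [S], seq 3, win 1024, length 0
12:00:03.002 IP 10.0.0.8.33000 > 10.0.0.9.23: Flags [S], seq 3, win 1024, length 0
12:00:04.000 IP 10.0.0.6.1234 > 10.0.0.9.25: Flags [F.], seq 4, win 1024, length 0
""".splitlines()
```

Running detect_scans(SAMPLE) reports the Xmas source, the Maimon source and the three-port SYN sweep, while the single SYN of the normal handshake stays below the threshold.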


OS & Version scanning (Banner grabbing)

nmap -sV <target-ip> # service/version detection
nmap -O <target-ip> # OS detection
nmap -sC <target-ip> # default NSE script scan
nmap --script smb-os-discovery.nse <target-ip> # OS discovery via SMB



Scanning Beyond IDS & Firewall

nmap -g <source-port> <target-ip> # change the source port (same as --source-port)
nmap -D RND:<n> <target-ip> # use n random decoy IPs
nmap -D <decoy1>,<decoy2>,... <target-ip> # use the given decoy IPs (comma-separated, no spaces)



Interesting Course