Nmap Cheatsheet
A complete cheatsheet for the Nmap pentesting tool. Nmap (standing for Network Scanner) is a free and open-source tool used to discover hosts and services running on a machine’s ports or on a network.
Cheatsheet
Basic Usage
Syntax: nmap [SCAN TYPE] [OPTIONS] {TARGET}
Scan Types
Scan IP
nmap $IP
Scan Host
nmap hostname.com
Scan range of IPs
nmap IP-max
Ex.:
nmap 192.168.1.1-20
Scan Subnet
nmap IP/NUMBITS
Ex.:
nmap 192.168.1.0/24
Scan from file
nmap -iL list.txt
Port Selection
Single port
nmap -p 80 $IP
Most common ports (100)
nmap -F $IP
Range of ports
nmap -p min-max $IP
Ex.:
nmap -p 1-100 $IP
All ports
nmap -p- $IP
Port Scan Types
TCP Connect
nmap -sT $IP
TCP SYN scan
Default when Nmap has raw-socket privileges (run as root); unprivileged runs fall back to the TCP connect scan (-sT)
nmap -sS $IP
UDP
nmap -sU $IP
Service and OS detection
Aggressive Scan
nmap -A $IP
Version Detection
nmap -sV $IP
Scripts
Scripts (NSE) help obtain more specific results.
Syntax
nmap --script=SCRIPT $IP
OR
nmap --script=SCRIPT1,SCRIPT2,SCRIPT3 $IP
Most Used
Script's name/ID | Script's purpose
---|---
default (or -sC flag) | Default script set
vuln | Vulnerability scan
http-enum | HTTP enumeration
http-grep | HTTP search
smb-enum-shares | SMB shares enumeration
smb-enum-users | SMB users enumeration
ftp-anon | Detect FTP anonymous login
ssh-brute | SSH bruteforce
ftp-brute | FTP bruteforce
dns-brute | DNS discovery (bruteforce)
http-wordpress-enum | Enumerate WordPress plugins and themes
mysql-empty-password | Detect if login to MySQL without a password is possible
mysql-users | Enumerate MySQL users
mysql-brute | Bruteforce MySQL
Passing a Wordlist to Bruteforce Script
Ex.:
nmap --script=ssh-brute --script-args userdb=usernames.lst,passdb=passwords.lst $IP
IP Address Information
nmap --script=asn-query,whois,ip-geolocation-maxmind $IP
Set of Scripts
Ex.:
nmap --script="smb*" $IP
Help (shows the description of a script or category; no target is needed)
Ex.:
nmap --script-help=vuln
Output to a File
Default
nmap -oN OUTPUT_FILE $IP
XML
nmap -oX OUTPUT_FILE $IP
Grep ready
nmap -oG OUTPUT_FILE $IP
All
nmap -oA OUTPUT_FILE $IP
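A small parser for the grepable (-oG) format listed above, added here as an example and not part of the original cheatsheet. The scan lines it reads are constructed, not real results; each port entry in a "Ports:" line has the shape port/state/proto/owner/service/rpc/version/.

```python
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output for this example; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.11 (fileserver.lan)\tStatus: Up
Host: 192.168.1.11 (fileserver.lan)\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.x/, 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

# Field order inside one port entry of a grepable "Ports:" line.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Return {ip: [port records]} for every 'Ports:' line in grepable output."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        # Comment lines and 'Status:' lines carry no port data.
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        # Everything between "\tPorts:" and the next tab (e.g. "\tIgnored State: ...").
        ports_blob = line.split("\tPorts:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_blob.split(", "):
            # Nmap replaces '/' inside version strings with '|', so splitting on '/' is safe.
            fields = entry.split("/")
            rec = dict(zip(PORT_FIELDS, fields))
            rec["port"] = int(rec["port"])
            hosts[ip].append(rec)
    return dict(hosts)


def open_ports(hosts, ip):
    """Open port numbers for one host, in the order Nmap reported them."""
    return [p["port"] for p in hosts.get(ip, []) if p["state"] == "open"]


def hosts_with_service(hosts, service):
    """Sorted IPs exposing the given service name on an open port."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p["state"] == "open" and p["service"] == service for p in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip in scan:
        print(ip, open_ports(scan, ip))
    print("mysql exposed on:", hosts_with_service(scan, "mysql"))
```

The same functions work on a real scan.gnmap file by passing its contents instead of the constructed sample.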
Skip host discovery (useful when a firewall, e.g. the Windows one, drops ping probes so the host looks down)
nmap -Pn $IP
Verbosity
Verbose
nmap -v $IP
Very Verbose
nmap -vv $IP
Personal Favorites
Default Scan
nmap -vv -sC -sV -oN nmap.log $IP
Complete Scan
nmap -vv -A -p- -oN nmap-complete.log $IP
Vulnerability Scan
nmap -vv --script vuln -oN nmap-vuln.log $IP
HTTP Scan
nmap -vv --script "http*" -oN nmap-http.log $IP
MySQL Scan
nmap -vv --script "mysql*" -oN nmap-mysql.log $IP
FTP Scan
nmap -vv --script "ftp*" -oN nmap-ftp.log $IP
SMB Scan
nmap -vv --script "smb*" -oN nmap-smb.log $IP
SSH Scan
nmap -vv --script "ssh*" -oN nmap-ssh.log $IP
I love feedback.
Let me know what you think of this article on twitter @noxtal_ or leave a comment below!