Network Enumeration with Nmap - Cheat Sheet

Putting together a handy cheat sheet from the Nmap module

SYNTAX

```shell
nmap <scan types> <options> <target>
```

Host Discovery

| Command | Description |
| --- | --- |
| `-sn` | Disable port scanning; host discovery only. |
| `-PE` | Use ICMP Echo Requests for host discovery. |
| `nmap -sn 10.129.2.12` | Scan a single IP |
| `nmap -sn 10.129.2.0/24` | Scan a network range (CIDR notation) |
| `nmap -sn -iL hosts.lst` | Scan the targets listed in a file (whitespace- or newline-separated) |
| `nmap -sn 10.129.2.12 10.129.2.13 10.129.2.17` | Scan multiple IPs |
| `nmap -sn 10.129.2.12-18` | Scan an octet range (10.129.2.12 through 10.129.2.18) |

On a directly connected Ethernet segment nmap discovers hosts with ARP requests regardless of `-PE`; add `--reason` (or `--packet-trace`) to see which probe a host actually answered.

Port Scanning

| Command | Description |
| --- | --- |
| `-sS` | TCP SYN ("half-open") scan; the default when running as root |
| `-sT` | TCP Connect scan (full three-way handshake); the default without raw-socket privileges |
| `-sU` | UDP scan |
| `--top-ports=10` | Scan the 10 ports ranked most common in `nmap-services` |
| `-F` | Fast scan: the 100 most common ports instead of the default 1000 |
| `-Pn` | Treat all hosts as online; skip host discovery |
| `-p 80` | Scan only port 80 |
| `-p 80,8080` | Scan ports 80 and 8080 |
| `-p 80-90` | Scan a port range |
| `-p-` | Scan all ports (1-65535) |

Saving The Results

| Command | Description |
| --- | --- |
| `-oN` | Normal (human-readable) output, conventionally with the `.nmap` extension |
| `-oG` | Grepable output, `.gnmap` |
| `-oX` | XML output, `.xml`; the format to parse when feeding results to other tools |
| `-oA Target` | Save in all three formats at once, as `Target.nmap`, `Target.gnmap` and `Target.xml` |
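Once results are saved with `-oA`, the `.xml` file is the one to parse programmatically; `.gnmap` is for quick `grep`/`awk` one-liners and `.nmap` is for reading. The following added example (written for this cheat sheet, not nmap's own code) parses a constructed, trimmed-down sample of `-oX` output into Python structures, lists the open ports with their `-sV` banners, and rebuilds the `Ports:` field of the grepable format from the same data. The real XML carries many more elements and attributes (hostnames, OS matches, timing, script output), which this parser ignores; the `to_grepable` line approximates the `.gnmap` layout rather than reproducing it byte for byte.

```python
"""Parse nmap -oX output and regenerate the -oG 'Ports:' field from it.

Added example for this cheat sheet (not nmap's own code). SAMPLE_XML is a
constructed, trimmed-down file in the shape nmap writes for
`nmap -sS -sV -oA Target 10.129.2.28-29`.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA Target 10.129.2.28-29" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
  <service name="microsoft-ds"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.129.2.29" addrtype="ipv4"/>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one dict per <host>: IPv4 address, up/down state and its port list."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")   # absent when -sV was not used
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "version": service.get("version", "") if service is not None else "",
            })
        hosts.append(entry)
    return hosts


def open_ports(hosts: list[dict]) -> list[tuple]:
    """Flatten to (address, proto, port, 'service product version') for open ports only."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                label = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
                out.append((h["addr"], p["proto"], p["port"], label))
    return out


def to_grepable(host: dict) -> str:
    """Approximate the 'Host: ... Ports:' line of -oG output for one host.

    Each port is port/state/protocol/owner/service/rpcinfo/version/, so the
    usual `grep open Target.gnmap` one-liners work on the result.
    """
    fields = []
    for p in host["ports"]:
        version = " ".join(x for x in (p["product"], p["version"]) if x)
        fields.append(f"{p['port']}/{p['state']}/{p['proto']}//{p['service']}//{version}/")
    return f"Host: {host['addr']} ()\tPorts: " + ", ".join(fields)


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr, proto, port, label in open_ports(hosts):
        print(f"{addr}:{port}/{proto}  {label}")
    print(to_grepable(hosts[0]))
```

To use it on a real scan, replace `SAMPLE_XML` with the contents of `Target.xml`; because `<service>` is only present when `-sV` ran, every access to it is guarded, and a host that was down simply yields an empty port list.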

Service and OS Enumeration

| Command | Description |
| --- | --- |
| `-O` | OS detection |
| `-sV` | Service version enumeration |
| `-A` | Aggressive scan: enables OS detection (`-O`), version detection (`-sV`), default script scanning (`-sC`) and traceroute (`--traceroute`) |

Nmap Scripting Engine (NSE)

| Command | Description |
| --- | --- |
| `-sC` | Run the default NSE scripts; equivalent to `--script=default` |
| `--script <category>` | Run every script in the given category |
| `--script <script_name>,<script_name>` | Run the named scripts only |

Script Categories

| Script Category | Description |
| --- | --- |
| auth | Scripts that deal with authentication credentials, e.g. checking for anonymous or default access |
| broadcast | Discover hosts by broadcasting on the local network; with `--script-args newtargets` the discovered hosts are added to the remaining scan |
| brute | Brute-force logins against the respective service with credential lists |
| default | The scripts run by `-sC` |
| discovery | Actively gather more information about the network and its services (SNMP, directory services, banners and so on) |
| dos | Check services for denial-of-service conditions; rarely used because it can take the service down |
| exploit | Attempt to exploit known vulnerabilities on the scanned port |
| external | Send data to or query third-party services (e.g. whois databases) for further processing |
| fuzzer | Send unexpected or randomised fields to find crashes and parsing bugs; can take a long time |
| intrusive | Scripts that may crash the target, consume its resources or be logged as an attack |
| malware | Check whether the target is infected with malware or backdoors |
| safe | Scripts considered unlikely to crash services, use much bandwidth or exploit anything |
| version | Extends service version detection (run automatically with `-sV`) |
| vuln | Check for specific known vulnerabilities; results are reported only when one is found |

Performance

  • `rtt`: Round Trip Time, the time until a response to a probe arrives from the scanned port.

  • The default value for `--max-retries` is 10.

| Command | Description |
| --- | --- |
| `--min-rtt-timeout 100ms` | Minimum RTT timeout |
| `--max-rtt-timeout 100ms` | Maximum RTT timeout; lowering it speeds the scan up but causes missed ports on slow or distant networks |
| `--initial-rtt-timeout 50ms` | Initial RTT timeout |
| `--max-retries 0` | Number of probe retransmissions; 0 means a dropped probe is never retried, so rate-limited hosts can lose ports |
| `--min-rate 300` | Send at least this many packets per second, overriding nmap's congestion control; too high a rate causes packet loss and missed results |
| `-T <0-5>` | Timing template to use |

Time Template

[Timing template table image]

The templates are `-T0` (paranoid), `-T1` (sneaky), `-T2` (polite), `-T3` (normal, the default), `-T4` (aggressive) and `-T5` (insane); each presets the RTT timeouts, retries and parallelism from the table above.

Source here

Firewall and IDS/IPS Evasion

| Command | Description |
| --- | --- |
| `nmap 192.168.1.1 -D 192.168.1.35,192.168.1.26,192.168.1.13,192.168.1.100` | Decoys: the target also sees scans from the listed spoofed IPs, hiding the real source among them (comma-separated, no spaces; put `ME` in the list to control where your own address appears) |
| `-D RND:5` | Generate five random decoy IPs |
| `-S <IP>` | Spoof the source IP address; replies go to that address, so nmap will generally not see them, which limits this to testing what a firewall lets through (usually needs `-e` and `-Pn`) |
| `-e tun0` | Send all requests through the specified interface |
| `--source-port <Port Number>` | Send probes from the given source port, e.g. 53 or 80 to pass firewalls that trust traffic from DNS or web ports |

Mission Complete


This post is licensed under CC BY 4.0 by the author.