Nmap Cheat Sheet (Nmap-Cheat-Sheet-20210116.pdf)

Discovery Scans

-PR
    Send an ARP (Address Resolution Protocol) request to the target and wait for a reply.
    ARP requests are not usually blocked by firewalls.
    Default discovery method for any Nmap scan of targets on the local Ethernet segment when Nmap runs with raw-packet privileges (root).

-sn
    No port scan; host discovery only. With root privileges Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; any reply marks the host as up. Unprivileged users get TCP connect() probes to ports 80 and 443 instead.

-PS<portlist>
    Discover hosts by sending a TCP SYN to the specified port(s); the default is port 80.
    Any TCP reply (SYN/ACK or RST) shows the target is up.
    There is no space between -PS and the port list (for example -PS22,80,443).
    A port scan follows unless -sn is also given.

Nmap Scan Types

-h
    Example: nmap -h
    Help on Nmap.

-V
    Example: nmap -V
    Nmap version.

-d
    Example: nmap -d 192.168.1.50
    Enable debugging to view all steps of the scan (-d9 is the most verbose).

-sT
    Example: nmap -sT 192.168.1.50
    Complete a full TCP three-way handshake for each port (connect() scan). This is the default when raw packets are unavailable, for example for non-root users; it is slower and leaves a completed connection in the target's logs.

-sV
    Example: nmap -sV 192.168.1.50
    Probe open ports to identify the service and its version.

-sS
    Example: nmap -sS 192.168.1.50
    Send a TCP SYN to each port and judge the reply without completing the three-way handshake (half-open scan; needs root and is the default for root).
    ■ SYN/ACK: port is open (Nmap answers with a RST, so no connection is established)
    ■ RST: port is closed
    ■ No reply after retransmission, or an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13): port is filtered

-sU
    Example: nmap -sU 192.168.1.50
    UDP scan: send an empty (or, for well-known ports, protocol-specific) UDP datagram to each port.
    ■ Ports that answer with a UDP packet are open
    ■ Ports that do not answer are displayed as open|filtered (unknown)
    ■ Ports that trigger an ICMP port unreachable error (type 3, code 3) are closed
    ■ Other ICMP unreachable errors (type 3, code 1, 2, 9, 10 or 13) mean filtered
    UDP scans are slow because closed ports rely on rate-limited ICMP errors; combine with -sS or -sT when TCP ports are wanted too.

-sL
    Example: nmap -sL 192.168.1.50
    List scan: print the targets that would be scanned (with reverse DNS lookups by default) without sending any packets to them.

-sA
    Example: nmap -sA www.example.com
    ACK scan: find out whether a host or network is protected by a firewall and map its rules. It never reports a port as open.
    ■ "filtered": no reply or an ICMP unreachable error came back, so a firewall is dropping or rejecting the probe
    ■ "unfiltered": a RST came back, so the port is reachable, but it may be open or closed
    ■ -A does not settle that question (it adds OS detection, version detection, script scanning and traceroute); to learn whether unfiltered ports are open, scan them again with -sS, or try -sW (window scan)
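The -sS, -sU and -sA entries above each describe how Nmap turns one reply (or its absence) into a port state. The following Python is an added example, not code from the cheat sheet or from Nmap itself: it builds the probe each of those scan types sends, parses a raw IPv4/TCP/UDP/ICMP reply and applies Nmap's documented state rules. Nothing is sent on the wire; fake_target is a constructed stand-in for a host (TCP 22 open, 25 closed, 443 dropped by a firewall; UDP 53 open, 111 closed, the rest silent), and all function names are my own.

```python
import socket
import struct

# TCP flag bits (RFC 9293) and IP protocol numbers
SYN, RST, ACK = 0x02, 0x04, 0x10
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# ICMP destination-unreachable (type 3) codes that Nmap reports as "filtered"
TCP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}
UDP_UNREACH_FILTERED = {1, 2, 9, 10, 13}   # code 3 (port unreachable) means closed for UDP


def build_ipv4(proto, payload, src="192.168.1.10", dst="192.168.1.50"):
    """Constructed IPv4 header, no options; checksum left zero because nothing is transmitted."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header carrying only the given flag bits (seq, ack and checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport, dport):
    """Empty UDP datagram: 8-byte header and no payload, which is what -sU sends by default."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_icmp_unreach(code):
    """ICMP destination unreachable (type 3) with the given code; the quoted packet is omitted."""
    return struct.pack("!BBHI", 3, code, 0, 0)


def parse_reply(pkt):
    """Reduce an IPv4 packet to ('tcp', flags), ('udp', dport) or ('icmp', type, code)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_TCP:
        return ("tcp", body[13])
    if proto == IPPROTO_UDP:
        return ("udp", struct.unpack("!H", body[2:4])[0])
    if proto == IPPROTO_ICMP:
        return ("icmp", body[0], body[1])
    raise ValueError(f"unexpected IP protocol {proto}")


def probe_for(scan, dport, sport=40000):
    """What each scan type sends: a SYN (-sS), a bare ACK (-sA) or an empty UDP datagram (-sU)."""
    if scan == "-sS":
        return build_ipv4(IPPROTO_TCP, build_tcp(sport, dport, SYN))
    if scan == "-sA":
        return build_ipv4(IPPROTO_TCP, build_tcp(sport, dport, ACK))
    if scan == "-sU":
        return build_ipv4(IPPROTO_UDP, build_udp(sport, dport))
    raise ValueError(f"unsupported scan type {scan}")


def port_state(scan, reply):
    """Nmap's port-state rules for one probe; reply is the raw IPv4 reply, or None if nothing came back."""
    if reply is None:                                   # silence even after retransmission
        return "open|filtered" if scan == "-sU" else "filtered"
    r = parse_reply(reply)
    if scan == "-sS":
        if r[0] == "tcp" and (r[1] & (SYN | ACK)) == (SYN | ACK):
            return "open"                               # Nmap replies RST, so no connection completes
        if r[0] == "tcp" and r[1] & RST:
            return "closed"
        if r[0] == "icmp" and r[1] == 3 and r[2] in TCP_UNREACH_FILTERED:
            return "filtered"
    elif scan == "-sA":
        if r[0] == "tcp" and r[1] & RST:
            return "unfiltered"                         # reachable; an ACK probe cannot tell open from closed
        if r[0] == "icmp" and r[1] == 3 and r[2] in TCP_UNREACH_FILTERED:
            return "filtered"
    elif scan == "-sU":
        if r[0] == "udp":
            return "open"
        if r[0] == "icmp" and r[1] == 3 and r[2] == 3:
            return "closed"
        if r[0] == "icmp" and r[1] == 3 and r[2] in UDP_UNREACH_FILTERED:
            return "filtered"
    raise ValueError(f"reply does not match a {scan} probe")


def scan_ports(scan, dports, network):
    """Probe each port through `network` (a callable standing in for the wire) and collect the states."""
    return {dport: port_state(scan, network(probe_for(scan, dport))) for dport in dports}


def fake_target(probe):
    """Constructed host: TCP 22 open, 25 closed, 443 firewalled; UDP 53 open, 111 closed, others silent."""
    ihl = (probe[0] & 0x0F) * 4
    proto = probe[9]
    sport, dport = struct.unpack("!HH", probe[ihl:ihl + 4])   # same offsets for TCP and UDP
    if proto == IPPROTO_TCP:
        flags = probe[ihl + 13]
        if dport == 443:
            return None                                         # stateful firewall drops it
        if (flags & ACK) and not (flags & SYN):                 # unsolicited ACK: open or closed, both send RST
            return build_ipv4(IPPROTO_TCP, build_tcp(dport, sport, RST))
        if dport == 22:
            return build_ipv4(IPPROTO_TCP, build_tcp(dport, sport, SYN | ACK))
        return build_ipv4(IPPROTO_TCP, build_tcp(dport, sport, RST | ACK))
    if proto == IPPROTO_UDP:
        if dport == 53:
            return build_ipv4(IPPROTO_UDP, build_udp(dport, sport))
        if dport == 111:
            return build_ipv4(IPPROTO_ICMP, build_icmp_unreach(3))
    return None
```

Running scan_ports("-sA", [22, 25, 443], fake_target) gives unfiltered for both 22 and 25, which is the point of the -sA caveat above: the ACK scan only separates reachable ports from firewalled ones, and the SYN scan over the same ports is what tells 22 (open) from 25 (closed).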
Stealth Scans - pt 3

-T <0-5>
    Example: nmap 192.168.1.0/24 -T2
    Timing templates throttle or speed up the scan so that it is less noticeable; T0 is the slowest and T5 the fastest. Nmap names them paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). T3 is the default; T4 is the usual choice for a fast scan that is still reliable on a decent network. Both -T2 and -T 2 are accepted.

-f
    Example: nmap -f 192.168.1.50
    Split the probes (pings included) into 8-byte fragments after the IP header, so packet-filtering firewalls and intrusion detection systems that do not reassemble fragments never see a complete TCP/UDP header. Giving -f twice uses 16-byte fragments; --mtu <size> (a multiple of 8) sets any other fragment size. Fragmentation only applies to Nmap's raw-packet features (port scans other than -sT, OS detection); version detection and NSE scripts use normal OS sockets and go out unfragmented, and many modern filters reassemble before inspecting.

-D <decoy1,decoy2,...> <target>
    Example: nmap -D 192.168.1.10,192.168.1.15,192.168.1.30 192.168.1.50
    Mask the port scan with decoys: Nmap sends the same probes with each decoy address as the source, so the target's logs show the decoys and the real scanner all scanning at once. Decoys are comma-separated with no spaces; ME in the list sets the position of your real address (for example -D 192.168.1.10,ME,192.168.1.30) and RND:3 adds three random decoys. Use decoys that are actually up, otherwise the target is SYN-flooded and the one live sender is easy to pick out. Decoys are used for discovery, port scanning and OS detection but not for version detection or connect (-sT) scans.

-e <interface>
    Example: nmap -e eth0 192.168.1.50
    Specify the interface Nmap should send and receive on.

-S <spoofed source address>
    Example: nmap -e eth0 -S www.google.com 192.168.1.50
    Spoof the source address. Replies go to the spoofed address, so Nmap gets no useful results; the only purpose is to confuse an IDS or the target's administrator. Nmap normally needs -e to pick the interface and -Pn, because it cannot see discovery replies either.

Stealth Scans - pt 4

--spoof-mac <0 | vendor | MAC address>
    Examples: nmap -sT -Pn --spoof-mac apple 192.168.1.50
              nmap -sT -Pn --spoof-mac B7:B1:F9:BC:D4:56 192.168.1.50
    Use a bogus source hardware address: 0 picks a completely random MAC, a vendor name or prefix picks a random MAC with that vendor's OUI, and a full address is used as given. This implies --send-eth (raw Ethernet frames). Packets the operating system builds itself, such as the connect() probes of -sT in the examples, keep the real MAC; use a raw scan such as -sS if the spoofed address must appear on the port-scan frames too. (-PN is the older spelling of -Pn.)

--source-port <port number> (same as -g <port number>)
    Example: nmap --source-port 53 192.168.1.36
    Send probes from a fixed source port to fool packet filters that trust traffic from that port (53 for DNS, 67 for DHCP and 20 for FTP data are the classic choices). Only honored for raw-packet probes: connect scans (-sT), version detection (-sV) and NSE scripts use source ports chosen by the operating system.

--randomize-hosts
    Example: nmap --randomize-hosts 192.168.1.1-100
    Randomize the order in which the hosts are scanned, so the sweep is less obvious to a network monitor.

--proxies <proxy:port,proxy:port,...>
    Example: nmap --proxies http://192.168.1.30:8080,http://192.168.1.90:8008 <target>
    Relay TCP connections through a chain of HTTP or SOCKS4 proxies (comma-separated, no spaces). Proxy support lives in Nmap's nsock library, so only version detection (-sV) and NSE scripts go through the proxies; host discovery, port scanning and OS detection still go out directly from your own address, which limits its use for hiding an Internet scan.

Nmap Options

-p <port range>
    Examples: nmap -p 80 192.168.1.50
              nmap -p 80,443 www.example.com
              nmap -p1024-3000 192.168.1.0/24
              nmap -p U:53,111,137,T:21-25,80,139,443 192.168.1.0/24
              nmap -p- 192.168.1.50
    Scan only the specified port(s). Single ports, comma-separated lists and ranges can be mixed; an open-ended range such as -p -100 or -p 1000- runs to 1 or 65535, and -p- means every port 1-65535 (-p0- to include port 0). U: prefixes UDP ports and T: TCP ports; a qualifier applies to everything after it, and ports listed before any qualifier are added to both protocols. Scanning both protocols needs -sU together with a TCP scan type (for example -sS -sU), otherwise the UDP ports are ignored. Reported port states: open, closed (reachable, no service listening), filtered (no reply or ICMP error, usually a firewall), unfiltered (ACK scan only: reachable, open or closed unknown), open|filtered (UDP and the stealthier TCP scans) and closed|filtered (idle scan only).

-r
    Example: nmap -r 192.168.1.50
    Scan ports in sequential order instead of Nmap's default randomized order (useful when watching the scan in a packet capture).

--top-ports <number>
    Example: nmap --top-ports 200 192.168.1.50
    Scan the <number> ports most commonly found open according to Nmap's frequency data (the default scan covers the top 1000).

-6
    Examples: nmap -6 2001:f0d0:1003:51::4
              nmap -6 www.example.com
              nmap -6 fe80::8d50:86ce:55ad:bc5c
    Scan IPv6 addresses (or names that resolve to them). A link-local address (fe80::/10) also needs the outgoing interface, for example -e eth0.

-iL <input file name>
    Example: nmap -iL /tmp/test.txt
    Read the targets (hosts, networks or ranges, separated by whitespace or newlines; # starts a comment) from a file.

--exclude <host1,host2,...>
    Example: nmap 192.168.1.0/24 --exclude 192.168.1.5
    Exclude hosts from the scan even if they fall inside a listed range (--excludefile reads the list from a file).

-n
    Example: nmap -n 192.168.1.0/24
    Never do reverse DNS resolution on the targets (saves time and avoids DNS traffic that betrays the scan).

-R
    Example: nmap -R 192.168.1.0/24
    Always do reverse DNS resolution of every target, including hosts that appear to be down; by default Nmap resolves only hosts found up.

-F (fast mode)
    Example: nmap -F 192.168.1.50
    Scan fewer ports than the default: the 100 most common ports instead of 1000.
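The -p entry above mixes UDP and TCP ports and several range forms, and the rest of this table describes what a scan reports back. The Python below is an added example rather than anything from the cheat sheet or from Nmap: it expands a -p specification the way Nmap reads it (T:/U: qualifiers, open-ended ranges, -p-, UDP ports dropped when no -sU is given) and reconciles it against Nmap's grepable output (-oG), whose "Ignored State" field covers every port the Ports field leaves out. The -oG text is a constructed sample of that format; parse_portspec, parse_grepable and reconcile are my own names.

```python
import re

# Constructed -oG output for: nmap -sS -sU -p U:53,T:21-25,80,443 -oG - 192.168.1.50
# Port fields are portnum/state/protocol/owner/service/rpcinfo/version/ and are separated by ", ".
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -sU -p U:53,T:21-25,80,443 -oG - 192.168.1.50\n"
    "Host: 192.168.1.50 ()\tStatus: Up\n"
    "Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///, "
    "53/open|filtered/udp//domain///\tIgnored State: closed (4)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

PORT_ENTRY = re.compile(r"(?:([TtUu]):)?(\d*)(-?)(\d*)")


def parse_portspec(spec, udp_scan=False):
    """Expand an Nmap -p argument into {'tcp': set, 'udp': set}.

    A T:/U: qualifier applies to every item after it; items before any qualifier go to
    both protocols. Nmap ignores the UDP list (with a warning) unless -sU was requested,
    which udp_scan=False mirrors.
    """
    ports = {"tcp": set(), "udp": set()}
    current = None                                   # no qualifier seen yet -> both protocols
    for item in spec.replace(" ", "").split(","):
        m = PORT_ENTRY.fullmatch(item)
        if not m or (not m.group(2) and not m.group(3)):
            raise ValueError(f"bad port entry {item!r}")
        if m.group(1):
            current = "tcp" if m.group(1).upper() == "T" else "udp"
        lo = int(m.group(2)) if m.group(2) else 1      # "-100" starts at 1
        if m.group(3):
            hi = int(m.group(4)) if m.group(4) else 65535   # "1000-" and "-" end at 65535
        else:
            hi = lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        for proto in ([current] if current else ["tcp", "udp"]):
            ports[proto].update(range(lo, hi + 1))
    if not udp_scan:
        ports["udp"] = set()
    return ports


def parse_grepable(text):
    """Parse -oG output into {host: {'status': str, 'ports': {(proto, port): state}, 'ignored': state}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):             # '#' lines are comments
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]
        entry = hosts.setdefault(host, {"status": None, "ports": {}, "ignored": None})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for port in filter(None, fields.get("Ports", "").split(", ")):
            number, state, proto = port.split("/")[:3]
            entry["ports"][(proto, int(number))] = state
        if "Ignored State" in fields:                # e.g. "closed (4)": state shared by unlisted ports
            entry["ignored"] = fields["Ignored State"].split()[0]
    return hosts


def reconcile(spec, grepable, udp_scan=False):
    """Map every port the -p spec asked for to the state the -oG report gives it, per host."""
    wanted = parse_portspec(spec, udp_scan)
    report = {}
    for host, data in parse_grepable(grepable).items():
        for proto, numbers in wanted.items():
            for number in sorted(numbers):
                report[(host, proto, number)] = data["ports"].get((proto, number), data["ignored"])
    return report
```

reconcile("U:53,T:21-25,80,443", SAMPLE_GREPABLE, udp_scan=True) yields eight entries: 22 and 80 open, 443 filtered, UDP 53 open|filtered, and 21, 23, 24 and 25 closed even though they never appear in the Ports field, because the "Ignored State: closed (4)" tail accounts for them. Running the same spec with udp_scan=False drops port 53 entirely, matching what Nmap does when -sU is forgotten.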