Nmap Cheatsheet: Mastering Network Scanning

This nmap cheatsheet collects the options that network administrators, security professionals, and penetration testers reach for most often. It walks through nmap's main features and techniques, from target selection and host discovery to version detection, scripting, output handling, and tuning, so that you can run a thorough network reconnaissance and feed the results into a vulnerability assessment.

1. Understanding Nmap Basics

1.1 What is Nmap?
Nmap (Network Mapper) is a free, open-source tool for discovering hosts, open ports, and the services and operating systems behind them on a network. Through the Nmap Scripting Engine (NSE) it can also check discovered services for known vulnerabilities and misconfigurations.

1.2 Why Use Nmap?
Nmap runs on every major platform, scales from a single host to whole address ranges, offers a scan type for nearly every network situation, and is actively maintained with a regularly updated service and OS fingerprint database. That combination makes it the standard first step in both network management and security assessment.

2. Target Specification

2.1 Input Methods:

  • -iL <inputfilename>: Read targets from a file (one host, hostname, or CIDR range per line)
  • -iR <num hosts>: Choose that many random Internet targets (0 means never stop); rarely appropriate in an authorized assessment, where the scope is fixed

2.2 Exclusion Techniques:

  • --exclude <host1[,host2][,host3],...>: Omit specific hosts or ranges, even when they fall inside a target range you specified
  • --excludefile <exclude_file>: Skip hosts listed in a file (same syntax as -iL); the usual way to keep fragile or out-of-scope systems out of a range scan
3. Host Discovery

3.1 Basic Discovery:

  • -sL: List scan; enumerates the targets (with reverse DNS lookups) without sending any probes to them, useful for sanity-checking a scope before scanning
  • -sn: Ping scan; host discovery only, no port scan

3.2 Advanced Discovery:

  • -Pn: Skip host discovery and treat every target as online; needed when ICMP and common ports are filtered, but every address is then port-scanned, so scans take longer
  • -PS/PA/PU/PY[portlist]: TCP SYN, TCP ACK, UDP, or SCTP INIT discovery probes to the given ports (e.g. -PS22,443); several may be combined, and a host counts as up if it answers any of them
  • -PE/PP/PM: ICMP echo, timestamp, and netmask request probes

3.3 Protocol-Specific Discovery:

  • -PO[protocol list]: IP protocol ping (e.g. -PO1,2,4 for ICMP, IGMP, and IP-in-IP)
  • -n/-R: Never resolve DNS / always resolve (by default nmap resolves only hosts found to be up); -n is faster and avoids DNS queries that a monitored resolver would log
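As an added example (not part of the original cheatsheet), the following bash functions turn the discovery options above into a target list for later scans. The sweep combines an ICMP echo with a TCP SYN to 443 and a TCP ACK to 80 so that hosts whose firewall drops ICMP are still found, disables reverse DNS with -n, and writes grepable output to stdout (-oG -) so that awk can keep only the hosts reported as Up. The sample output embedded below is constructed to show the line format, not captured from a real scan; the range 10.0.0.0/29 and the file name live.txt are placeholders.

```bash
#!/usr/bin/env bash
# Constructed sample of grepable (-oG) ping-sweep output, used here as offline input.
# Real output lists Down hosts only when run with -v; the line shape is the same.
SAMPLE_SWEEP='# Nmap 7.94 scan initiated Wed Jan  3 10:00:00 2024 as: nmap -sn -n -PE -PS443 -PA80 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()	Status: Up
Host: 10.0.0.2 ()	Status: Down
Host: 10.0.0.5 ()	Status: Up
# Nmap done at Wed Jan  3 10:00:02 2024 -- 8 IP addresses (2 hosts up) scanned in 1.81 seconds'

# Read grepable output on stdin and print the address of every host nmap marked Up.
# $2 is the address because grepable Host lines begin "Host: <addr> (<name>)".
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Run the sweep against the given targets and write one live address per line to
# the file named in $1. -PE -PS443 -PA80 stack: a host counts as up if it answers
# any one of the probes, which covers networks that filter ICMP. Needs nmap,
# raw-socket privileges for the SYN/ACK probes, and authorization for the range.
sweep() {
  local outfile=$1
  shift
  nmap -sn -n -PE -PS443 -PA80 -oG - "$@" | live_hosts > "$outfile"
  echo "$(wc -l < "$outfile" | tr -d ' ') live hosts written to $outfile"
}

# If nothing answers at all, check with -Pn before concluding the range is empty:
#   nmap -Pn -n -p 22,80,443 10.0.0.0/29
# -Pn skips discovery and port-scans every address, so expect a slower scan.

# Usage: sweep live.txt 10.0.0.0/29
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
```

The awk filter is deliberately loose about whitespace (grepable fields are tab-separated, but the address is always the second whitespace-delimited token), so the same function works on files saved with -oG as well as on the live pipeline.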

4. Scan Techniques

4.1 TCP Scans:

  • -sS/-sT/-sA/-sW/-sM: SYN, Connect, ACK, Window, and Maimon scans. SYN is the default when nmap has raw-socket privileges and never completes the handshake; Connect is the unprivileged fallback, completes the handshake, and therefore shows up in the target service's logs; ACK distinguishes filtered from unfiltered ports rather than open from closed

4.2 UDP and Other Protocols:

  • -sU: UDP scanning; slow, and many ports report open|filtered because most UDP services do not answer an empty probe (combine with -sV to coax a response)
  • -sY/-sZ: SCTP INIT and COOKIE-ECHO scans
  • -sO: IP protocol scan; determines which IP protocols (ICMP, TCP, UDP, GRE, ...) the host supports rather than which ports are open

4.3 Special Scans:

  • -sN/-sF/-sX: Null, FIN, and Xmas scans; rely on RFC 793 behaviour to slip past some stateless filters, but stacks that ignore the RFC (Windows among them) reply with RST regardless, so every port looks closed
  • -sI <zombie host[:probeport]>: Idle scan; uses a third host with a predictable IP ID sequence so that the probes appear to come from the zombie
  • -b <FTP relay host>: FTP bounce scan through a server that still allows PORT to arbitrary addresses
5. Port Specification and Scan Order

5.1 Basic Port Selection:

  • -p <port ranges>: Specify ports to scan, e.g. -p 22,80,443 or -p 1-1024; -p- means all 65535 ports
  • -p U:<ports>,T:<ports>: Qualify ports by protocol, e.g. -p U:53,161,T:22,80 (requires -sU together with a TCP scan type so both lists are actually scanned)

5.2 Advanced Port Selection:

  • -F: Fast mode; scan the 100 most common ports instead of the default 1000
  • -r: Scan ports sequentially instead of in random order
  • --top-ports <number>: Scan the <number> most common ports according to nmap's frequency data
  • --port-ratio <ratio>: Scan every port more common than <ratio> (a value between 0 and 1)

6. Service and Version Detection

6.1 Version Scanning:

  • -sV: Probe open ports to determine the service and its version, instead of guessing the service from the port number alone

6.2 Intensity Control:

  • --version-intensity <level>: Set probe intensity from 0 (light) to 9 (try all probes); the default is 7
  • --version-light: Limit probing to the most likely probes (intensity 2); faster but less accurate
  • --version-all: Try every probe against every port (intensity 9)

6.3 Debugging:

  • --version-trace: Show detailed version scan activity, probe by probe, for debugging
7. Script Scanning

7.1 Basic Script Usage:

  • -sC: Run the default script set (equivalent to --script=default)
  • --script=<Lua scripts>: Comma-separated list of script files, directories, or categories to run, e.g. --script=safe,vuln; intrusive and exploit categories can crash or alter services, so check what a category contains before running it

7.2 Script Arguments:

  • --script-args=<n1=v1,[n2=v2,...]>: Provide arguments to scripts (e.g. http.useragent=Mozilla/5.0)
  • --script-args-file=<filename>: Load script arguments from a file

7.3 Script Management:

  • --script-trace: Show all data sent and received by scripts
  • --script-updatedb: Rebuild the script database after adding or editing scripts
  • --script-help=<Lua scripts>: Show what the named scripts or categories do and which arguments they accept
8. OS Detection

8.1 Basic OS Detection:

  • -O: Enable OS detection; requires raw-socket privileges and works best when the target has at least one open and one closed TCP port to fingerprint

8.2 Advanced OS Detection:

  • --osscan-limit: Limit OS detection to promising targets (hosts with at least one open and one closed port)
  • --osscan-guess: Guess the OS more aggressively when there is no exact fingerprint match
9. Output Formats

9.1 Standard Outputs:

  • -oN <file>: Normal output, the same text you see on screen
  • -oX <file>: XML output; the format to parse when feeding results to other tools (a file name of - writes to stdout)

9.2 Special Outputs:

  • -oG <file>: Grepable output, one line per host; convenient for quick shell pipelines, but the nmap reference guide lists it as deprecated in favour of XML
  • -oA <basename>: Write normal, XML, and grepable output at once, as <basename>.nmap, <basename>.xml, and <basename>.gnmap; the safest habit for any scan you may need to revisit
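Added example, not taken from the original cheatsheet: a bash function that scans a list of live hosts with the SYN and version-detection options from the sections above, saves all three formats with -oA, and extracts the open ports from the .gnmap file. Grepable output puts every port of a host in one Ports: field as port/state/protocol/owner/service/rpc-info/version/ entries separated by ", "; the awk below splits that field and keeps only entries whose state is open. The embedded sample is constructed to illustrate the format (hosts, services, and versions are invented); the basename assess and the file live.txt are placeholders. The split assumes version strings contain neither "/" nor ", ", so check that against your own .gnmap files before relying on it, and parse the .xml file instead for anything beyond a quick pipeline.

```bash
#!/usr/bin/env bash
# Constructed sample of grepable (-oG) output from a -sS -sV scan; invented data.
SAMPLE_SCAN='# Nmap 7.94 scan initiated Wed Jan  3 10:05:00 2024 as: nmap -sS -sV -p- -T4 -iL live.txt -oA assess
Host: 10.0.0.1 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///	Ignored State: closed (65532)
Host: 10.0.0.5 ()	Ports: 3306/open/tcp//mysql//MySQL 8.0.35-0ubuntu0.22.04.1/	Ignored State: closed (65534)
# Nmap done at Wed Jan  3 10:09:41 2024 -- 2 IP addresses (2 hosts up) scanned in 281.05 seconds'

# Read grepable output on stdin and print one tab-separated line per OPEN port:
#   address  port/proto  service  version
# Filtered and closed ports are dropped, so the result is the exposed-service list.
open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      addr = $2
      ports = $0
      sub(/^.*Ports: /, "", ports)                # keep the Ports field...
      sub(/[ \t]+Ignored State:.*$/, "", ports)   # ...and drop the trailing summary
      n = split(ports, entry, /, /)
      for (i = 1; i <= n; i++) {
        # subfields: port/state/protocol/owner/service/rpc-info/version/
        split(entry[i], f, "/")
        if (f[2] == "open")
          printf "%s\t%s/%s\t%s\t%s\n", addr, f[1], f[3], f[5], f[7]
      }
    }'
}

# Full-port SYN scan with version detection over the hosts listed in $1, all
# output formats under basename $2 ($2.nmap, $2.xml, $2.gnmap), then the open-port
# list. -sS needs raw-socket privileges; -p- with -sV can take minutes per host.
scan_live() {
  local hostfile=$1 base=$2
  nmap -sS -sV -p- -T4 -iL "$hostfile" -oA "$base"
  open_ports < "$base.gnmap"
}

# Usage: scan_live live.txt assess
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Because the function reads the saved .gnmap file rather than the live scan, you can re-run it with a different filter (for example f[2] == "open|filtered" for UDP results) without rescanning, which is the point of writing every scan out with -oA.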

10. Performance Tuning

10.1 Timing Templates:

  • -T<0-5>: Set the timing template (higher is faster); -T4 is the usual choice on reliable networks, -T5 trades accuracy for speed and can miss ports, and -T0/-T1 are slow enough to stay under some rate-based IDS thresholds

10.2 Parallel Scanning:

  • --min-hostgroup/--max-hostgroup <size>: Adjust how many hosts are scanned in parallel as one group
  • --min-parallelism/--max-parallelism <numprobes>: Control how many probes are outstanding at once; raising the minimum speeds up scans of lossy networks at the cost of accuracy
11. Firewall/IDS Evasion and Spoofing

11.1 Packet Fragmentation:

  • -f: Fragment packets into 8-byte pieces after the IP header (-ff for 16 bytes), to defeat filters that do not reassemble fragments
  • --mtu <val>: Set a custom fragment size instead; must be a multiple of 8

11.2 Decoys and Spoofing:

  • -D <decoy1,decoy2[,ME],...>: Cloak the scan among decoy source addresses so the real scanner is one of many apparent sources (ME marks your own position in the list)
  • -S <IP_Address>: Spoof the source address; replies go to that address, so you see no results unless you can sniff them, and you usually need -e to pick the interface and -Pn to skip discovery

11.3 Timing and Rate Control:

  • --scan-delay <time>: Wait at least the given time between probes, e.g. 1s or 500ms
  • --max-rate <number>: Send no more than <number> packets per second, a hard ceiling that is easier to reason about than a timing template when an IDS or a fragile target is in the path

Conclusion: This expanded nmap cheatsheet provides a comprehensive overview of nmap’s capabilities. By mastering these commands and techniques, you’ll be well-equipped to perform advanced network scanning and security assessments. Remember to use nmap responsibly and always obtain proper authorization before scanning networks you don’t own or manage.

Further Learning: To deepen your understanding of nmap and network security, consider exploring advanced topics such as NSE scripting, integrating nmap with other security tools, and studying common network vulnerabilities. The nmap cheatsheet is just the beginning of your journey into the world of network security and analysis.