πŸ—ΊοΈNmap Cheat Sheet

Navigate the world of network scanning with precision using this comprehensive Nmap cheat sheet. Discover essential commands, options, and best practices for performing efficient network scans.

Nmap Cheat Sheet

| Command | Description |
|---|---|
| `nmap <target>` | Perform a basic scan on the target |
| `nmap -p <ports> <target>` | Scan specific ports on the target |
| `nmap -p- <target>` | Scan all 65535 ports on the target |
| `nmap -sS <target>` | Stealth SYN scan (default if not root) |
| `nmap -sT <target>` | TCP connect scan |
| `nmap -sU <target>` | UDP scan |
| `nmap -sA <target>` | TCP ACK scan |
| `nmap -sN <target>` | TCP NULL scan |
| `nmap -sF <target>` | TCP FIN scan |
| `nmap -O <target>` | OS detection |
| `nmap -A <target>` | Aggressive scan |
| `nmap -T<0-5> <target>` | Set timing template (0=paranoid, 5=insane) |
| `nmap -v <target>` | Increase verbosity |
| `nmap -vv <target>` | Very verbose output |
| `nmap -oN <output.txt> <target>` | Save results in normal format to a file |
| `nmap -oX <output.xml> <target>` | Save results in XML format to a file |
| `nmap -oG <output.grep> <target>` | Save results in grepable format to a file |
| `nmap --script <script> <target>` | Run Nmap script against target |
| `nmap -p- --script vuln <target>` | Run vulnerability scan against all ports |
| `nmap -sV <target>` | Version detection |
| `nmap -sC <target>` | Default script scan |
| `nmap --traceroute <target>` | Perform a traceroute |

Note: Replace <target>, <ports>, <script>, etc., with actual values.

Nmap Best Practice Examples

Basic Scan on Target

Command: `nmap target.com`

Output:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:00 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
```


Scan Specific Ports on Target

Command: `nmap -p 80,443 target.com`

Output:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:05 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
```


Aggressive Scan with Version Detection

Command: `nmap -A target.com`

Output:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:10 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
```


Run Script Against Target

Command: `nmap --script http-enum target.com`

Output:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:15 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /: Potentially interesting files found
|   /admin/: Potentially interesting files found
|   /images/: Potentially interesting files found
|_  /backup/: Potentially interesting files found
```


Comprehensive Scan with Script Execution and Version Detection

Execute a comprehensive scan on the specified target using Nmap. This command combines the -sV flag for version detection and the -sC flag for script execution. The -sV flag helps identify the versions of services running on open ports, while the -sC flag runs default scripts to perform basic vulnerability and service enumeration.

This approach provides a well-rounded view of the target system, allowing you to gain insights into both the services and potential vulnerabilities present. The combination of version detection and script execution enhances your ability to assess the security posture of the target network or host.

Command: `nmap -sV -sC target`

Output:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:20 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
443/tcp open  ssl/http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
| ssl-cert: Subject: commonName=target.com
| Subject Alternative Name: DNS:target.com
| Issuer: organizationName=Let's Encrypt, countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-01T00:00:00Z
| Not valid after:  2023-09-01T23:59:59Z
| MD5: aaabbbcccddddeeeeffff11112222
|_SHA-1: 112233445566778899aabbccddee
|_SHA-256: 1234567890abcdef
```


Remember to replace target.com with the actual target IP address or domain name when executing these commands. These examples showcase different scenarios and how to interpret Nmap's output. You can use these as templates and adjust them based on your specific needs.
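As an added example, not code from the page or from Nmap, a parser for the normal-format output shown in these examples: it groups each NSE script's lines under the port they were printed beneath and evaluates the `ssl-cert` validity window against the timestamp in the scan's own header, so the same `-sV -sC` run that enumerates services also reports a certificate that is about to expire. `SAMPLE_OUTPUT` is a constructed copy of the `-sV -sC` output above (fingerprint lines omitted, an `Nmap done` footer added), the lowercase-with-hyphens rule for recognising script names is a heuristic of this example, and the 14-day warning threshold is an assumption.

```python
"""Parse Nmap normal-format output (what -oN saves) and check ssl-cert validity.

Added example, not from the cheat sheet or from Nmap. SAMPLE_OUTPUT is a
constructed copy of the -sV -sC output above; the 14-day warning is an assumption.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:20 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
443/tcp open  ssl/http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
| ssl-cert: Subject: commonName=target.com
| Subject Alternative Name: DNS:target.com
| Issuer: organizationName=Let's Encrypt, countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-01T00:00:00Z
|_Not valid after:  2023-09-01T23:59:59Z
Nmap done: 1 IP address (1 host up) scanned in 6.02 seconds
"""

HEADER_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC$", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# First line of an NSE script block: "| name: ..." or "|_name: ...". Script ids are
# lowercase with hyphens, which is what separates them from continuation lines
# such as "| Issuer: ..." (a heuristic used by this example).
SCRIPT_START_RE = re.compile(r"^\|[_ ]([a-z0-9][a-z0-9-]*):\s?(.*)$")
SCRIPT_LINE_RE = re.compile(r"^\|[_ ]\s?(.*)$")


def scan_time(text: str) -> datetime:
    """UTC timestamp taken from the 'Starting Nmap ... at' header line."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no Nmap header line with a UTC timestamp")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def parse_normal_output(text: str) -> list[dict]:
    """One dict per port line, carrying the NSE script output printed under it."""
    ports: list[dict] = []
    current_script: str | None = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": (m.group(5) or "").strip(), "scripts": {}})
            current_script = None
            continue
        if not ports or not line.startswith("|"):
            continue                      # banner, host lines, footer
        scripts = ports[-1]["scripts"]
        m = SCRIPT_START_RE.match(line)
        if m:
            current_script = m.group(1)
            scripts[current_script] = [m.group(2)] if m.group(2) else []
            continue
        m = SCRIPT_LINE_RE.match(line)
        if m and current_script is not None:
            scripts[current_script].append(m.group(1).strip())
    return ports


def _parse_ts(value: str) -> datetime:
    # ssl-cert prints ISO-like timestamps; tolerate a trailing "Z"
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def cert_status(port: dict, now: datetime, warn_days: int = 14) -> dict | None:
    """Validity window of the ssl-cert output under one port; None if there is none."""
    lines = port["scripts"].get("ssl-cert")
    if not lines:
        return None
    bounds = {}
    for line in lines:
        if line.startswith(("Not valid before:", "Not valid after:")):
            key, value = line.split(":", 1)
            bounds[key] = _parse_ts(value.strip())
    not_before, not_after = bounds["Not valid before"], bounds["Not valid after"]
    days_left = (not_after - now).days
    return {"subject": lines[0], "valid_now": not_before <= now <= not_after,
            "days_left": days_left, "expiring_soon": 0 <= days_left <= warn_days}


if __name__ == "__main__":
    when = scan_time(SAMPLE_OUTPUT)
    for p in parse_normal_output(SAMPLE_OUTPUT):
        status = cert_status(p, when)
        if status:
            flag = " (EXPIRING SOON)" if status["expiring_soon"] else ""
            print(f"{p['port']}/{p['proto']} {status['subject']}: {status['days_left']} days left{flag}")
```

Using the scan header as the reference time keeps the verdict reproducible when an old `-oN` file is re-examined; for a live check pass `datetime.now(timezone.utc)` instead. Normal output is meant for humans and its layout can shift between Nmap versions, so for anything automated the XML format is the more stable input.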

For more options and detailed information, refer to the Nmap documentation.
