🗺️ Nmap Cheat Sheet
Navigate the world of network scanning with precision using this comprehensive Nmap cheat sheet. Discover essential commands, options, and best practices for performing efficient network scans.
Nmap Cheat Sheet
Command | Description |
---|---|
| Perform a basic scan on the target |
| Scan specific ports on the target |
| Scan all 65535 ports on the target |
| Stealth SYN scan (default if not root) |
| TCP connect scan |
| UDP scan |
| TCP ACK scan |
| TCP NULL scan |
| TCP FIN scan |
| OS detection |
| Aggressive scan |
| Set timing template (0=paranoid, 5=insane) |
| Increase verbosity |
| Very verbose output |
| Save results in normal format to a file |
| Save results in XML format to a file |
| Save results in grepable format to a file |
| Run Nmap script against target |
| Run vulnerability scan against all ports |
| Version detection |
| Default script scan |
| Perform a traceroute |
Note: Replace <target>, <ports>, <script>, etc., with actual values.
Nmap Best Practice Examples
Basic Scan on Target
Command: nmap target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:00 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
Scan Specific Ports on Target
Command: nmap -p 80,443 target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:05 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Aggressive Scan with Version Detection
Command: nmap -A target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:10 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
Run Script Against Target
Command: nmap --script http-enum target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:15 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /: Potentially interesting files found
| /admin/: Potentially interesting files found
| /images/: Potentially interesting files found
|_ /backup/: Potentially interesting files found
Comprehensive Scan with Script Execution and Version Detection
Execute a comprehensive scan on the specified target using Nmap. This command combines the -sV flag for version detection and the -sC flag for script execution. The -sV flag helps identify the versions of services running on open ports, while the -sC flag runs default scripts to perform basic vulnerability and service enumeration.
This approach provides a well-rounded view of the target system, allowing you to gain insights into both the services and potential vulnerabilities present. The combination of version detection and script execution enhances your ability to assess the security posture of the target network or host.
Command: nmap -sV -sC target
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:20 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
443/tcp open ssl/http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
| ssl-cert: Subject: commonName=target.com
| Subject Alternative Name: DNS:target.com
| Issuer: organizationName=Let's Encrypt, countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-01T00:00:00Z
| Not valid after: 2023-09-01T23:59:59Z
| MD5: aaabbbcccddddeeeeffff11112222
|_SHA-1: 112233445566778899aabbccddee
|_SHA-256: 1234567890abcdef
Remember to replace target.com with the actual target IP address or domain name when executing these commands. These examples showcase different scenarios and how to interpret Nmap's output. You can use these as templates and adjust them based on your specific needs.
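As an added example (not part of the original cheat sheet), the script below reads normal-format output like the -sV -sC sample above and reports open ports that are missing from an approved baseline, plus certificates close to expiry. The names parse_report, review, baseline and min_cert_days are hypothetical, the sample text is constructed, and the header timestamp is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample, laid out like the "nmap -sV -sC" output shown above.
SAMPLE = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:20 UTC
Nmap scan report for target.com (192.168.1.1)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix))
|_http-title: Example Domain
443/tcp open ssl/http Apache httpd 2.4.39 ((Unix))
| ssl-cert: Subject: commonName=target.com
|_Not valid after: 2023-09-01T23:59:59Z
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d\d-\d\d \d\d:\d\d)")
EXPIRY_RE = re.compile(r"Not valid after:\s*(\S+)")

def parse_report(text):
    """Return (scan_time, {(port, proto): record}) from normal-format output."""
    scan_time, ports, current = None, {}, None
    for line in text.splitlines():
        if m := START_RE.match(line):  # assumption: header time is UTC
            scan_time = datetime.strptime(m[1], "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        elif m := PORT_RE.match(line):
            current = {"state": m[3], "service": m[4], "version": m[5], "cert_expiry": None}
            ports[(int(m[1]), m[2])] = current
        elif line.startswith("|") and current and (m := EXPIRY_RE.search(line)):
            # Script lines belong to the port line printed above them.
            current["cert_expiry"] = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return scan_time, ports

def review(text, baseline, min_cert_days=14):
    """List open ports missing from baseline and certificates close to expiry."""
    scan_time, ports = parse_report(text)
    now = scan_time or datetime.now(timezone.utc)  # fall back if the header is missing
    findings = []
    for (port, proto), rec in sorted(ports.items()):
        if rec["state"] == "open" and (port, proto) not in baseline:
            findings.append(f"{port}/{proto} open but not in baseline ({rec['service']})")
        exp = rec["cert_expiry"]
        if exp and (exp - now).days < min_cert_days:
            findings.append(f"{port}/{proto} certificate expires in {(exp - now).days} day(s)")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, baseline={(443, "tcp")}):
        print(finding)
```

The normal format is meant for reading, so for recurring checks save the scan in XML format and parse that instead.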
For more options and detailed information, refer to the Nmap documentation.