Nmap Cheat Sheet

Nmap has a multitude of options and when you first start playing with this excellent tool it can be a bit daunting. In this cheat sheet you will find a series of practical example commands for running Nmap and getting the most out of this powerful tool. Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Contents
- Target Selection
- Port Selection
- Port Scan Types
- Service and Operating System Detection
- Output Formats
- NSE Scripting
- HTTP Information Gathering
- Heartbleed Detection
- IP Information Gathering
- Remote Scanning

Nmap Target Selection

Scan a single host:               nmap 192.168.1.1
Scan a range of IPs:              nmap 192.168.1.1-20
Scan a subnet:                    nmap 192.168.1.0/24
Scan targets from a text file:    nmap -iL list-of-ips.txt

These are all default scans, which will scan the 1000 most common TCP ports. Host discovery will take place first, so a host that does not answer the discovery probes is reported as down and its ports are never scanned.

Nmap Port Selection

Scan a single port:                        nmap -p 22 192.168.1.1
Scan a range of ports:                     nmap -p 1-100 192.168.1.1
Scan the 100 most common ports (fast):     nmap -F 192.168.1.1
Scan all 65535 ports:                      nmap -p- 192.168.1.1

Nmap Port Scan Types

Scan using TCP connect:                    nmap -sT 192.168.1.1
Scan using TCP SYN scan (default):         nmap -sS 192.168.1.1
Scan UDP ports:                            nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports, ignore discovery:     nmap -Pn -F 192.168.1.1

Privileged access (root, or the raw-socket capability) is required to perform the default SYN scan; the same is true of UDP scans and OS detection. If privileges are insufficient a TCP connect scan is used instead. A TCP connect scan requires a full TCP connection to be established on every port and is therefore slower; it is also more visible, because the completed connection is seen and logged by the target application, whereas a SYN scan never finishes the handshake. Ignoring discovery is often required as many firewalls or hosts will not respond to ping, so they could be missed unless you select the -Pn parameter. Of course this can make scan times much longer as you could end up sending scan probes to hosts that are not there. Take a look at the Nmap Tutorial for a detailed look at the scan process.
Service and OS Detection

Detect OS and services:                 nmap -A 192.168.1.1
Standard service detection:             nmap -sV 192.168.1.1
More aggressive service detection:      nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection:      nmap -sV --version-intensity 0 192.168.1.1

Service and OS detection rely on different methods to determine the operating system or the service running on a particular port. -A enables OS detection, version detection, the default script set and traceroute in one flag, so it is considerably noisier than a plain -sV. The version intensity ranges from 0 to 9 and defaults to 7: the more aggressive service detection is often helpful if there are services running on unusual ports, while the lighter version will be much faster as it does not really attempt to detect the service and simply grabs the banner of the open service.

Nmap Output Formats

Save default output to file:            nmap -oN outputfile.txt 192.168.1.1
Save results as XML:                    nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep:      nmap -oG outputfile.txt 192.168.1.1
Save in all formats:                    nmap -oA outputfile 192.168.1.1

The default format could also be saved to a file using a simple file redirect (nmap ... > file). Using the -oN option allows the results to be saved but also monitored in the terminal as the scan is under way. -oA writes three files (.nmap, .xml and .gnmap) with the given base name. The XML output is the format to feed into other tools, while the grepable format is convenient for quick one-liners with grep, awk or cut.

Digging Deeper with NSE Scripts

Scan using default scripts:             nmap -sV -sC 192.168.1.1
Get help for a script:                  nmap --script-help=ssl-heartbleed
Scan using a specific NSE script:       nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.1
Scan with a set of scripts:             nmap -sV --script="smb*" 192.168.1.1

According to my Nmap install there are currently 581 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them. The option --script-help=$scriptname will display help for the individual scripts. To get an easy list of the installed scripts try locate nse | grep script. You will notice I have used the -sV service detection parameter. Generally most NSE scripts will be more effective and you will get better coverage by including service detection.

Two points worth checking before running these: -sC is shorthand for --script=default, and the default category is not the same as the safe category (some default scripts are intrusive enough to show up in logs), so use --script=safe if that is what you actually want; and a wildcard such as smb* should be quoted, otherwise the shell will expand it against files in the current directory before Nmap sees it.
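The grepable format described in the output section above exists so that results can be post-processed from the shell. The script below is an added example, not code from the cheat sheet or from the Nmap project: it parses a -oG file and prints one line per open port with host, port/protocol, service name and any version string found by -sV. The sample data it writes is constructed here so that the example runs offline and is not a real scan. The layout it relies on (tab-separated fields, with the Ports field holding comma-separated port/state/proto/owner/service/rpc/version records) is Nmap's documented grepable output.

```shell
#!/bin/sh
# Added example: turn Nmap grepable (-oG) output into "host port/proto service [version]"
# lines, one per open port. Not part of the original cheat sheet.

# Writes a constructed -oG file (sample data, not a real scan) to the path in $1 so the
# example runs offline. Real input comes from: nmap -sV -oG scan.gnmap <targets>
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n'
        printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
        printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
        printf 'Host: 192.168.1.20 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
        printf '# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
    } > "$1"
}

# open_ports FILE: print "host port/proto service [version]" for every open port in a -oG file.
# Fields are tab separated; the Ports field is a comma separated list of
# port/state/proto/owner/service/rpc/version/ records.
open_ports() {
    awk -F '\t' '
        /^Host:/ {
            split($1, h, " ")
            host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, rec, ", ")
                for (j = 1; j <= n; j++) {
                    split(rec[j], f, "/")
                    if (f[2] != "open") continue            # skip closed and filtered ports
                    line = host " " f[1] "/" f[3] " " (f[5] == "" ? "unknown" : f[5])
                    if (f[7] != "") line = line " " f[7]    # version string, present only with -sV
                    print line
                }
            }
        }' "$1"
}

# Stand-alone use: open_ports on the file given as $1, or on the constructed sample without args.
if [ -n "${1:-}" ]; then
    open_ports "$1"
else
    sample=$(mktemp)
    write_sample_gnmap "$sample"
    open_ports "$sample"
    rm -f "$sample"
fi
```

Pipe the result into sort -u or a diff against yesterday's run to spot newly exposed services; the same awk skeleton works on a .gnmap file produced by -oA.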
A scan to search for DDoS reflection UDP services:

nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24

UDP based DDoS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place (chargen, DNS, NTP and SNMP on ports 19, 53, 123 and 161). Full details of the command and the background can be found on the SANS Institute Blog where it was first posted. Note that -n disables reverse DNS lookups, which would otherwise slow the scan down and add noise of its own.

HTTP Service Information

Gather page titles from HTTP services:    nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services:         nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths:           nmap --script=http-enum 192.168.1.0/24

There are many HTTP information gathering scripts; here are a few that are simple but helpful when examining larger networks. They help in quickly identifying what the HTTP service is that is running on the open port. Note that the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generate hundreds of 404 HTTP responses in the web server error and access logs.

Detect Heartbleed SSL Vulnerability

Heartbleed testing:    nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability (CVE-2014-0160) in SSL services. Specify alternative ports to test SSL on mail and other protocols (requires Nmap 6.46 or later).

IP Address Information

Find information about an IP address:    nmap --script=asn-query,whois-ip,ip-geolocation-maxmind 192.168.1.0/24

Gather information related to the IP address and the netblock owner of the IP address. Uses ASN, whois and geoip location lookups. Keep in mind that the ASN and whois scripts query external services, so the addresses you are scanning are sent to third parties, and ip-geolocation-maxmind needs a local MaxMind database to work. See the IP Tools for more information and similar IP address and DNS lookups.

Remote Scanning

Testing your network perimeter from an external perspective is key when you wish to get the most accurate results. By assessing your exposure from the attacker's perspective you can validate firewall rule audits and understand exactly what is allowed into your network. This is the reason we offer a hosted or online version of the Nmap port scanner: it lets you test the perimeter safely and effectively, and anyone who has played with shodan.io knows very well how bad actors test perimeter networks.

Additional Resources

The above commands are just a taste of the power of Nmap. Check out our Nmap Tutorial that has more information. You could also view the full set of features by running Nmap with no options. The creator of Nmap, Fyodor, has a book available that covers the tool in depth.
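The NSE and Heartbleed sections above produce their findings inside the normal (-oN) output, not in the grepable format, so a scan of a /24 leaves you reading through script blocks by hand. The script below is an added example, not code from the cheat sheet or from the Nmap project: it walks a -oN file and prints host, port and script name for every script block that reports "State: VULNERABLE" (or "LIKELY VULNERABLE"), which is how ssl-heartbleed and the other scripts built on Nmap's vulns library report a positive result. The sample file it writes is constructed and abbreviated from the shape of ssl-heartbleed's output; it is not real scan data.

```shell
#!/bin/sh
# Added example: extract "State: VULNERABLE" findings from Nmap normal (-oN) output.
# Not part of the original cheat sheet. Works for ssl-heartbleed and any other NSE script
# that reports through the vulns library, which always emits a "State:" line.

# Writes a constructed -oN file (sample text, not a real scan) to $1 so the example runs
# offline. Real input comes from: nmap -sV -p 443 --script=ssl-heartbleed -oN hb.nmap <targets>
write_sample_nmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -p 443 --script=ssl-heartbleed -oN hb.nmap 192.168.1.0/24
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.2.22
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap scan report for 192.168.1.11
Host is up (0.0020s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx 1.18.0
| ssl-heartbleed:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE

Nmap scan report for 192.168.1.12
Host is up (0.0030s latency).

PORT    STATE  SERVICE VERSION
443/tcp closed https

# Nmap done at Mon Jan  1 00:02:00 2024 -- 256 IP addresses (3 hosts up) scanned in 120.00 seconds
EOF
}

# vulnerable_findings FILE: print "host port/proto script" for each positive vulns-library result.
# Host comes from the "Nmap scan report for" line, port from the last open-port line, and the
# script name from the "| name:" or "|_name:" line that opens a script block.
vulnerable_findings() {
    awk '
        /^Nmap scan report for / { host = $5; port = ""; script = "" }
        /^[0-9]+\/(tcp|udp) +open/ { port = $1 }
        /^[|](_| )[a-z][a-z0-9-]*:/ { script = $0; sub(/^[|](_| )/, "", script); sub(/:.*/, "", script) }
        /State: (LIKELY )?VULNERABLE/ { print host, port, script }
    ' "$1"
}

# Stand-alone use: report on the file given as $1, or on the constructed sample without args.
if [ -n "${1:-}" ]; then
    vulnerable_findings "$1"
else
    sample=$(mktemp)
    write_sample_nmap "$sample"
    vulnerable_findings "$sample"
    rm -f "$sample"
fi
```

"State: NOT VULNERABLE" lines (printed when a script runs with vulns.showall or in verbose mode) are deliberately not matched, so the report only lists hosts that need attention.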