Nmap

The Nmap cheat sheet is a one-page reference sheet for the famous Network Mapper tool.

Star on GitHub
...
Follow us on X
Buy Me a Coffee

#Getting Started

#Basic Usage :

# set your target in etc/hosts

# fast scan of all port of your target
nmap -p- -T5 target 

# fast scan on port 80 with os detection  
namp -p, 80 -T5 -O target

#Basic Options :

Options Purpose
-p- all ports
-p1-1023 scan ports 1 to 1023
-F 100 most common ports
-r scan ports in consecutive order
-T<0-5> -T0 being the slowest and T5 the fastest
--max-rate 50 rate <= 50 packets/sec
--min-rate 15 rate >= 15 packets/sec
--min-parallelism 100 at least 100 probes in parallel

#Nmap Intermediate Options

#Service Detections :

Option Meaning
--traceroute run traceroute to target
--script=SCRIPTS Nmap scripts to run
-sC or --script=default run default scripts
-O OS detection
-sV Service version detection
-A equivalent to -sV -O -sC --traceroute

#Timing

Option Meaning
-T<0-5> Timing template – paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)
--min-parallelism <numprobes> and --max-parallelism <numprobes> Minimum and maximum number of parallel probes
--min-rate <number> and --max-rate <number> Minimum and maximum rate (packets/second)
--host-timeout Maximum amount of time to wait for a target host

#Formating answers

#Details & Report

Option Purpose
--reason explains how Nmap made its conclusion
-v verbose
-vv very verbose
-d debugging
-dd more details for debugging
-oN <filename> Normal output
-oX <filename> XML output
-oG <filename> grep-able output
-oA <basename> Output in all major formats

#Advanced Technic

#Advanced Scan

Options Protocol Main Function Typical Use Case
-PR -sn ARP Scan Discovering devices on the local network (LAN)
-PE -sn ICMP Echo Scan Checking if hosts are reachable (pinging)
-PP -sn ICMP Timestamp Scan Gathering device time info (less common)
-PM -sn ICMP Address Mask Scan Determining subnet mask info from hosts
-PS -sn TCP SYN Ping Scan Detecting open TCP ports and live hosts
-PA -sn TCP ACK Ping Scan Identifying firewall rules and open ports
-PU -sn ICMP Ping Scan Finding hosts with open UDP services

#Investigation Exemple

#Verbose Os Quick port scan

nmap -sV -O -p- -T5 target 
 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 15:17 CET

Nmap scan report for target (10.10.158.161)
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (reset)

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat 8.5.5

Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%),
Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), 
Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.94 seconds


# you can then use `nmap -A -p 22, 8009, 8080 target` on discovered ports

Do not use this tool without consent. For educational purposes, this example is coming from a Try Hack Me machine.

#Also See